W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2020

Re: [webauthn] Use of CBOR, and Uint8Array/ArrayBuffer (#1362)

From: Craig Francis via GitHub <sysbot+gh@w3.org>
Date: Thu, 23 Jan 2020 00:33:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-577451717-1579739612-sysbot+gh@w3.org>
I do see your point, especially in regards to backwards compatibility, but ArrayBuffers are a pain to send to the server (where they will ultimately need to be sent).

Which is where I'm intrigued by the suggestion of a HTML element, one that does not need any JavaScript, and could be polyfilled by JavaScript on older browsers (addressing the backwards compatibility issue).

I think that HTML element should make a POST request to the server, using JSON encoding, and base64 encoding for any binary data.

At the moment I'm thinking a normal `<input type="submit" name="auth" value="Create" />` (so something appears for older browsers, when a polyfill fails), then adding one of two new attributes (`credential-create=""` or `credential-get=""`) where their content sets the options (also using JSON).

Then, along with the public key being in an easier to use format (maybe PEM), it would be nice to have easy access to all of the other values (rpIdHash, flags, and signCount).



    $options = {
        "publicKey": {
            "rp": {
                "name": "Test Website",
                "id": "example.com"
            "user": {
                "id": "MTIzNA==", // A Base64 encoded value (1234), not Uint8Array
                "name": "craig@example.com",
                "displayName": "Craig Francis"
            "challenge": "txHXB+K0cQFlWLhBOd0jvHSBCd4aJv8I5X0Z7U7ElGU=", // A Base64 encoded value, not Uint8Array
            "pubKeyCredParams": [
                    "type": "public-key",
                    "alg": -7
            "timeout": 10000,
            "attestation": "none",
            "excludeCredentials": [
            "userVerification": "discouraged"

    <form action="/path/" method="post">
        <input type="submit" name="auth" value="Create" credential-create="<?= htmlentities(json_encode($options)) ?>" />


POST Response:

    $auth = {
        "id": "mGYJM5RrXM1bwWlIvOewnjOAJ1Y4OmmDyMZ5tkdJCcWCay1RktHcfQvpDB4OIw9UsqntFx1FGJDCugyQTTFnrg",
        "type": "public-key",
        "auth": {
            "rpIdHash": "afb64c14d8723ef066d1e108dd60adec30447611664958a5587cdf806ba5ab6b",
            "flags": {
                "UP": true,
                "RFU1": false,
                "UV": false,
                "RFU2a": false,
                "RFU2b": false,
                "RFU2c": false,
                "AT": true,
                "ED": false
            "signCount": 0,
            "attestedCredentialData": {
                "aaguid": "AAAAAAAAAAAAAAAAAAAAAA==",
                "credentialId": "mGYJM5RrXM1b",
                "publicKey": {
                    "type": 2,
                    "algorithm": -7,
                    "curve_type": 1,
                    "curve_x": "uELJlQrFdsxGjthRcbrcNwMKDGbsaEoP4T5T6JBdGQM=",
                    "curve_y": "XBZY+ZCfmnQia65ZO17sHuD0FkUoAwIbE39G/EfChjI=",
                    "pem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuELJlQrFdsxGjthRcbrcNwMKDGbs\naEoP4T5T6JBdGQNcFlj5kJ+adCJrrlk7Xuwe4PQWRSgDAhsTf0b8R8KGMg==\n-----END PUBLIC KEY-----"
            "extensions": null
        "response": {
            "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJ0eEhYQi1LMGNRRmxXTGhCT2QwanZIU0JDZDRhSnY4STVYMFo3VTdFbEdVIiwib3JpZ2luIjoiaHR0cHM6Ly9icm93c2VyLndlYmF1dGhuLmVtbWEuZGV2Y2YuY29tIiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9",
            "attestationObject": ""

GitHub Notification of comment by craigfrancis
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1362#issuecomment-577451717 using your GitHub account
Received on Thursday, 23 January 2020 00:33:35 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:39 UTC