[webauthn] clientDataJSON sent to authenticator? (#1442)

Nesuma has just created a new issue for https://github.com/w3c/webauthn:

== clientDataJSON sent to authenticator? ==
I'm a little confused why under 5.2. Authenticator Responses it says 
`This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either create() or get().`
and why (for registration) pubKeyCred.response.clientDataJSON gets its value from credentialCreationData.clientDataJSONResult instead of clientDataJSON directly when the value is just clientDataJSON copied a few steps earlier and there is no real clientDataJSON**result**.

In the algorithms of 5.1.3 and 5.1.4 only the clientDataHash is passed to the authenticator. The CTAP specification also expects only the hash. Researching didn't solve my problem:
 
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
`only a hash is sent because the link to the authenticator may be a low-bandwidth`

https://webauthn.guide/
`clientDataJSON: This represents data passed from the browser to the authenticator`

https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/WebAuthn_Client_Authentication.html
`The clientDataJSON contains the JSON-serialized data passed to the authenticator by the client in order to generate the credential`

What am I missing or are these problems just artifacts of an earlier version of webauthn?


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1442 using your GitHub account

Received on Tuesday, 16 June 2020 16:01:27 UTC
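
The get() flow the issue asks about, as an added example that is not part of the original issue or of the specification text: the client keeps clientDataJSON and hands only its SHA-256 hash to the authenticator, and the relying party later recomputes that hash from the clientDataJSON it receives. The function names, the `rp.example` origin, the in-process authenticator and the simplified authenticatorData layout are assumptions made for illustration.

```javascript
// Added illustration: client, authenticator and relying party simulated in one process.
const crypto = require('crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Client (browser): serializes the client data, keeps the JSON, hashes it.
function clientPrepare(type, challenge, origin) {
  const clientData = { type, challenge: challenge.toString('base64url'), origin, crossOrigin: false };
  const clientDataJSON = Buffer.from(JSON.stringify(clientData), 'utf8');
  return { clientDataJSON, clientDataHash: sha256(clientDataJSON) };
}

// Authenticator: receives only the 32-byte hash, never the JSON itself.
function authenticatorSign(privateKey, rpId, clientDataHash) {
  // Simplified authenticatorData: rpIdHash (32) || flags (1, UP set) || signCount (4).
  const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signature = crypto.sign('sha256', Buffer.concat([authenticatorData, clientDataHash]), privateKey);
  return { authenticatorData, signature };
}

// Relying party: gets clientDataJSON from the client and recomputes the hash.
function rpVerify(publicKey, expected, response) {
  const c = JSON.parse(response.clientDataJSON.toString('utf8'));
  if (c.type !== expected.type || c.origin !== expected.origin) return false;
  if (c.challenge !== expected.challenge.toString('base64url')) return false;
  if (!response.authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return false;
  const signed = Buffer.concat([response.authenticatorData, sha256(response.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, response.signature);
}

// Constructed run: one genuine response, and one whose JSON bytes were altered
// after signing while type, challenge and origin stay as expected.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { type: 'webauthn.get', challenge: crypto.randomBytes(32),
                     origin: 'https://rp.example', rpId: 'rp.example' };
  const { clientDataJSON, clientDataHash } = clientPrepare(expected.type, expected.challenge, expected.origin);
  const response = { clientDataJSON, ...authenticatorSign(privateKey, expected.rpId, clientDataHash) };
  const alteredJSON = clientDataJSON.toString('utf8').replace('"crossOrigin":false', '"crossOrigin":true');
  const tampered = { ...response, clientDataJSON: Buffer.from(alteredJSON, 'utf8') };
  return { hashLength: clientDataHash.length,
           valid: rpVerify(publicKey, expected, response),
           tamperedValid: rpVerify(publicKey, expected, tampered) };
}
```

The signature covers authenticatorData followed by the hash, so any change to the clientDataJSON bytes returned to the relying party invalidates it even though the authenticator never saw the JSON.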