W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2021

Re: [webauthn] Provide request deserialization, response serialization (#1683)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Thu, 02 Dec 2021 00:18:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-984176324-1638404318-sysbot+gh@w3.org>
The two leading formats would be:

1. JSON with base64url-encoded properties for ArrayBuffers
2. base64url-encoded CBOR

I would make two points in favor of CBOR:
1. This is meant for the server, and the server already needs to work with WebAuthn binary formats as well as CBOR to handle the assertions, to handle attestations and to handle extensions (such as the mandated credProtect by some clients)
2. Having it be CBOR frees us from some issues with compatibility, while by comparison we can't determine if a RP server intended for a JSON property to be interpreted as a string or an ArrayBuffer without additional rules.

For the second point, additional `ArrayBuffer` values represented as base64 encoded properties might not be understood as string vs binary properly if a request is sent to a client which does not support it.

This would likely not be an issue where the fromJSON for options is being interpreted by the platform, as @agl mentioned on call. I cannot speak to how this knowledge might complicate environments where the browser and platform have an API between them.

GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1683#issuecomment-984176324 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 2 December 2021 00:18:42 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC