[webauthn] How do I handle these unexpected U2F values for `tokenBinding`? (#1623)

MasterKale has just created a new issue for https://github.com/w3c/webauthn:

== How do I handle these unexpected U2F values for `tokenBinding`? ==
I've come across some `"fido-u2f"` attestations that contain unexpected values for `clientDataJSON.tokenBinding`. I'm hoping to get some clarification on how to process these instances of [`clientDataJSON.tokenBinding`](https://w3c.github.io/webauthn/#dom-collectedclientdata-tokenbinding) values:

![Screen Shot 2021-06-14 at 7 23 39 PM](https://user-images.githubusercontent.com/5166470/121983339-09c14d00-cd46-11eb-9279-fc7463d23645.png)

In the case of `"status": "not-supported"` I'm understanding that I need to parse this response as though `tokenBinding` is not defined:

![Screen Shot 2021-06-14 at 7 05 19 PM](https://user-images.githubusercontent.com/5166470/121982588-9ff47380-cd44-11eb-9217-72a776860a35.png)

I was very surprised, though, to see a response in which `tokenBinding` was the string `"unused"`:

![Screen Shot 2021-06-14 at 7 05 32 PM](https://user-images.githubusercontent.com/5166470/121982583-9e2ab000-cd44-11eb-8233-e9f9a7c44faa.png)

I consulted the spec again and, no matter how I read it, I couldn't figure out what I was supposed to do with this: the definition of `tokenBinding.status` says to ignore `tokenBinding` if `tokenBinding.status` is an unexpected value, but in this case it's `tokenBinding` that's an unexpected value.

What's the correct way to handle the second response? Am I supposed to ignore `tokenBinding` if it isn't an object?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1623 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 15 June 2021 02:28:32 UTC
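For readers of the archive: the following is an added Relying Party-side example, not code from the issue, from the WebAuthn spec, or from any library the author maintains. It applies the spec's rule that unknown `tokenBinding.status` values are ignored (which covers `"not-supported"`) and additionally, as an assumption rather than anything the spec states, treats a `tokenBinding` that is not an object (such as the string `"unused"`) exactly like an absent member. The `connection.tokenBindingId` field is a hypothetical stand-in for whatever the RP knows about Token Binding on the TLS connection, and all sample `clientDataJSON` payloads are constructed, not captured from real clients.

```javascript
// Added example: RP-side handling of clientDataJSON.tokenBinding.
// Not code from the issue, the WebAuthn spec, or any library; treating a
// non-object tokenBinding like an absent member is an assumption.

// TokenBindingStatus values the WebAuthn spec defines; anything else is
// "unknown" and the spec says to ignore it ("not-supported" lands here).
const KNOWN_STATUSES = new Set(['present', 'supported']);

// Decode base64url clientDataJSON into the CollectedClientData object.
function decodeClientData(clientDataJSONB64url) {
  return JSON.parse(Buffer.from(clientDataJSONB64url, 'base64url').toString('utf8'));
}

// Return a normalised { status, id? }, or undefined when the RP should
// proceed as though tokenBinding were absent.
function normalizeTokenBinding(clientData) {
  const tb = clientData.tokenBinding;
  if (tb === undefined || tb === null) return undefined;             // member absent
  if (typeof tb !== 'object' || Array.isArray(tb)) return undefined;  // e.g. the string "unused" (assumption)
  if (typeof tb.status !== 'string' || !KNOWN_STATUSES.has(tb.status)) {
    return undefined;                                                 // unknown status, e.g. "not-supported"
  }
  if (tb.status === 'present') {
    if (typeof tb.id !== 'string' || tb.id.length === 0) {
      throw new Error('tokenBinding.status "present" requires a non-empty id');
    }
    return { status: 'present', id: tb.id };
  }
  return { status: 'supported' };
}

// Verification step: does the client's claim match what the RP observed on
// the TLS connection? `connection.tokenBindingId` is a hypothetical field
// holding the base64url Token Binding ID when Token Binding was negotiated.
function verifyTokenBinding(normalized, connection) {
  const used = typeof connection.tokenBindingId === 'string';
  if (normalized === undefined || normalized.status === 'supported') {
    return !used; // client reports no binding in use; reject if the RP saw one
  }
  return used && normalized.id === connection.tokenBindingId; // status "present"
}

// Constructed sample payloads (not captured from real clients).
const toB64url = (obj) => Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
const base = { type: 'webauthn.create', challenge: 'Y2hhbGxlbmdl', origin: 'https://rp.example' };
const SAMPLES = {
  notSupported: toB64url({ ...base, tokenBinding: { status: 'not-supported' } }),
  unused: toB64url({ ...base, tokenBinding: 'unused' }),
  present: toB64url({ ...base, tokenBinding: { status: 'present', id: 'AQID' } }),
  absent: toB64url(base),
};

// Run one sample through normalisation and verification.
function handleSample(name, connection = {}) {
  const normalized = normalizeTokenBinding(decodeClientData(SAMPLES[name]));
  return { normalized, ok: verifyTokenBinding(normalized, connection) };
}

for (const name of Object.keys(SAMPLES)) {
  console.log(name, JSON.stringify(handleSample(name)));
}
```

With no Token Binding on the connection, the `"not-supported"`, `"unused"` and absent cases all normalise to `undefined` and verify successfully; if the RP did observe a Token Binding ID on the connection, those same cases fail verification because the client's claim no longer matches the connection state.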