Re: [webauthn] Provide request deserialization, response serialization (#1683)

> On the client side, you have to transform it in proper JSON to even send it to the server.
> And in order to get the public key, you have to decode the CBOR stuff inside.
> So, from the perspective of a web developer, I don't understand why being directly decoded would be a problem.

Right, but the original statement:

> So that you directly see the content of the attestation objects, have direct access to the public key, signatures and so on ... and not simply a base64 CBOR buffer, which, besides being obfuscated, transfers the burden of CBOR decoding to the server.

Implies that full-fledged transforms would be applied by this API, rather than simply base64-encoding the normal configurations and results and embedding them in a JSON structure. Specifically, that such transforms would eliminate the server's burden for understanding the CBOR format of attestations and extensions.

There is not much capability for doing this between the client and server.

The server can certainly create its own simplified forms for business logic and policy evaluation _after_ verifying the credential result, but the server needs to be able to evaluate based on unmodified data in order to do signature integrity checks.

Add onto this that translation between CBOR and JSON is limited, as CBOR is a superset of JSON. Translating CBOR to JSON means that only responses that the client fully understands would be available.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1683#issuecomment-1040221603 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 15 February 2022 12:36:06 UTC
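The split dwaite describes, as an added example that is not code from the w3c/webauthn thread or from the spec: the client's only "transform" is base64url-encoding the raw `attestationObject` buffer into the JSON it posts, and the server is the side that CBOR-decodes it, walks `authData`, and keeps the untouched bytes for later signature checks. The sample attestation object is constructed inline (fmt "none", an all-zero AAGUID, a fixed rpIdHash and ES256 coordinates) and is not captured from a real authenticator; Node's `Buffer` is assumed for base64url, where a browser page would use `btoa`/`atob`.

```javascript
// Added example (not from the thread): minimal CBOR codec plus WebAuthn
// attestationObject/authData parser. Assumes Node.js for Buffer base64url.

function cborHead(major, n) { // initial byte plus length argument, up to 2^32-1
  if (n < 24) return [(major << 5) | n];
  if (n < 0x100) return [(major << 5) | 24, n];
  if (n < 0x10000) return [(major << 5) | 25, n >> 8, n & 0xff];
  return [(major << 5) | 26, (n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
}

// Encoder for the subset WebAuthn needs: ints (including negative COSE labels),
// byte strings, text strings, arrays, and Maps whose keys may be ints or text.
function cborEncode(v) {
  if (Number.isInteger(v)) return Uint8Array.from(v >= 0 ? cborHead(0, v) : cborHead(1, -1 - v));
  if (v instanceof Uint8Array) return Uint8Array.from([...cborHead(2, v.length), ...v]);
  if (typeof v === "string") {
    const b = new TextEncoder().encode(v);
    return Uint8Array.from([...cborHead(3, b.length), ...b]);
  }
  if (Array.isArray(v)) return Uint8Array.from([...cborHead(4, v.length), ...v.flatMap(x => [...cborEncode(x)])]);
  if (v instanceof Map) {
    const body = [...v].flatMap(([k, x]) => [...cborEncode(k), ...cborEncode(x)]);
    return Uint8Array.from([...cborHead(5, v.size), ...body]);
  }
  throw new Error("unsupported CBOR value");
}

// Decoder for the same subset; returns [value, nextOffset] and rejects truncated input.
function cborDecode(bytes, pos = 0) {
  const need = k => { if (pos + k > bytes.length) throw new Error("truncated CBOR"); };
  need(1);
  const ib = bytes[pos++], major = ib >> 5, ai = ib & 0x1f;
  let n = ai;
  if (ai === 24) { need(1); n = bytes[pos++]; }
  else if (ai === 25) { need(2); n = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; }
  else if (ai === 26) { need(4); n = ((bytes[pos] << 24) >>> 0) + (bytes[pos + 1] << 16) + (bytes[pos + 2] << 8) + bytes[pos + 3]; pos += 4; }
  else if (ai > 26) throw new Error("unsupported CBOR argument " + ai);
  switch (major) {
    case 0: return [n, pos];
    case 1: return [-1 - n, pos];
    case 2: need(n); return [bytes.slice(pos, pos + n), pos + n];
    case 3: need(n); return [new TextDecoder().decode(bytes.slice(pos, pos + n)), pos + n];
    case 4: { const a = []; for (let i = 0; i < n; i++) { const [x, p] = cborDecode(bytes, pos); a.push(x); pos = p; } return [a, pos]; }
    case 5: { const m = new Map(); for (let i = 0; i < n; i++) { const [k, p1] = cborDecode(bytes, pos); const [x, p2] = cborDecode(bytes, p1); m.set(k, x); pos = p2; } return [m, pos]; }
    default: throw new Error("unsupported CBOR major type " + major);
  }
}

// Client side: the whole transform is base64url over the raw ArrayBuffer of
// credential.response.attestationObject. (Browser: btoa/atob instead of Buffer.)
const toBase64url = u8 => Buffer.from(u8).toString("base64url");
const fromBase64url = s => Uint8Array.from(Buffer.from(s, "base64url"));

// Server side: authData layout is rpIdHash(32) | flags(1) | signCount(4) and,
// when the AT flag is set, aaguid(16) | credIdLen(2) | credId | COSE key (CBOR map).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const dv = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const f = authData[32];
  const out = { rpIdHash: authData.slice(0, 32), signCount: dv.getUint32(33),
    flags: { up: !!(f & 0x01), uv: !!(f & 0x04), at: !!(f & 0x40), ed: !!(f & 0x80) } };
  let pos = 37;
  if (out.flags.at) {
    out.aaguid = authData.slice(37, 53);
    const idLen = dv.getUint16(53);
    out.credentialId = authData.slice(55, 55 + idLen);
    // COSE_Key uses integer labels (1=kty, 3=alg, -1=crv, -2=x, -3=y) and byte-string
    // values: neither exists in JSON, which is where a generic CBOR->JSON pass loses.
    [out.coseKey, pos] = cborDecode(authData, 55 + idLen);
  }
  if (out.flags.ed) [out.extensions, pos] = cborDecode(authData, pos);
  if (pos !== authData.length) throw new Error("trailing bytes in authData");
  return out;
}

function parseAttestationObject(b64url) {
  const raw = fromBase64url(b64url);
  const [obj, end] = cborDecode(raw);
  if (end !== raw.length || !(obj instanceof Map)) throw new Error("malformed attestationObject");
  const fmt = obj.get("fmt"), attStmt = obj.get("attStmt"), authData = obj.get("authData");
  if (typeof fmt !== "string" || !(attStmt instanceof Map) || !(authData instanceof Uint8Array)) throw new Error("bad attestationObject fields");
  // authDataRaw is kept verbatim: attestation signatures cover authData || SHA-256(clientDataJSON),
  // so the server must verify over these exact bytes, not over a re-encoded form.
  return { fmt, attStmt, authDataRaw: authData, authData: parseAuthData(authData) };
}

// Constructed sample (hypothetical values, not a real authenticator response).
function buildSampleAttestationObject() {
  const rpIdHash = new Uint8Array(32).fill(0x11), aaguid = new Uint8Array(16);
  const credId = Uint8Array.from([0xde, 0xad, 0xbe, 0xef]);
  const x = new Uint8Array(32).fill(0xaa), y = new Uint8Array(32).fill(0xbb);
  const coseKey = cborEncode(new Map([[1, 2], [3, -7], [-1, 1], [-2, x], [-3, y]])); // EC2, ES256, P-256
  const flags = 0x01 | 0x04 | 0x40; // UP | UV | AT
  const authData = Uint8Array.from([...rpIdHash, flags, 0, 0, 0, 5, ...aaguid, 0, credId.length, ...credId, ...coseKey]);
  return cborEncode(new Map([["fmt", "none"], ["attStmt", new Map()], ["authData", authData]]));
}

const wireJson = JSON.stringify({ attestationObject: toBase64url(buildSampleAttestationObject()) });
const parsed = parseAttestationObject(JSON.parse(wireJson).attestationObject);
console.log(parsed.fmt, parsed.authData.signCount, [...parsed.authData.coseKey.keys()]);
```

The decoder deliberately returns the COSE key as a `Map` with integer keys rather than a plain object: a JSON object would have to stringify `-1` and base64-encode the coordinates, and the server would then have to undo that choice before it could re-derive the bytes a "packed" or "fido-u2f" signature was computed over. Keeping `authDataRaw` alongside the parsed view is what lets the same server do both policy evaluation and signature verification.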