
Re: [webauthn] New PublicKeyCredential methods for JSON (de)serialization (#1703)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 20 Jun 2022 12:36:43 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1160395874-1655728601-sysbot+gh@w3.org>
> * During authentication, the `response.userHandle` contains the plain text "user.id" like `my-john-doe-id` and here also the raw value holds more value than its base64url encoded variant.

The spec states that "The [user handle](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#user-handle) MUST NOT contain personally identifying information about the user, such as a username or e-mail address" and "It is RECOMMENDED to let the [user handle](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#user-handle) be 64 random bytes". We should not add features to support a use case we actively recommend against.

I think `clientDataJSON` should also stay base64url-encoded to keep the emphasis that it needs to be conveyed byte-identically to the value that was signed. More generally I think this JSON variant of the API should mirror the BufferSource variant as closely as possible and not make any structural or semantic changes to the data, otherwise the mismatch will be confusing.

I guess that could be an argument against splitting the root object into two separate types for registration and authentication, but I think that one is fair enough since that is likely how most developers already think of it anyway.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1703#issuecomment-1160395874 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 20 June 2022 12:36:44 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC
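
Added example, not part of the archived message or of the pull request it discusses: a Node.js sketch of why `clientDataJSON` has to arrive byte-identical. A WebAuthn assertion signature covers authenticatorData || SHA-256(clientDataJSON), so a transport that parses and re-serializes the client data can invalidate it. The key pair, the sample bytes and the function names `viaBase64url`, `viaNestedObject` and `verifyAssertion` are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample: valid JSON whose bytes do not survive parse + re-stringify
// (escaped slashes in the origin, a space after one colon).
const clientDataJSON = Buffer.from(
  '{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ",' +
  '"origin":"https:\\/\\/example.org","crossOrigin": false}', 'utf8');

// Constructed placeholder standing in for real authenticator data.
const authenticatorData = Buffer.alloc(37, 0xa5);

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const signature = nodeCrypto.sign(
  'sha256', Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);

// Relying party side: verify against whatever clientDataJSON bytes arrived.
function verifyAssertion(receivedClientData) {
  const signed = Buffer.concat([authenticatorData, sha256(receivedClientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature);
}

// Transport A: the raw bytes travel as a base64url string inside the JSON message.
function viaBase64url(bytes) {
  const wire = JSON.stringify({ clientDataJSON: bytes.toString('base64url') });
  return Buffer.from(JSON.parse(wire).clientDataJSON, 'base64url');
}

// Transport B: the client data is embedded as a nested JSON object and the
// receiver re-serializes it before hashing.
function viaNestedObject(bytes) {
  const wire = JSON.stringify({ clientData: JSON.parse(bytes.toString('utf8')) });
  return Buffer.from(JSON.stringify(JSON.parse(wire).clientData), 'utf8');
}

console.log('base64url transport verifies:', verifyAssertion(viaBase64url(clientDataJSON)));
console.log('nested-object transport verifies:', verifyAssertion(viaNestedObject(clientDataJSON)));
```

Both transports deliver the same parsed fields; only the base64url one delivers the bytes that were hashed and signed.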