Re: [webauthn] Why not make things simple? (#1709)

Hey @dagnelies 

So first, I have actually written a whole series of articles just about FIDO2 and Webauthn: https://medium.com/webauthnworks/webauthn-fido-series-content-page-4f9a187aa588

And there is a good list of existing solutions: https://github.com/herrjemand/awesome-webauthn#server-libs


Next let me break down why:

> outdated: byte buffers containing CBOR structures, which in turn contain nested byte buffers which are a concatenation of flags, byte lengths and nested CBOR... shouldn't such things a relic of the last century?!

I am not sure why you are referring to CBOR as outdated, since it's a quite new standard. The reason why it is like that is because the authenticator, like a physical security key (Yubikey, Trustkey), is communicating using the CTAP2 protocol, which in itself uses CBOR as an efficient standard for encoding and decoding structs.

> messy: there are many different attestation formats, with each its own way to be parsed, interpreted and validated... Isn't it kind of ironic for a "standard"?!

There are different kinds of devices, with different kinds of hardware, with different kinds of manufacturers, and different kinds of specifics of how a device is attested, and what is even attested. iOS does it differently from Windows TPM, and from Android Safetynet.

In general, no one really even needs attestation. This is mostly an enterprise feature. You can read this article to learn more: https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651


> complex: it's fucking 165 pages long!!! It's huge, it's difficult to read, it's sometimes unclear, sometimes obscure... Who can even understand all that?!

Webauthn, same as every standard, grows to satisfy industry needs. Same as every other standard, it requires some prerequisite knowledge. There are workshops and tutorials you can start with. Diving into the standard as a newcomer might be tough. Take a look at this: https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285

And please avoid swearing. 

For the rest of the questions, I might just add that even though Webauthn is not perfect, because nothing is, this standard is five years of work, debates, arguments, and careful consideration by many specialists, including the creators of JWT, if you are not aware, and this is what they came up with.

If you have some clear and constructive ideas, that would be far more beneficial to this group than coming out with a vocal IMHO "everything is crap, I don't like it".

-- 
GitHub Notification of comment by herrjemand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1709#issuecomment-1075480030 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 22 March 2022 18:29:15 UTC
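What the "byte buffers containing CBOR structures, which in turn contain nested byte buffers" complained about above look like on the relying-party side, as an added example that is not part of the original thread, the WebAuthn spec, or any of the linked libraries: a standard-library Python parser for a registration attestationObject. The outer object is a CBOR map {fmt, attStmt, authData}; authData is a fixed-layout byte buffer (rpIdHash, flags, signCount, then AAGUID, a 2-byte length, the credentialId and a CBOR-encoded COSE public key); the parser checks every length against the buffer, rejects trailing bytes, and compares rpIdHash against the expected RP ID. The sample object is constructed here: the RP ID example.com, the all-zero AAGUID, the credentialId and the P-256 coordinates are made-up values (the coordinates are not a real curve point), and since the sample uses fmt "none" there is no attestation signature to verify.

```python
# Added example (not from the original thread): stdlib-only attestationObject parser.
import hashlib
import struct

FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80  # authenticatorData flag bits


def cbor_decode(data, pos=0):
    """Decode one definite-length CBOR item at `pos`; return (value, next_pos)."""
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, ai, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
    if ai < 24:
        arg = ai
    elif ai < 28:  # 1, 2, 4 or 8 following bytes carry the argument
        size = 1 << (ai - 24)
        if pos + size > len(data):
            raise ValueError("truncated CBOR head")
        arg, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length or reserved CBOR item")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):  # byte string / UTF-8 text string of `arg` bytes
        if pos + arg > len(data):
            raise ValueError("CBOR string runs past end of buffer")
        chunk = bytes(data[pos:pos + arg])
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major in (4, 5):  # array of `arg` items / map of `arg` key-value pairs
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_authenticator_data(ad):
    """rpIdHash(32) | flags(1) | signCount(4, BE) | [AAGUID, len, credId, COSE key] | [extensions]."""
    if len(ad) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = ad[32]
    out = {"rpIdHash": bytes(ad[:32]), "flags": flags, "up": bool(flags & FLAG_UP),
           "uv": bool(flags & FLAG_UV), "signCount": struct.unpack_from(">I", ad, 33)[0],
           "attestedCredentialData": None, "extensions": None}
    pos = 37
    if flags & FLAG_AT:
        if len(ad) < pos + 18:
            raise ValueError("attested credential data truncated")
        aaguid, pos = bytes(ad[pos:pos + 16]), pos + 16
        cred_len, pos = struct.unpack_from(">H", ad, pos)[0], pos + 2
        if len(ad) < pos + cred_len:
            raise ValueError("credentialId runs past end of buffer")
        cred_id, pos = bytes(ad[pos:pos + cred_len]), pos + cred_len
        cose_key, pos = cbor_decode(ad, pos)  # nested CBOR inside the byte buffer
        out["attestedCredentialData"] = {"aaguid": aaguid, "credentialId": cred_id,
                                         "credentialPublicKey": cose_key}
    if flags & FLAG_ED:
        out["extensions"], pos = cbor_decode(ad, pos)
    if pos != len(ad):
        raise ValueError("%d trailing bytes in authenticatorData" % (len(ad) - pos))
    return out


def parse_attestation_object(blob, rp_id):
    """Decode the outer {fmt, attStmt, authData} map; reject authData minted for another RP."""
    att, end = cbor_decode(blob)
    if end != len(blob):
        raise ValueError("trailing bytes after attestationObject")
    auth = parse_authenticator_data(att["authData"])
    if auth["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match RP ID %r" % rp_id)
    return att["fmt"], att["attStmt"], auth


def _head(major, n):  # CBOR head for an argument below 65536; only used to build the sample
    if n < 24:
        return bytes([(major << 5) | n])
    return bytes([(major << 5) | 24, n]) if n < 256 else bytes([(major << 5) | 25]) + struct.pack(">H", n)


def build_sample_attestation_object(rp_id="example.com"):
    """Constructed fmt "none" object for an ES256 credential; RP ID and key bytes are made up."""
    aaguid, cred_id = bytes(16), bytes(range(16))  # fmt "none" zeroes the AAGUID
    x, y = b"\x11" * 32, b"\x22" * 32  # placeholder coordinates, not a real P-256 point
    # COSE_Key {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}
    cose = b"\xa5\x01\x02\x03\x26\x20\x01\x21" + _head(2, 32) + x + b"\x22" + _head(2, 32) + y
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) +
                 struct.pack(">I", 1) + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose)
    return (_head(5, 3) + _head(3, 3) + b"fmt" + _head(3, 4) + b"none" +
            _head(3, 7) + b"attStmt" + _head(5, 0) +
            _head(3, 8) + b"authData" + _head(2, len(auth_data)) + auth_data)


if __name__ == "__main__":
    print(parse_attestation_object(build_sample_attestation_object(), "example.com"))
```

Running the file decodes the constructed object back into fmt "none", an empty attStmt, and the parsed authenticatorData with the COSE key as a dict keyed by the integer COSE labels. A real verifier would go on to check the signature in attStmt according to fmt and to confirm the COSE key's algorithm matches what the RP asked for; the point here is only that each nesting level of the format has its own length field, and a parser that trusts any of them without a bounds check reads past the buffer.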