Re: [webauthn] Make AuthenticatorAttestationResponseJSON.clientDataJSON a DOMString or USVString (#2060)

Adding to what @MasterKale said - critically, the encoding of `clientDataJSON` MUST remain byte-for-byte identical in transmission from authenticator to server so that the signature over it remains valid. Intermediate parties should not be led to believe that they can safely parse and re-serialize the JSON, because any change to it would break the signature even if the re-serialized JSON is semantically equivalent. Therefore `clientDataJSON` is defined as a byte array rather than a `DOMString`, to emphasize that intermediate parties should consider it as opaque. These are essentially the same reasons as why [JWS](https://www.rfc-editor.org/rfc/rfc7515.html#section-3) also serializes everything as base64-encoded byte arrays even though many of the components are JSON data.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2060#issuecomment-2074657869 using your GitHub account



Received on Wednesday, 24 April 2024 10:46:04 UTC
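The point made in the comment above, as an added example for Node.js that is not part of the original message or the WebAuthn specification: an assertion signature covers `authenticatorData || SHA-256(clientDataJSON)`, so relaying the bytes opaquely keeps it valid while a parse-and-re-serialize step breaks it. The key pair, the sample `clientDataJSON`, the authenticator data and all helper names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for an authenticator's ES256 credential key pair.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Constructed clientDataJSON, exactly as the client serialized it.
const clientDataJSON = Buffer.from(
  '{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQtY2hhbGxlbmdl",' +
  '"origin":"https://example.org","crossOrigin":false}', "utf8");

// Constructed authenticator data: rpIdHash (32) | flags (1) | signCount (4).
const authData = Buffer.concat([
  sha256(Buffer.from("example.org")), Buffer.from([0x01]), Buffer.from([0, 0, 0, 1])]);

// The signed message is authData || SHA-256(clientDataJSON bytes).
const signedMessage = (clientDataBytes) => Buffer.concat([authData, sha256(clientDataBytes)]);
const signAssertion = (clientDataBytes) =>
  crypto.sign("sha256", signedMessage(clientDataBytes), privateKey);
const verifyAssertion = (clientDataBytes, signature) =>
  crypto.verify("sha256", signedMessage(clientDataBytes), publicKey, signature);

// Safe relay: treat the value as opaque bytes, base64url in transit.
function relayOpaque(bytes) {
  return Buffer.from(bytes.toString("base64url"), "base64url");
}

// Unsafe relay: an intermediary parses the JSON and writes it back out,
// here with sorted keys as a canonicalizing serializer would.
function relayReserialized(bytes) {
  const obj = JSON.parse(bytes.toString("utf8"));
  return Buffer.from(JSON.stringify(obj, Object.keys(obj).sort()), "utf8");
}

// Same members and values, regardless of key order.
function semanticallyEqual(a, b) {
  const canon = (buf) => relayReserialized(buf).toString("utf8");
  return canon(a) === canon(b);
}

function demo() {
  const signature = signAssertion(clientDataJSON);
  const rewritten = relayReserialized(clientDataJSON);
  return {
    opaqueVerifies: verifyAssertion(relayOpaque(clientDataJSON), signature),
    sameMeaning: semanticallyEqual(clientDataJSON, rewritten),
    sameBytes: rewritten.equals(clientDataJSON),
    rewrittenVerifies: verifyAssertion(rewritten, signature),
  };
}
```
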