Re: [webauthn] Make AuthenticatorAttestationResponseJSON.clientDataJSON a DOMString or USVString (#2060)

> Adding to what @MasterKale said - critically, the encoding of `clientDataJSON` MUST remain byte-for-byte identical in transmission from authenticator to server so that the signature over it remains valid. Intermediate parties should not be led to believe that they can safely parse and re-serialize the JSON, because any change to it would break the signature even if the re-serialized JSON is semantically equivalent. Therefore `clientDataJSON` is defined as a byte array rather than a `DOMString`, to emphasize that intermediate parties should consider it as opaque. These are essentially the same reasons as why [JWS](https://www.rfc-editor.org/rfc/rfc7515.html#section-3) also serializes everything as base64-encoded byte arrays even though many of the components are JSON data.

`clientDataJSON` is not the only item that must remain identical, though. For example, RP ID must also remain identical since a SHA-256 hash of it is matched with `rpIdHash` in `authData`; yet RP ID is modeled as a `DOMString` and not `ArrayBuffer`. I find it _more_ likely RP ID gets altered in transit since an RP ID only [needs to be a valid domain string](https://github.com/w3c/webauthn/issues/2059). For example, `www.EXample.com` very likely will be altered into `www.example.com` when sent from the server to authenticator, which will cause the registration to fail.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2060#issuecomment-2075192807 using your GitHub account


Received on Wednesday, 24 April 2024 15:16:02 UTC
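
Added example, not part of the original comment or of the WebAuthn specification: a Python sketch of the two byte-exact checks discussed in this message, showing that a semantically equivalent re-serialization of `clientDataJSON` changes the hash that is signed, and that a case-altered RP ID no longer matches `rpIdHash`. All sample values are constructed and the function names are hypothetical.

```python
import hashlib
import json

# Constructed sample: compact clientDataJSON bytes as a client might emit them.
CLIENT_DATA_JSON = (
    b'{"type":"webauthn.create","challenge":"Y29uc3RydWN0ZWQ",'
    b'"origin":"https://www.example.com","crossOrigin":false}'
)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def reserialize(raw: bytes) -> bytes:
    """What a well-meaning intermediary does: parse the JSON, then serialize it again."""
    return json.dumps(json.loads(raw)).encode("utf-8")


def client_data_hash_survives(signed_bytes: bytes, received_bytes: bytes) -> bool:
    """The signature covers SHA-256(clientDataJSON), so the received bytes
    must hash to the same value as the bytes that were signed."""
    return sha256(signed_bytes) == sha256(received_bytes)


def build_auth_data(rp_id_seen_by_authenticator: str) -> bytes:
    """Constructed minimal authData: rpIdHash (32 bytes), flags (1), signCount (4)."""
    return sha256(rp_id_seen_by_authenticator.encode("utf-8")) + b"\x01" + bytes(4)


def rp_id_matches(expected_rp_id: str, auth_data: bytes) -> bool:
    """Relying Party check: SHA-256 of the RP ID it expects must equal rpIdHash."""
    return sha256(expected_rp_id.encode("utf-8")) == auth_data[:32]


if __name__ == "__main__":
    altered = reserialize(CLIENT_DATA_JSON)
    print("same JSON value:", json.loads(altered) == json.loads(CLIENT_DATA_JSON))
    print("hash survives  :", client_data_hash_survives(CLIENT_DATA_JSON, altered))

    # Scenario from the comment: the server holds "www.EXample.com", but the
    # string is lowercased somewhere before the authenticator hashes it.
    auth_data = build_auth_data("www.example.com")
    print("server 'www.EXample.com' matches:", rp_id_matches("www.EXample.com", auth_data))
    print("server 'www.example.com' matches:", rp_id_matches("www.example.com", auth_data))
```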