Re: [webauthn] UTF-8 decode should not be required for response.clientDataJSON and cData (#2100)

To add to this, [the limited verification algorithm](https://www.w3.org/TR/webauthn-3/#clientdatajson-verification) doesn't even rely on UTF-8 decode or any other decoding. This means the whole BOM stripping isn't even applicable to it. Either steps need to be added to both the serialization and limited verification algorithms or UTF-8 decode should not be required. If BOM stripping is necessary, then in order for the limited verification algorithm to be consistent, step 2 should be added to the serialization section:

> 1. Let _result_ be an empty byte string.
> 2. Optionally append 0xefbbbf (i.e., U+FEFF) to _result_.
> 3. Append 0x7b2274797065223a (`{"type":`) to _result_.

Similarly, steps 4 and 5 should be added to the limited verification algorithm:

> 2. Let _expected_ be an empty byte string.
> 3. If _clientDataJSON_ is not at least 3 bytes long, fail.
> 4. Let _bom_ be the first three bytes of _clientDataJSON_.
> 5. If _bom_ is 0xefbbbf (i.e., U+FEFF), then append 0xefbbbf to _expected_.
> 4. Append 0x7b2274797065223a (`{"type":`) to _expected_.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2100#issuecomment-2239584170 using your GitHub account



Received on Friday, 19 July 2024 16:34:50 UTC
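
The two proposals in the comment above, combined into one byte-level check, as an added example (not code from the specification or from the comment's author): it mirrors an optional leading BOM into _expected_ and then compares raw bytes with no UTF-8 decode. It covers only the same-origin case (`crossOrigin` false, no `topOrigin`); the function names and the sample values are assumptions.

```python
import base64

BOM = bytes.fromhex("efbbbf")  # U+FEFF encoded as UTF-8

def ccd_to_string(s: str) -> bytes:
    """Quoted JSON string with the escaping rules of the spec's CCDToString."""
    out = ['"']
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    out.append('"')
    return "".join(out).encode("utf-8")

def limited_verify(client_data_json: bytes, type_: str,
                   challenge: bytes, origin: str) -> bool:
    """Prefix comparison on raw bytes; never decodes client_data_json."""
    expected = b""
    # Proposed steps 3-5: a leading BOM, if present, is copied into expected.
    if len(client_data_json) < 3:
        return False
    if client_data_json[:3] == BOM:
        expected += BOM
    expected += b'{"type":' + ccd_to_string(type_)
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode("ascii")
    expected += b',"challenge":' + ccd_to_string(b64)
    expected += b',"origin":' + ccd_to_string(origin)
    expected += b',"crossOrigin":false'  # same-origin case only (assumption)
    if not client_data_json.startswith(expected):
        return False
    if len(client_data_json) <= len(expected):
        return False
    # The next byte must close the object or start another member.
    return client_data_json[len(expected)] in (0x7D, 0x2C)  # '}' or ','

# Constructed sample values (not from the page).
CHALLENGE = bytes(range(16))
ORIGIN = "https://example.com"
SAMPLE = (b'{"type":"webauthn.get","challenge":"AAECAwQFBgcICQoLDA0ODw"'
          b',"origin":"https://example.com","crossOrigin":false}')

if __name__ == "__main__":
    for label, data in (("no BOM", SAMPLE), ("BOM", BOM + SAMPLE)):
        print(label, limited_verify(data, "webauthn.get", CHALLENGE, ORIGIN))
```

Without the BOM branch, the second input fails the prefix test even though a verifier that runs UTF-8 decode first would accept it, which is the inconsistency the comment describes.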