- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Mon, 22 Jul 2024 15:36:22 +0000
- To: public-webauthn@w3.org

Obviously there's a tension around how "limited" the limited algorithm is. If it keeps gaining things it'll be no better than writing a small JSON parser! The original motivation for it was that OpenSSH would not accept a JSON parser in their code, and I had sufficient sympathy for that to propose that we constrain the format of the client data accordingly.

If this were proposed as a PR, I wouldn't have strong feelings either way, but I do worry in general that the limited form wasn't really intended for normal Web usage, and I'm not sure that we want to adopt a norm that we keep extending the algorithm to cover everything.

Could you expand on why your case both seems to be web-based, yet wants to use the limited algorithm? Is it that you look at results [like this](https://seriot.ch/projects/parsing_json.html#41) and feel that JSON is insufficiently rigorously defined for such usages? If so, I think the saving grace here is that the signature tells you, before parsing, that the JSON is as originally generated and, if the generator (i.e. browser) is trying to mess with you, you've already lost.

--
GitHub Notification of comment by agl

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2102#issuecomment-2243256705 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 July 2024 15:36:23 UTC