Re: [webauthn] Improved version of extension for Transaction Confirmation (#2020)

I am very much in favor of reintroducing the `txAuthSimple` extension for all the reasons already mentioned above.

I agree with @mage28's arguments for using plain text in the `txAuthSimple` extension. After all, I think it was named "simple" for a reason. It should be as simple as possible to support by all parties involved and you can't get any more basic than plain text. Dealing with structured data is a job for something like `txAuthGeneric` which had a `contentType` field to specify how the data should be interpreted. I am not disputing @petrdvorak's statement that "structured data can accommodate any use case where the plain text is sufficient", but I am a bit worried that adding any complexity could become a blocker for wider adoption of the `txAuthSimple` extension.

One thing that deserves discussion IMHO is how to handle the fact that the authenticator may insert line breaks if needed. The question is whether the authenticator extension output should include the line breaks, like in the earlier L1 version of the spec, or exclude them, as is the case in the present PR. I can see arguments on both sides. If the way the message is displayed on the authenticator is broken up such that the user misinterprets its meaning, then there can be legal consequences. The signature issued by the authenticator should therefore reflect the exact string that the user authorized so that it can serve as evidence in case of a dispute. On the other hand, this of course puts extra work on the relying party, because it needs to evaluate whether the returned `txAuthSimpleOutput` is acceptable. In the simplest case this could just mean replacing all line breaks in `txAuthSimpleOutput` with spaces and comparing to the original `transactionText`. But things can quickly become more complicated, for example, with narrow screens which may require breaking up long words or other expressions without spaces, e.g. IBAN.

-- 
GitHub Notification of comment by andrewkozlik
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2020#issuecomment-1989128366 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 March 2024 18:13:42 UTC