Re: [webauthn] Clarification on CBOR-encoding of COSE keys (#2054)

Interesting. I'll have to ruminate if my library should support such types then. I wish that were the only issue with the technical documentation. For example, [FIDO2 CTAP2.1](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#authenticatormakecredential-response-structure) describes the format of an attestation object that does not align with [WebAuthn Level 3](https://www.w3.org/TR/webauthn/#attestation-object) (specifically it has `authData` coming before `attStmt`) in addition to contradicting itself with how it describes the CTAP2 canonical CBOR encoding form. Even the example that is provided in [FIDO2 CTAP 2.0](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#commands) does not seem right. For example, here is a snippet that shows the keys of the map to be `unsigned(1)`, `unsigned(2)`, and `unsigned(3)` and not the keys they're supposed to be (e.g., `"fmt"`) in addition to having `authData` coming before `attStmt`:

```cbor
00                                      # status = success
a3                                      # map(3)
   01                                   # unsigned(1)
   66                                   # text(6)
      7061636b6564                      # "packed"
   02                                   # unsigned(2)
   58 9a                                # bytes(154)
      c289c5ca9b0460f9346ab4e42d842743  # authData
      404d31f4846825a6d065be597a87051d  # ...
      410000000bf8a011f38c0a4d15800617  # ...
      111f9edc7d00108959cead5b5c48164e  # ...
      8abcd6d9435c6fa363616c6765455332  # ...
      353661785820f7c4f4a6f1d79538dfa4  # ...
      c9ac50848df708bc1c99f5e60e51b42a  # ...
      521b35d3b69a61795820de7b7d6ca564  # ...
      e70ea321a4d5d96ea00ef0e2db89dd61  # ...
      d4894c15ac585bd23684              # ...
```

I'm more confident in my stance that such inconsistencies are wrong, unlike the `kty` stuff.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2054#issuecomment-2026265216 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 28 March 2024 22:47:30 UTC
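
The key-type and key-order question raised in the comment above, as an added example that is not part of the original message or of either specification: a small definite-length CBOR reader that lists a map's keys in wire order and checks them against the CTAP2 canonical key sort (lower major type first, then shorter encoding, then bytewise). The function names are hypothetical and the sample bytes are constructed, with a 37-byte all-zero stand-in for `authData`.

```python
def read_head(buf, i):
    """Decode the CBOR head at buf[i]; return (major type, argument, next index)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    if info < 24:
        return major, info, i + 1
    if info > 27:
        raise ValueError("indefinite or reserved length is not handled")
    size = 1 << (info - 24)                       # 1, 2, 4 or 8 argument bytes
    return major, int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size

def decode(buf, i=0):
    """Decode one item; a map becomes a list of (key, raw key bytes, value) in wire order."""
    major, arg, i = read_head(buf, i)
    if major == 0:
        return arg, i
    if major == 1:
        return -1 - arg, i
    if major in (2, 3):
        if i + arg > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[i:i + arg])
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    if major != 5:
        raise ValueError(f"major type {major} is not handled")
    pairs = []
    for _ in range(arg):
        key_start = i
        key, i = decode(buf, i)
        key_raw = bytes(buf[key_start:i])
        value, i = decode(buf, i)
        pairs.append((key, key_raw, value))
    return pairs, i

def key_report(buf, offset=0):
    """Return (keys in wire order, True if that order is CTAP2-canonical)."""
    pairs, end = decode(buf, offset)
    if end != len(buf):
        raise ValueError("trailing bytes after the map")
    raws = [raw for _, raw, _ in pairs]
    # CTAP2 canonical sort: lower major type, then shorter encoding, then bytewise.
    return [k for k, _, _ in pairs], raws == sorted(raws, key=lambda r: (r[0] >> 5, len(r), r))

# Constructed sample data (not taken from any specification or device).
AUTH = b"\x58\x25" + bytes(37)                    # bytes(37), all zero
STMT = b"\xa2\x63alg\x26\x63sig\x41\x00"          # {"alg": -7, "sig": h'00'}
INT_KEYED = b"\x00\xa3\x01\x66packed\x02" + AUTH + b"\x03" + STMT   # status byte + map
TEXT_WIRE = b"\xa3\x63fmt\x66packed\x68authData" + AUTH + b"\x67attStmt" + STMT
TEXT_SORTED = b"\xa3\x63fmt\x66packed\x67attStmt" + STMT + b"\x68authData" + AUTH
```

With integer keys the order 1, 2, 3 is already canonical, while the same member order written with text keys is not, because the encoded key `"attStmt"` is shorter than the encoded key `"authData"` and therefore sorts first.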