Re: [webauthn] AttestationFormats may have duplicate entries (#2202)

This problem would also apply to any other "preference-ordered sequence" parameters, namely [`pubKeyCredParams`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-pubkeycredparams) and [`hints`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-hints). For `hints` it is [explicitly specified that duplicates are ignored](https://w3c.github.io/webauthn/#enumdef-publickeycredentialhint), but `pubKeyCredParams` and `attestationFormats` have no explicit statement like that.

I don't think this is a problem in practice, though, precisely because both `pubKeyCredParams` and `attestationFormats` are meant so that the authenticator simply iterates through them and picks the first option it supports. Thus if a supported option appears more than once, the authenticator will just pick the first occurrence and ignore the rest. If an unsupported option appears more than once, it will just be rejected each time it is encountered. In both cases, everything works as expected.

One could make the argument that it's better to reject duplicates because they are most likely unintended, so it's better to reject them so the RP finds out about the issue. This would, however, not be backwards compatible with existing RP implementations that (intentionally or accidentally) rely on duplicates being silently ignored.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2202#issuecomment-2476352561 using your GitHub account



Received on Thursday, 14 November 2024 13:24:53 UTC
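
The first-supported-option selection described in the comment above, as an added example that is not part of the original message, the WebAuthn specification, or any client implementation. The helper names, the sample option lists and the authenticator capabilities are constructed assumptions; it shows that duplicates never change which entry is selected, and how an RP can detect them on its own side without clients rejecting the request.

```javascript
// Added illustration: helper names and sample data are constructed, not spec text.

// Return the first entry of a preference-ordered list that is supported, or null.
function pickFirstSupported(preferences, isSupported) {
  for (const entry of preferences) {
    if (isSupported(entry)) return entry;
  }
  return null; // no supported entry, duplicated or not
}

// Drop later duplicates, keeping the first occurrence and the original order.
function dedupeKeepFirst(preferences, keyOf) {
  const seen = new Set();
  return preferences.filter((entry) => {
    const key = keyOf(entry);
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// RP-side lint: list keys that occur more than once, in order of first appearance.
function findDuplicates(preferences, keyOf) {
  const counts = new Map();
  for (const entry of preferences) {
    const key = keyOf(entry);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([key]) => key);
}

const paramKey = (p) => `${p.type}:${p.alg}`;

// Constructed sample options. COSE algorithm ids: -8 EdDSA, -7 ES256, -257 RS256.
const pubKeyCredParams = [
  { type: "public-key", alg: -8 },
  { type: "public-key", alg: -7 },
  { type: "public-key", alg: -8 },   // duplicate of an unsupported entry
  { type: "public-key", alg: -257 },
  { type: "public-key", alg: -7 },   // duplicate of a supported entry
];
const attestationFormats = ["tpm", "packed", "tpm", "packed"];

// Hypothetical authenticator: supports ES256 and RS256, and only "packed" attestation.
const supportsAlg = (p) => p.type === "public-key" && [-7, -257].includes(p.alg);
const supportsFmt = (f) => f === "packed";
```
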