#347 defines the "client processing" term for use in makeCredential() and getAssertion(), but it doesn't yet define an input and output format for the data, and it doesn't fix up the actual client processing definitions to have defined output. For example, https://w3c.github.io/webauthn/#extension-txauth refers to "default forwarding of client argument to authenticator argument.", but nothing has defined that default forwarding.
In that definition, I'm tempted to use canonical CBOR (since arbitrary CBOR is likely to increase parsing difficulty, which will cause vulnerabilities in authenticators), but:
We'll need some more details defined locally, like double vs float format, to make it actually canonical.
Not all JS objects can be serialized at all. We'll probably want to conceptually go through JSON.stringify in order to get a deterministic result for those.
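The determinism concern raised in the issue above, as an added example that is not part of the original thread or of the WebAuthn specification: a value is first normalized through JSON.stringify, then encoded with the canonical CBOR rules of RFC 7049 section 3.9. The function names are hypothetical, and encoding every non-integer number as a 64-bit double is an assumption, since the issue leaves the float format open.

```javascript
// Added example: deterministic CBOR bytes for a JSON-compatible extension input.
// Canonical rules (RFC 7049 section 3.9): shortest-form heads, definite lengths,
// map keys sorted by encoded length, then bytewise.
// Assumption: non-integer numbers are always encoded as 64-bit doubles.
function head(major, n) {
  const m = major << 5; // major type lives in the top three bits
  if (n < 24) return [m | n];
  if (n < 0x100) return [m | 24, n];
  if (n < 0x10000) return [m | 25, n >> 8, n & 0xff];
  if (n < 0x100000000) return [m | 26, n >>> 24, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
  throw new RangeError("argument too large for this sketch");
}

function compareBytes(a, b) { // bytewise order for equal-length encoded keys
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function encode(v) {
  if (v === null) return [0xf6];
  if (typeof v === "boolean") return [v ? 0xf5 : 0xf4];
  if (typeof v === "number") {
    if (Number.isInteger(v) && Math.abs(v) < 0x100000000) {
      return v >= 0 ? head(0, v) : head(1, -1 - v);
    }
    const view = new DataView(new ArrayBuffer(8));
    view.setFloat64(0, v); // big-endian IEEE 754 double
    return [0xfb, ...new Uint8Array(view.buffer)];
  }
  if (typeof v === "string") {
    const utf8 = new TextEncoder().encode(v);
    return [...head(3, utf8.length), ...utf8];
  }
  if (Array.isArray(v)) return [...head(4, v.length), ...v.flatMap((x) => encode(x))];
  const pairs = Object.keys(v).map((k) => [encode(k), encode(v[k])]);
  pairs.sort(([a], [b]) => a.length - b.length || compareBytes(a, b));
  return [...head(5, pairs.length), ...pairs.flat(2)];
}

function canonicalExtensionBytes(input) {
  // JSON.stringify returns undefined for functions, symbols and undefined,
  // and throws on cycles: those are the JS objects that cannot be serialized.
  const json = JSON.stringify(input);
  if (json === undefined) throw new TypeError("value is not JSON-serializable");
  return Uint8Array.from(encode(JSON.parse(json)));
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
console.log(toHex(canonicalExtensionBytes({ b: 1, a: "x" }))); // constructed sample input
```

Because key order and integer width are fixed by the encoder, a receiving parser can reject any input whose bytes differ from its own re-encoding instead of accepting several spellings of the same value.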
The [=client extension processing=] and [=authenticator extension processing=] inputs and outputs and representations are now well specified, since PR #389 has been merged. All the stuff about "default forwarding of client argument to authenticator argument" is gone. @jyasskin - if you agree, let's close this one. If you disagree, please say what additional steps need to be taken to address this for overall extension processing.
If there are specific issues remaining on the processing rules or representations for particular extensions, let's file individual issues against them. There's at least one that I have in mind myself...