[webauthn] "JSON serialization" in makeCredential probably needs to be defined more clearly

bzbarsky has just created a new issue for https://github.com/w3c/webauthn:

== "JSON serialization" in makeCredential probably needs to be defined more clearly ==
https://w3c.github.io/webauthn/#dom-webauthentication-makecredential step 8 says:

> compute the clientDataJSON and clientDataHash

where clientDataJSON is defined as:

> This is the UTF-8 encoded JSON serialization [RFC7159] of a ClientData dictionary.

and clientDataHash is defined as:

> This is the hash (computed using hashAlg) of clientDataJSON.

Unfortunately, RFC 7159 doesn't define a unique serialization format. For example, the following are all valid JSON serializations of the same data:

    { "foo": 5 }
    {"foo":5}
    {       "foo"     :      5       }

This is normally not a problem, because when parsed with a JSON parser they will all produce the same data structure. But here we're hashing the serialization, and the expectation is presumably that the hash is stable for a given ClientData. That means the JSON serialization needs to be specified somewhat more strictly than just "any valid JSON serialization of this data"...

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/274 using your GitHub account

Received on Friday, 4 November 2016 20:58:56 UTC
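The instability the issue describes, and one deterministic alternative, as an added example that is not part of the original post or of the WebAuthn specification. The three JSON texts are the ones quoted in the issue; the ClientData-like dictionary, the canonical_serialize rule (sorted keys, no insignificant whitespace) and the verifier helper are assumptions made here for illustration, not the serialization the spec eventually adopted.

```python
import hashlib
import json

# The three equivalent JSON texts quoted in the issue (constructed to match the post).
EQUIVALENT_TEXTS = [
    '{ "foo": 5 }',
    '{"foo":5}',
    '{       "foo"     :      5       }',
]


def client_data_hash(client_data_json: bytes, hash_alg: str = "sha256") -> str:
    """clientDataHash as the issue quotes it: a digest of the serialized bytes.
    hash_alg stands in for the spec's hashAlg (assumption: a hashlib name)."""
    return hashlib.new(hash_alg, client_data_json).hexdigest()


def hashes_of_texts(texts):
    """Hash each JSON text as UTF-8; equal data does not imply equal digests."""
    return [client_data_hash(t.encode("utf-8")) for t in texts]


def all_parse_equal(texts) -> bool:
    """Confirm the texts really are the same data once parsed."""
    parsed = [json.loads(t) for t in texts]
    return all(p == parsed[0] for p in parsed)


def canonical_serialize(client_data: dict) -> bytes:
    """Hypothetical canonical form: one byte string per dictionary, obtained by
    sorting keys, dropping whitespace and escaping non-ASCII. This is one
    deterministic choice made for this example, not the WebAuthn spec's rule."""
    text = json.dumps(client_data, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True)
    return text.encode("utf-8")


def canonical_hash(client_data: dict, hash_alg: str = "sha256") -> str:
    """Digest of the canonical form; stable across key order and whitespace."""
    return client_data_hash(canonical_serialize(client_data), hash_alg)


def verify_client_data_hash(received_json: bytes, claimed_hash: str,
                            hash_alg: str = "sha256") -> bool:
    """Verifier-side check (assumed design): hash exactly the bytes that were
    received instead of re-serializing parsed data, so the comparison does not
    depend on which of the many valid JSON layouts the client produced."""
    return client_data_hash(received_json, hash_alg) == claimed_hash


if __name__ == "__main__":
    # Same data, three texts, three different digests.
    for text, digest in zip(EQUIVALENT_TEXTS, hashes_of_texts(EQUIVALENT_TEXTS)):
        print(f"{text!r:40} -> {digest[:16]}...")
    print("parse equal:", all_parse_equal(EQUIVALENT_TEXTS))

    # A ClientData-like dictionary (constructed sample values) serialized twice
    # with different key order still yields one canonical digest.
    a = {"challenge": "c29tZS1jaGFsbGVuZ2U", "origin": "https://example.test", "type": "webauthn.create"}
    b = {"type": "webauthn.create", "origin": "https://example.test", "challenge": "c29tZS1jaGFsbGVuZ2U"}
    print("canonical digests equal:", canonical_hash(a) == canonical_hash(b))

    # Verifier hashing the received bytes accepts any layout the client chose.
    wire = EQUIVALENT_TEXTS[2].encode("utf-8")
    print("verifies:", verify_client_data_hash(wire, client_data_hash(wire)))
```

The first loop shows why "any valid serialization" is not enough: the digests differ even though every text parses to the same object. The canonical form removes that ambiguity on the producing side; the verifier helper shows the complementary approach of hashing the bytes as transmitted rather than reconstructing them from parsed data.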