[webauthn] Why not make things simple? (#1709)

dagnelies has just created a new issue for https://github.com/w3c/webauthn:

== Why not make things simple? ==
Hi,

RFC was originally meant as a "Request For Comments", so here goes my comment as a humble nobody.

I find the goal of the spec revolutionary and it is an ideal to reach. Less passwords, more security, smoother interaction. That's what the world needs!

However, regarding the spec itself, I've never seen (nor could I have imagined) something so complex, messy and feeling so outdated.

- *outdated*: byte buffers containing CBOR structures, which in turn contain nested byte buffers which are a concatenation of flags, byte lengths and nested CBOR... shouldn't such things be a relic of the last century?!
- *messy*: there are many different attestation formats, each with its own way to be parsed, interpreted and validated... Isn't it kind of ironic for a "standard"?!
- *complex*: it's fucking 165 pages long!!! It's huge, it's difficult to read, it's sometimes unclear, sometimes obscure... Who can even understand all that?!

Since the goal itself is amazing and to "make it work so far" is already a tremendous achievement, I'm also sorry to hurt some feelings here. However, from a third-party's perspective, the spec in its current form is a source of frustration and headaches. I would even argue that its own complexity hampers adoption and increases security risks, since proper validation and ensuring that no loopholes were missed is very tricky in this 165-page-long spec.

What also puzzles me greatly is that there are already wonderful and simple RFCs for signing content. It's nothing new, it's something really basic and widespread. I'm referring to [JWT](https://jwt.io) which is simply arbitrary JSON payload with a signature. It would have been so simple if this API used it. The whole spec would have been simplified greatly:

```js
let registration = await navigator.credentials.create({...}); // Obtain a JSON Web Token
let login        = await navigator.credentials.get({...});    // Obtain a JSON Web Token
```

Here goes your signed content. Everyone understands it, it's simple, it's standardized, there is an RFC for it, and a plethora of tested libs to validate their signatures. It would have been so easy. ...so well, if there is a new version one day, it would be nice to see this RFC cut down to a few simple pages, with tokens that are easily validated and understood. I guess it's a pipe dream, but who knows, asking never hurts ...I hope.

Please bear in mind that this RFC is shaping the future of passwordless, it's no small feat! Let me stress the importance and far-reaching consequences of it. Being smaller, clearer, easier to work with would provide profound and significant impact. It would make the adoption faster, easier, safer ...or the opposite for the decades to come.

Thanks for your attention, sorry for the hurt feelings.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1709 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 22 March 2022 17:09:51 UTC