[webauthn] UAs can't pass unknown extensions to authenticators

jyasskin has just created a new issue for https://github.com/w3c/webauthn:

== UAs can't pass unknown extensions to authenticators ==
https://w3c.github.io/webauthn/#extensions claims that 
> Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not recognize to authenticators, generating the authenticator extension input by simply encoding the client extension input in CBOR.

However,
1. "simply encoding the client extension input in CBOR" is underspecified: it could refer to https://tools.ietf.org/html/rfc7049#section-4.2, but like with canonical CBOR, the RFC's suggestion is probably not quite right for our use. For example, should the value `1.9` be sent as-is, rejected, or converted to an integer first? If it's sent as-is, as suggested by the RFC, we'll need to extend CTAP's definition of canonical CBOR, which doesn't support floating point values.
2. As long as extensions define their own conversions as requested by #626, these conversions are likely to be different from the generic conversion, forcing authenticators to deal with two different input formats, which they're likely to do wrong.

To keep things simple, I suggest requiring that UAs drop unknown extensions instead of forwarding them. If someone disagrees, I'd like them to write a PR defining the generic conversion from JS objects to CBOR that UAs are supposed to use.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/738 using your GitHub account

Received on Tuesday, 9 January 2018 17:51:06 UTC
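To make the first point of the issue concrete, here is an added example (not code from the issue, the WebAuthn spec, or the w3c/webauthn project): a minimal CBOR encoder for the subset of JavaScript values a client extension input is likely to contain, following a CTAP-style canonical form (shortest integer and length encodings, map keys sorted shorter-first then bytewise). It takes the "reject" option for a value like `1.9`, since the issue notes CTAP's canonical CBOR has no place for floats, and `buildAuthenticatorExtensions` shows the two UA policies the issue contrasts: drop unknown extensions, or push them through this generic conversion. All function names, the `exampleCounter`/`exampleRatio` extension identifiers and the sample inputs are constructed for this example; `TextEncoder` is assumed available (browser or Node).

```javascript
// Added example: CTAP-style canonical CBOR encoding of JS values.
// Not from the WebAuthn spec; helper names and sample data are invented.

// Shortest-form encoding of a CBOR head (major type + argument).
function encodeHead(majorType, n) {
  const mt = majorType << 5;
  if (n < 24) return [mt | n];
  if (n < 0x100) return [mt | 24, n];
  if (n < 0x10000) return [mt | 25, n >>> 8, n & 0xff];
  if (n < 0x100000000) {
    return [mt | 26, (n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
  }
  const big = BigInt(n); // 64-bit argument: split with BigInt
  const out = [mt | 27];
  for (let shift = 56n; shift >= 0n; shift -= 8n) out.push(Number((big >> shift) & 0xffn));
  return out;
}

// Shorter encoded key sorts first, then bytewise lexical order.
function compareBytes(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns the canonical CBOR bytes (as an array of numbers) for `value`,
// or throws for values the generic conversion cannot represent.
function encodeCanonical(value) {
  if (typeof value === "boolean") return [0xe0 | (value ? 21 : 20)];
  if (value === null) return [0xf6];
  if (typeof value === "number") {
    if (!Number.isInteger(value)) {
      // The issue's open question: 1.9 could be sent as a float (major type 7),
      // rejected, or truncated. This encoder rejects it rather than guess.
      throw new TypeError(`non-integer number ${value} has no canonical CTAP encoding`);
    }
    if (!Number.isSafeInteger(value)) throw new RangeError(`integer out of range: ${value}`);
    return value >= 0 ? encodeHead(0, value) : encodeHead(1, -1 - value); // negative: -1 - n
  }
  if (typeof value === "string") {
    const bytes = Array.from(new TextEncoder().encode(value));
    return [...encodeHead(3, bytes.length), ...bytes];
  }
  if (value instanceof Uint8Array) return [...encodeHead(2, value.length), ...value];
  if (Array.isArray(value)) {
    const out = encodeHead(4, value.length);
    for (const item of value) out.push(...encodeCanonical(item));
    return out;
  }
  if (typeof value === "object") {
    // JS object keys are always strings, so every key shares major type 3;
    // CTAP-style ordering then reduces to length, then bytewise comparison.
    const pairs = Object.keys(value).map((k) => ({
      key: encodeCanonical(k),
      val: encodeCanonical(value[k]),
    }));
    pairs.sort((a, b) => compareBytes(a.key, b.key));
    const out = encodeHead(5, pairs.length);
    for (const p of pairs) out.push(...p.key, ...p.val);
    return out;
  }
  throw new TypeError(`unsupported value type: ${typeof value}`);
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Simulates a UA's handling of client extension inputs. `knownIds` are the
// extensions the UA implements; `dropUnknown` selects the policy the issue
// proposes. Unknown extensions the generic conversion cannot encode are
// reported in `rejected` rather than silently altered.
function buildAuthenticatorExtensions(clientInputs, knownIds, dropUnknown) {
  const forwarded = {};
  const rejected = [];
  for (const [id, input] of Object.entries(clientInputs)) {
    if (!knownIds.has(id) && dropUnknown) continue;
    try {
      forwarded[id] = toHex(encodeCanonical(input));
    } catch (e) {
      rejected.push(id);
    }
  }
  return { forwarded, rejected };
}

// Constructed sample: one extension the UA knows, one it does not, and the
// unknown one carries exactly the kind of value the issue asks about.
const SAMPLE_CLIENT_EXTENSION_INPUTS = {
  exampleCounter: 3,
  exampleRatio: { ratio: 1.9 },
};

console.log(buildAuthenticatorExtensions(SAMPLE_CLIENT_EXTENSION_INPUTS, new Set(["exampleCounter"]), true));
console.log(buildAuthenticatorExtensions(SAMPLE_CLIENT_EXTENSION_INPUTS, new Set(["exampleCounter"]), false));
```

With `dropUnknown` set, only `exampleCounter` reaches the authenticator; with pass-through enabled, `exampleRatio` ends up in `rejected` because the conversion has no defined answer for `1.9`, which is the gap the issue asks a PR to close before pass-through can be specified.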