agl
commented
4 months ago Backwards compatibility, and aspects of browser/security key interaction require the non-JSON field to be optional. But those cases don't apply here.
Closed zacknewman closed 4 months ago
agl
commented
4 months ago Backwards compatibility, and aspects of browser/security key interaction require the non-JSON field to be optional. But those cases don't apply here.
agl
commented
4 months ago Hmm, having just said that, it does beg the question of what a browser is to do when converting to JSON a response for which it does not recognise the public key algorithm. Still, more nuance than simply making them optional is called for: the point is that COSE is an obscure standard and forcing people to decode it is an impediment to implementations, which as much as possible should be able to depend on these fields being populated.
zacknewman
commented
4 months ago Upon reflecting more, I think the best way forward would be to define a separate dictionary that contains required fields for authenticatorData, publicKey, and publicKeyAlgorithm; and this dictionary is an optional field called <whateverYouWant>.
I understand the motivation behind providing this data, but the data really only makes sense if all of the fields exist. As soon as publicKey does not exist, then the other two just provide more work for a client for no benefit since the RP will still have to parse the COSE payload.
AuthenticatorAttestationResponseJSON.publicKeyAlgorithmserves no purpose withoutAuthenticatorAttestationResponseJSON.publicKeyalso existing. The latter is wisely optional, so this should be too. Fixes #2106.Preview | Diff