emlun
commented
1 week ago This problem would also apply to any other "preference-ordered sequence" parameters, namely pubKeyCredParams and hints. For hints it is explicitly specified that duplicates are ignored, but pubKeyCredParams and attestationFormats have no explicit statement like that.
I don't think this is a problem in practice, though, precisely because both pubKeyCredParams and attestationFormats are meant so that the authenticator simply iterates through them and picks the first option it supports. Thus if a supported option appears more than once, the authenticator will just pick the first occurrence and ignore the rest. If an unsupported option appears more than once, it will just be rejected each time it is encountered. In both cases, everything works as expected.
One could make the argument that duplicates are most likely unintended, so it's better to reject them so the RP finds out about the issue. This would, however, not be backwards compatible with existing RP implementations that (intentionally or accidentally) rely on duplicates being silently ignored.
Kieun
Proposed Change
In the spec, we introduce
attestationFormatsfor RPs to indicate the attestation statement format preference for create options. The definition in the spec is as follows.Since the value itself is the list of ordered preferences, it implies that the element of the fields would be
unique. The sequence<'T'> does not have any such constraints for uniqueness.Thus, duplicated entries in the
attestationFormatsmay be valid input as per the current spec. We may add some constraints around the field itself or we could describe the way for authenticator and client to handle such duplicated entries without throwing errors.This issue is related to the #2145 and maybe we could resolve this issue with similar manner.