New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unspecified CBOR encoding of high-valued integer numbers due to unspecified threshold #1044
Comments
I think we should write something to state the obvious here, that implementations are not allowed to arbitrarily change integers into floating-point values. However, it seems unlikely that we'll tidy this up prior to PR. |
(From the call of 2019-02-06:) It's also possible for a floating-point value in Javascript to happen to be an integer. Thus the type of the translated CBOR will depend on the values of the input, which seems like it would break things. However, since we don't have any implementations of the generic transform of extensions that I'm aware of, we could change things in level two without breaking any existing systems. |
Note that if values used by an extension are floating point, the extension can specify that they always be represented as floating point - even if values happen to be integers. The location extension https://www.w3.org/TR/webauthn/#sctn-location-extension does this for the coordinate values, for instance. |
@jcjones Please review |
Unless @jcjones disagrees, I believe that we should close this with no action. |
I agree with closing this no action. Ultimately, this has to be some other spec's fix. |
Cross-referencing the issue for the draft revision of the CBOR specification. |
I should make an observation: Strictly speaking there are no "integer numbers" (that is, integer number types) in JavaScript (until perhaps recently with BigInt). JavaScript until recently has only one number type, namely a 64-bit floating-point number (of the class |
I see that currently, of the defined WebAuthn extensions, only
With these changes, this issue becomes resolved as moot. |
Section 9 contains the following text:
However, because section 4.2 of the RFC says the following:
and section 9 doesn't specify a threshold in this sense, then CBOR canonicalization is not possible if those integers are present — as a result it is not specified unambiguously whether certain integers higher than a threshold (232? 231? 264? some other threshold?) should be encoded as integers as or as floating-point numbers, since the relevant threshold is "implementation-defined".
The text was updated successfully, but these errors were encountered: