My concern was that if different clients use different integer thresholds for passing through unrecognized extensions (and neither WebAuthn nor RFC 7049 specify a default threshold), then that will hinder bit-for-bit comparison or hashing of CTAP2 messages with the same content. This concern is not relevant if the only purpose of canonicalizing CTAP2 messages (both in WebAuthn and elsewhere) is, as the CTAP2 protocol states, "[t]o reduce the complexity of the messages and the resources required to parse and validate them", and not also to enable bit-for-bit comparison or hashing of CTAP2 messages with semantically equal content.

My concern is not whether clients will convert some floating-point values to integers when they pass through unrecognized extensions, but at what integer threshold they do so.

@peteroupc I don't think that should be a problem, at least for WebAuthn ceremonies. The RP has no direct control of the exact bytes being sent to the authenticator anyway (because the client can add random extra stuff to the CollectedClientData, for example), so you can't rely on the same input producing the exact same outputs even with deterministic signatures.

If that's the case, then there should be an additional note that different clients might choose different integer thresholds for converting floating-point values to integers, and that this is not a problem because canonicalized CTAP2 messages generated by the protocol are not meant to be compared bit-for-bit with each other (either directly or via hash codes). This is unlike other protocols like DKIM and XML Signature, which do use canonicalization for bit-for-bit data comparison.

Perhaps the CTAP2 protocol can also clarify that the canonical form it specifies is not intended to enable bit-for-bit comparisons either.

For your information: See cbor-wg/CBORbis#117, which modifies the CBOR revision to include defaults for encoding JSON numbers as CBOR.