
Why is the information that needs to be sent to the server so complicated? Specifically you need to send the rawId (raw bytes), clientDataJson (json), attestationObject (cbor) and the result of `getClientExtensionResults()` (js object). And then the attestationObject further includes an `authData` field which is itself a structure which contains another field which is CBOR encoded.

Why not a single CBOR object?



Can you clarify whether you mean only the `attestationObject` should be sent to the server or that everything should be encoded as a single CBOR object and then sent to the server?


I mean why are there multiple objects that have to be sent instead of a single cbor object. And why is some of it cbor and some of it json?


There are two complementary parts participating in the registration and authentication ceremonies, WebAuthn and CTAP. The response from the authenticator, as per the CTAP protocol standard, is encoded as CBOR. We need the JSON parts from the WebAuthn browser API for the parts in the ceremony that talk to the relying party (particularly for relaying the challenge responses, and allowed authenticator algorithms and behaviors).


Gets worse. Some of it is ASN.1 inside CBOR too. Some of it is a custom binary format containing CBOR.

The answer is as far as I know:

Backwards compatibility with bad decisions made in U2F

Also; relying on base64url is odd as there are no built-in functions in JavaScript to encode and decode it.


> Also; relying on base64url is odd as there are no built in functions in JavaScript to encode and decode it.

I'm probably missing something, but aren't window.atob and window.btoa just that? It's not available in Node though.


btoa is base64 not base64url. And even if it was base64url, it takes a "binary string", so using it on, say, a Uint8Array is non-trivial.


Thank you, I didn't realize the URL safe variant of Base64 had a name and that it was this!
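To make the layering the thread complains about concrete, here is an added example (not code from any poster) that does what a relying party has to do with a registration response: base64url-decode the three fields, parse `clientDataJSON` as JSON, parse `attestationObject` as CBOR, walk the fixed binary layout of `authData`, and CBOR-decode the COSE public key embedded at its end. It also shows the hand-rolled base64url codec over `Uint8Array` that the `btoa`/`atob` discussion says you end up writing. Everything here is assumed: the CBOR decoder handles definite-length items only, the sample response is constructed by hand (an all-0x11 `rpIdHash`, a zero AAGUID, a four-byte credential id and a made-up ES256 key), and no real authenticator, origin or challenge is involved.

```javascript
// Added example (not code from the thread): peel the layers of a WebAuthn
// registration response on the relying-party side. base64url -> JSON for
// clientDataJSON, base64url -> CBOR for attestationObject, raw binary for
// authData, and CBOR again for the COSE public key inside it.
// Definite-length CBOR only; the sample response below is constructed.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// base64url (RFC 4648 s.5, unpadded) over Uint8Array; btoa/atob only do
// padded base64 on "binary strings", hence hand-rolled here.
function base64urlEncode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] ?? 0) << 8) | (bytes[i + 2] ?? 0);
    out += B64URL[(n >> 18) & 63] + B64URL[(n >> 12) & 63];
    if (i + 1 < bytes.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < bytes.length) out += B64URL[n & 63];
  }
  return out;
}

function base64urlDecode(str) {
  if (/[^A-Za-z0-9_-]/.test(str)) throw new Error('not base64url');
  const bytes = [];
  let buf = 0, bits = 0;
  for (const ch of str) {
    buf = ((buf << 6) | B64URL.indexOf(ch)) & 0xffff; // at most 12 live bits
    bits += 6;
    if (bits >= 8) { bits -= 8; bytes.push((buf >> bits) & 0xff); }
  }
  return Uint8Array.from(bytes);
}

// Minimal CBOR decoder: ints, byte/text strings, arrays, maps (as Map so
// COSE's negative integer keys survive). Returns the value and bytes consumed.
function cborDecode(bytes) {
  let pos = 0;
  const len = (ai) => {
    if (ai < 24) return ai;
    if (ai === 24) return bytes[pos++];
    if (ai === 25) { pos += 2; return (bytes[pos - 2] << 8) | bytes[pos - 1]; }
    throw new Error('unsupported CBOR length encoding');
  };
  const item = () => {
    const b = bytes[pos++], major = b >> 5, ai = b & 31;
    switch (major) {
      case 0: return len(ai);
      case 1: return -1 - len(ai);
      case 2: { const n = len(ai); return bytes.slice(pos, pos += n); }
      case 3: { const n = len(ai); return new TextDecoder().decode(bytes.slice(pos, pos += n)); }
      case 4: { const n = len(ai); return Array.from({ length: n }, () => item()); }
      case 5: { const n = len(ai), m = new Map(); for (let i = 0; i < n; i++) m.set(item(), item()); return m; }
      default: throw new Error('unsupported CBOR major type ' + major);
    }
  };
  const value = item();
  return { value, bytesRead: pos };
}

// authData is a fixed binary layout, not CBOR:
// rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE_Key CBOR]
function parseAuthData(authData) {
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const out = {
    rpIdHash: authData.slice(0, 32),
    userPresent: !!(flags & 0x01), userVerified: !!(flags & 0x04),
    signCount: view.getUint32(33),
  };
  if (flags & 0x40) { // AT flag: attested credential data present
    const credIdLen = view.getUint16(53);
    out.aaguid = authData.slice(37, 53);
    out.credentialId = authData.slice(55, 55 + credIdLen);
    out.publicKey = cborDecode(authData.slice(55 + credIdLen)).value; // COSE_Key map
  }
  return out;
}

const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');

function parseRegistrationResponse(resp) {
  const clientData = JSON.parse(new TextDecoder().decode(base64urlDecode(resp.clientDataJSON)));
  const att = cborDecode(base64urlDecode(resp.attestationObject)).value;
  const authData = parseAuthData(att.get('authData'));
  const rawId = base64urlDecode(resp.rawId);
  return {
    rawId, clientData, fmt: att.get('fmt'), authData,
    // two relying-party sanity checks that fall straight out of the parsed layers
    idMatches: toHex(rawId) === toHex(authData.credentialId ?? new Uint8Array()),
    isCreate: clientData.type === 'webauthn.create',
  };
}

// ---- constructed sample response (no real authenticator involved) ----
const hex = (s) => Uint8Array.from(s.replace(/\s+/g, '').match(/../g), (h) => parseInt(h, 16));
const concat = (...parts) => {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  parts.reduce((off, p) => (out.set(p, off), off + p.length), 0);
  return out;
};
const sampleAuthData = concat(
  new Uint8Array(32).fill(0x11),                    // rpIdHash (placeholder; really SHA-256 of the RP ID)
  hex('45'), hex('00000007'),                       // flags UP|UV|AT, signCount 7
  new Uint8Array(16), hex('0004'), hex('deadbeef'), // aaguid, credIdLen 4, credId
  hex('a5 0102 0326 2001'),                         // COSE_Key {1:2 EC2, 3:-7 ES256, -1:1 P-256,
  hex('21 5820'), new Uint8Array(32).fill(0xaa),    //   -2: x,
  hex('22 5820'), new Uint8Array(32).fill(0xbb),    //   -3: y}
);
const sampleAttestationObject = concat(
  hex('a3 63 666d74 64 6e6f6e65'),                  // {"fmt": "none",
  hex('67 61747453746d74 a0'),                      //  "attStmt": {},
  hex('68 6175746844617461 58'), Uint8Array.of(sampleAuthData.length), sampleAuthData, // "authData": bstr}
);
const sampleResponse = {
  rawId: base64urlEncode(hex('deadbeef')),
  clientDataJSON: base64urlEncode(new TextEncoder().encode(JSON.stringify(
    { type: 'webauthn.create', challenge: base64urlEncode(hex('0102030405060708')), origin: 'https://example.com' }))),
  attestationObject: base64urlEncode(sampleAttestationObject),
};

console.log(parseRegistrationResponse(sampleResponse));
```

The `idMatches` and `isCreate` fields are the kind of cross-layer consistency checks a server should make before trusting anything: the credential id surfaces twice (as `rawId` and inside `authData`), and the ceremony type lives only in the JSON layer, so a response that passes CBOR parsing can still be the wrong kind of response. A real verifier would additionally compare `rpIdHash` against SHA-256 of its RP ID, check `challenge` and `origin` in `clientData`, and validate the attestation statement for formats other than `none`.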



