Consider whether browsers should truncate name and displayName.
#1296
Comments
|
I don't know if this is the best place to comment, but: if RPs do have to truncate in the future, it would help to have some guidance on whether it matters that the RPs do a strict truncation. Something like an ellipsis would help distinguish between names that are ≈64 bytes and those that are longer: I would assume that this is fine because the name is meant for user-facing UI, but it wouldn't be strict truncation and I'd be a tad worried that some corner cases of authenticators/browsers/servers implementations might run into issues with this in the future. |
|
@agl to create PR |
agl
added a commit
to agl/webauthn
that referenced
this issue
Oct 15, 2019
There exist a significant number of authenticators that do not conform to the current WebAuthn requirements in that they fail requests with name/displayName strings longer than 64 bytes, rather than truncating them. This change adds a new requirement on user-agents that they maintain the authenticator model for RPs by doing the truncation on their behalf in this case. The alternative is that each RP will hit this edge-case and do the truncation itself, thus the ecosystem will never be able to support longer strings. Since user-agents may now be doing truncation, this change also permits truncation at the level of grapheme clusters (since user-agents presumably have Unicode tables available). Fixes w3c#1296.
agl
added a commit
to agl/webauthn
that referenced
this issue
Oct 15, 2019
There exist a significant number of authenticators that do not conform to the current WebAuthn requirements in that they fail requests with name/displayName strings longer than 64 bytes, rather than truncating them. This change adds a new requirement on user-agents that they maintain the authenticator model for RPs by doing the truncation on their behalf in this case. The alternative is that each RP will hit this edge-case and do the truncation itself, thus the ecosystem will never be able to support longer strings. Since user-agents may now be doing truncation, this change also permits truncation at the level of grapheme clusters (since user-agents presumably have Unicode tables available). Fixes w3c#1296.
equalsJeffH
pushed a commit
that referenced
this issue
Oct 29, 2019
* Truncate strings for authenticators where needed. There exist a significant number of authenticators that do not conform to the current WebAuthn requirements in that they fail requests with name/displayName strings longer than 64 bytes, rather than truncating them. This change adds a new requirement on user-agents that they maintain the authenticator model for RPs by doing the truncation on their behalf in this case. The alternative is that each RP will hit this edge-case and do the truncation itself, thus the ecosystem will never be able to support longer strings. Since user-agents may now be doing truncation, this change also permits truncation at the level of grapheme clusters (since user-agents presumably have Unicode tables available). Fixes #1296. * Address Jeff and Emil's comments.
emlun
pushed a commit
that referenced
this issue
Nov 6, 2019
* Truncate strings for authenticators where needed. There exist a significant number of authenticators that do not conform to the current WebAuthn requirements in that they fail requests with name/displayName strings longer than 64 bytes, rather than truncating them. This change adds a new requirement on user-agents that they maintain the authenticator model for RPs by doing the truncation on their behalf in this case. The alternative is that each RP will hit this edge-case and do the truncation itself, thus the ecosystem will never be able to support longer strings. Since user-agents may now be doing truncation, this change also permits truncation at the level of grapheme clusters (since user-agents presumably have Unicode tables available). Fixes #1296. * Address Jeff and Emil's comments.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We say of PublicKeyCredentialEntity's
nameand PublicKeyCredentialUserEntity'sdisplayName, that:Some authenticators do, indeed, truncate these strings at 64 bytes. This may cut a UTF-8 sequence and thus produce invalid strings in responses. Because of this, WebAuthn now has a section on handling these truncated strings.
However, some authenticators will also reject any operations where the strings are longer than 64 bytes. Whatever the fidelity of that behaviour to the spec, it's now reality. Therefore we should consider whether it's the browser's job to do the truncation in order to ensure that requests work. If we do not, then RPs will probably do it themselves because things will fail otherwise and once RPs do it, we'll not be able to add support for future authenticators which have more storage.
(Since there exist truncating authenticators out there, the rules around string handling still apply because those authenticators aren't going away either.)
(I don't know, off-hand, what the behaviour for
iconis in practice.)(This relates to fido-alliance/fido-2-specs#673.)
The text was updated successfully, but these errors were encountered: