- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Mon, 25 Jun 2018 23:44:34 +0000
- To: public-webauthn@w3.org
@stpeter
> do we really need to go down this path? What attacks are we trying to prevent?

it seems you are referring to [your question here](https://github.com/w3c/webauthn/pull/878#issuecomment-388111270). As @emlun and @aphillips noted [here](https://github.com/w3c/webauthn/pull/878#issuecomment-388122773) and [here](https://github.com/w3c/webauthn/pull/878#issuecomment-388126103) (respectively), it does not seem that applying PRECIS to the name-ish DOMStrings aids in preventing any known attacks per se. However, do we wish to suggest to the RP that they may allow the user to supply arbitrary Unicode values for [`PublicKeyCredentialUserEntity/displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) and [`PublicKeyCredentialEntity/name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name) without doing some form of PRECIS preparation and enforcement on them, even if only for "hygiene" reasons?

@selfissued
> in the name of simplicity, I believe we should close this PR and #593 with no action

Well, there's more going on in this PR than strictly applying PRECIS to those name-ish DOMStrings. For example, it incorporates @stpeter's [suggestion](https://github.com/w3c/webauthn/pull/878#issuecomment-388162488) wrt warning developers wrt using these name-ish DOMStrings as authz identifiers.

If we decide we do not wish to impose PRECIS on the Unicode values of [`PublicKeyCredentialUserEntity/displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) and [`PublicKeyCredentialEntity/name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name), retaining the above warning is perhaps worthwhile.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/951#issuecomment-400129830 using your GitHub account
Received on Monday, 25 June 2018 23:44:36 UTC