Re: [webauthn] Disallow empty strings (#2073)

>maybe we keep the existing preamble, but change the "SHOULD set to an empty string" guidance to something like "MUST omit the value" instead 🤔

That won't work with the dictionary IDL as currently defined, as `displayName` is a required, non-nullable member.

But maybe we could make it optional? I think the only blocker could be compatibility with CTAP2. But it actually looks like CTAP2 would already be compatible with that change. I noticed this in particular in [§6.8.6. Updating user information](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#updateUserInformation):

>Replace the matching credential’s [`PublicKeyCredentialUserEntity`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentity)'s [`name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name), [`displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) with the passed-in user details. If a field is not present in the passed `user` details, or it is present and empty, remove it from the matching credential’s [`PublicKeyCredentialUserEntity`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentity).

But one problem is that in CTAP2, `PublicKeyCredentialUserEntity` appears in both input (contravariant) and output (covariant) position. Making `displayName` optional is fine in input position, but could break CTAP2 clients if they read out a `PublicKeyCredentialUserEntity` structure for a discoverable credential and expect `displayName` to always be present. But on the other hand there's also this in the definition of the [authenticatorGetAssertion response structure](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorgetassertion-response-structure):

>FIDO Devices - [discoverable](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#discoverable) credentials: For discoverable credentials on FIDO devices, at least [`user`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentity) "[`id`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id)" is mandatory.

So maybe clients are expected to expect that not all members will always be present.


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2073#issuecomment-2120187239 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 20 May 2024 10:46:05 UTC
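The two CTAP2 rules quoted in the comment above (the "update user information" replace-or-remove rule, and "at least user id is mandatory" for discoverable credentials) are small enough to model directly. The following is an added example, not code from the PR, the WebAuthn spec or any CTAP2 implementation. It assumes a stored-credential user entity shaped like `PublicKeyCredentialUserEntity` with `id` as a `Uint8Array`, and the helper names (`applyUserUpdate`, `readAssertionUser`, `SAMPLE_STORED`) are invented for the example. It shows why a client that reads a user entity back from an authenticator should treat `displayName` (and `name`) as optional rather than required.

```javascript
// Added example: models CTAP2 user-entity semantics as quoted in the thread.
// Field names follow PublicKeyCredentialUserEntity; the stored shape is assumed.

const UPDATABLE_FIELDS = ["name", "displayName"];

// Semantics of the quoted "updating user information" rule: name/displayName
// are replaced by the passed-in values; a field that is absent or empty in the
// update is removed from the stored entity. user.id is never changed here.
function applyUserUpdate(stored, update) {
  if (!(stored.id instanceof Uint8Array) || stored.id.length === 0) {
    throw new TypeError("stored user entity must carry a non-empty id");
  }
  const result = { id: stored.id };
  for (const field of UPDATABLE_FIELDS) {
    const value = update[field];
    if (typeof value === "string" && value.length > 0) {
      result[field] = value; // present and non-empty: replace
    }
    // absent, empty, or not a string: the field is dropped from the result
  }
  return result;
}

// Reader for the `user` member of an authenticatorGetAssertion response.
// Per the quoted text, only user.id is mandatory for discoverable credentials,
// so a robust client must not assume name or displayName are present.
function readAssertionUser(user) {
  if (user === undefined || user === null) {
    return { ok: false, reason: "user member missing" };
  }
  if (!(user.id instanceof Uint8Array) || user.id.length === 0) {
    return { ok: false, reason: "user.id missing or empty" };
  }
  const normalized = { id: user.id };
  for (const field of UPDATABLE_FIELDS) {
    if (typeof user[field] === "string" && user[field].length > 0) {
      normalized[field] = user[field];
    }
  }
  return { ok: true, user: normalized };
}

// Constructed sample data (not from any real credential) so the file runs alone.
const SAMPLE_STORED = {
  id: new Uint8Array([0x01, 0x02, 0x03]),
  name: "alice@example.com",
  displayName: "Alice",
};

// Stand-alone demonstration: an update with an empty displayName removes it,
// and a getAssertion user entity carrying only id is still accepted.
function demo() {
  const updated = applyUserUpdate(SAMPLE_STORED, { name: "alice@example.com", displayName: "" });
  const readBack = readAssertionUser({ id: new Uint8Array([0x09]) });
  return { updatedHasDisplayName: "displayName" in updated, idOnlyAccepted: readBack.ok };
}
```

With the constructed sample, `demo()` reports that the empty `displayName` was removed and that an id-only user entity is accepted, which is the behaviour a CTAP2 client must tolerate if `displayName` becomes optional on the WebAuthn side.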