
[webauthn] Define sensible limits for User and RP Entity to be stored on Authenticator as part of create credential

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Wed, 25 Oct 2017 04:41:18 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-268264638-1508906476-sysbot+gh@w3.org>
akshayku has just created a new issue for https://github.com/w3c/webauthn:

== Define sensible limits for User and RP Entity to be stored on Authenticator as part of create credential ==
Currently, we have not defined limits for individual fields of the User and RP entities to be stored on the Authenticator, apart from `User.id`, which can be a maximum of 64 bytes. We should define a scheme which can work for both constrained and non-constrained authenticators for a predictable ecosystem.

Here is one proposal:

**User Entity:**
- Id: Authenticators MUST support a maximum of 64 bytes.
- Name: Authenticators must support a minimum of 64 UTF-8 characters. If the RP provides more than 64 UTF-8 characters, the authenticator can optionally **truncate** how much it wants to store.
- DisplayName: Authenticators MUST support a minimum of 64 UTF-8 characters. If the RP provides more than 64 UTF-8 characters, the authenticator can optionally **truncate** how much it wants to store.
- Icon: Authenticators MUST support a minimum of 128 UTF-8 characters. If the RP provides more than 128 UTF-8 characters, the authenticator can optionally **drop** this field altogether. Here truncation does not make sense.

**RP Entity:**
- Id: Authenticators can use a HASH of this field as a primary index inside their database, so a limit is not really needed. For completeness, we can say a maximum of 256 UTF characters.
- Name: Authenticators must support a minimum of 64 UTF-8 characters. If the RP provides more than 64 UTF-8 characters, the authenticator can optionally **truncate** how much it wants to store.
- Icon: Authenticators MUST support a minimum of 128 UTF-8 characters. If the RP provides more than 128 UTF-8 characters, the authenticator can optionally **drop** this field altogether. Here truncation does not make sense.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/660 using your GitHub account
Received on Wednesday, 25 October 2017 04:41:39 UTC
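
The User Entity limits proposed in the message above, as an added C example that is not part of the original message or of any WebAuthn implementation. It assumes "UTF8 characters" means code points, that an id over 64 bytes is rejected, and that the authenticator stores exactly the proposed minimums; `apply_user_limits` and `struct stored_user` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits from the proposal above. */
#define USER_ID_MAX_BYTES 64
#define NAME_CHARS        64
#define ICON_CHARS        128

/* A byte starts a code point unless it is a continuation byte (10xxxxxx).
 * Input is assumed to be already-validated UTF-8. */
static int is_lead(char c) { return ((unsigned char)c & 0xC0) != 0x80; }

/* Number of code points in s[0..len). */
size_t utf8_chars(const char *s, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += is_lead(s[i]);
    return n;
}

/* Byte length of the longest prefix with at most max_chars code points;
 * the cut always falls on a code point boundary, never inside a sequence. */
size_t utf8_prefix_len(const char *s, size_t len, size_t max_chars) {
    size_t chars = 0, i = 0;
    for (; i < len; i++)
        if (is_lead(s[i]) && chars++ == max_chars) break;
    return i;
}

struct stored_user { size_t name_len, display_len, icon_len; };

/* Hypothetical policy for an authenticator that stores exactly the proposed
 * minimums. Returns -1 for an over-long id (rejecting is an assumption). */
int apply_user_limits(size_t id_len, const char *name, const char *display,
                      const char *icon, struct stored_user *out) {
    if (id_len > USER_ID_MAX_BYTES) return -1;
    out->name_len = utf8_prefix_len(name, strlen(name), NAME_CHARS);
    out->display_len = utf8_prefix_len(display, strlen(display), NAME_CHARS);
    size_t icon_len = strlen(icon);
    /* The proposal drops an over-long icon rather than truncating it. */
    out->icon_len = utf8_chars(icon, icon_len) > ICON_CHARS ? 0 : icon_len;
    return 0;
}

int main(void) {
    char name[141] = {0};                 /* constructed sample: 70 x U+00E9 */
    for (int i = 0; i < 70; i++) memcpy(name + 2 * i, "\xC3\xA9", 2);
    struct stored_user u;
    if (apply_user_limits(16, name, "Zo\xC3\xA9", "", &u) == 0)
        printf("name %zu bytes, displayName %zu bytes, icon %zu bytes\n",
               u.name_len, u.display_len, u.icon_len);
    return 0;
}
```

A 64-character name can occupy up to 256 bytes of storage when every character is a four-byte sequence, which matters for sizing buffers on constrained authenticators.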
