Re: [webauthn] Define sensible limits for User and RP Entity to be stored on Authenticator as part of create credential

If you define these maximum lengths in UTF-8 code points, the length is essentially multiplied by 4 (the maximum byte length of a UTF-8 code point). In most cases this will not happen, but displayName can certainly contain all kinds of exotic encodings.

If you use bytes, you force the authenticator to handle UTF-8 code points to truncate them correctly to fit inside 64 bytes or you will have to be prepared to handle incorrect code points in the client.

If you use code points, the authenticator has to store up to 1536 bytes of context data, not even counting the rpID and the private key information. For an embedded device, this is a lot of data.

I strongly prefer the limits to be in bytes, but I have no problem including code to truncate them correctly (it's not that hard).

In the end, it just needs to be defined.

Again, this needs to be scoped to the use cases where it makes sense.

-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/660#issuecomment-339622332 using your GitHub account

Received on Thursday, 26 October 2017 10:26:29 UTC
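The truncation the comment describes, cutting a UTF-8 field to a byte limit without ever emitting a split code point, written in C as an embedded authenticator would implement it. This is an added example, not code from the thread or from the WebAuthn specification; the 64-byte field size (`FIELD_MAX_BYTES`), the function names and the sample display names are all illustrative assumptions. It also shows the 4× worst case the comment mentions: a limit in code points rather than bytes can cost four times the storage.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-field storage limit, matching the 64-byte figure in the thread. */
#define FIELD_MAX_BYTES 64

/* Byte length of the UTF-8 sequence introduced by lead byte b; 0 if b cannot
 * start a sequence (a continuation byte 10xxxxxx, or an invalid lead >= 0xF8). */
static size_t utf8_seq_len(uint8_t b)
{
    if (b < 0x80)           return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Length of the well-formed sequence starting at s[i], or 0 if the lead byte is
 * invalid, a continuation byte is missing, or the sequence runs past len.
 * Overlong encodings and surrogates are not rejected here; a stricter
 * validator would check those as well. */
static size_t utf8_valid_seq(const uint8_t *s, size_t len, size_t i)
{
    size_t n = utf8_seq_len(s[i]);
    if (n == 0 || i + n > len)
        return 0;
    for (size_t k = 1; k < n; k++)
        if ((s[i + k] & 0xC0) != 0x80)
            return 0;
    return n;
}

/* How many leading bytes of s[0..len) fit into max_bytes when cutting only at
 * code-point boundaries. Returns -1 if malformed UTF-8 is found before the cut,
 * so the authenticator can reject the request instead of storing garbage. */
long utf8_truncate_len(const uint8_t *s, size_t len, size_t max_bytes)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_valid_seq(s, len, i);
        if (n == 0)
            return -1;
        if (i + n > max_bytes)
            break;              /* this code point would straddle the limit */
        i += n;
    }
    return (long)i;
}

/* Number of code points in s[0..len), or -1 if the input is malformed. */
long utf8_code_points(const uint8_t *s, size_t len)
{
    long count = 0;
    for (size_t i = 0; i < len; count++) {
        size_t n = utf8_valid_seq(s, len, i);
        if (n == 0)
            return -1;
        i += n;
    }
    return count;
}

/* Constructed displayName: 22 copies of U+20AC (3 bytes each), 66 bytes total.
 * Under a 64-byte limit this keeps 63 bytes, not 64, because byte 64 would
 * split the 22nd code point. */
long demo_truncate_euro_name(void)
{
    uint8_t name[66];
    for (int i = 0; i < 22; i++)
        memcpy(name + 3 * i, "\xE2\x82\xAC", 3);
    return utf8_truncate_len(name, sizeof name, FIELD_MAX_BYTES);
}

int main(void)
{
    const char *ascii = "Alice Example";          /* constructed: 13 bytes, 13 code points */
    size_t alen = strlen(ascii);
    printf("ascii: %ld code points, keep %ld of %zu bytes\n",
           utf8_code_points((const uint8_t *)ascii, alen),
           utf8_truncate_len((const uint8_t *)ascii, alen, FIELD_MAX_BYTES), alen);
    printf("euro displayName: keep %ld bytes\n", demo_truncate_euro_name());
    /* A 64-code-point limit must reserve 64 * 4 bytes for the worst case. */
    printf("64 code points, all 4-byte: %d bytes of storage\n", 64 * 4);
    /* A lone continuation byte is rejected rather than stored. */
    printf("malformed input: %ld\n",
           utf8_truncate_len((const uint8_t *)"\x80", 1, FIELD_MAX_BYTES));
    return 0;
}
```

The returned length is what the authenticator stores; the client receiving the credential back can then decode the stored field without hitting a partial code point, which is the "incorrect code points in the client" problem the comment raises when truncation is done naively on bytes.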