Re: [webauthn] Should clients enforce challenge length? (#1115)

For the record: although length is a necessary condition for enough entropy, it's not a sufficient condition. For example, setting the challenge to `"AAAAAAAAAAAAAAAA"` always would satisfy the 16-byte recommendation but contain 0 bits of entropy. That doesn't mean that enforcement by the client is completely useless, of course - it could be an effective way to catch trivial mistakes - but it does make it less useful.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1115#issuecomment-445265906 using your GitHub account

Received on Friday, 7 December 2018 15:23:54 UTC
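
The distinction drawn in the comment above, as an added example that is not part of the original message or of the WebAuthn specification: a client sees one challenge at a time and can only test its length, while a relying party's own test suite can look across many issued challenges. All function names are hypothetical and the sample challenges are constructed.

```javascript
// Added example: function names are hypothetical, sample data is constructed.
// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const MIN_CHALLENGE_BYTES = 16; // the 16-byte recommendation discussed in the thread

// What a client could enforce: it has a single challenge, so it can only check length.
function meetsLengthRecommendation(challenge) {
  return challenge.byteLength >= MIN_CHALLENGE_BYTES;
}

// Relying-party side: every challenge comes fresh from a CSPRNG.
function newChallenge(bytes = MIN_CHALLENGE_BYTES) {
  return webCrypto.getRandomValues(new Uint8Array(bytes));
}

// Relying-party test-suite check over a batch of issued challenges.
// It flags trivial mistakes only; a clean result does not prove the entropy is sufficient.
function auditChallenges(challenges) {
  const seen = new Set();
  const findings = { tooShort: 0, repeated: 0, singleByteValue: 0 };
  for (const c of challenges) {
    const hex = Array.from(c, (b) => b.toString(16).padStart(2, '0')).join('');
    if (!meetsLengthRecommendation(c)) findings.tooShort++;
    if (seen.has(hex)) findings.repeated++; // same challenge issued twice
    seen.add(hex);
    if (c.length > 0 && c.every((b) => b === c[0])) findings.singleByteValue++;
  }
  return findings;
}

// Constructed sample: a relying party that always sends "AAAAAAAAAAAAAAAA".
const fixedChallenge = () => new TextEncoder().encode('AAAAAAAAAAAAAAAA');
const badBatch = [fixedChallenge(), fixedChallenge(), fixedChallenge()];
const goodBatch = [newChallenge(), newChallenge(), newChallenge()];

console.log('length check on fixed challenge:', meetsLengthRecommendation(fixedChallenge()));
console.log('audit of fixed challenges:', auditChallenges(badBatch));
console.log('audit of CSPRNG challenges:', auditChallenges(goodBatch));
```

The fixed challenge passes the length check every time; only the cross-ceremony audit, which a client cannot perform, reports the repetition.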