Re: [webauthn] Should clients enforce challenge length? (#1115)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 07 Dec 2018 15:23:53 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-445265906-1544196232-sysbot+gh@w3.org>

For the record: although length is a necessary condition for enough entropy, it's not a sufficient condition. For example, setting the challenge to `"AAAAAAAAAAAAAAAA"` always would satisfy the 16-byte recommendation but contain 0 bits of entropy. That doesn't mean that enforcement by the client is completely useless, of course - it could be an effective way to catch trivial mistakes - but it does make it less useful.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1115#issuecomment-445265906 using your GitHub account
Received on Friday, 7 December 2018 15:23:54 UTC
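
The distinction made in the message above, as an added example for Node.js that is not part of the original message or of the WebAuthn specification: a length check sees one challenge at a time, while a relying party's own test suite can sample its generator repeatedly and catch the constant-challenge mistake. All function names and the sample generators are hypothetical and constructed for illustration.

```javascript
// Added example; names are hypothetical, sample generators are constructed.
const { randomBytes } = require('node:crypto');

const MIN_CHALLENGE_BYTES = 16; // the 16-byte recommendation discussed above

// What a client could enforce: it sees a single challenge and can only measure it.
function meetsLengthRecommendation(challenge) {
  return challenge.length >= MIN_CHALLENGE_BYTES;
}

// Relying-party side: draw every challenge from the CSPRNG, once per ceremony.
function newChallenge(size = MIN_CHALLENGE_BYTES) {
  return randomBytes(size);
}

// Test-suite audit of a challenge generator: call it several times and
// report mistakes that a single length check cannot see.
function auditGenerator(generate, samples = 32) {
  const seen = new Set();
  const findings = new Set();
  for (let i = 0; i < samples; i++) {
    const c = Buffer.from(generate());
    if (!meetsLengthRecommendation(c)) findings.add('too-short');
    if (c.every((b) => b === c[0])) findings.add('single-byte-value');
    const key = c.toString('hex');
    // Two equal 16-byte CSPRNG outputs are practically impossible, so any
    // repeat means the generator is not producing a fresh value per request.
    if (seen.has(key)) findings.add('repeated-challenge');
    seen.add(key);
  }
  return [...findings].sort();
}

// Constructed generator: the constant from the message (16 bytes, 0 bits of entropy).
const constantChallenge = () => Buffer.from('AAAAAAAAAAAAAAAA');

// Constructed generator: random, but created once at startup and then reused.
const startupValue = randomBytes(MIN_CHALLENGE_BYTES);
const startupChallenge = () => startupValue;

console.log('length check on constant:', meetsLengthRecommendation(constantChallenge()));
console.log('constant :', auditGenerator(constantChallenge));
console.log('startup  :', auditGenerator(startupChallenge));
console.log('csprng   :', auditGenerator(newChallenge));
```

An empty result from `auditGenerator` only rules out these trivial mistakes; like the length check, it is not evidence that the generator has enough entropy.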