- From: Philippe Le Hegaret via GitHub <sysbot+gh@w3.org>
- Date: Wed, 19 Dec 2018 18:54:01 +0000
- To: public-webauthn@w3.org
[[
yuriy: there is contradiction here, no set length.
... should we change this?
... if not will RP do crazy things like empty buffer
... FIDO Alliance needs to have an answer
agl: I think we are going to fix this.
yuriy: should it be "must" browsers enforce 16 bytes
christiaan: why is that a browser thing
jc_Jones: I would argue it's RP thing 16 bytes is a nice change.
scribe: why is 16 good, why not 8?
agl: 16 is canonical for this. I am fine with this.
Christiaan: it blocks other things on FIDO side.
... may in the next version, but not a change at this late stage.
jbradley: challenges does not go over CTAP. Authenticator gets a hash and some other things
... making it a must might not be the solution. I don't know if we get much with a minimum length
elundberg: if there is nothing, RP may have to be more vigilant.
yuriy: so next version and discuss later.
jc_Jones: I don't know if we will have more arguments later. unless we define the challenge
... the danger will persist
... the error possibility is very wide. think solution here is we need to look at nonce construction and take that chunk and drop it in here
jbradley: potentially we break implementations if we tightly control nonce
jc_jones: I would say we say this is out of scope. but is consideration for RP. I don't think we should mandate any number of bytes
jeffH: I agree with jc
agl: I do too, but tests says can't be zero.
plh: we may need to remove the test and see if we have a different conclusion later.
... I would make a pull request to remove that test.
... double check if this is the correct test or something else.
]]

https://www.w3.org/2018/12/19-webauthn-minutes.html

--
GitHub Notification of comment by plehegar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1115#issuecomment-448705121 using your GitHub account
Received on Wednesday, 19 December 2018 18:54:02 UTC