Re: [webauthn] Should clients enforce challenge length? (#1115)

[[
yuriy: there is a contradiction here, no set length.
... should we change this?
... if not, will RP do crazy things like empty buffer?
... FIDO Alliance needs to have an answer

agl: I think we are going to fix this.

yuriy: should it be "must" browsers enforce 16 bytes?

christiaan: why is that a browser thing?

jc_Jones: I would argue it's an RP thing.

16 bytes is a nice change.

scribe: why is 16 good, why not 8?

agl: 16 is canonical for this. I am fine with this.

Christiaan: it blocks other things on the FIDO side.
... maybe in the next version, but not a change at this late stage.

jbradley: challenges do not go over CTAP. The authenticator gets a hash and some other things.
... making it a must might not be the solution. I don't know if we get much with a minimum length.

elundberg: if there is nothing, RP may have to be more vigilant.

yuriy: so next version and discuss later.

jc_Jones: I don't know if we will have more arguments later. Unless we define the challenge,
... the danger will persist.
... the error possibility is very wide. I think the solution here is that we need to look at nonce construction and take that chunk and drop it in here.

jbradley: potentially we break implementations if we tightly control nonce

jc_jones: I would say we say this is out of scope, but it is a consideration for the RP. I don't think we should mandate any number of bytes.

jeffH: I agree with jc

agl: I do too, but the tests say it can't be zero.

plh: we may need to remove the test and see if we have a different conclusion later.
... I would make a pull request to remove that test.
... double check if this is the correct test or something else.
]]
https://www.w3.org/2018/12/19-webauthn-minutes.html

-- 
GitHub Notification of comment by plehegar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1115#issuecomment-448705121 using your GitHub account

Received on Wednesday, 19 December 2018 18:54:02 UTC
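As an added illustration of the RP-side stance the minutes converge on (this is example code written for this page, not code from the minutes, the WebAuthn spec or any browser), the following Python shows a Relying Party minting a 16-byte challenge and rejecting an empty, short or mismatched one when it verifies clientDataJSON. The 16-byte minimum follows the "canonical" figure in the discussion; the function names, `MIN_CHALLENGE_BYTES` and the sample clientDataJSON with origin `https://rp.example` are constructed for this example.

```python
import base64
import hmac
import json
import os

# RP policy taken from the discussion above: a challenge carries at least
# 16 bytes of CSPRNG output. The browser is not expected to enforce this;
# the RP generates, stores, and later compares the challenge itself.
MIN_CHALLENGE_BYTES = 16


def new_challenge(n_bytes: int = MIN_CHALLENGE_BYTES) -> bytes:
    """Mint a fresh challenge; the RP stores it keyed to the ceremony."""
    if n_bytes < MIN_CHALLENGE_BYTES:
        raise ValueError(f"challenge must be >= {MIN_CHALLENGE_BYTES} bytes")
    return os.urandom(n_bytes)


def b64url_encode(data: bytes) -> str:
    """clientDataJSON carries the challenge base64url-encoded, unpadded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sample_client_data(challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would return
    (hypothetical origin); used only to exercise verify_challenge."""
    doc = {"type": typ, "challenge": b64url_encode(challenge),
           "origin": "https://rp.example"}
    return json.dumps(doc).encode("utf-8")


def verify_challenge(client_data_json: bytes, expected: bytes) -> bool:
    """RP-side check during assertion/attestation verification.

    Rejects a stored challenge that is too short (so an empty buffer can
    never pass), then requires the echoed challenge to match exactly. The
    authenticator only ever sees a hash of clientDataJSON, so the RP is the
    one place the length can actually be enforced.
    """
    if len(expected) < MIN_CHALLENGE_BYTES:
        return False
    try:
        data = json.loads(client_data_json.decode("utf-8"))
        echoed = b64url_decode(data["challenge"])
    except (ValueError, KeyError, TypeError):
        return False
    return hmac.compare_digest(echoed, expected)
```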