W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2018

Re: [webauthn] Fix #593: employ PRECIS RFC8264 et al for 'name'-ish domstring values

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 Jun 2018 23:44:34 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-400129830-1529970273-sysbot+gh@w3.org>
@stpeter 
> do we really need to go down this path? What attacks are we trying to prevent?

it seems you are referring to [your question here](https://github.com/w3c/webauthn/pull/878#issuecomment-388111270).

As @emlun and @aphillips noted [here](https://github.com/w3c/webauthn/pull/878#issuecomment-388122773) and [here](https://github.com/w3c/webauthn/pull/878#issuecomment-388126103) (respectively), it does not seem that appying PRECIS  to the name-ish DOMStrings aids in preventing any known attacks per se.  

However, do we wish to suggest to the RP that they may allow the user to supply arbitrary unicode values for [`PublicKeyCredentialUserEntity/displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) and [`PublicKeyCredentialEntity/name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name) without doing some form of PRECIS preparation and enforcement on them, even if only for "hygine" reasons?

@selfissued 
> in the name of simplicity, I believe we should close this PR and #593 with no action

Well, there's more going on in this PR than strictly applying PRECIS to those name-ish DOMStrings.  For example, it incorporates @stpeter's [suggestion](https://github.com/w3c/webauthn/pull/878#issuecomment-388162488) wrt warning developers wrt using these name-ish DOMStrings as authz identifiers. 

If we decide we do not wish to impose PRECIS on the unicode values of [`PublicKeyCredentialUserEntity/displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) and [`PublicKeyCredentialEntity/name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name), retaining the above warning is perhaps worthwhile. 



-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/951#issuecomment-400129830 using your GitHub account
Received on Monday, 25 June 2018 23:44:36 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:33 UTC