[webauthn] truncation to 64-byte upper limit doesn't mention character boundaries

aphillips has just created a new issue for https://github.com/w3c/webauthn:

== truncation to 64-byte upper limit doesn't mention character boundaries ==
https://w3c.github.io/webauthn/#dictionary-pkcredentialentity

When referring to the `name` the spec says:

> Authenticators MUST accept and store a 64-byte minimum length for a name member’s value. Authenticators MAY truncate a name member’s value to a length equal to or greater than 64 bytes.

Note that the specification does not require truncation on a Unicode character boundary. Arbitrary truncation at a 64-byte limit on a multibyte encoding such as UTF-8 can corrupt the last character in the string. The spec should require that the truncation occur on a character boundary (is there a reason you didn't use character count instead of byte count in the first place?)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/973 using your GitHub account

Received on Wednesday, 27 June 2018 17:40:00 UTC
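
The corruption the issue describes, next to a truncation that backs up to a UTF-8 code point boundary, as an added example that is not part of the original message or of the WebAuthn specification. The function names, the constructed sample string, and the use of 64 as the byte limit are assumptions for illustration.

```javascript
// Added example (not from the issue or the spec); all names are hypothetical.
const enc = new TextEncoder();
const dec = new TextDecoder("utf-8"); // non-fatal: malformed bytes decode to U+FFFD

// Naive truncation: cut the UTF-8 encoding at exactly maxBytes.
function truncateNaive(str, maxBytes) {
  return enc.encode(str).slice(0, maxBytes);
}

// Boundary-aware truncation: never cut inside a multi-byte sequence.
function truncateOnCodePoint(str, maxBytes) {
  const bytes = enc.encode(str);
  if (bytes.length <= maxBytes) return bytes;
  let end = maxBytes;
  // bytes[end] is the first byte that would be dropped. If it is a
  // continuation byte (10xxxxxx), the cut falls inside a character,
  // so back up until the first dropped byte is a lead byte.
  while (end > 0 && (bytes[end] & 0xc0) === 0x80) end--;
  return bytes.slice(0, end);
}

// Well-formedness check. Assumes the input itself contains no U+FFFD
// and no lone surrogates, so any U+FFFD after decoding marks damage.
function isWellFormed(bytes) {
  return !dec.decode(bytes).includes("\uFFFD");
}

// Constructed sample: 63 ASCII bytes followed by a 2-byte character,
// so a cut at byte 64 lands in the middle of the last character.
function demo() {
  const name = "a".repeat(63) + "é"; // 65 bytes in UTF-8
  const naive = truncateNaive(name, 64);
  const safe = truncateOnCodePoint(name, 64);
  return {
    naiveLength: naive.length,
    naiveWellFormed: isWellFormed(naive),
    safeLength: safe.length,
    safeWellFormed: isWellFormed(safe),
  };
}

console.log(demo());
```

The boundary used here is a code point boundary, so a base letter can still be separated from a following combining mark; the stored bytes remain valid UTF-8 either way.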