
Re: [webauthn] truncation to 64-byte upper limit doesn't mention character boundaries

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 28 Jun 2018 15:32:02 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-401076101-1530199920-sysbot+gh@w3.org>
Asking constrained hardware authenticators to include full UTF-8 parsing logic is not really feasible - that's _a lot_ of really complicated logic which, if history is any indication, also comes with a lot of security vulnerabilities. The proper way to solve this would be, as @equalsJeffH alludes to, to provide a way for the client to query the authenticator for a maximum size in bytes, so that the client can do the appropriate truncations (respecting character boundaries) before sending the data to the authenticator. It doesn't look like CTAP currently provides that, though, so I think we're stuck with the current (admittedly brittle) approach for the Level 1 spec.

What we _could_ do to prevent truncation issues, without needing changes to CTAP, is to specify that clients MUST NOT allow input that would result in byte strings longer than 64 bytes. But I think that would have to wait until Level 2, since it would be a breaking normative change.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/973#issuecomment-401076101 using your GitHub account
Received on Thursday, 28 June 2018 15:32:06 UTC
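
The client-side truncation described in the message above, as an added example that is not part of the original message or of the WebAuthn or CTAP specifications. Function names and sample strings are constructed for illustration, and the code respects UTF-8 code point boundaries only (not grapheme clusters).

```javascript
// Added example: all names here are hypothetical, not WebAuthn or CTAP API.
const MAX_BYTES = 64; // the 64-byte upper limit discussed in the thread

// Byte-level cut with no knowledge of UTF-8, as a constrained authenticator
// without parsing logic would perform it.
function truncateBytesNaive(str, maxBytes = MAX_BYTES) {
  return new TextEncoder().encode(str).slice(0, maxBytes);
}

// Client-side cut that never splits a multi-byte sequence.
// UTF-8 continuation bytes have the form 10xxxxxx, so if the first dropped
// byte is a continuation byte, back up until the cut sits before a lead byte.
function truncateUtf8(str, maxBytes = MAX_BYTES) {
  const bytes = new TextEncoder().encode(str);
  if (bytes.length <= maxBytes) return bytes;
  let end = maxBytes;
  while (end > 0 && (bytes[end] & 0xc0) === 0x80) end--;
  return bytes.slice(0, end);
}

// Strict decode: returns false if the bytes are not well-formed UTF-8.
function isValidUtf8(bytes) {
  try {
    new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    return true;
  } catch {
    return false;
  }
}

// The stricter alternative from the message: refuse input whose encoding
// exceeds the limit instead of truncating it.
function fitsLimit(str, maxBytes = MAX_BYTES) {
  return new TextEncoder().encode(str).length <= maxBytes;
}

// Constructed sample: 1 ASCII byte + 40 two-byte characters = 81 bytes,
// arranged so that byte 64 falls in the middle of a character.
const sample = "a" + "\u00e9".repeat(40);
console.log(isValidUtf8(truncateBytesNaive(sample))); // naive cut
console.log(truncateUtf8(sample).length, isValidUtf8(truncateUtf8(sample)));
console.log(fitsLimit(sample));
```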
