Re: [webauthn] Fix #593 - Refer to RFC 8266 for RP-controlled UI strings

>[...] as a suggestion we should perhaps specify in [5.4.1. Public Key Entity Description](https://w3c.github.io/webauthn/#dictionary-pkcredentialentity) that the RP is responsible for [the preparation and the enforcement](https://tools.ietf.org/html/rfc8264#section-3) of [PublicKeyCredentialEntity.name](https://w3c.github.io/webauthn/#dictdef-publickeycredentialentity)'s value, [...]
>
>Similarly in [5.4.3. User Account Parameters for Credential Generation](https://w3c.github.io/webauthn/#sctn-rp-credential-params) specify the same for [PublicKeyCredentialUserEntity.displayName](https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentity)'s value.

Shouldn't that be the client's responsibility? As @jcjones points out, this is primarily meant to defend against malicious RPs, so it seems odd to put this responsibility on the RP.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/878#issuecomment-385934608 using your GitHub account

Received on Wednesday, 2 May 2018 10:33:19 UTC