Re: [webauthn] Add considerations for string truncation. (#1205)

The client can detect it was provided a truncated code point in UTF-8 after the fact, but won't necessarily be able to detect a truncated grapheme. The grapheme combining rules are also too complex to be static - they can change in later Unicode releases, and you could also have fun edge cases like the Taiwanese flag on devices sold in mainland China.

I believe the RP information is only ever displayed by the authenticator itself, so if it wishes to alter the data (such as truncating it) then it is responsible for doing so appropriately.

I suspect from reading the CTAP spec that the client could detect truncation of user metadata by doing a getAssertion following makeCredential, and then potentially do a second makeCredential supplying a better form. But I don't think this would then meet the current webauthn spec, as this would be truncating below the minimum maximum of 64 bytes.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1205#issuecomment-491146456 using your GitHub account

Received on Friday, 10 May 2019 03:54:24 UTC