[w3c/webauthn] 428bf8: Truncate strings for authenticators where needed. ... from Adam Langley on 2019-10-29 (public-webauthn@w3.org from October 2019)

From: Adam Langley <noreply@github.com>
Date: Tue, 29 Oct 2019 15:16:15 -0700
To: public-webauthn@w3.org
Message-ID: <w3c/webauthn/push/refs/heads/master/5dbea6-428bf8@github.com>

  Branch: refs/heads/master
  Home:   https://github.com/w3c/webauthn
  Commit: 428bf827db5fa8d45865fcce7a41427bf910ee2f
      https://github.com/w3c/webauthn/commit/428bf827db5fa8d45865fcce7a41427bf910ee2f
  Author: Adam Langley <agl@imperialviolet.org>
  Date:   2019-10-29 (Tue, 29 Oct 2019)

  Changed paths:
    A images/string-truncation.svg
    M index.bs

  Log Message:
  -----------
  Truncate strings for authenticators where needed. (#1316)

* Truncate strings for authenticators where needed.

There exist a significant number of authenticators that do not conform
to the current WebAuthn requirements in that they fail requests with
name/displayName strings longer than 64 bytes, rather than truncating
them.

This change adds a new requirement on user-agents that they maintain the
authenticator model for RPs by doing the truncation on their behalf in
this case. The alternative is that each RP will hit this edge-case and
do the truncation itself, thus the ecosystem will never be able to
support longer strings.

Since user-agents may now be doing truncation, this change also permits
truncation at the level of grapheme clusters (since user-agents
presumably have Unicode tables available).

Fixes #1296.

* Address Jeff and Emil's comments.

Received on Tuesday, 29 October 2019 22:16:18 UTC