- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Tue, 10 Sep 2019 18:36:24 +0000
- To: public-webauthn@w3.org
agl has just created a new issue for https://github.com/w3c/webauthn: == Consider whether browsers should truncate `name` and `displayName`. == We say of [PublicKeyCredentialEntity](https://www.w3.org/TR/webauthn/#dictionary-pkcredentialentity)'s `name` and [PublicKeyCredentialUserEntity](https://www.w3.org/TR/webauthn/#sctn-user-credential-params)'s `displayName`, that: > Authenticators MAY truncate […] to a length equal to or greater than 64 bytes. Some authenticators do, indeed, truncate these strings at 64 bytes. This may cut a UTF-8 sequence and thus produce invalid strings in responses. Because of this, WebAuthn now has [a section](https://w3c.github.io/webauthn/#sctn-strings) on handling these truncated strings. However, some authenticators will also reject any operations where the strings are longer than 64 bytes. Whatever the fidelity of that behaviour to the spec, it's now reality. Therefore we should consider whether it's the browser's job to do the truncation in order to ensure that requests work. If we do not, then RPs will probably do it themselves because things will fail otherwise and once RPs do it, we'll not be able to add support for future authenticators which have more storage. (Since there exist truncating authenticators out there, [the rules](https://w3c.github.io/webauthn/#sctn-strings) around string handling still apply because those authenticators aren't going away either.) (I don't know, off-hand, what the behaviour for `icon` is in practice.) (This relates to fido-alliance/fido-2-specs#673.) Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1296 using your GitHub account
Received on Tuesday, 10 September 2019 18:36:26 UTC