[webauthn] ban empty user ID / user handle (#1536)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== ban empty user ID / user handle ==
The spec already notes: "...a user handle having an empty value is known to be problematic in practice..."

However, in testing, it's been discovered that:
Returning a `user` in GetAssertion with an empty ID: Windows 10 fails.
Same response, but omitting `user`: Windows 10 works.
([Japanese blog post about this workaround.](https://qiita.com/gebo/items/612373fc58395b2927e7))
"OpenSK users reported Windows 10 interoperability issues."

@akshayku has noted: I would prefer RP always sending a non-zero userID or browser erroring out when it receives a zero length userID or browser/platform not setting a zero length userID in makeCredential even if RP sets it empty as clearly RP does not care about userID in this scenario.

Thus, we suggest the webauthn spec states that user.id MUST not be empty, and if an RP wishes a constant value for whatever reason, they pick something innocuous such as a single space char.
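The following is an added example, not code from the issue or from the WebAuthn spec: RP-side checks that enforce the rule proposed above (user.id must not be empty) when building credential-creation options, plus the matching handling of an assertion's userHandle, treating an empty one the way the Windows 10 workaround does (as absent). The 64-byte ceiling is the spec's existing maximum user handle length; the function names and the `accountId` parameter are assumptions.

```javascript
// Added example (not from the issue or the spec text). Assumes user handles are
// handled as Uint8Array; 64 bytes is the spec's existing upper bound.
const MAX_USER_HANDLE_BYTES = 64;

// Validate a candidate user.id before it is placed in
// PublicKeyCredentialCreationOptions. Returns the handle or throws.
function validateUserHandle(handle) {
  if (!(handle instanceof Uint8Array)) {
    throw new TypeError("user.id must be a Uint8Array (BufferSource)");
  }
  if (handle.byteLength === 0) {
    // The interop failure reported in the issue: an empty handle in the
    // GetAssertion response makes Windows 10 fail.
    throw new RangeError("user.id must not be empty");
  }
  if (handle.byteLength > MAX_USER_HANDLE_BYTES) {
    throw new RangeError(`user.id must be at most ${MAX_USER_HANDLE_BYTES} bytes`);
  }
  return handle;
}

// Derive a user handle from an RP-side account identifier. An RP that does not
// track accounts by handle may pass a constant; per the issue's suggestion the
// default is a single space, an innocuous non-empty value.
function makeUserHandle(accountId = " ") {
  return validateUserHandle(new TextEncoder().encode(accountId));
}

// Assemble creation options with a validated user.id. `challenge` is whatever
// random bytes the RP server issued for this ceremony (hypothetical input here).
function buildCreationOptions({ rpId, rpName, accountId, displayName, challenge }) {
  return {
    challenge,
    rp: { id: rpId, name: rpName },
    user: { id: makeUserHandle(accountId), name: accountId, displayName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  };
}

// Normalize the userHandle of an assertion response. The workaround described
// in the issue omits `user` instead of returning an empty one, so an empty
// handle is treated as absent (null); a non-empty handle is returned as bytes.
function normalizeAssertionUserHandle(userHandle) {
  if (userHandle == null) return null;
  const bytes = userHandle instanceof Uint8Array ? userHandle : new Uint8Array(userHandle);
  return bytes.byteLength === 0 ? null : bytes;
}
```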

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1536 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 9 December 2020 16:58:56 UTC