[webauthn] further explain, for RPs, lack of stipulation of maximum Credential ID length (#1617)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== further explain, for RPs, lack of stipulation of maximum Credential ID length ==
The Note at https://www.w3.org/TR/webauthn/#dom-publickeycredential-identifier-slot says:
> This API does not constrain the format or length of this identifier, except that it MUST be sufficient for the authenticator to uniquely select a key. For example, an authenticator without on-board storage may create identifiers containing a credential private key wrapped with a symmetric key that is burned into the authenticator.

We did not specify a maximum Credential ID length for various reasons (that are not well-documented, sorry). See https://github.com/w3c/webauthn/issues/40#issuecomment-219035185 for the apparent summary decision:
> RPs should write defensive code that blocks credential IDs that are ridiculously large.

Though, we _could_ add another paragraph to the above Note along the lines of:
> RPs need to be prepared to accept credential IDs of varying length, because the credential ID's size is determined by the authenticator and can vary. For example, they may defensively decline to register credentials having credential IDs greater than some maximum length the RP decides. A possibly reasonable maximum value is 1024 bytes.

(I just pulled 1024 bytes out of the air. Has anyone been logging the credential ID lengths they've seen?)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1617 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 May 2021 21:23:28 UTC
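
An added example, not part of the original message or of the WebAuthn specification: one way an RP server (Node.js) could apply the defensive length check discussed above when it receives a registration response. The function names, the returned object shape and the rawId comparison are assumptions made for this example; the 1024-byte maximum is the figure floated in the issue, and the sample authenticator data is constructed.

```javascript
// RP policy choice; 1024 is the figure floated in the issue, not a spec limit.
const MAX_CREDENTIAL_ID_LENGTH = 1024;
const FLAG_AT = 0x40;         // "attested credential data included" flag bit
const FIXED_HEADER_LEN = 37;  // rpIdHash (32) + flags (1) + signCount (4)
const AAGUID_LEN = 16;

// Hypothetical helper: returns { ok: true, credentialId } or { ok: false, reason }.
function checkCredentialId(authData, rawId, maxLen = MAX_CREDENTIAL_ID_LENGTH) {
  const fail = (reason) => ({ ok: false, reason });
  if (!Buffer.isBuffer(authData) || !Buffer.isBuffer(rawId)) return fail("inputs must be Buffers");
  // Cheapest check first: reject before touching the attestation structure.
  if (rawId.length === 0 || rawId.length > maxLen) return fail("rawId length outside RP policy");
  const lenOffset = FIXED_HEADER_LEN + AAGUID_LEN;
  if (authData.length < lenOffset + 2) return fail("authenticator data truncated");
  if ((authData[32] & FLAG_AT) === 0) return fail("no attested credential data");
  // credentialIdLength is a 16-bit big-endian field, so the format allows up to 65535.
  const declared = authData.readUInt16BE(lenOffset);
  if (declared === 0 || declared > maxLen) return fail("declared length outside RP policy");
  const start = lenOffset + 2;
  if (start + declared > authData.length) return fail("declared length overruns buffer");
  const credentialId = authData.subarray(start, start + declared);
  // Consistency check chosen for this example: both copies of the ID must agree.
  if (!credentialId.equals(rawId)) return fail("rawId does not match authenticator data");
  return { ok: true, credentialId: Buffer.from(credentialId) };
}

// Constructed sample input: zeroed rpIdHash and AAGUID, and a placeholder
// one-byte CBOR map (0xa0) where the COSE public key would be.
function buildSampleAuthData(credentialId, declaredLen = credentialId.length) {
  const header = Buffer.alloc(FIXED_HEADER_LEN);
  header[32] = FLAG_AT | 0x01; // AT + user present
  const len = Buffer.alloc(2);
  len.writeUInt16BE(declaredLen);
  return Buffer.concat([header, Buffer.alloc(AAGUID_LEN), len, credentialId, Buffer.from([0xa0])]);
}

const sampleId = Buffer.alloc(64, 0x41);   // constructed 64-byte credential ID
console.log(checkCredentialId(buildSampleAuthData(sampleId), sampleId).ok);
const hugeId = Buffer.alloc(2000, 0x42);   // constructed oversized credential ID
console.log(checkCredentialId(buildSampleAuthData(hugeId), hugeId).reason);
```

Checking both the received rawId and the length declared inside the authenticator data means an oversized or inconsistent ID is declined before anything is written to the credential store.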