[webauthn] Can userHandle be an empty string? (#1722)

infinisil has just created a new issue for https://github.com/w3c/webauthn:

== Can userHandle be an empty string? ==
The specification on [`userHandle`](https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle) only mentions that it can be null, it doesn't mention whether the empty string is an allowed value:

> `userHandle`, of type [ArrayBuffer](https://heycam.github.io/webidl/#idl-ArrayBuffer), readonly, nullable: This attribute contains the [user handle](https://www.w3.org/TR/webauthn-2/#user-handle) returned from the authenticator, or null if the authenticator did not return a [user handle](https://www.w3.org/TR/webauthn-2/#user-handle). See [§ 6.3.3 The authenticatorGetAssertion Operation](https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion).

In the reference to [user handle](https://www.w3.org/TR/webauthn-2/#user-handle) there's also no mention regarding empty strings, but there's this:

> The user handle is specified by a [Relying Party](https://www.w3.org/TR/webauthn-2/#relying-party), as the value of [user](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-user).[id](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id)

Where the specification for [id](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id) mentions:

> The [user handle](https://www.w3.org/TR/webauthn-2/#user-handle) MUST NOT contain personally identifying information about the user, such as a username or e-mail address; see [§ 14.6.1 User Handle Contents](https://www.w3.org/TR/webauthn-2/#sctn-user-handle-privacy) for details. The [user handle](https://www.w3.org/TR/webauthn-2/#user-handle) MUST NOT be empty, though it MAY be null.

This is the only mention in the specification disallowing empty values for user handle, but it's very hard to find, and non-obvious whether it actually applies to user handles (does `The user handle is specified by a Relying Party as the value of user.id` mean that only values of `user.id` are valid as a user handle?).

In practice, Safari indeed returns the empty string as a user handle, see https://bugs.webkit.org/show_bug.cgi?id=239737 and https://github.com/tweag/webauthn/pull/148.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1722 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 25 April 2022 19:33:38 UTC