[webauthn] Clarity on challenge length (#1803)

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Clarity on challenge length  ==
## Proposed Change

In examples 1, 3 and 4 in section 1 there is a comment associated with the challenge: 

```
/* 29 more random bytes generated by the server */
```

This intimates the "example" challenge is 32 bytes long. 

In the security considerations section we say: 

```
In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD therefore be at least 16 bytes long.
```

Also in the appidExclude extension processing the challenge sent to the authenticator is described discretely as `32 random bytes`. What would happen if the challenge was shorter, or longer, than this?

I think we should at least define a max challenge length, and potentially a recommended length (which should probably be the max).



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1803 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 21 September 2022 20:00:14 UTC