[webauthn] rp.name, user.name and user.displayName length limit does not state binary encoding (#1994)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== rp.name, user.name and user.displayName length limit does not state binary encoding ==
The definitions of [`PublicKeyCredentialEntity.name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name) and [`PublicKeyCredentialUserEntity.displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) state that

>Authenticators MAY truncate a [name](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name) member’s value so that it fits within 64 bytes [...]

and

>[Authenticators](https://w3c.github.io/webauthn/#authenticator) MUST accept and store a 64-byte minimum length for a [displayName](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) member’s value. Authenticators MAY truncate a [displayName](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) member’s value so that it fits within 64 bytes. [...]

but do not state what binary encoding the 64-byte limit applies to. Both reference [§ 6.4.1 String Truncation](https://w3c.github.io/webauthn/#sctn-strings-truncation) which states that

>[...] truncation SHOULD also respect UTF-8 sequence boundaries or [grapheme cluster](https://w3c.github.io/i18n-glossary/#dfn-grapheme-cluster) boundaries [...]

so presumably UTF-8 is intended, but again this is not explicitly stated - just that the truncation should respect UTF-8 considerations. CTAP2 explicitly states that UTF-8 is used, but not all authenticators use CTAP.

In fact IDL [DOMString](https://webidl.spec.whatwg.org/#idl-DOMString)s are explicitly [sequences of 16-bit code units](https://infra.spec.whatwg.org/#string), which are more naturally represented by UTF-16 or UCS-2. So it could be argued that the length limit of `name` and `displayName` varies depending on what encoding the authenticator happens to use. This makes it practically impossible (in theory, even if in practice most probably (?) use UTF-8) for an RP to determine if a user input is likely to be truncated or not.


## Proposed Change

The length limit for [`PublicKeyCredentialEntity.name`](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name) and [`PublicKeyCredentialUserEntity.displayName`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) should explicitly state the binary encoding the limit applies to. For example:

>Authenticators MAY truncate a [name](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-name) member’s value so that its UTF-8 encoding fits within 64 bytes [...]

and

>[Authenticators](https://w3c.github.io/webauthn/#authenticator) MUST accept and store a [displayName](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) member’s value whose UTF-8 encoding is 64 bytes or shorter. Authenticators MAY truncate a [displayName](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname) member’s value so that its UTF-8 encoding fits within 64 bytes. [...]


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1994 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 7 November 2023 10:26:32 UTC
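
The encoding dependence raised in the issue above, as an added example that is not part of the original message or of the WebAuthn specification: an RP-side check that measures a `name` or `displayName` value in UTF-8 and in UTF-16 against the 64-byte limit and truncates on UTF-8 sequence boundaries. The function names (`utf8Length`, `utf16Length`, `truncateUtf8`, `report`) and the sample strings are assumptions made for illustration.

```javascript
// Added example; helper names and sample inputs are hypothetical.
const LIMIT_BYTES = 64; // the 64-byte figure quoted in the issue

// Size of the string once encoded as UTF-8.
const utf8Length = (s) => new TextEncoder().encode(s).length;
// A DOMString is a sequence of 16-bit code units: 2 bytes per unit in UTF-16.
const utf16Length = (s) => s.length * 2;

// Truncate so the UTF-8 encoding fits in maxBytes, cutting only between
// code points so no multi-byte UTF-8 sequence is split.
function truncateUtf8(s, maxBytes = LIMIT_BYTES) {
  let out = "";
  let used = 0;
  for (const ch of s) { // for...of iterates by code point, not code unit
    const n = utf8Length(ch);
    if (used + n > maxBytes) break;
    out += ch;
    used += n;
  }
  return out;
}

// Summarise how one value fares under each encoding.
function report(s) {
  const utf8 = utf8Length(s);
  const utf16 = utf16Length(s);
  return {
    utf8,
    utf16,
    fitsUtf8: utf8 <= LIMIT_BYTES,
    fitsUtf16: utf16 <= LIMIT_BYTES,
    truncated: truncateUtf8(s),
  };
}

// Constructed sample inputs: the same limit gives opposite answers.
const samples = {
  ascii: "a".repeat(40),  // fits as UTF-8, too long as UTF-16
  cjk: "名".repeat(30),    // too long as UTF-8, fits as UTF-16
  emoji: "😀".repeat(17),  // 4 bytes per character in both encodings
};

for (const [label, value] of Object.entries(samples)) {
  const r = report(value);
  console.log(label, r.utf8, r.utf16, r.fitsUtf8, r.fitsUtf16);
}
```
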