- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Wed, 10 Jan 2024 12:30:15 +0000
- To: public-webauthn@w3.org

The spec is pretty clear that `userId` should _not_ be a string identifier but a random array buffer. Those will almost never be valid UTF-8 strings. Encoding as UTF-8 seems incompatible with what the spec wants? Or do we also want to change that?

> the [Relying Party](https://w3c.github.io/webauthn/#relying-party) MUST NOT include personally identifying information, e.g., e-mail addresses or usernames, in the [user handle](https://w3c.github.io/webauthn/#user-handle). This includes hash values of personally identifying information, unless the hash function is [salted](https://tools.ietf.org/html/rfc4949#page-258) with [salt](https://tools.ietf.org/html/rfc4949#page-258) values private to the [Relying Party](https://w3c.github.io/webauthn/#relying-party), since hashing does not prevent probing for guessable input values. **It is RECOMMENDED to let the [user handle](https://w3c.github.io/webauthn/#user-handle) be 64 random bytes, and store this value in the [user account](https://w3c.github.io/webauthn/#user-account).**

--
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2013#issuecomment-1884760400 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 10 January 2024 12:30:18 UTC
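
The mismatch raised in the comment above, as an added example that is not part of the original message or of the WebAuthn spec: a 64-byte random user handle is generated, a strict UTF-8 check is run on constructed sample bytes, and a lossy UTF-8 round trip is compared with base64url, which preserves every byte. The helper names and the sample bytes are assumptions made for illustration, and the code targets Node.js.

```javascript
// Added example for Node.js; helper names are hypothetical, not from the spec.
// Browsers and Node 19+ expose Web Crypto globally; older Node falls back to the module.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// The RECOMMENDED user handle: 64 random bytes, stored with the user account.
function newUserHandle() {
  return webcrypto.getRandomValues(new Uint8Array(64));
}

// Strict check: a fatal decoder throws on the first ill-formed sequence.
function isValidUtf8(bytes) {
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    return true;
  } catch {
    return false;
  }
}

// A non-strict decode/encode pair replaces each ill-formed sequence
// with U+FFFD (bytes EF BF BD), so the original handle is not recoverable.
function lossyUtf8RoundTrip(bytes) {
  return new TextEncoder().encode(new TextDecoder().decode(bytes));
}

// Byte-preserving text form for JSON, logs or database columns.
function toBase64Url(bytes) {
  return Buffer.from(bytes).toString('base64url');
}

function fromBase64Url(text) {
  return new Uint8Array(Buffer.from(text, 'base64url'));
}

// Constructed sample bytes (not a real user handle) containing ill-formed UTF-8.
const SAMPLE_HANDLE = Uint8Array.from([0x9f, 0x00, 0xc3, 0x28, 0xff, 0x41]);

function demo() {
  const handle = newUserHandle();
  const restored = fromBase64Url(toBase64Url(handle));
  return {
    length: handle.length,
    sampleIsUtf8: isValidUtf8(SAMPLE_HANDLE),
    lossyLength: lossyUtf8RoundTrip(SAMPLE_HANDLE).length,
    sampleText: toBase64Url(SAMPLE_HANDLE),
    roundTripOk: Buffer.compare(Buffer.from(handle), Buffer.from(restored)) === 0,
  };
}

console.log(demo());
```
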