Re: [webauthn] Improved version of extension for Transaction Confirmation (#2020)

I am OK with keeping the content plain text. Anything is better for us than nothing. 😊

@andrewkozlik I have spent quite some time in mobile banking, dealing with various screen sizes and varying line-break outputs. This does not present a problem in practice. I would even say that the WYSIWYS principle is even more open. You always sign some bits, but you never see those - WYSIWYS does not have to take into account:

- font family, color and size (which the user can modify by enabling color filters or assistive features)
- text breaking on a display (which may depend on screen resolution)
- symbol replacement (i.e., changing EUR for the € sign)
- even the localization (meaning it is OK to see "Please approve payment of 100.00 EUR to account 123123/0100" message while signing byte representation of `A2*A100.00EUR*Q123123/0100`, as long as you can justify the texts have equal meaning and the mapping is correct, plus this allows you to change language dynamically)

After all, at various points, you need to trust the system for the correct WYSIWYS, i.e., the display has to display what you tell it to (which is kind of expected), the fonts installed in the system must result in displaying the right message, etc.

We have confirmed this principle when discussing signing in our mobile authenticator.

As a result, if we put some text in the `txAuthSimple`, I would argue that we should work with this text "as is" in anything related to cryptography. Authenticators can put any formatting to the text for presentation purposes, but this should live independently from signing...

-- 
GitHub Notification of comment by petrdvorak
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2020#issuecomment-1989173085 using your GitHub account


Received on Monday, 11 March 2024 18:33:11 UTC
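
Added example, not part of the original comment or of the WebAuthn specification: a Python illustration of the separation argued in the comment, where the text is signed byte-for-byte as received and the rendering (line wrapping, € substitution, localization) is computed independently. HMAC-SHA256 stands in for the authenticator's signature; the key, the assumed field layout, the templates and all function names are assumptions.

```python
import hashlib
import hmac
import textwrap

# Constructed sample: the compact string quoted in the comment above.
SIGNED_TEXT = "A2*A100.00EUR*Q123123/0100"
KEY = b"constructed-demo-key"  # stand-in for the authenticator's credential key

# Hypothetical display templates; the field layout assumed here
# (template id, A<amount><currency>, Q<account>) is not defined on the page.
TEMPLATES = {
    "en": "Please approve payment of {amount} {cur} to account {account}",
    "cs": "Potvrďte prosím platbu {amount} {cur} na účet {account}",
}

def sign(text):
    """Sign the UTF-8 bytes of the text exactly as received (HMAC as a stand-in)."""
    return hmac.new(KEY, text.encode("utf-8"), hashlib.sha256).digest()

def verify(text, tag):
    """Relying-party side: check the tag against the text it originally sent."""
    return hmac.compare_digest(sign(text), tag)

def render(text, lang="en", width=80, symbol=False):
    """Build what the user sees; nothing here feeds back into signing."""
    _template_id, amount_field, account_field = text.split("*")
    if not (amount_field.startswith("A") and account_field.startswith("Q")):
        raise ValueError("unexpected field layout")
    amount, cur = amount_field[1:-3], amount_field[-3:]
    if symbol and cur == "EUR":
        cur = "€"
    msg = TEMPLATES[lang].format(amount=amount, cur=cur, account=account_field[1:])
    return textwrap.fill(msg, width=width)

def approve(text, **presentation):
    """Authenticator side: show a rendering, sign the original bytes."""
    return render(text, **presentation), sign(text)

if __name__ == "__main__":
    for opts in ({}, {"width": 24}, {"symbol": True}, {"lang": "cs"}):
        shown, tag = approve(SIGNED_TEXT, **opts)
        print(repr(shown), verify(SIGNED_TEXT, tag))
```

Every presentation variant yields the same tag, while a tag computed over a rendered string would not verify against the text the relying party sent.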