[webauthn] Empty strings are not valid RFC 8266 Nicknames (#2068)

zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Empty strings are not valid RFC 8266 Nicknames ==
[The enforcement rule for the Nickname Profile in RFC 8266](https://www.rfc-editor.org/rfc/rfc8266#section-2.3) expressly forbids empty strings:

> After all of the foregoing rules have been enforced, the entity MUST ensure that the nickname is not zero bytes in length (this is done after enforcing the rules to prevent applications from mistakenly omitting a nickname entirely, because when internationalized strings are accepted a non-empty sequence of characters can result in a zero-length nickname after canonicalization).

This seems to contradict the recommendation for RPs to set [`PublicKeyCredentialUserEntity.displayName`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialuserentity-displayname) to the empty string when "no suitable or [human-palatable](https://www.w3.org/TR/webauthn-3/#human-palatability) name is available" while also recommending RPs and clients enforce the rule:

> [Relying Parties](https://www.w3.org/TR/webauthn-3/#relying-party) SHOULD perform enforcement, as prescribed in Section 2.3 of [[RFC8266]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8266) for the Nickname Profile of the PRECIS FreeformClass [[RFC8264]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8264), when setting [displayName](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialuserentity-displayname)'s value, or displaying the value to the user.

> [Clients](https://www.w3.org/TR/webauthn-3/#client) SHOULD perform enforcement, as prescribed in Section 2.3 of [[RFC8266]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8266) for the Nickname Profile of the PRECIS FreeformClass [[RFC8264]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8264), on [displayName](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialuserentity-displayname)'s value prior to displaying the value to the user or including the value as a parameter of the [authenticatorMakeCredential](https://www.w3.org/TR/webauthn-3/#authenticatormakecredential) operation.

Should the spec be changed to state that rule enforcement SHOULD only occur when `displayName` is not empty? I was personally bitten by this omission in the RP library I am writing.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2068 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 4 May 2024 22:08:52 UTC
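As an added example (not code from the issue, the spec, or the author's library), the contradiction above as it surfaces in RP-side Python: a literal RFC 8266 section 2.3 enforcement rejects the empty `displayName` that WebAuthn recommends, and also turns some non-empty, all-whitespace inputs into the empty string. The FreeformClass preparation step is simplified to rejecting control characters, and all sample strings are constructed; both are assumptions of this example.

```python
"""Added example: RFC 8266 Nickname profile enforcement on an RP, showing
why the empty WebAuthn displayName conflicts with the non-empty check."""
import unicodedata


class NicknameError(ValueError):
    """Raised when a string fails RFC 8266 section 2.3 enforcement."""


def enforce_nickname(s: str) -> str:
    """Strict RFC 8266 section 2.3 enforcement: an empty result is an error.

    Preparation (RFC 8264 FreeformClass) is simplified here to rejecting
    control characters (general category Cc); the real class excludes more.
    The Additional Mapping Rule and the Normalization Rule (NFKC) are then
    applied in the order the RFC prescribes. Enforcement does not lowercase;
    that is part of the comparison rules, not enforcement.
    """
    if any(unicodedata.category(c) == "Cc" for c in s):
        raise NicknameError("control character not allowed in FreeformClass")
    # Additional Mapping Rule (a): any Zs code point other than U+0020 -> U+0020
    s = "".join(" " if unicodedata.category(c) == "Zs" else c for c in s)
    # (b) drop leading/trailing ASCII spaces, (c) collapse interior runs to one
    s = " ".join(part for part in s.split(" ") if part)
    # Normalization Rule: NFKC (this is also where width mapping happens)
    s = unicodedata.normalize("NFKC", s)
    # Final check from section 2.3: the nickname MUST NOT be zero bytes long
    if len(s.encode("utf-8")) == 0:
        raise NicknameError("nickname is empty after enforcement")
    return s


def is_valid_nickname(s: str) -> bool:
    """True if enforcement succeeds; False for control chars or an empty result."""
    try:
        enforce_nickname(s)
        return True
    except NicknameError:
        return False


def rp_display_name(s: str) -> str:
    """The behaviour the issue asks the spec to state explicitly: skip
    enforcement for the empty string (WebAuthn's 'no suitable name' value)
    and enforce the Nickname profile on everything else."""
    if s == "":
        return ""
    return enforce_nickname(s)
```

`is_valid_nickname("")` is False, which is the literal reading of the RFC the issue objects to, while `rp_display_name("")` returns the empty string the WebAuthn text recommends.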