Re: [webauthn] Disallow empty strings (#2073)

> If the value can't be empty, what should sites who don't have a value set it to?
> 
> Also, we can't make it `optional` without leaving a trap for sites which will then break with all clients that haven't been updated with that.
> 
> It's not clear that RFC8266 is worth the reference here. It's concerned with contexts where a nickname is presented to other users of the system. But, in WebAuthn, it's only presented to that _same_ person.

To be clear, I never advocated for disallowing empty strings for `displayName`. I advocated for consistency in the spec recommendations where adherence to the stated recommendations doesn't cause issues. Merely amending the spec to explicitly state that Nickname enforcement SHOULD be done by both RPs and clients for _non-empty strings_ is fine with me.

Something like below:


> - [Relying Parties](https://www.w3.org/TR/webauthn-3/#relying-party) SHOULD perform enforcement, as prescribed in Section 2.3 of [[RFC8266]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8266) for the Nickname Profile of the PRECIS FreeformClass [[RFC8264]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8264), when setting [`displayName`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialuserentity-displayname)'s value to a non-empty string, or displaying the non-empty value to the user.
>
> -    This string MAY contain language and direction metadata. [Relying Parties](https://www.w3.org/TR/webauthn-3/#relying-party) SHOULD consider providing this information. See [§ 6.4.2 Language and Direction Encoding](https://www.w3.org/TR/webauthn-3/#sctn-strings-langdir) about how this metadata is encoded.
>
> -    [Clients](https://www.w3.org/TR/webauthn-3/#client) SHOULD perform enforcement, as prescribed in Section 2.3 of [[RFC8266]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8266) for the Nickname Profile of the PRECIS FreeformClass [[RFC8264]](https://www.w3.org/TR/webauthn-3/#biblio-rfc8264), on [`displayName`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialuserentity-displayname)'s value prior to displaying the value to the user or including the value as a parameter of the [authenticatorMakeCredential](https://www.w3.org/TR/webauthn-3/#authenticatormakecredential) operation when the value is non-empty.

The RP library I am writing followed the spec precisely; and when I set the `displayName` to an empty string while simultaneously enforcing the Nickname Profile, an error came up.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2073#issuecomment-2127397763 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 23 May 2024 15:15:33 UTC
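
The interaction described in the comment above, as an added example that is not code from the spec, the commenter, or any RP library: RFC 8266 Section 2.3 enforcement ends with a zero-length check, so an empty `displayName` fails unless enforcement is skipped for it. `applyNicknameRules`, `enforceNickname` and `prepareDisplayName` are hypothetical names, and the PRECIS FreeformClass code point check is reduced here to rejecting control characters.

```javascript
// Added example, not spec or library code. The PRECIS FreeformClass code
// point check is reduced to rejecting control characters (an assumption).
function applyNicknameRules(s) {
  return s
    .replace(/\p{Zs}/gu, " ")  // map every space separator to U+0020
    .replace(/^ +| +$/g, "")   // remove leading and trailing spaces
    .replace(/ {2,}/g, " ")    // collapse runs of spaces to a single space
    .normalize("NFKC");        // normalization rule; case mapping is for comparison only
}

// Enforcement in the sense of RFC 8266 Section 2.3 (simplified).
function enforceNickname(input) {
  let s = applyNicknameRules(input);
  let stable = false;
  // Re-apply up to three more times; NFKC can itself produce new spaces.
  for (let i = 0; i < 3 && !stable; i++) {
    const next = applyNicknameRules(s);
    stable = next === s;
    s = next;
  }
  if (!stable) throw new RangeError("nickname did not stabilize");
  if (/\p{Cc}/u.test(s)) throw new RangeError("control character in nickname");
  // Final rule: the result must not be zero-length. This is the check an
  // empty displayName trips when enforcement is applied unconditionally.
  if (s.length === 0) throw new RangeError("nickname is empty after enforcement");
  return s;
}

// Hypothetical RP-side helper following the wording proposed in the comment:
// enforce only when displayName is a non-empty string.
function prepareDisplayName(displayName) {
  return displayName === "" ? "" : enforceNickname(displayName);
}
```

A value that is non-empty on input but consists only of spaces still fails, because the zero-length check runs after the space mapping.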