- From: philomathic_life via GitHub <noreply@w3.org>
- Date: Sun, 01 Jun 2025 17:03:15 +0000
- To: public-webauthn@w3.org
zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Increase/remove maximum length requirement for credential ID ==

[According to the spec](https://w3c.github.io/webauthn/#credential-id), the maximum length of a credential ID is 1023 bytes. This length is far too limiting, at least for server-side credentials.

This has always been true for RSA keys of substantial length. For example, [RFC 8230 § 6.1](https://www.rfc-editor.org/rfc/rfc8230#section-6.1) recommends support for keys whose modulus is up to 16K bits/2048 bytes, which is impossible to encrypt and embed within a credential ID while maintaining a length of at most 1023.

Now with post-quantum signature schemes becoming more popular, the length limit is literally impossible to meet for server-side credentials. For example, ML-DSA was added to the COSE registry [specifically for WebAuthn](https://www.ietf.org/archive/id/draft-vitap-ml-dsa-webauthn-00.html). The private keys for ML-DSA are quite large (e.g., ML-DSA-44 private keys are 2560 bytes) and consequently cannot be used for server-side-stored credentials. I don't think it makes sense to (implicitly) restrict signature schemes with actual cryptographic benefits to just passkeys.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2299 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 1 June 2025 17:03:16 UTC
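The server-side credential pattern the issue refers to, as an added illustration that is not part of the post or of the WebAuthn spec: the RP wraps the private key and stores the wrapped blob as the credential ID, so the 1023-byte limit caps the key at 1023 minus the envelope overhead. The HMAC-based counter-mode cipher and the `_subkey`/`_keystream` helpers are a constructed stand-in for the AES-GCM an RP would really use; the overhead (12-byte nonce, 16-byte tag) is sized to match, and the key sizes are the figures quoted in the issue.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

MAX_CREDENTIAL_ID_LEN = 1023  # limit cited in the issue
NONCE_LEN = 12  # nonce and tag sized like AES-GCM, so the overhead
TAG_LEN = 16    # matches what a real AEAD envelope would add

# Constructed sizes from the issue: Ed25519 seed, 16K-bit RSA modulus, ML-DSA-44 key.
KEY_SIZES = {"ed25519": 32, "rsa-16k-modulus": 2048, "ml-dsa-44": 2560}


def _subkey(rp_key: bytes, label: bytes) -> bytes:
    return hmac.new(rp_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for AES-CTR, not a real cipher.
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def wrap_private_key(rp_key: bytes, private_key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Build a server-side credential ID as nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(_subkey(rp_key, b"enc"), nonce, len(private_key))
    ct = bytes(p ^ k for p, k in zip(private_key, ks))
    tag = hmac.new(_subkey(rp_key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    cred_id = nonce + ct + tag
    if len(cred_id) > MAX_CREDENTIAL_ID_LEN:
        raise ValueError(f"credential ID would be {len(cred_id)} bytes; limit is {MAX_CREDENTIAL_ID_LEN}")
    return cred_id


def unwrap_private_key(rp_key: bytes, cred_id: bytes) -> bytes:
    """Recover the private key, checking the tag before decrypting (encrypt-then-MAC)."""
    nonce, ct, tag = cred_id[:NONCE_LEN], cred_id[NONCE_LEN:-TAG_LEN], cred_id[-TAG_LEN:]
    expected = hmac.new(_subkey(rp_key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential ID authentication failed")
    ks = _keystream(_subkey(rp_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def fits_in_credential_id(private_key_len: int) -> bool:
    # Largest key a 1023-byte credential ID can carry: 1023 - 12 - 16 = 995 bytes.
    return private_key_len + NONCE_LEN + TAG_LEN <= MAX_CREDENTIAL_ID_LEN
```

With the sizes from the issue, only the Ed25519 seed fits; both the 2048-byte RSA modulus and the 2560-byte ML-DSA-44 key overrun the limit before any nonce or tag is added.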