Re: [webauthn] Increase/remove maximum length requirement for credential ID (#2299)

@emlun, one thing that's inconsistent with the spec is how some things are required in order to satisfy resource-constrained authenticators (e.g., credential ID maximum length), while other things are only recommended or cautioned against (e.g., string truncation for fields like `PublicKeyCredentialUserEntity.displayName`). To me, it would be more appropriate for the maximum length of credential ID to be a recommendation. The attested credential data already forces the maximum length to be 65,535, so I'm not sure what benefit there ever was to restrict this further to 1023.

I don't care about RSA, but I think it's possible for newer keys with cryptographic benefits to "outgrow" this size constraint, making them unusable for server-side situations or requiring a change in the spec. I think it's one thing for an authenticator to not be able to support certain keys and another thing to outright forbid keys at the spec level, which this credential ID maximum length requirement does. Sure, an authenticator can always choose to store the credential client-side to circumvent the credential ID length requirement in the event a private key cannot be stored in a smaller format (e.g., a "seed"), but that seems unfortunate.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2299#issuecomment-2931631273 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 2 June 2025 17:08:02 UTC
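As an added illustration of the format point made in the comment (the 16-bit credentialIdLength field in attested credential data can carry up to 65,535 bytes, while the spec requires at most 1023), the following Python is editor-written example code, not from the thread or the WebAuthn project. The authData it builds for testing is a constructed sample with placeholder rpIdHash, AAGUID and public key, and the status strings are the example's own labels.

```python
"""Parse WebAuthn authenticator data and check the credential ID length."""
import struct

FLAG_AT = 0x40              # authData flag bit: attested credential data present
SPEC_MAX_CRED_ID = 1023     # credential ID length requirement in the spec
FIELD_MAX_CRED_ID = 0xFFFF  # ceiling implied by the 16-bit credentialIdLength


def parse_attested_credential_data(auth_data: bytes) -> dict:
    """Split authData into header and attested credential data; returns a dict
    with rp_id_hash, flags, sign_count, aaguid, credential_id and rest (the
    credentialPublicKey CBOR plus extensions). Raises ValueError when malformed."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the fixed 37-byte header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data present")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("truncated aaguid/credentialIdLength")
    aaguid = auth_data[37:53]
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])  # big-endian uint16
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("credentialIdLength runs past the end of authData")
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id,
            "rest": auth_data[55 + cred_id_len:]}


def credential_id_status(cred_id: bytes) -> str:
    """Classify a credential ID length: encodable in the field vs. allowed by spec."""
    n = len(cred_id)
    if n > FIELD_MAX_CRED_ID:
        return "not encodable"                  # cannot be carried in a uint16 length
    if n > SPEC_MAX_CRED_ID:
        return "encodable but over spec limit"  # the gap the comment points at
    return "within spec limit"


def build_auth_data(cred_id: bytes, sign_count: int = 0) -> bytes:
    """Construct a minimal authData for testing (constructed sample, not from a
    real authenticator): fixed rpIdHash, zero AAGUID, empty CBOR map as the key."""
    if len(cred_id) > FIELD_MAX_CRED_ID:
        raise ValueError("credential ID does not fit the 16-bit length field")
    header = b"\x11" * 32 + bytes([FLAG_AT | 0x01]) + struct.pack(">I", sign_count)
    return (header + b"\x00" * 16 + struct.pack(">H", len(cred_id))
            + cred_id + b"\xa0")  # 0xa0 = empty CBOR map standing in for the key
```

A relying party can run `credential_id_status` on the parsed `credential_id` during registration to log authenticators that emit IDs the field can carry but the spec forbids.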