Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rp.name, user.name and user.displayName length limit does not state binary encoding #1994

Closed
emlun opened this issue Nov 7, 2023 · 2 comments · Fixed by #2017
Closed

rp.name, user.name and user.displayName length limit does not state binary encoding #1994

emlun opened this issue Nov 7, 2023 · 2 comments · Fixed by #2017
Assignees
@emlun @nsatragno
Labels
i18n-needs-resolution Issue the Internationalization Group has raised and looks for a response on. stat:pr-open type:technical
Milestone
L3-WD-02

Comments

@emlun
Copy link
Member

emlun commented Nov 7, 2023

The definitions of PublicKeyCredentialEntity.name and PublicKeyCredentialUserEntity.displayName state that

Authenticators MAY truncate a name member’s value so that it fits within 64 bytes [...]

and

Authenticators MUST accept and store a 64-byte minimum length for a displayName member’s value. Authenticators MAY truncate a displayName member’s value so that it fits within 64 bytes. [...]

but do not state what binary encoding the 64 byte limit applies to. Both reference § 6.4.1 String Truncation which states that

[...] truncation SHOULD also respect UTF-8 sequence boundaries or grapheme cluster boundaries [...]

so presumably UTF-8 is intended, but again this is not explicitly stated - just that the truncation should respect UTF-8 considerations. CTAP2 explicitly states that UTF-8 is used, but not all authenticators use CTAP.

In fact IDL DOMStrings are explicitly sequences of 16-bit code units, which are more naturally represented by UTF-16 or UCS-2. So it could be argued that the length limit of name and displayName varies depending on what encoding the authenticator happens to use. This makes it practically impossible (in theory, even if in practice most probably (?) use UTF-8) for an RP to determine if a user input is likely to be truncated or not.

Proposed Change

The length limit for PublicKeyCredentialEntity.name and PublicKeyCredentialUserEntity.displayName should explicitly state the binary encoding the limit applies to. For example:

Authenticators MAY truncate a name member’s value so that its UTF-8 encoding fits within 64 bytes [...]

and

Authenticators MUST accept and store a displayName member’s value whose UTF-8 encoding is 64 bytes or shorter. Authenticators MAY truncate a displayName member’s value so that its UTF-8 encoding fits within 64 bytes. [...]
@emlun emlun mentioned this issue Nov 7, 2023
Merged
@Firstyear
Copy link
Contributor

Seems like a reasonable change to me :)

@emlun emlun self-assigned this Dec 13, 2023
@nadalin nadalin added this to the L3-WD-02 milestone Dec 13, 2023
@plehegar plehegar added the i18n-tracker Group bringing to attention of Internationalization, or tracked by i18n but not needing response. label Dec 13, 2023
@w3cbot w3cbot mentioned this issue Dec 13, 2023
Closed
@aphillips aphillips mentioned this issue Dec 14, 2023
Open
@aphillips aphillips added i18n-needs-resolution Issue the Internationalization Group has raised and looks for a response on. and removed i18n-tracker Group bringing to attention of Internationalization, or tracked by i18n but not needing response. labels Dec 14, 2023
@aphillips
Copy link

The I18N WG discussed this in our teleconference of 2023-12-14 and has promoted this to a "needs-resolution" item. We agree that the description of truncation needs to clarify about the character encoding (not just the length).

The discussion of truncation in the current document appears to assume UTF-8 and that would be appropriate to specify, if it were limited to (say) a JSON file. However, it is possible to interpret the authenticator's length restriction to mean some sort of local storage in some arbitrary encoding.

@This78 This78 mentioned this issue Dec 18, 2023
Merged
@emlun emlun mentioned this issue Jan 19, 2024
Merged
@nsatragno nsatragno self-assigned this Jan 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emlun emlun

@nsatragno nsatragno

Labels
i18n-needs-resolution Issue the Internationalization Group has raised and looks for a response on. stat:pr-open type:technical
Projects
None yet
Milestone
L3-WD-02
Development

Successfully merging a pull request may close this issue.

Explicitly specify binary encoding for string truncation w3c/webauthn
6 participants
@aphillips @Firstyear @emlun @plehegar @nsatragno @nadalin