-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sensible limits for RP and User Entity fields. #667
Conversation
PR for #660 |
Is this meant for resident credentials only? |
I presume you are referring to Client-side-resident Credential Private Keys ? |
@equalsJeffH Yes, that's what I meant. The presumption that the values will be stored make sense only in that context, right? Actually there's no mention at all in #op-make-cred about storing any of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems nominally ok to me. Suggested rephrasing below, hence changes requested.
Overall, authenticator-vendor type folk ought to weigh-in on whether these stipulations are OK.
index.bs
Outdated
@@ -1274,11 +1274,14 @@ associated. | |||
<div dfn-type="dict-member" dfn-for="PublicKeyCredentialEntity"> | |||
: <dfn>name</dfn> | |||
:: A human-friendly identifier for the entity. For example, this could be a company name for a [=[RP]=], or a | |||
user's name. This identifier is intended for display. | |||
user's name. This identifier is intended for display. Authenticators while creating a credential MUST support | |||
minimum of 64 bytes for this field and optionally can truncate how much it wants to store if this field is more than 64 bytes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggested re-write:
[=Authenticators=] MUST support a 64 byte minimum length for a [=PublicKeyCredentialEntity/name=] members's value. Authenticators MAY truncate a [=PublicKeyCredentialEntity/name=] member's value to a length equal to or greater than 64 bytes.
index.bs
Outdated
a user's avatar or a [=[RP]=]'s logo. This URL MUST be an [=a priori authenticated URL=]. | ||
a user's avatar or a [=[RP]=]'s logo. This URL MUST be an [=a priori authenticated URL=]. Authenticators while | ||
creating a credential MUST support minimum of 128 bytes for this field and optionally can drop this field if | ||
this field is more than 128 bytes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggested re-write:
[=Authenticators=] MUST support a 128 byte minimum length for a [=PublicKeyCredentialEntity/icon=] members's value. Authenticators MAY ignore a [=PublicKeyCredentialEntity/icon=] members's value if its length is greater than 128 byes.
index.bs
Outdated
@@ -1315,7 +1318,8 @@ credential. | |||
:: The [=user handle=] of the user account entity. | |||
|
|||
: <dfn>displayName</dfn> | |||
:: A friendly name for the user account (e.g., "John P. Smith"). | |||
:: A friendly name for the user account (e.g., "John P. Smith"). Authenticators while creating a credential MUST support | |||
minimum of 64 bytes for this field and optionally can truncate how much it wants to store if this field is more than 64 bytes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggested re-write:
[=Authenticators=] MUST support a 64 byte minimum length for a [=PublicKeyCredentialEntity/displayName=] members's value. Authenticators MAY truncate a [=PublicKeyCredentialEntity/displayName=] member's value to a length equal to or greater than 64 bytes.
review submitted, changes requested: #667 (review) |
Sorry, I didn't mean to imply that a length limit is nonsensical for RP-stored credentials. My thinking was that the MUST could seem to clash with if the authenticator won't store the values at all - like U2F devices, do they "support" 64 bytes by not storing the value? Anyway, #623 looks like it addresses most of my above thoughts. |
@equalsJeffH : Can you review again? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"support" is open to interpretation.
index.bs
Outdated
user's name. This identifier is intended for display. | ||
user's name. This identifier is intended for display. [=Authenticators=] MUST support a 64 byte minimum length | ||
for a [=PublicKeyCredentialEntity/name=] members's value. Authenticators MAY truncate a | ||
[=PublicKeyCredentialEntity/name=] member's value to a length equal to or greater than 64 bytes. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"support" is open to interpretation. Are you requiring for example that the authenticator must be able to display 64 bytes worth of characters?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Displaying is not applicable for UI less authenticators on authenticator side but needed for multiple accounts scenario where Platform shows the UI. So Authenticators MUST "Store". I think we don't need to be explain every type of authenticators now or come in future? I believe "support" is better word. What do you suggest?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you mean accept and store, then write accept and store? It is what you need while "support" covers every possible use of the string, including displaying.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright.. I changed it to "accept and store".
I approved these revised changes from my non-authnr-vendor-perspective, as they appear to be a step in the right direction. However, I offer the following observations/caveats:
These items perhaps should be turned into yet more issues :) |
btw, I observed several bikeshed errors when compiling index.bs -- we oughta clean those up before any merging. |
Incorporated feedback and merging. |
Preview | Diff