w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Add support for IDNs and display domain names in Unicode for a more user friendly UX #2087

Closed Rodrigue2g closed 4 months ago

Rodrigue2g commented 5 months ago

Description

With domain names sometimes becoming difficult to find, I feel like support for IDNs (domain names with special characters) is becoming more important. Personally I have a special character in my domain name and it brings along its set of complications. One of the prominent ones is the UI displayed for the mediation. Even though most browsers now support IDNs, the conditional UI for a passkey ceremony displays my domain name in punycode, which can confuse users, who can end up not trusting the domain (or not understanding what is happening).

As passkeys are a new technology, when introducing them to users, I often had feedback from people not really understanding what was happening and what a passkey really was. I know this might take a bit of time to make people really understand and trust passkeys, but I believe that clear UI is essential in order for this to happen. Thus it would be better if we could display IDNs in Unicode for the UI, while still converting them to punycode behind the scenes.

As an example, here is a screen capture of a passkey ceremony on my RP. The domain designø.com becomes xn--design-gya.com in punycode, which can lead to major trust issues or misunderstanding for users. I don't think this would be such an impacting change as well, for example, as you can see below, the username displayed also contains a special character, but is still converted to punycode by my RP.

Overall, I think a clear definition of where Unicode or punycode should be used (for authenticators as well) to make sure the right UI is displayed everywhere would make the life of RPs with IDNs a lot easier and confuse a lot fewer users.

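The conversion the post above asks clients to perform for display, as an added example that is not part of the original issue, the WebAuthn specification, or any browser's code: an RFC 3492 Punycode decoder that turns `xn--` labels of a host name back into Unicode. The function names (`punycodeDecode`, `hostForDisplay`) are hypothetical, and labels that fail to decode are shown unchanged.

```javascript
// Added example (not from the issue): decode "xn--" labels for display only.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation from RFC 3492, section 6.1.
function adapt(delta, numPoints, first) {
  delta = first ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

function digitValue(ch) {
  const c = ch.toLowerCase().charCodeAt(0);
  if (c >= 97 && c <= 122) return c - 97;      // a-z => 0..25
  if (c >= 48 && c <= 57) return c - 48 + 26;  // 0-9 => 26..35
  throw new RangeError("invalid Punycode digit: " + ch);
}

// Decode one label body (the part after "xn--").
function punycodeDecode(input) {
  const cut = input.lastIndexOf("-");          // last delimiter, if any
  const out = cut > 0 ? Array.from(input.slice(0, cut)) : [];
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  let pos = cut > 0 ? cut + 1 : 0;
  while (pos < input.length) {
    const oldI = i;
    for (let w = 1, k = BASE; ; k += BASE) {   // read one variable-length integer
      if (pos >= input.length) throw new RangeError("truncated Punycode");
      const d = digitValue(input[pos++]);
      i += d * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (d < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldI, out.length + 1, oldI === 0);
    n += Math.floor(i / (out.length + 1));     // code point to insert
    i %= out.length + 1;                       // position to insert it at
    if (n > 0x10ffff) throw new RangeError("code point out of range");
    out.splice(i++, 0, String.fromCodePoint(n));
  }
  return out.join("");
}

// The ASCII form stays the value used for the RP ID; this is for UI text only.
function hostForDisplay(host) {
  return host.split(".").map((label) => {
    if (!label.toLowerCase().startsWith("xn--")) return label;
    try { return punycodeDecode(label.slice(4)); } catch { return label; }
  }).join(".");
}
```

This performs Punycode decoding only; it does not apply the IDNA validity checks a client would run before choosing to show a Unicode label.
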
timcappalli commented 5 months ago

@Rodrigue2g I don't think this is a WebAuthn specification issue. Each WebAuthn client is responsible for their UI. I would recommend opening bugs against browser engines which are showing the punycode origin.

In this repo, when you click New Issue, you'll see links to the various browser engines' bug reporting sites.

Rodrigue2g commented 5 months ago

Ok yes that makes sense indeed. As this happened on all the browsers I tested, I first thought of opening the issue here but I will then open issues for each of them. Thank you for your advice.

pascoej commented 4 months ago

This is covered by https://bugs.webkit.org/show_bug.cgi?id=275493 as an implementation issue.

timcappalli commented 4 months ago

Confirmed on 2024-06-26 call that this is not a WebAuthn issue and should be reported to clients directly.