w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Remove rp.name #2121

Open nsatragno opened 1 month ago

nsatragno commented 1 month ago

Proposed Change

Remove, deprecate, or ignore PublicKeyCredentialRPEntity.name. It's not used by any credential provider that I know about.

This might be tricky because it's inherited from PublicKeyCredentialEntity.name.

emlun commented 1 month ago

Summary of the discussion on the 2024-08-14 WG call:

emlun commented 1 month ago

As also mentioned in the discussion, we probably can't actually remove rp.name, or make it optional, since it's required in L1 and L2. Both of those changes would create a trap where RPs don't include rp.name, since it's not required, but when that code happens to run in an L1 or L2 client it would raise a TypeError since the attribute is required in that version.

Instead, there was consensus on the call in favour of simply changing the definition and description of rp.name to "unused and meaningless, but still required for backwards compatibility, so just set it to empty string".

zacknewman commented 1 month ago

Instead, there was consensus on the call in favour of simply changing the definition and description of rp.name to "unused and meaningless, but still required for backwards compatibility, so just set it to empty string".

Setting it to an empty string will not be backwards compatible for clients that enforce the Nickname profile as recommended by the L2 spec since empty strings are not valid Nicknames; however enforcing Nicknames is “only” a recommendation and is likely not enforced by many clients.

nicksteele commented 3 days ago

General sentiment from the 2024-9-11 call seemed to be in favor of deprecation

emlun commented 3 days ago

2024-09-11 WG call: Hearing consensus in favour of deprecating rp.name. @emlun to write a PR.

@zacknewman has a fair point that empty string may not be an entirely safe fallback value. We don't know of any clients that actually enforce the nickname profile, but still.
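The two compatibility concerns raised in this thread (a missing `rp.name` throwing a TypeError in a Level 1/Level 2 client, and an empty string failing the Nickname profile in a client that enforces it) can be reproduced without a browser by simulating the client-side conversion step. The following is an added example, not code from the WebAuthn specification or from any participant in this issue: `convertRpEntity` mimics the WebIDL dictionary conversion of `PublicKeyCredentialRpEntity` (a `required` member that is absent or `undefined` causes a TypeError, as in real WebIDL), and the `enforceNickname` option is a simplified stand-in for the RFC 8266 Nickname profile that models only its "must not be empty after processing" rule. The `requireName` option, the helper names and the client labels are assumptions of this example.

```javascript
// Added example (not from the WebAuthn spec or the issue thread).
// Simulates the WebIDL conversion of PublicKeyCredentialRpEntity so that the
// backwards-compatibility trap discussed in the issue can be observed offline.

// Converts an `rp` object the way a client would.
//   requireName:     true models a Level 1/Level 2 client, where rp.name is a
//                    `required` DOMString (assumed option name).
//   enforceNickname: true models a client that additionally applies the
//                    Nickname profile to rp.name (simplified: non-empty after
//                    whitespace processing; real RFC 8266 has more rules).
function convertRpEntity(rp, { requireName = true, enforceNickname = false } = {}) {
  if (rp === null || typeof rp !== "object") {
    throw new TypeError("rp is not an object");
  }
  // WebIDL treats an absent member and an `undefined` value the same way.
  const hasName = "name" in rp && rp.name !== undefined;
  if (requireName && !hasName) {
    // This is what an L1/L2 client does when rp.name is omitted.
    throw new TypeError(
      "Failed to read the 'name' property from 'PublicKeyCredentialRpEntity': Required member is undefined."
    );
  }
  const name = hasName ? String(rp.name) : undefined;
  // rp.id is optional in the dictionary; it defaults to the caller's origin.
  const id = "id" in rp && rp.id !== undefined ? String(rp.id) : undefined;

  if (enforceNickname && name !== undefined) {
    // Simplified Nickname profile: collapse whitespace, then require non-empty.
    const processed = name.replace(/\s+/g, " ").trim();
    if (processed.length === 0) {
      throw new TypeError("rp.name is not a valid Nickname: empty after processing");
    }
  }
  return { id, name };
}

// Runs one rp entity through several simulated client configurations and
// reports which of them accept it, so an RP can see the trade-off at a glance.
function checkRpAgainstClients(rp) {
  const clients = [
    { client: "L1/L2 client (rp.name required)", opts: { requireName: true } },
    { client: "L2 client enforcing Nickname profile", opts: { requireName: true, enforceNickname: true } },
    { client: "hypothetical client with rp.name optional", opts: { requireName: false } },
  ];
  return clients.map(({ client, opts }) => {
    try {
      convertRpEntity(rp, opts);
      return { client, ok: true };
    } catch (e) {
      return { client, ok: false, error: e.message };
    }
  });
}

// Constructed sample inputs illustrating the three cases from the thread.
const samples = {
  omitted: { id: "example.com" },                 // trap: throws in L1/L2 clients
  emptyString: { id: "example.com", name: "" },   // fails only Nickname-enforcing clients
  nonEmpty: { id: "example.com", name: "Example Corp" },
};
for (const [label, rp] of Object.entries(samples)) {
  console.log(label, JSON.stringify(checkRpAgainstClients(rp)));
}
```

Running this shows that omitting `rp.name` is rejected by every configuration that keeps the member required, while an empty string passes those clients and is rejected only by the simulated Nickname-enforcing one, which is the distinction the last two comments above draw.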