diff --git a/CHANGELOG.md b/CHANGELOG.md
index e262809..7206e46 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Remove `AuthenticatorDataFlags::EMPTY` (use `AuthenticatorDataFlags::empty()` instead)
 - Allow missing algorithms in COSE keys ([#8][])
 - Remove unused `REALISTIC_MAX_MESSAGE_SIZE` constant
+- Handle overlong `icon` values in `PublicKeyCredentialUserEntity` ([#27][])
 
 [#8]: https://github.com/trussed-dev/ctap-types/pull/8
 [#9]: https://github.com/solokeys/ctap-types/issues/9
@@ -24,6 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#16]: https://github.com/trussed-dev/ctap-types/pull/16
 [#17]: https://github.com/trussed-dev/ctap-types/pull/17
 [#18]: https://github.com/trussed-dev/ctap-types/pull/18
+[#27]: https://github.com/trussed-dev/ctap-types/pull/27
 
 ## [0.1.2] - 2022-03-07
 
diff --git a/src/webauthn.rs b/src/webauthn.rs
index 5fef572..14489ce 100644
--- a/src/webauthn.rs
+++ b/src/webauthn.rs
@@ -71,8 +71,10 @@ fn deserialize_from_str_and_skip_if_too_long<'de, D, const L: usize>(
 where
     D: serde::Deserializer<'de>,
 {
-    let result: Result<String<L>, D::Error> = serde::Deserialize::deserialize(deserializer);
-    match result {
+    let s: &'de str = Deserialize::deserialize(deserializer)?;
+    // String::from(s) could panic and is not really infallibe.  It is removed in heapless 0.8.
+    #[allow(clippy::unnecessary_fallible_conversions)]
+    match String::try_from(s) {
         Ok(string) => Ok(Some(string)),
         Err(_err) => {
             info_now!("skipping field: {:?}", _err);