Re: [w3ctag/spec-reviews] Review Web Authentication spec (#97)

Discussed again at the F2F in Tokyo.

If we're reading the current spec correctly, [it appears that the eTLD+1 logic is still in place, but using a new form of it (the `document.domain` relaxation)](https://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/#dom-fidocredentials-makecredential).

It seems this is now opt-in based on setting the RP ID directly. In discussion, we've come around to the use of eTLD+1 here (given that it is in an explicit opt-in form). We continue to prefer that eTLD+1 not be used in other specs in the future, acknowledging that the operational burden in this case is unique.

As an editorial note, the examples that are currently in Section 10 would be best at the top of the document or in a separate Explainer-style document.

It's odd that `timeoutSeconds` is specified in seconds. Most of the rest of the platform uses milliseconds. Is there a reason not to do so here?

Lastly we note that the [`goog-android2` Attestation Format name](https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml#rfc.section.4.2) is...um....really ugly.

In general these are nits. Thanks for taking the time to engage with us and for being responsive to feedback.

Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/97#issuecomment-257799820

Received on Wednesday, 2 November 2016 08:20:44 UTC
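The opt-in RP ID scoping discussed in the comment above, as an added illustration that is not part of the TAG review, the FIDO submission or the WebAuthn spec text: a relying party may request an RP ID broader than its own host, and the browser accepts it only if it is the origin host itself or a registrable-domain (eTLD+1 or deeper) suffix of that host, never a bare public suffix. The function names (`resolveRpId`, `registrableDomain`) and the tiny `PUBLIC_SUFFIXES` stand-in for the Public Suffix List are assumptions of this example; the rule it enforces is the one the thread describes, and a real implementation would consult the full list.

```javascript
// Constructed stand-in for the Public Suffix List (publicsuffix.org).
// Deliberately tiny; a real check must use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Is `domain` itself a public suffix (an eTLD) under the stand-in list?
function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain.toLowerCase());
}

// eTLD+1 (registrable domain) of `host`, or null when the host is itself a
// public suffix or no rule matches at all (unknown suffix: stay conservative).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (isPublicSuffix(labels.slice(i).join("."))) {
      // Longest matching public suffix found; eTLD+1 is one label to its left.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Decide the RP ID for a credential request from `originHost`.
// `requestedRpId === undefined` means the RP did not opt in, so the RP ID is
// the origin's own host (the narrow default). Otherwise the request is only
// honoured when the ID is the origin host or a registrable-domain suffix of it.
// Returns { ok: true, rpId } or { ok: false, reason }.
function resolveRpId(originHost, requestedRpId) {
  const origin = originHost.toLowerCase();
  if (requestedRpId === undefined) {
    return { ok: true, rpId: origin };
  }
  const rpId = requestedRpId.toLowerCase();
  if (rpId === origin) {
    return { ok: true, rpId };
  }
  if (isPublicSuffix(rpId)) {
    // Scoping credentials to "co.uk" or "github.io" would share them across
    // every unrelated site under that suffix.
    return { ok: false, reason: "RP ID is a public suffix" };
  }
  const eTLD1 = registrableDomain(origin);
  if (eTLD1 === null) {
    return { ok: false, reason: "origin has no registrable domain" };
  }
  // Label-boundary suffix match: the requested ID must sit between the origin
  // host and its eTLD+1, e.g. "example.co.uk" for "login.example.co.uk".
  const isSuffixOfOrigin = origin.endsWith("." + rpId);
  const withinRegistrable = rpId === eTLD1 || rpId.endsWith("." + eTLD1);
  if (isSuffixOfOrigin && withinRegistrable) {
    return { ok: true, rpId };
  }
  return { ok: false, reason: "RP ID is not a registrable-domain suffix of the origin" };
}

// Stand-alone demonstration on constructed hosts.
if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["login.example.co.uk", undefined],
    ["login.example.co.uk", "example.co.uk"],
    ["login.example.co.uk", "co.uk"],
    ["login.example.com", "evil.com"],
    ["a.b.example.com", "b.example.com"],
  ];
  for (const [origin, requested] of cases) {
    console.log(origin, requested, resolveRpId(origin, requested));
  }
}
```

The default branch is the point of the thread's "opt-in" observation: eTLD+1 scoping only happens when the RP asks for it explicitly, and even then the browser, not the RP, bounds the request to something inside the RP's own registrable domain.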