Re: [webauthn] Allow caller to pick between strict and eTLD+1 matching

How about we do something akin to domain lowering:

```
dictionary CredentialOptions {
  unsigned long                       timeoutSeconds;
  DOMString                           rpId;
  sequence < CredentialDescription >  excludeList;
  WebAuthnExtensions                  extensions;
};
```

rpId would be optional, and if left unspecified, the caller's origin 
shall be used. If it *is* specified, then valid values are postfixes 
of the caller's origin, up to - but no further than - eTLD+1.

We'd have to define what happens to the scheme and port of the 
caller's origin, but I assume domain lowering already deals with this 
in some way (i.e., both http://foo.example.com:1234 and 
https://foo.example.com:9876 are allowed to lower to "example.com").

-- 
GitHub Notification of comment by balfanz
Please view or discuss this issue at 
https://github.com/w3c/webauthn/pull/162#issuecomment-243838435 using 
your GitHub account

Received on Wednesday, 31 August 2016 17:28:26 UTC
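
The rpId check proposed in the message above, sketched as an added example; it is not code from the original message or from the WebAuthn specification. The names `PUBLIC_SUFFIXES`, `registrableDomain` and `resolveRpId` are hypothetical, and the suffix set is a small constructed stand-in for the Public Suffix List. As assumptions, scheme and port are ignored (as the message supposes domain lowering does) and an unspecified rpId resolves to the caller's host.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, not real data).
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk"]);

// Registrable domain (eTLD+1) of a host, or null when the host is itself a
// public suffix or ends in no known suffix (e.g. an IP address).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Scanning from the left finds the longest matching public suffix first.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Resolve the effective rpId for a caller origin:
//  - rpId unspecified: use the caller's host (scheme/port dropped, assumption)
//  - rpId specified: must be a label-aligned suffix of the caller's host and
//    must not be shorter than the caller's eTLD+1.
// Throws when the requested rpId is not allowed.
function resolveRpId(callerOrigin, rpId) {
  const host = new URL(callerOrigin).hostname.toLowerCase();
  if (rpId === undefined) return host;

  const requested = rpId.toLowerCase();
  const floor = registrableDomain(host);
  if (floor === null) throw new Error("caller host has no registrable domain");

  // Compare on label boundaries: "ample.com" is a string suffix of
  // "foo.example.com" but not a parent domain of it.
  const isParentOrSelf = host === requested || host.endsWith("." + requested);
  const atOrBelowFloor = requested === floor || requested.endsWith("." + floor);
  if (!isParentOrSelf || !atOrBelowFloor) {
    throw new Error("rpId not allowed for " + host + ": " + rpId);
  }
  return requested;
}
```

The label-boundary comparison is the part a plain string-suffix test gets wrong: without it, a caller on `foo.example.com` could name `ample.com`, and a page on `evilexample.com` would pass a check against `example.com`.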