[webauthn] Setting _rpId_ to _callerOrigin_ doesn't make sense

bzbarsky has just created a new issue for 
https://github.com/w3c/webauthn:

== Setting _rpId_ to _callerOrigin_ doesn't make sense ==
_rpId_ is set to a string by the "rpId is specified" branch.  But an 
origin is a tuple (since we already returned an error for opaque 
origins).  I really doubt the following parts of the algorithm can 
handle a non-string _rpId_, and in fact the very next bit that says 
"the SHA-256 hash of _rpId_" already doesn't handle it.

Presumably this is meant to assign a serialization of the origin to 
_rpId_.  The spec needs to be clear whether this means assigning 
https://www.w3.org/TR/html51/browsers.html#unicode-serialization or 
https://www.w3.org/TR/html51/browsers.html#ascii-serialization-of-an-origin

Once you decide that, you need to specify what it means to take an 
SHA-256 hash of _rpId_.  The serialization of an origin (either one, 
really, but this is especially bad for the not-guaranteed-ASCII one) 
is a Unicode string, whereas SHA-256 works on a byte buffer.  There is
no canonical encoding of Unicode into bytes, so the exact encoding 
used here needs to be specified.

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/255 using your GitHub account

Received on Friday, 4 November 2016 18:06:15 UTC
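
The ambiguity described in the issue, shown as an added example (not part of the issue or of the WebAuthn spec): a tuple origin cannot be hashed at all, and once serialized, the SHA-256 value depends on both the serialization and the byte encoding chosen. The origin tuple, the candidate encodings and the function names are constructed for illustration; Python's built-in `idna` codec (IDNA 2003) stands in for the host conversion step.

```python
import hashlib

DEFAULT_PORTS = {"http": 80, "https": 443}

def serialize_origin(origin, unicode_form):
    """Serialize a (scheme, host, port) tuple origin to a string.

    unicode_form=True mimics the Unicode serialization, False the ASCII one.
    """
    scheme, host, port = origin
    # Host to ASCII (Punycode) using the stdlib IDNA 2003 codec (assumption).
    ascii_host = host.encode("idna").decode("ascii")
    host_out = ascii_host.encode("ascii").decode("idna") if unicode_form else ascii_host
    text = f"{scheme}://{host_out}"
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        text += f":{port}"
    return text

def sha256_accepts(value):
    """True if SHA-256 can consume the value directly (i.e. it is bytes-like)."""
    try:
        hashlib.sha256(value)
        return True
    except TypeError:
        return False

def candidate_hashes(origin, encodings=("utf-8", "utf-16-le")):
    """Map (serialization, encoding) -> hex digest for every combination."""
    digests = {}
    for unicode_form in (True, False):
        text = serialize_origin(origin, unicode_form)
        for enc in encodings:
            digests[(text, enc)] = hashlib.sha256(text.encode(enc)).hexdigest()
    return digests

if __name__ == "__main__":
    # Constructed sample origin with a non-ASCII host ("bücher.example").
    origin = ("https", "b\u00fccher.example", 443)
    print("tuple hashable by SHA-256:", sha256_accepts(origin))
    print("str hashable by SHA-256:  ", sha256_accepts(serialize_origin(origin, True)))
    for (text, enc), digest in candidate_hashes(origin).items():
        print(f"{text!r:40} {enc:10} {digest}")
```

Two implementations that each pick a different row of this output would compute different hashes for the same relying party, which is why the spec has to pin down one serialization and one encoding.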