- From: Boris Zbarsky via GitHub <sysbot+gh@w3.org>
- Date: Fri, 04 Nov 2016 18:06:09 +0000
- To: public-webauthn@w3.org
bzbarsky has just created a new issue for https://github.com/w3c/webauthn:

== Setting _rpId_ to _callerOrigin_ doesn't make sense ==

_rpId_ is set to a string by the "rpId is specified" branch. But an origin is a tuple (since we already returned an error for opaque origins). I really doubt the following parts of the algorithm can handle a non-string _rpId_, and in fact the very next bit that says "the SHA-256 hash of _rpId_" already doesn't handle it.

Presumably this is meant to assign a serialization of the origin to _rpId_. The spec needs to be clear whether this means assigning https://www.w3.org/TR/html51/browsers.html#unicode-serialization or https://www.w3.org/TR/html51/browsers.html#ascii-serialization-of-an-origin

Once you decide that, you need to specify what it means to take an SHA-256 hash of _rpId_. The serialization of an origin (either one, really, but this is especially bad for the not-guaranteed-ASCII one) is a Unicode string, whereas SHA-256 works on a byte buffer. There is no canonical encoding of Unicode into bytes, so the exact encoding used here needs to be specified.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/255 using your GitHub account
Received on Friday, 4 November 2016 18:06:15 UTC