- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 Sep 2016 08:34:12 +0000
- To: public-webauthn@w3.org
I see two potential approaches to deal with such a situation:

Approach 1: Some JavaScript without a clear association of a creator browsing context could be seen as using the Browser as an "App". Remember: outside the web use case, Apps can also create such scoped authentication credentials. But instead of scoping the credential to some web server the App might be talking to, we scope the credential to the App itself. A web browser apparently can act on behalf of some RP identified by a non-opaque origin, or it could act as an App, i.e. within the scope of a browser vendor.

Approach 2: Such an opaque origin will never be equal to any other opaque origin. Consequently, it seems impossible at any later point in time to access things which have been scoped to such an opaque origin. Persistently stored credentials scoped to such an opaque origin could never be re-used at a later point (i.e. after this opaque origin is gone). Why would someone want to do that? So we might argue there is no point in supporting that and makeCredential would just fail.

Opinions?

--
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/172#issuecomment-247269186 using your GitHub account
Received on Thursday, 15 September 2016 08:34:20 UTC
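
The following is an added illustration, not part of the message above and not WebAuthn's own API: a small model of the origin comparison behind Approach 2, showing why a credential scoped to an opaque origin cannot be found again. The names `originOf`, `sameOrigin`, `CredentialStore`, the `allowOpaque` option and the `rp.example` URLs are assumptions made for this sketch.

```javascript
// Simplified model: an origin is a (scheme, host, port) tuple or an opaque value.
// Every opaque origin gets a fresh identity, so it is same-origin only with itself.
function originOf(urlString, { sandboxed = false } = {}) {
  const u = new URL(urlString);
  // The URL API serializes non-tuple origins (data:, file:, ...) as "null";
  // a sandboxed frame without allow-same-origin is modelled the same way.
  if (sandboxed || u.origin === 'null') return { opaque: true, id: Symbol('opaque') };
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port };
}

function serialize(o) {
  if (o.opaque) return 'null'; // all opaque origins serialize identically
  return `${o.scheme}//${o.host}${o.port ? ':' + o.port : ''}`;
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a.opaque && b.opaque && a.id === b.id;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

class CredentialStore {
  constructor() { this.entries = []; }
  // Default behaviour follows Approach 2: creation fails for an opaque origin.
  makeCredential(origin, credId, { allowOpaque = false } = {}) {
    if (origin.opaque && !allowOpaque) throw new Error('opaque origin: refused');
    this.entries.push({ origin, credId });
    return credId;
  }
  // Lookup compares origins, never the serialized string "null".
  find(origin) {
    return this.entries.filter(e => sameOrigin(e.origin, origin)).map(e => e.credId);
  }
}

function demo() {
  const store = new CredentialStore();
  const rp = originOf('https://rp.example/login');                           // constructed sample
  const frameA = originOf('https://rp.example/widget', { sandboxed: true }); // first load
  const frameB = originOf('https://rp.example/widget', { sandboxed: true }); // same URL, later load
  store.makeCredential(rp, 'cred-rp');
  store.makeCredential(frameA, 'cred-frame', { allowOpaque: true });
  let strictRejected = false;
  try { store.makeCredential(frameB, 'cred-x'); } catch { strictRejected = true; }
  return {
    serializedA: serialize(frameA), serializedB: serialize(frameB),
    sameAA: sameOrigin(frameA, frameA), sameAB: sameOrigin(frameA, frameB),
    rpFound: store.find(rp), opaqueFoundLater: store.find(frameB), strictRejected,
  };
}
console.log(demo());
```

Both frames serialize to "null", so a store keyed on the serialized string would hand `cred-frame` to every opaque origin; comparing by identity instead leaves the credential unreachable once `frameA` is gone.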