- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Mon, 13 Feb 2017 14:08:29 +0000
- To: public-webauthn@w3.org

As @balfanz wrote in https://lists.w3.org/Archives/Public/public-webauthn/2016Aug/0045.html:

> I'll point out that the webauthn spec is currently strictly enforcing same-origin (where origin is defined by scheme-host-port) by requiring that the so-defined origin is included in the client data. An assertion generated on one origin won't be valid on another origin.
>
> The PSL [eTLD] dependency is there simply as a recommendation on how to scope key pairs, meaning that two origins within the same public suffix [eTLD+1] may know the client by the same public key. See my comment on the original github thread as to why that is: https://github.com/w3ctag/spec-reviews/issues/97#issuecomment-175766580

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/338#issuecomment-279401645 using your GitHub account

Received on Monday, 13 February 2017 14:08:35 UTC
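
The following is an added example, not part of the archived message and not code from the WebAuthn specification or its authors. It sketches how a relying party could enforce the scheme-host-port origin match described in the quoted text, assuming the client data is a JSON object with an `origin` member as in the published WebAuthn specification; the function names and host names are hypothetical.

```javascript
// Added example: relying-party origin check on WebAuthn client data.
// Host names below are constructed sample values.
const EXPECTED_ORIGIN = 'https://login.example.com';

// Reduce a web origin string to "scheme//host:port"; null if it cannot match.
function originTuple(value) {
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.origin === 'null') return null; // opaque or non-web origins never match
  const defaults = { 'https:': '443', 'http:': '80' };
  return `${u.protocol}//${u.hostname}:${u.port || defaults[u.protocol] || ''}`;
}

// Decode the client data bytes and compare its origin with the expected one.
function checkClientDataOrigin(clientDataJSON, expectedOrigin) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed client data' };
  }
  if (data === null || typeof data.origin !== 'string') {
    return { ok: false, reason: 'origin member missing' };
  }
  const got = originTuple(data.origin);
  if (got === null || got !== originTuple(expectedOrigin)) {
    return { ok: false, reason: 'origin mismatch' };
  }
  return { ok: true, reason: 'origin matches' };
}

// Build constructed client data as a client on `origin` would produce it.
function sampleClientData(origin) {
  return Buffer.from(JSON.stringify({ type: 'webauthn.get', origin }));
}

// Same eTLD+1 (example.com) throughout; only the first two share the origin.
for (const origin of [
  'https://login.example.com',
  'https://login.example.com:443',
  'https://shop.example.com',
  'http://login.example.com',
  'https://login.example.com:8443',
]) {
  const result = checkClientDataOrigin(sampleClientData(origin), EXPECTED_ORIGIN);
  console.log(origin.padEnd(32), result.reason);
}
```

A complete verifier also checks the challenge and the signature over the client data; this block covers the origin comparison only.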