W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2017

Re: [webauthn] various issues with AppId extension

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Thu, 30 Nov 2017 22:09:44 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-348336912-1512079783-sysbot+gh@w3.org>
> why is the appId extension used only during get()

I think the motivation is that sites may have many security keys that were registered with the U2F API, but don't wish to force re-registration when switching to webauthn. The tokens will expect the appId hash to be the U2F appId, however, and not the RP ID.

Newly registered keys can be all-webauthn and the appId hash at the token level can be a hash of the RP ID.

As for the questions about appIds vs RP IDs: I don't think we want to change the format of webauthn RP IDs at this point. So adding an "appid" dictionary item would work, or else just noting that poking an appId into an RP ID slot doesn't quite work but implementations will know what it means.

GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/491#issuecomment-348336912 using your GitHub account
Received on Thursday, 30 November 2017 22:09:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:44 UTC