- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Fri, 06 Jul 2018 20:47:21 +0000
- To: public-webauthn@w3.org
pivoting back here, sorry for the lag...

Ok, so I think I understand now what @annevk is asking for, if this clarification is correct: by this..

> Port 443 matches 443, non-443 matches non-443.

.. @annevk actually means:

> Port 443 matches only port 443, any non-443 matches any non-443,

when doing RP ID matching.

Essentially, [IIUC](https://en.wiktionary.org/wiki/IIUC), it is to add a port restriction to the RP ID matching algorithm, which is summarized in the [RP ID](https://w3c.github.io/webauthn/#rp-id)'s definition's **Note:**, to be:

> Note: An RP ID is based on a host's domain name, and port (only when the port is 443). It does not itself include a scheme, as an origin does. The RP ID of a public key credential determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows:
>
> * The RP ID must be equal to the origin's effective domain, or a registrable domain suffix of the origin's effective domain.
>
> * The origin's scheme must be https.
>
> * The origin's port must be 443 if the RP ID's port is 443. Otherwise, any non-443 port matches any other non-443 port.
>
> For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: {login.example.com, !443} (default) and {example.com, !443}, but not {m.login.example.com, 443} and not {com, 443}, nor {com, !443}.

In the above I've invented a notation to denote an RP ID as a {[effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain), port} pair, which is what we would need to change RP ID to be in order to effect what @annevk is asking.

@annevk in orig post:

> However, given how https://w3c.github.io/webauthn/#rp-id is defined it seems port isn't even stored so this may not be possible to do?

yeah, it'd be a pretty big breaking change at this point for the spec and for implementations.

I agree with moving this to [Level 2](https://github.com/w3c/webauthn/milestone/7) milestone.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/873#issuecomment-403142789 using your GitHub account
Received on Friday, 6 July 2018 20:47:27 UTC
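
The port-restricted matching rule sketched in the message above, as an added JavaScript example (not part of the original message and not text from the WebAuthn spec). The `{domain, port443}` object shape, the function names and the two-entry public-suffix set are assumptions made for illustration; a real check needs the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, not the real list).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// True when `candidate` equals `host` or is a registrable domain suffix of it.
function isRegistrableSuffixOrEqual(candidate, host) {
  if (candidate === host) return true;
  // IP-literal hosts have no registrable suffix; only exact equality counts.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return false;
  // A bare public suffix such as "com" may never be used as a scope.
  if (PUBLIC_SUFFIXES.has(candidate)) return false;
  return host.endsWith("." + candidate);
}

// rpId is the message's {effective domain, port} pair:
// port443 === true stands for "443", false stands for "!443".
function rpIdMatchesOrigin(rpId, origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false;
  // URL.port is "" when the port is the scheme default (443 for https).
  const originIs443 = url.port === "" || url.port === "443";
  // 443 matches only 443; any non-443 matches any non-443.
  if (rpId.port443 !== originIs443) return false;
  return isRegistrableSuffixOrEqual(rpId.domain.toLowerCase(), url.hostname);
}

// The message's own example origin and candidate RP IDs.
const origin = "https://login.example.com:1337";
const candidates = [
  { domain: "login.example.com", port443: false },
  { domain: "example.com", port443: false },
  { domain: "m.login.example.com", port443: true },
  { domain: "com", port443: true },
  { domain: "com", port443: false },
];
for (const rpId of candidates) {
  const port = rpId.port443 ? "443" : "!443";
  console.log(`{${rpId.domain}, ${port}}`, rpIdMatchesOrigin(rpId, origin));
}
```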