W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2018

Re: [webauthn] Tighten security scope by port

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 09 Jul 2018 10:24:11 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-403432838-1531131850-sysbot+gh@w3.org>
Do we want to include port as one of the parameters set by the RP? Another solution could be that the RP always specifies the rpId without port, and the client adds the port before sending the (host, port) tuple down to the authenticator which matches that against the stored credentials.

It would also be preferable if we could do this in a backwards compatible way. I think one way to do this is if the client would append a `:` character to [`options.rp.id`][rpid] for non-443 origins (because an RP ID cannot contain the `:` character, right?). That should be backwards compatible with both existing authenticators and existing credentials (the latter of which would then only be usable on `:443` origins) - `github.com` and `github.com:` are just two unrelated RP IDs for all the authenticator cares, and credentials for the former continue to work as before.

[rpid]: https://www.w3.org/TR/webauthn/#dom-publickeycredentialrpentity-id

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/873#issuecomment-403432838 using your GitHub account
Received on Monday, 9 July 2018 10:24:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:52 UTC