
[webauthn] #sec-authenticator-data section implies authnr enforces RP ID being eTLD+1

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Tue, 05 Jun 2018 23:01:39 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-329654508-1528239698-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== #sec-authenticator-data section implies authnr enforces RP ID being eTLD+1 ==
In [§6.1 Authenticator data](https://www.w3.org/TR/webauthn/#sec-authenticator-data), there's this text:
> The RP ID is originally received from the client ... it differs from other client data in some important ways. First, ... Secondly, it is validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID associated with the requested credential exactly matches the RP ID supplied by the client, and that the RP ID is a registrable domain suffix of or is equal to the effective domain of the RP’s origin's effective domain.

The last portion -- "...and that the RP ID is a registrable domain suffix of or is equal to the effective domain of the RP’s origin's effective domain." -- is actually enforced by the webauthn client AFAICT -- it is step 7 in both [#createCredential](https://www.w3.org/TR/webauthn/#createCredential) and [#getAssertion](https://www.w3.org/TR/webauthn/#getAssertion).

The last portion ought to be deleted or recast to denote that the client enforces it. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/933 using your GitHub account
Received on Tuesday, 5 June 2018 23:01:42 UTC
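The client-side check the issue points to (step 7 of create() and get(), which applies HTML's "is a registrable domain suffix of or is equal to" algorithm to the RP ID and the origin's effective domain), written out as an added Python example that is not part of the original post or the WebAuthn specification. The public-suffix set is a constructed stand-in for the full Public Suffix List.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List so the example runs offline;
# a real client must consult the full list (https://publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}

def public_suffix(host: str) -> str:
    """Longest PUBLIC_SUFFIXES entry that host ends with (whole labels), else its last label."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_registrable_domain_suffix_or_equal(rp_id: str, effective_domain: str) -> bool:
    """HTML's 'is a registrable domain suffix of or is equal to' check, as used by WebAuthn step 7."""
    if not rp_id:
        return False
    rp_id = rp_id.lower().rstrip(".")
    effective_domain = effective_domain.lower().rstrip(".")
    if rp_id == effective_domain:
        return True
    # Suffix matching applies to domains only; IP literals never qualify.
    if _is_ip_literal(rp_id) or _is_ip_literal(effective_domain):
        return False
    # The RP ID must match whole labels at the end of the effective domain.
    if not effective_domain.endswith("." + rp_id):
        return False
    # An RP ID that is itself a public suffix ("com", "co.uk") is rejected,
    # otherwise a credential could be scoped across every site under that suffix.
    return public_suffix(rp_id) != rp_id

def rp_id_allowed_for_origin(origin: str, rp_id: Optional[str]) -> bool:
    """Client-side step 7: derive the effective domain from the caller's origin and
    validate the requested RP ID against it. A missing rp.id defaults to that domain."""
    host = urlsplit(origin).hostname  # lowercased; IPv6 brackets already stripped
    if host is None:
        return False
    if rp_id is None:
        return True
    return is_registrable_domain_suffix_or_equal(rp_id, host)
```

The authenticator, by contrast, only sees the RP ID the client hands it (and its hash in the authenticator data), so it can compare that value against the credential's stored RP ID but cannot perform this origin-relative check itself.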
