Re: [webauthn] Fix #593 - Refer to RFC 8266 for RP-controlled UI strings

If I understand your question right:

>what prevents an RP from (say) [asserting it is Stripe](https://www.comodoca.com/en-us/about/blog/on-comodo-ca%e2%80%99s-recent-revocation-of-an-ssl-certifi/)

The [credentials.create()][create] method accepts parameters to set the [RP ID][rpid] and a human-friendly `name` for the operation. The `name` is only displayed to the user as part of the "Do you want to create a credential for 'GitHub'?" prompt; the RP ID has two functions:

- It is included in the challenge to be signed by the authenticator.
- It identifies the scope in which the authenticator will look up the private key with which to sign the challenge.

The RP ID cannot be set freely. The browser enforces that the value of the RP ID parameter must be [a registrable domain suffix of or equal to][regsuf] the effective domain of the loaded page (e.g., a page loaded from `www.github.com` may set its RP ID to `github.com`, but not to `internal.github.com`).

However, we don't currently have any restrictions on the `name` parameter. A malicious RP could conceivably construct a `name` value that would look like "GitHub" and fool the user into creating a credential for a different domain. I'm not sure what the actual impact would be, though, other than some light confusion - because of the above scoping rules, the created credential would in that case be bound to the fake domain and not usable on `github.com`.

Does that answer your question?


[create]: https://w3c.github.io/webauthn/#createCredential
[get]: https://w3c.github.io/webauthn/#getAssertion
[rpid]: https://w3c.github.io/webauthn/#relying-party-identifier
[regsuf]: https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/878#issuecomment-388122773 using your GitHub account

Received on Thursday, 10 May 2018 17:22:07 UTC