Re: [webauthn] explicitly mention running over TLS in WebAuthn API intro (#1201) from gmandyam via GitHub on 2019-04-18 (public-webauthn@w3.org from April 2019)

From: gmandyam via GitHub <sysbot+gh@w3.org>
Date: Thu, 18 Apr 2019 20:48:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-484684656-1555620501-sysbot+gh@w3.org>

@equalsJeffH 

Would have to see the text proposal, but bear in mind that secure context does not necessarily mean the webpage was retrieved via a TLS connection.  For instance, https://www.w3.org/TR/secure-contexts/#localhost has a 127.0.0.1 carve-out that in my experience browser vendors have honored with respect to other API's requiring secure contexts (e.g. Encrypted Media Extensions).

Rather than try to paraphrase what a secure context actually means in the Webauthn intro, I would consider adding a reference to how the UA should determine if a webpage corresponds to a secure context: https://www.w3.org/TR/secure-contexts/#algorithms 

-- 
GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1201#issuecomment-484684656 using your GitHub account

Received on Thursday, 18 April 2019 20:48:24 UTC