[webauthn] Consider rewording restrictions around origin (#1297)

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Consider rewording restrictions around origin ==
At present, section https://w3c.github.io/webauthn/#relying-party-identifier states a restriction in the green Note box that the origin scheme must be https.

Whilst this is true when the RP is only used by browsers using WebAuthn, the platform authenticator of Android when used in a native app doesn't do this - it uses a URN for origin and a hosted assetlinks.json file to bind this to the RPID.

Should the WebAuthn spec be inclusive of this type of use case, or at least mention that RPs MAY accept other origins for non-browser clients provided there is a trust mechanism in place to ensure the client validates that the origin is permitted by the RP's domain?


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1297 using your GitHub account

Received on Tuesday, 10 September 2019 21:04:22 UTC
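
An added example, not part of the original issue or the WebAuthn specification: one way an RP server could check the `origin` in clientDataJSON so that it accepts https origins within its RP ID plus an explicit allowlist of native-app origins. It assumes the Android origin has the form `android:apk-key-hash:<base64url SHA-256 of the app signing certificate>`; the RP ID, certificate bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "example.com"  # constructed RP ID
# Constructed: SHA-256 digests of the signing certificates of the RP's own Android apps.
TRUSTED_APK_CERT_SHA256 = {hashlib.sha256(b"constructed signing certificate").digest()}
ANDROID_PREFIX = "android:apk-key-hash:"  # assumed native-app origin form


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def origin_allowed(origin):
    """True for an https origin within RP_ID or an allowlisted Android app origin."""
    if origin.startswith(ANDROID_PREFIX):
        try:
            digest = _b64url_decode(origin[len(ANDROID_PREFIX):])
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            return False
        return digest in TRUSTED_APK_CERT_SHA256
    try:
        parts = urlsplit(origin)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False  # a serialized origin is scheme, host and optional port only
    return host == RP_ID or host.endswith("." + RP_ID)


def check_client_data(client_data_json, expected_type, expected_challenge):
    """Return the origin if clientDataJSON passes the RP's checks, else raise ValueError."""
    data = json.loads(client_data_json)
    if not isinstance(data, dict) or data.get("type") != expected_type:
        raise ValueError("unexpected type")
    if _b64url_decode(str(data.get("challenge", ""))) != expected_challenge:
        raise ValueError("challenge mismatch")
    origin = data.get("origin")
    if not isinstance(origin, str) or not origin_allowed(origin):
        raise ValueError("origin not permitted: %r" % (origin,))
    return origin
```

The allowlist is exact-match on the certificate digest, so an unknown app origin is rejected the same way as a non-https web origin.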