Re: [webauthn] Could not use Webauthn `PublicKeyCredential.create` when the RP ID is a Host string(ip). (#1358)

Yes, we _**could**_ relax the above-cited RP ID definition in the webauthn spec such that any valid host string is allowed, which would allow valid IPv4-addresses or valid IPv6-addresses.

However, there would be practical deployment issues such as users having to register credential(s) with each "named-by-ip-address" server rather than being able to have a credential that is honored in "all of a domain", e.g., honored in all subdomains of ``.

It would be interesting to hear feedback from Firefox and Edge regarding whether they are aware of any in-production usage of webauthn with named-by-ip-address servers and whether they have received issues/bugs as a result. @jcjones @akshayku 

**_If_** the working group is inclined to alter this in the spec, I'd do it like so (modulo any errors in the below):

> By default, the RP ID for a WebAuthn operation is set to the caller’s origin's effective domain, except that host values matching opaque host, or empty host are disallowed. This means that host values matching domain, IPv4 address, or IPv6 address are allowed, and such a host value's serialization matches a valid host string ([URL] describes the relation of host and valid host string).
> This default MAY be overridden by the caller, as long as both of the below statements are true:
> * the caller’s origin's effective domain is a valid domain, and
> * the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin's effective domain

GitHub Notification of comment by equalsJeffH

Received on Friday, 10 January 2020 01:10:11 UTC
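
The RP ID rule proposed in the message above, as an added sketch that is not part of the original comment or of any browser's code. It assumes the host has already been parsed and serialized by a URL parser; `PUBLIC_SUFFIXES`, `SecurityError`, `host_kind` and `resolve_rp_id` are hypothetical names, and the suffix set is a constructed stand-in for the Public Suffix List.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List (assumption for this sketch).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


class SecurityError(Exception):
    """Raised where a client would reject the WebAuthn call."""


def host_kind(host, special_scheme=True):
    """Classify a serialized host: opaque, empty, ipv4, ipv6 or domain."""
    if not special_scheme:
        return "opaque"  # hosts of non-special URL schemes are opaque
    if host == "":
        return "empty"
    try:
        # IPv6 hosts are serialized in brackets, e.g. "[::1]"
        return "ipv%d" % ipaddress.ip_address(host.strip("[]")).version
    except ValueError:
        return "domain"


def resolve_rp_id(effective_domain, requested=None, special_scheme=True):
    """Return the RP ID under the proposed text, or raise SecurityError."""
    host = effective_domain.lower()
    kind = host_kind(host, special_scheme)
    if kind in ("opaque", "empty"):
        raise SecurityError("opaque or empty host cannot be an RP ID")
    if requested is None:
        return host  # default: domain, IPv4 and IPv6 hosts are all allowed
    # Override: both bullet conditions must hold (literal reading).
    if kind != "domain":
        raise SecurityError("override requires a domain origin, got " + kind)
    rp_id = requested.lower()
    if rp_id == host:
        return rp_id
    if host.endswith("." + rp_id) and rp_id not in PUBLIC_SUFFIXES:
        return rp_id  # registrable domain suffix of the effective domain
    raise SecurityError(rp_id + " is not a registrable suffix of " + host)
```

An IP-address origin only ever gets its own address as RP ID here, which is the per-server registration cost the message describes.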