- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Fri, 10 Jan 2020 01:10:10 +0000
- To: public-webauthn@w3.org
Yes, we _**could**_ relax the above-cited [RP ID definition](https://w3c.github.io/webauthn/#relying-party-identifier) in the webauthn spec such that any [valid host string](https://url.spec.whatwg.org/#valid-host-string) is allowed, which would allow [valid IPv4-addresses](https://url.spec.whatwg.org/#valid-ipv4-address-string) or [valid IPv6-addresses](https://url.spec.whatwg.org/#valid-ipv6-address-string). However, there would be practical deployment issues such as users having to register credential(s) with each "named-by-ip-address" server rather than being able to have a credential that is honored in "all of a domain", e.g., honored in all subdomains of `example.com`. It would be interesting to hear feedback from Firefox and Edge regarding whether they are aware of any in-production usage of webauthn with named-by-ip-address servers and whether they have received issues/bugs as a result. @jcjones @akshayku **_If_** the working group is inclined to alter this in the spec, I'd do it like so (modulo any errors in the below): > By default, the [RP ID](https://w3c.github.io/webauthn/#rp-id) for a WebAuthn operation is set to the caller’s [origin](https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin)'s [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain), except that [host](https://url.spec.whatwg.org/#concept-host) values matching [opaque host](https://url.spec.whatwg.org/#opaque-host), or [empty host](https://url.spec.whatwg.org/#empty-host) are disallowed. This means that [host](https://url.spec.whatwg.org/#concept-host) values matching [domain](https://url.spec.whatwg.org/#concept-domain), [IPv4 address](https://url.spec.whatwg.org/#concept-ipv4), or [IPv6 address](https://url.spec.whatwg.org/#concept-ipv6) are allowed, and such a [host](https://url.spec.whatwg.org/#concept-host) value's serialization matches a [valid host string](https://url.spec.whatwg.org/#valid-host-string) ([[URL](https://url.spec.whatwg.org/#hosts-(domains-and-ip-addresses))] [describes](https://url.spec.whatwg.org/#ref-for-valid-host-string) the relation of [host](https://url.spec.whatwg.org/#concept-host) and [valid host string](https://url.spec.whatwg.org/#valid-host-string)). > > This default MAY be overridden by the caller, as long as both of the below statements are true: > * the caller’s [origin](https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin)'s [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain) is a [valid domain](https://url.spec.whatwg.org/#valid-domain), and > * the caller-specified [RP ID](https://w3c.github.io/webauthn/#rp-id) value [is a registrable domain suffix of or is equal to the caller’s origin's effective domain](https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to). -- GitHub Notification of comment by equalsJeffH Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1358#issuecomment-572828141 using your GitHub account
Received on Friday, 10 January 2020 01:10:11 UTC