W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2020

Re: [webauthn] Could not use Webauthn `PublicKeyCredential.create` when the RP ID is a Host string(ip). (#1358)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Fri, 10 Jan 2020 01:10:10 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-572828141-1578618608-sysbot+gh@w3.org>
Yes, we _**could**_ relax the above-cited [RP ID definition](https://w3c.github.io/webauthn/#relying-party-identifier) in the webauthn spec such that any [valid host string](https://url.spec.whatwg.org/#valid-host-string) is allowed, which would allow  [valid IPv4-addresses](https://url.spec.whatwg.org/#valid-ipv4-address-string) or [valid IPv6-addresses](https://url.spec.whatwg.org/#valid-ipv6-address-string).

However, there would be practical deployment issues such as users having to register credential(s) with each "named-by-ip-address" server rather than being able to have a credential that is honored in "all of a domain", e.g., honored in all subdomains of `example.com`.

It would be interesting to hear feedback from Firefox and Edge regarding whether they are aware of any in-production usage of webauthn with named-by-ip-address servers and whether they have received issues/bugs as a result. @jcjones @akshayku 

**_If_** the working group is inclined to alter this in the spec, I'd do it like so (modulo any errors in the below):

> By default, the [RP ID](https://w3c.github.io/webauthn/#rp-id) for a WebAuthn operation is set to the caller’s [origin](https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin)'s [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain), except that [host](https://url.spec.whatwg.org/#concept-host) values matching [opaque host](https://url.spec.whatwg.org/#opaque-host), or [empty host](https://url.spec.whatwg.org/#empty-host) are disallowed. This means that [host](https://url.spec.whatwg.org/#concept-host) values matching [domain](https://url.spec.whatwg.org/#concept-domain), [IPv4 address](https://url.spec.whatwg.org/#concept-ipv4), or [IPv6 address](https://url.spec.whatwg.org/#concept-ipv6) are allowed, and such a  [host](https://url.spec.whatwg.org/#concept-host) value's serialization matches a [valid host string](https://url.spec.whatwg.org/#valid-host-string) ([[URL](https://url.spec.whatwg.org/#hosts-(domains-and-ip-addresses))] [describes](https://url.spec.whatwg.org/#ref-for-valid-host-string) the relation of  [host](https://url.spec.whatwg.org/#concept-host)  and  [valid host string](https://url.spec.whatwg.org/#valid-host-string)).
> This default MAY be overridden by the caller, as long as both of the below statements are true:
> * the caller’s [origin](https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin)'s [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain) is a [valid domain](https://url.spec.whatwg.org/#valid-domain), and
> * the caller-specified [RP ID](https://w3c.github.io/webauthn/#rp-id) value [is a registrable domain suffix of or is equal to the caller’s origin's effective domain](https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to). 

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1358#issuecomment-572828141 using your GitHub account
Received on Friday, 10 January 2020 01:10:11 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:37 UTC