Re: [webauthn] Could not use Webauthn `PublicKeyCredential.create` when the RP ID is a Host string(ip). (#1358)


I’m happy that the WG has [discussed]( this issue.

For those interested, I’ll provide a test result of Firefox 72.0.1 and Edge 18362 using Windows problem step recorder (PSR).

Besides, I do not think the difference between browser implementation is the key point.

I suggest the `Webauthn` shell works with IP address site because it’s common in real life. For example, a firewall / router / switch config page could use Webauthn for authentication, but they are not likely to have a domain name. 

Notice that there’s some difficulty to correctly deploy an internal DNS sever like elundberg said (And some DNS service provider won’t respond to DNS queries that result in non-routable IP addresses.). And the more Webauthn require, the harder it is to become popular.

Besides, I think the spec could distinguish between domain RPID and the IP address RPID. in case of domain, we could have a credential that is honored in all subdomains (and a LDAP or AD server might be required to do so).

I sincerely hope that you will reconsider your decision.


GitHub Notification of comment by slayercat
Please view or discuss this issue at using your GitHub account

Received on Thursday, 16 January 2020 10:59:19 UTC