- From: J.C. Jones via GitHub <sysbot+gh@w3.org>
- Date: Wed, 22 Jan 2020 20:59:00 +0000
- To: public-webauthn@w3.org
On today's WebAuthn call, I made the argument that since IP addresses are frowned upon for PKI certificates, they should be frowned upon here. However, further investigation shows that the Secure Contexts spec doesn't outlaw use on IPs as I suspected. I don't know that WebAuthn actually has any real need to be more strict than Secure Contexts, but I do feel that if we want to support IP addresses, in addition to language updates like @equalsJeffH comments on above, we should consider: 1) Adding Web Platform Tests using IP addresses, because I'm honestly surprised this works as-is in Firefox 2) Adding an implementation note to the security considerations that relying on Secure Contexts built upon enterprise PKIs should include the trust model of the enterprise PKI in their planning of whether a WebAuthn host can be considered trustworthy. Whether it's an IP-address certificate, or self-signed certs, all Secure Contexts can say is that a host is "potentially trustworthy" for a reason. -- GitHub Notification of comment by jcjones Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1358#issuecomment-577382552 using your GitHub account
Received on Wednesday, 22 January 2020 20:59:01 UTC