- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 01 Jul 2020 22:40:31 +0000
- To: public-webauthn@w3.org
thoughts wrt how to effect setting a cross-domain RP ID (RP ID is only a hostname at this time, not an origin (i.e. (scheme, host, port))) if we were to allow the latter:

1. Entirely relax RP ID definition and allow an RP to assert an arbitrary RP ID (valid domain string or arbitrary string) via in-page JS calling `nav.creds.create()`?

2. Or, only allow asserting an arbitrary RP ID (valid domain string or not) via a (newly defined) WebAuthn extension.

Note: A concern with this is the potential for tracking and abuse: e.g., by RP's client-side JS creating and exercising _discoverable_ credentials and then sharing the RP ID of the credential with other entities (e.g. for tracking purposes). A suggested mitigation is that any cred created with a RP ID not conformant with the creating RP's domain name MUST be a non-discoverable credential.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-652680873 using your GitHub account
Received on Wednesday, 1 July 2020 22:40:32 UTC
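The following is an added illustration, not code from the comment above or from the WebAuthn specification: a small policy model of option 2 (cross-domain RP ID only via an extension) together with the suggested mitigation (such credentials must be non-discoverable). The function names, the `viaExtension` flag and the simplified suffix check are assumptions made for the example.

```javascript
// Added example (hypothetical policy model, not WebAuthn spec or browser code).
// Assumptions: hostnames are already lowercased, and the public-suffix check is
// reduced to "RP ID has at least two labels"; a real implementation would
// consult the Public Suffix List.

// Current WebAuthn rule: the RP ID must equal the caller's effective domain or
// be a registrable-domain suffix of it ("example.com" for "login.example.com").
function isConformantRpId(originHost, rpId) {
  if (rpId === originHost) return true;
  if (!originHost.endsWith("." + rpId)) return false;
  return rpId.split(".").length >= 2; // crude stand-in for a public-suffix check
}

// Proposed handling of a create() request under option 2 plus the mitigation:
//  - conformant RP ID: allowed; residentKey preference honoured as today
//  - cross-domain RP ID asserted via the (hypothetical) extension: allowed only
//    as a non-discoverable credential, so residentKey "required" is refused
//  - cross-domain RP ID asserted without the extension: rejected outright
function evaluateCreate({ originHost, rpId, residentKey, viaExtension }) {
  if (isConformantRpId(originHost, rpId)) {
    const wantsDiscoverable = residentKey === "required" || residentKey === "preferred";
    return { allowed: true, discoverable: wantsDiscoverable };
  }
  if (!viaExtension) {
    return { allowed: false, reason: "cross-domain RP ID requires the extension" };
  }
  if (residentKey === "required") {
    return { allowed: false, reason: "cross-domain RP ID credentials MUST be non-discoverable" };
  }
  // "preferred" or "discouraged": proceed, but force a non-discoverable credential
  return { allowed: true, discoverable: false };
}
```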