
Re: [webauthn] Cross origin authentication without iframes (#1667)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 Nov 2021 14:37:50 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-959275180-1635950268-sysbot+gh@w3.org>
>the primary issue I see with this particular approach is that the [RP ID is defined](https://w3c.github.io/webauthn/#rp-id) as a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string), not a URL (or [serialized origin](https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin)). Setting them to the latter may be problematic.

I agree, and the proposal doesn't change that in the web-layer API. From the perspective of the RP, the RP still sets the RP ID to `acmebank.com`, for example. Only in the under-the-hood CTAP call does the browser add the namespace prefix so that the authenticator instead sees `scp://acmebank.com`.

...ah, right, but that means that the RP will need to verify the response [`rpIdHash`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#rpidhash) against `SHA256(prefix + rpId)` instead of the usual `SHA256(rpId)`. That doesn't seem to me like a big issue, since the RP already needs special logic to process an SPC response anyway. But it does mean that platform authenticators must necessarily work in the same way - which might also be a good thing, if the points in [the list above](https://github.com/w3c/webauthn/issues/1667#issuecomment-957887836) are considered advantages.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-959275180 using your GitHub account
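The verification change described in the comment, as an added example that is not part of the original message or of the WebAuthn spec: the RP extracts `rpIdHash` from the authenticator data and compares it against `SHA256(rpId)` for an ordinary WebAuthn response, or against `SHA256(prefix + rpId)` when it knows the response came through the SPC path. The `scp://` prefix and the `spc_response` flag are assumptions taken from the proposal under discussion.

```python
import hashlib
import hmac
import struct

# Namespace prefix from the proposal in this thread (assumption; not in the WebAuthn spec).
SPC_PREFIX = "scp://"


def expected_rp_id_hash(rp_id: str, prefix: str = "") -> bytes:
    """SHA-256 over the (optionally prefixed) RP ID, as the authenticator would compute it."""
    return hashlib.sha256((prefix + rp_id).encode("utf-8")).digest()


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed-size head of authenticator data: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": rp_id_hash, "flags": flags, "signCount": sign_count}


def verify_rp_id_hash(auth_data: bytes, rp_id: str, spc_response: bool) -> bool:
    """RP-side check: plain SHA256(rpId) for WebAuthn, SHA256(prefix + rpId) for SPC responses.

    The RP must know which path the response took; a hash that only matches the
    other form is rejected, so a credential scoped to one namespace cannot be
    replayed into the other.
    """
    parsed = parse_auth_data(auth_data)
    prefix = SPC_PREFIX if spc_response else ""
    expected = expected_rp_id_hash(rp_id, prefix)
    return hmac.compare_digest(parsed["rpIdHash"], expected)


def make_auth_data(rp_id: str, prefix: str = "", flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed authenticator-data head standing in for a real authenticator's output."""
    return expected_rp_id_hash(rp_id, prefix) + bytes([flags]) + struct.pack(">I", sign_count)
```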

Received on Wednesday, 3 November 2021 14:37:52 UTC