Re: [webauthn] Cross origin authentication without iframes (#1667)

>the primary issue I see with this particular approach is that the [RP ID is defined](https://w3c.github.io/webauthn/#rp-id) as a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string), not a URL (or [serialized origin](https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin)). Setting them to the latter may be problematic.

I agree, and the proposal doesn't change that in the web-layer API. From the perspective of the RP, the RP still sets the RP ID to `acmebank.com`, for example. Only in the under-the-hood CTAP call does the browser add the namespace prefix so that the authenticator instead sees `scp://acmebank.com`.

...ah, right, but that means that the RP will need to verify the response [`rpIdHash`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#rpidhash) against `SHA256(prefix + rpId)` instead of the usual `SHA256(rpId)`. That doesn't seem to me like a big issue, since the RP already needs special logic to process an SPC response anyway. But it does mean that platform authenticators must necessarily work in the same way - which might also be a good thing, if [the list above](https://github.com/w3c/webauthn/issues/1667#issuecomment-957887836) is considered advantages.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-959275180 using your GitHub account



Received on Wednesday, 3 November 2021 14:37:52 UTC
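
The `rpIdHash` check described in the comment above, sketched as an added example (not code from the comment, the WebAuthn specification or any library): an RP that compares against `SHA256(prefix + rpId)` for SPC responses and `SHA256(rpId)` otherwise, so a response minted in one namespace fails in the other. The function names and the sample authenticator data are constructed for illustration, the prefix is the one written in the comment, and signature verification is out of scope here.

```python
import hashlib
import hmac
import struct

# Namespace prefix as written in the comment; the proposal is not part of any spec.
SPC_PREFIX = "scp://"


def expected_rp_id_hash(rp_id: str, spc: bool) -> bytes:
    """Hash the RP expects: SHA256(prefix + rpId) for SPC, SHA256(rpId) otherwise."""
    scoped = (SPC_PREFIX + rp_id) if spc else rp_id
    return hashlib.sha256(scoped.encode("utf-8")).digest()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),
        "user_verified": bool(flags & 0x04),
        "sign_count": sign_count,
    }


def check_rp_id_hash(auth_data: bytes, rp_id: str, spc: bool) -> bool:
    """Constant-time comparison of the received rpIdHash with the expected one."""
    parsed = parse_authenticator_data(auth_data)
    return hmac.compare_digest(parsed["rp_id_hash"], expected_rp_id_hash(rp_id, spc))


def make_sample_auth_data(rp_id_seen_by_authenticator: str) -> bytes:
    """Constructed sample: header an authenticator would emit for the RP ID it was given."""
    digest = hashlib.sha256(rp_id_seen_by_authenticator.encode("utf-8")).digest()
    return digest + bytes([0x05]) + struct.pack(">I", 7)  # UP|UV set, signCount = 7


if __name__ == "__main__":
    spc_response = make_sample_auth_data("scp://acmebank.com")
    plain_response = make_sample_auth_data("acmebank.com")
    print("SPC response, SPC check:    ", check_rp_id_hash(spc_response, "acmebank.com", True))
    print("SPC response, plain check:  ", check_rp_id_hash(spc_response, "acmebank.com", False))
    print("plain response, SPC check:  ", check_rp_id_hash(plain_response, "acmebank.com", True))
```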