Re: [webauthn] Cross origin authentication without iframes (#1667)

>the primary issue I see with this particular approach is that the [RP ID is defined]( as a [valid domain string](, not a URL (or [serialized origin]( Setting them to the latter may be problematic.

I agree, and the proposal doesn't change that in the web-layer API. From the perspective of the RP, the RP still sets the RP ID to ``, for example. Only in the under-the-hood CTAP call does the browser add the namespace prefix so that the authenticator instead sees `scp://`.

...ah, right, but that means that the RP will need to verify the response [`rpIdHash`]( against `SHA256(prefix + rpId)` instead of the usual `SHA256(rpId)`. That doesn't seem to me like a big issue, since the RP already needs special logic to process an SPC response anyway. But it does mean that platform authenticators must necessarily work in the same way - which might also be a good thing, if [the list above]( is considered advantages.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 3 November 2021 14:37:52 UTC