[webauthn] Additional guidance/clarification on RP ID and origin validation (#2059)

zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Additional guidance/clarification on RP ID and origin validation ==
[RP ID](https://www.w3.org/TR/webauthn-3/#rp-id) is required to be a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string) which is the string representation of a [valid domain](https://url.spec.whatwg.org/#valid-domain-string). The definition of a valid domain cites [issue 245](https://github.com/whatwg/url/issues/245) which raises the following points:

1. [ASCII case insensitivity](https://github.com/whatwg/url/issues/245#issue-206825525).
2. [`_` among potentially other ASCII code points should be allowed](https://github.com/whatwg/url/issues/245#issuecomment-1708226267).

The algorithm for determining a valid domain does not require the original `domain` input to match the final `result` output in step 3.

Currently [origin validation](https://www.w3.org/TR/webauthn-3/#sctn-validating-origin) only states "Validation MAY be performed by exact string matching or any other method as needed".

It would be nice if some guidance were provided on origin validation where the RP ID and origin disagree on case alone or even more complicatedly disagree on the syntactic representation of a domain whose semantics are equivalent according to IDNA.

For example as it stands now, any `domain` with an `_` is not a valid domain as a failure will result from applying the [domain-to-ascii algorithm](https://url.spec.whatwg.org/#concept-domain-to-ascii). This goes against point 2 raised in issue 245.

Additionally the below are all valid domains that are semantically equivalent according to IDNA, but are syntactically different:

1. `λ.example.com`
2. `Λ.ExaMple.com`
3. `xn--wxa.example.com`
4. `Xn--Wxa.ExAmple.com`

Is there any recommendation on requiring both RP IDs and origins to not only be a valid domain string but more strictly that it match _exactly_ with the `result` returned from step 3 (e.g., only item 3 above is valid)? A relaxed recommendation that would allow all four items above and require them to be treated the same as each other?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2059 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 21 April 2024 17:05:54 UTC
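
The two policies the issue asks about, sketched as an added example that is not part of the issue or the WebAuthn specification. It uses the WHATWG URL host parser (the global `URL` class) to canonicalize; the helper names are hypothetical, and it assumes an https origin whose host must equal the RP ID with no port.

```javascript
// Added illustration; helper names are hypothetical, not from the WebAuthn spec.
// Constructed sample: the four spellings listed in the issue.
const FORMS = ["λ.example.com", "Λ.ExaMple.com", "xn--wxa.example.com", "Xn--Wxa.ExAmple.com"];

// Run a domain through the WHATWG URL host parser and return its ASCII
// serialization, or null when the parser rejects it.
function canonicalDomain(domain) {
  // Refuse anything that is more than a bare host (port, path, userinfo,
  // percent-escapes, whitespace) before handing it to the URL parser.
  if (typeof domain !== "string" || domain === "" || /[\/\\:@?#%\s]/.test(domain)) return null;
  try {
    return new URL("https://" + domain).hostname;
  } catch {
    return null;
  }
}

// Strict policy: a configured value must already be in the parser's output form.
function isCanonicalForm(domain) {
  return canonicalDomain(domain) === domain;
}

// Compare a client-reported origin with a configured RP ID.
// mode "exact": plain string match; mode "canonical": match after canonicalizing.
// Assumption: https only, host must equal the RP ID, no port.
function originMatchesRpId(origin, rpId, mode) {
  if (mode === "exact") return origin === "https://" + rpId;
  let u;
  try { u = new URL(origin); } catch { return false; }
  // Accept only a serialized https origin without a port.
  if (u.protocol !== "https:" || u.port !== "" || u.origin !== origin) return false;
  const canon = canonicalDomain(rpId);
  return canon !== null && u.hostname === canon;
}

// Constructed client-reported origin, in the serialized form a URL parser emits.
const reported = "https://xn--wxa.example.com";
for (const rpId of FORMS) {
  console.log(rpId, {
    strictConfigOk: isCanonicalForm(rpId),
    exact: originMatchesRpId(reported, rpId, "exact"),
    canonical: originMatchesRpId(reported, rpId, "canonical"),
  });
}
```

With exact matching only the third spelling of the RP ID accepts the reported origin, while canonical comparison treats all four alike.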