Re: [webauthn] Remove rp.name (#2121) from Emil Lundberg via GitHub on 2024-08-14 (public-webauthn@w3.org from August 2024)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 14 Aug 2024 19:12:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2289642831-1723662719-sysbot+gh@w3.org>

Summary of the discussion on the 2024-08-14 WG call:

- https://github.com/w3c/webauthn/pull/2093#issuecomment-2282813017 currently doesn't have a field for updating `rp.name`, and it seems inconsistent to allow updating some `otherUI` fields but not others.
- No known client implementation actually uses `rp.name` in any meaningful way.
- `rp.name` is arguably the "most phishable part" of WebAuthn, as unlike `rp.id` it's not subject to any security checks.
- For these reasons, we don't really want to include an update signal for `rp.name`.
- Another way to resolve the inconsistency is to deprecate/remove `rp.name` instead.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2121#issuecomment-2289642831 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 14 August 2024 19:12:06 UTC