- From: Emil Lundberg <noreply@github.com>
- Date: Wed, 17 Jul 2024 05:22:15 -0700
- To: public-webauthn@w3.org
Branch: refs/heads/issue-2066-usvstring-alt
Home: https://github.com/w3c/webauthn
Commit: 05cd88194946d4b5fbd32210b8d5e35afce5dab3
https://github.com/w3c/webauthn/commit/05cd88194946d4b5fbd32210b8d5e35afce5dab3
Author: Emil Lundberg <emil@yubico.com>
Date: 2024-07-17 (Wed, 17 Jul 2024)

Changed paths:
M index.bs

Log Message:
-----------
Relax PublicKeyCredentialRequestOptions.rpId to DOMString

Alternative resolution to issue #2066: https://github.com/w3c/webauthn/issues/2066

This is a backwards-compatible change (changing a type bound in input (contravariant) position to be more permissive). This could have risked that WebAuthn calls in new implementations fail if run in clients that were built to the older spec and still enforce the `USVString` type in `get()`, but WebAuthn already defines that an RP ID must be a _valid domain string_:

- A [valid domain string][1] must pass the _domain to ASCII_ procedure without error.
- [Domain to ASCII][2] invokes the _processing steps in section 4_ of the same document.
- Those processing steps begin with looking up each code point in the _IDNA mapping table_ and then returning an error if any code point was mapped to **disallowed**.
- The [IDNA mapping table][3] notes that "Each table for a version of the Unicode Standard will always be backward compatible with previous versions of the table: only characters with the Status value **disallowed** may change in Status or Mapping value, [...]".
- [Version 15.1.0 of the mapping table][4] maps the range U+D800..U+DFFF to **disallowed**. This is the range of surrogate code units.
- Since this range is **disallowed** in version 15.1.0, it must also be **disallowed** in all previous versions.

Conclusion: WebAuthn RP IDs are already always scalar value strings, because valid domain strings MUST NOT contain surrogate code units. Therefore this type relaxation is backwards compatible with WebAuthn clients that still enforce `USVString` type in `get()`.

[1]: https://url.spec.whatwg.org/#valid-domain-string
[2]: https://www.unicode.org/reports/tr46/#ToASCII
[3]: https://www.unicode.org/Public/idna/
[4]: https://www.unicode.org/Public/idna/15.1.0/IdnaMappingTable.txt

To unsubscribe from these emails, change your notification settings at https://github.com/w3c/webauthn/settings/notifications
Received on Wednesday, 17 July 2024 12:22:19 UTC
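
The argument in the commit message above, checked in code as an added example (not part of the commit or of the WebAuthn spec text): `toUSVString` follows the Web IDL conversion to `USVString`, and `hasDisallowedSurrogate` tests only the U+D800..U+DFFF range cited from the IDNA mapping table, not full UTS #46 validation. The function names and the sample RP IDs are constructed for illustration.

```javascript
// Added illustration; function names and sample RP IDs are constructed.

// Web IDL conversion of a DOMString to a USVString: each unpaired surrogate
// code unit becomes U+FFFD, well-formed surrogate pairs are left alone.
function toUSVString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    const isHigh = cu >= 0xd800 && cu <= 0xdbff;
    const next = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    if (isHigh && next >= 0xdc00 && next <= 0xdfff) {
      out += s[i] + s[i + 1]; // a pair encodes one scalar value above U+FFFF
      i++;
    } else if (cu >= 0xd800 && cu <= 0xdfff) {
      out += "\uFFFD"; // unpaired surrogate
    } else {
      out += s[i];
    }
  }
  return out;
}

// True if any code point lies in U+D800..U+DFFF, the range the commit message
// cites as disallowed. Iterating a string yields code points, so only
// unpaired surrogates can land in that range.
function hasDisallowedSurrogate(s) {
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (cp >= 0xd800 && cp <= 0xdfff) return true;
  }
  return false;
}

// Compare the USVString view and the IDNA-range view of each candidate RP ID.
function compareTypes(rpIds) {
  return rpIds.map((rpId) => ({
    rpId,
    changedByUSVString: toUSVString(rpId) !== rpId,
    disallowedByIdnaRange: hasDisallowedSurrogate(rpId),
  }));
}

const SAMPLE_RP_IDS = [
  "example.com",
  "b\u00fccher.example",
  "\u{1F600}.example", // well-formed surrogate pair
  "exa\uD800mple.com", // lone high surrogate
  "example\uDC00.com", // lone low surrogate
  "\uDC00\uD800.example", // pair in the wrong order
  "example.com\uD83D", // high surrogate at end of string
];

for (const row of compareTypes(SAMPLE_RP_IDS)) console.log(JSON.stringify(row));
```

In every row the two flags agree: the only inputs a `USVString`-enforcing client would see differently are those that already fail the valid domain string check.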