-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of "valid domain" seems wrong #2206
Comments
The use of this term in the spec is pretty old. I think the authors were trying to communicate that the RP ID (which doesn't have to be related to the origin) is a domain name, and they fished around for a more formal term to use, and picked this from the URL spec. I think if we just said that it was a string, then we would be failing to communicate an important point. The RP ID isn't a URL and doesn't have a scheme, it's just a domain name. We could say that it's a "domain name", and not link to anything, which doesn't seem great? As is, I'm not sure what change would be in a positive direction here. |
I'm of the opposite mindset in that RP ID should be more strictly defined since it's essential for both signature verification and matching the SHA-256 hashes that all parties involved know exactly what RP ID was used. It's the same reason While WebAuthn is only defined for web platforms, there is a history of PRs that are motivated by non-web platforms like defining a strict JSON serialization to appease OpenSSH and
It also provides an example for non-web platforms when talking about origin validation:
As argued in #2059, it's more than reasonable to expect the RP ID to be transformed to a canonical form; so if one party does not perform this transformation, then there will be issues. I propose defining RP ID as the output of the domain-to-ASCII algorithm when passed |
@agl I think that's probably what you want to do here. You just need to check that it's of type domain (domain referencing the URL standard). @zacknewman the field in question here is well-defined and canonicalized as it's derived from an origin. (Modulo the usage of effective domain which is wrong, but I filed a separate issue for that.) |
Another issue with using valid domain as mentioned in #2059 is that it's possibly too strict. The following domains are not "valid domains"; yet I wouldn't be surprised if RPs would like them to be treated as valid:
There are real-world domains that are not valid domains thus can never use WebAuthn as mentioned in the
|
Yeah, it's definitely not what we want as an implementation requirement for user agents. It's meant for those generating domain names. |
No user agent implements "valid domain". I suspect that instead you simply want to do a type check that the host of an origin is a domain.
Also, what kind of schemes can this origin have and do those need to be checked?
The text was updated successfully, but these errors were encountered: