update RP ID definition to allow URL syntax or arbitrary strings #1406
Comments
|
Makes sense to me. I'd be glad to review a PR when it's created. |
|
see also https://github.com/fido-alliance/fido-2-specs/issues/682 - Define non-web RP ID subspaces |
|
on 2020-04-29: @agl agrees that having a general Note: on this is reasonable esp. CTAP spec points here for RP ID defn. maybe also that wrt sec cons say something like "the browser validates the value....". @emlun notes that also might want to update places where we talk about appId such that there's not untoward confusion... |
|
What I meant was there's some external documentation (at least some made by Yubico) where we specifically point out that a WebAuthn RP ID differs from a U2F AppID by being just a domain name while an AppID is a full URL. So to pre-empt confusion it might be good to have a brief note mentioning that this has changed in L2, if that's what we're doing. |
|
This is (essentially) the present RP ID definition from the webauthn spec:
Primary question: Is it workable to change the above definition to be:
...? Though, see notes and discussion below. Notes:
Discussion: WRT note (1), this seems like it would nominally work. Can we imagine, or do we have, use cases (eg from SSH), where one might have a case for registrable-domain-suffix-of-or-is-equal-to matching of the host component if the URL contains one? WRT note (2), are there any reasons to disallow URLs -with-fragment-string? Given that webauthn/ctap is a two-party protocol, and the RP ID is asserted by the RP and not disclosed to other RPs, perhaps there are not first-order privacy concerns here? Thus, if we answer "yes" to the primary question above and declare that an RP ID is either (a) or (b), then a practical implementation question becomes: Impl-Q1: can UA implementations reliably correctly parse an arbitrary string as either (a) a valid domain string or (b) valid URL string or (c) neither? I think the answer is "yes" and that this is not an practical issue today, even though the (standardized) URL parsing alg does not itself handle (AFAICT) making such a distinction. I.e., AFAICT, valid domain string is distinct from a valid URL string in that the latter may contain the former, but the former is not a formally-recognized-and-standardized degenerate form of the latter. So, if we answer "yes" to the primary question above, and the answers to the first two discussion questions are "no", and "correct, agreed", then altering the RP ID definition seems straight forward (and I'll craft up a PR). cc: @emlun, @akshayku, @selfissued |
|
This makes sense to me. I'd suggest proceeding to craft the PR. |
|
Further thoughts: FT1. Could (b) be an arbitrary string rather than restricted to URL (perhaps URI) syntax? I.e., an RP ID could be either a 'valid domain string' in the case where registration is done via in-page JS calling Note: if the RP ID is not somehow related to the creating RP's domain name, and is a discoverable cred usable for cross-domain Also, ISTM there's possibly a (greater) RP-ID-collision issue in the RP-ID-as-arbitrary-string case, but if we restrict RP-ID-as-arbitrary-string to non-discoverable credentials it would seem to be moot. However, OpenSSH appently creates discoverable creds, so such a only-non-discoverable-credentials may not be workable in practice (or necessary/useful). |
equalsJeffH
changed the title
various web-enabled online services, such as SSH-in-the-browser are enabled using browser extensions (as one example) and do not have a classic domain-name-based host name, the latter being a (slightly loose) definition of an RP ID.
Given that the current RP ID definition is a proper subset of a URL (which is a subset of a URI), we ought to alter the WebAuthn spec's RP ID definition in order to officially accomodate these additional types of webauthn-wielding entities.
update 2020-07-01 1445h PT: see also issue #1372 "consider allowing cross-domain credential use"
The text was updated successfully, but these errors were encountered: