Allow caller to explicitly specify its claimed RP ID

Alternative to #162 as suggested by @balfanz. This change also gets rid of references to PSL and eTLD+1, replacing them with references to the HTML specification instead.
w3c · Sep 14, 2016 · 443482e · 443482e
1 parent 6651690
commit 443482e
Showing 1 changed file with 26 additions and 15 deletions.
diff --git a/index.bs b/index.bs
@@ -130,8 +130,8 @@ or a combination of both.
 
 This specification relies on several other underlying specifications.
 
-: HTML5
-:: The concept of <dfn for='web'>origin</dfn> and the <dfn>Navigator</dfn> interface are defined in [[!HTML5]].
+: HTML 5.1
+:: The concept of <dfn for='web'>origin</dfn> and the <dfn>Navigator</dfn> interface are defined in [[!HTML51-20160621]].
 
 : Web IDL
 :: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of
@@ -204,10 +204,6 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
 :: A user agent implementing, in conjunction with the underlying platform, the <a>Web Authentication API</a> and algorithms
 	given in this specification, and handling communication between <a>Authenticators</a> and <a>[RPS]</a>.
 
-: <dfn>eTLD+1</dfn>
-:: Also known as a <em>Registered Domain</em> [[PSL]], an eTLD+1 is an <em>effective Top-Level Domain Name</em> (eTLD), plus the
-	next domain name label, proceeding from right to left. An eTLD is also known as a <em>public suffix</em> [[RFC7719]].
-
 : <dfn>Registration</dfn>
 :: The <a>ceremony</a> where a user, a <a>[RP]</a>, and the user's computing device(s) (containing at least one
 	<a>authenticator</a>) work in concert to create a <a>scoped credential</a> and associate it with the user's <a>[RP]</a>
@@ -222,7 +218,8 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
 
 : <dfn>Relying Party Identifier</dfn>
 : <dfn>RP ID</dfn>
-:: A Relying Party Identifier is derived from a <a>[RP]</a>'s web origin's hostname by computing the hostname's <a>eTLD+1</a>. 
+:: A Relying Party Identifier defines the scope of a given credential, i.e. the set of web origins that the client will permit
+    to access that credential. It is derived from a <a>[RP]</a>'s web origin's hostname or directly specified by the [RP]. 
 
 : <dfn>Scoped Credential</dfn>
 :: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]].
@@ -345,10 +342,13 @@ When this method is invoked, the user agent MUST execute the following algorithm
 2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds.
     Then asynchronously continue executing the following steps.
 
-3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. Derive the RP ID from |callerOrigin| by computing the
-    "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "<a>eTLD+1</a>")
-    part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the
-    UTF-8 encoding of |rpId|.
+3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. If {{CredentialOptions/rpId}} is not specified, then
+    set |rpId| to the Unicode serialization of |callerOrigin| as specified in [[!HTML51-20160621]] section 6.4. If
+    {{CredentialOptions/rpId}} is specified, then check if its value would be an acceptable setting for the current document's
+    `domain` by running the algorithm in [[!HTML51-20160621]] section 6.4.1 (but do not change the current document's `domain`).
+    If it is not permissible, reject |promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this
+    algorithm. If it is permissible, then set |rpId| to the Unicode serialization of {{CredentialOptions/rpId}}. Set |rpIdHash|
+    to the SHA-256 hash of the UTF-8 encoding of |rpId|.
 
 4. Process each element of <a>cryptoParameters</a> using the following steps, to produce a new sequence `normalizedParameters`:
     - Let |current| be the currently selected element of <a>cryptoParameters</a>.
@@ -421,10 +421,13 @@ When this method is invoked, the user agent MUST execute the following algorithm
 2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds.
     Then asynchronously continue executing the following steps.
 
-3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. Derive the RP ID from |callerOrigin| by computing the
-    "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "<a>eTLD+1</a>")
-    part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the
-    UTF-8 encoding of |rpId|.
+3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. If {{CredentialOptions/rpId}} is not specified, then
+    set |rpId| to the Unicode serialization of |callerOrigin| as specified in [[!HTML51-20160621]] section 6.4. If
+    {{CredentialOptions/rpId}} is specified, then check if its value would be an acceptable setting for the current document's
+    `domain` by running the algorithm in [[!HTML51-20160621]] section 6.4.1 (but do not change the current document's `domain`).
+    If it is not permissible, reject |promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this
+    algorithm. If it is permissible, then set |rpId| to the Unicode serialization of {{CredentialOptions/rpId}}. Set |rpIdHash|
+    to the SHA-256 hash of the UTF-8 encoding of |rpId|.
 
 4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
     extension data that needs to be sent to the authenticator. Call this data |clientExtensions|.
@@ -553,6 +556,7 @@ authorizing an authenticator with which to complete the operation.
 <pre class="idl">
     dictionary CredentialOptions {
         unsigned long                       timeoutSeconds;
+        USVString                           rpId;
         sequence < CredentialDescription >  excludeList;
         WebAuthnExtensions                  extensions;
     };
@@ -564,6 +568,9 @@ authorizing an authenticator with which to complete the operation.
 
     - The <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the call to
         complete. This is treated as a hint, and may be overridden by the platform.
+
+    - The <dfn>rpId</dfn> parameter explicitly specifies the RP ID that the credential should be associated with. If it is
+        omitted, the RP ID will be set to the caller's origin.
 
     - The <dfn>excludeList</dfn> parameter is intended for use by <a>[RPS]</a> that wish to limit the creation of multiple
         credentials for the same account on a single authenticator. The platform is requested to return an error if the new
@@ -610,6 +617,7 @@ user consent to a specific transaction. The structure of these signatures is def
 <pre class="idl">
     dictionary AssertionOptions {
         unsigned long                      timeoutSeconds;
+        USVString                          rpId;
         sequence < CredentialDescription > allowList;
         WebAuthnExtensions                 extensions;
     };
@@ -620,6 +628,9 @@ user consent to a specific transaction. The structure of these signatures is def
 
     - The optional <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the
         call to complete. This is treated as a hint, and may be overridden by the platform.
+
+    - The optional <dfn>rpId</dfn> parameter specifies the rpId claimed by the caller. If it is omitted, it will be assumed to
+        be equal to the caller's origin.
 
     - The optional <dfn>allowList</dfn> member contains a list of credentials acceptable to the caller, in order of the caller's
         preference.