From 98c81f78e7a4a48fb1e996972dc94642eb99df71 Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 15 Sep 2016 15:39:20 -0700 Subject: [PATCH] 'web origin' -> 'origin'. fixes #173. --- index.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 549109463..896da0d27 100644 --- a/index.bs +++ b/index.bs @@ -58,7 +58,7 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/ This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped credentials by web applications, for the purpose of strongly authenticating users. A scoped credential is created and stored by an authenticator at the behest of a [RP], subject to user -consent. Subsequently, the scoped credential can only be accessed by web origins belonging to that [RP]. +consent. Subsequently, the scoped credential can only be accessed by origins belonging to that [RP]. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across [RPS] is maintained; [RPS] are not able to detect any properties, or even the existence, of credentials scoped to other [RPS]. @@ -239,7 +239,7 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and : Relying Party Identifier : RP ID -:: A Relying Party Identifier is derived from a [RP]'s web origin's hostname by computing the hostname's eTLD+1. +:: A Relying Party Identifier is derived from a [RP]'s origin's hostname by computing the hostname's eTLD+1. : Scoped Credential :: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]]. @@ -285,7 +285,7 @@ and/or platform on the user's behalf. At no point does the script get access to information about the credentials in the form of objects. The security properties of this API are provided by the client and the authenticator working together. The authenticator, which -holds and manages credentials, ensures that all operations are scoped to a particular web origin, and cannot be replayed against +holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against a different origin, by incorporating the origin in its responses. Specifically, as defined in [[#signature-format]], the full origin of the requester is included, and signed over, in the attestation statement produced when a new credential is created as well as in all assertions produced by WebAuthn credentials. @@ -294,9 +294,9 @@ Additionally, to maintain user privacy and prevent malicious [RPS] from probing other [RPS], each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a [RP] can only be used in operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases -where a single [RP] maintains multiple web origins. +where a single [RP] maintains multiple origins. -The client facilitates these security measures by providing correct web origins and RP IDs to the authenticator for each +The client facilitates these security measures by providing correct origins and RP IDs to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in secure contexts, as defined in [[secure-contexts]]. @@ -718,7 +718,7 @@ string-valued keys. Values may be any type that has a valid encoding in JSON. It
The challenge member contains the base64url encoding of the challenge provided by the RP. - The origin member contains the fully qualified web origin of the requester, as provided to the authenticator by + The origin member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by [[RFC6454]]. The rpId member contains the RP ID of the requester, as computed by the client.