More feedback from @equalsJeffH
vijaybh committed Sep 23, 2016
1 parent a79f880 commit f44ba9e
Showing 1 changed file with 27 additions and 24 deletions.
51 changes: 27 additions & 24 deletions index.bs
@@ -149,9 +149,8 @@ or a combination of both.
This specification relies on several other underlying specifications.

: HTML
:: The concepts of <a>current settings object</a>, |given value|, <a>opaque origin</a>, <a link-for='web'>origin</a>, the
<a>Navigator</a> interface, and the <a>relaxing the same-origin restriction</a> "setting" algorithm are defined in
[[!HTML51]].
:: The concepts of <a>current settings object</a>, <a link-for='web'>origin</a>, <a>opaque origin</a>,
<a>relaxing the same-origin restriction</a>, and the <a>Navigator</a> interface are defined in [[!HTML51]].

: Web IDL
:: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of
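Review bot: the dependency entry now names <a>relaxing the same-origin restriction</a> as a bare concept, but the algorithms at -381 and -467 invoke it as a procedure and read a `host` value out of it; say here that the dependency is on the `document.domain` setter steps in [[!HTML51]] and name the `host` value those steps compute, since that is what is actually imported. Dropping |given value| from this list is fine only if the term is gone everywhere else; the two algorithms now write "as the given value" in plain text, so a grep for |given value| before merging would confirm no dangling variable reference remains.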
@@ -243,19 +242,21 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and

: <dfn>Relying Party Identifier</dfn>
: <dfn>RP ID</dfn>
:: A Relying Party Identifier defines the scope of a given credential, i.e. the set of origins that the client will permit to
access that credential. It is derived from a <a>[RP]</a>'s origin's hostname or directly specified by the [RP].
:: An identifier for the [RP] on whose behalf a given registration or authentication ceremony is being performed. Scoped
credentials can only be used for authentication by the same entity (as identified by RP ID) that created and registered
them. By default, the RP ID for a WebAuthn operation is set to the <a>current settings object</a>'s
<a link-for='web'>origin</a>. This default can be overridden by the caller subject to certain restrictions, as specified in
[[#makeCredential]] and [[#getAssertion]].

: <dfn>Scoped Credential</dfn>
:: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]].
A WebAuthn <em><a>scoped credential</a></em> is a <code>{ identifier, type }</code> pair identifying authentication
information established by the authenticator and the [RP], together, at <a>registration</a> time.
The authentication information consists of an asymmetric key pair, where the public key portion is returned to the [RP]. who
stores it in conjunction with the present user's account.
The authenticator maps the private key to the [RP]'s <a>RP ID</a> and stores it.
Subsequently, only that [RP], as identified by its <a>RP ID</a>, is able to employ the <a>scoped credential</a> in
<a>authentication</a> ceremonies, via the <a>getAssertion()</a> method.
The [RP] uses its copy of the stored public key to verify the resultant <a>WebAuthn Assertion</a>.
information established by the authenticator and the [RP], together, at <a>registration</a> time. The authentication
information consists of an asymmetric key pair, where the public key portion is returned to the [RP], which stores it in
conjunction with the present user's account. The authenticator maps the private key to the [RP]'s <a>RP ID</a> and stores
it. Subsequently, only that [RP], as identified by its <a>RP ID</a>, is able to employ the <a>scoped credential</a> in
<a>authentication</a> ceremonies, via the <a>getAssertion()</a> method. The [RP] uses its copy of the stored public key to
verify the resultant <a>WebAuthn Assertion</a>.


: <dfn>User Consent</dfn>
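Review bot: the new RP ID definition says the default is the <a>current settings object</a>'s <a link-for='web'>origin</a>, but the override path in [[#makeCredential]] and [[#getAssertion]] yields the `host` computed by the `document.domain` procedure; an origin is a (scheme, host, port) tuple, so the default and the override produce differently shaped values that are then hashed with SHA-256 into |rpIdHash|. The deleted sentence ("derived from a [RP]'s origin's hostname") was the one that pinned RP ID to a hostname; keep that, e.g. "By default, the RP ID is the host of the current settings object's origin", so that a credential registered with the default and later asserted with an explicit rpId equal to that host hashes to the same value. The scoped-credential rewrite is fine: it repairs the "[RP]. who stores" sentence break without changing the semantics.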
@@ -381,11 +382,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
3. Set |callerOrigin| to the <a>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| is an <a>opaque
origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and terminate this algorithm.
Otherwise, if {{ScopedCredentialOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|. If
{{ScopedCredentialOptions/rpId}} is specified, then invoke the <a>relaxing the same-origin restriction</a> "setting"
algorithm, using {{ScopedCredentialOptions/rpId}} as the |given value| and without changing the current document's `domain`.
If any errors are thrown, reject |promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this
algorithm. If no errors are thrown, set |rpId| to the value of `host` as computed by the algorithm. Set |rpIdHash| to the
SHA-256 hash of the UTF-8 encoding of |rpId|.
{{ScopedCredentialOptions/rpId}} is specified, then invoke the procedure used for
<a>relaxing the same-origin restriction</a> by setting the `document.domain` attribute, using
{{ScopedCredentialOptions/rpId}} as the given value but without changing the current document's `domain`. If any errors are
thrown, reject |promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this algorithm. If no
errors are thrown, set |rpId| to the value of `host` as computed by the algorithm. Set |rpIdHash| to the SHA-256 hash of the
UTF-8 encoding of |rpId|.

4. Process each element of {{cryptoParameters}} using the following steps, to produce a new sequence |normalizedParameters|.
- Let |current| be the currently selected element of {{cryptoParameters}}.
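Review bot: step 3 still sets |rpId| to |callerOrigin| when rpId is omitted but to the setter's `host` when it is supplied, and then hashes "the UTF-8 encoding of |rpId|"; an origin has no UTF-8 encoding defined here (it would need its serialization, scheme and port included), so either take the origin's host in the default branch or state the serialization. Reusing the `document.domain` setter "without changing the current document's `domain`" is also underspecified: say which steps of that procedure run (the checks on the given value and the computation of `host`) and which are skipped, and note that every error the setter can throw, not only a rejected domain value, now becomes a SecurityError rejection of |promise|. Making both branches produce a host would also make the two results directly comparable.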
@@ -467,11 +469,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
3. Set |callerOrigin| to the <a>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| is an <a>opaque
origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and terminate this algorithm.
Otherwise, if {{ScopedCredentialOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|. If
{{ScopedCredentialOptions/rpId}} is specified, then invoke the <a>relaxing the same-origin restriction</a> "setting"
algorithm, using {{ScopedCredentialOptions/rpId}} as the |given value| and without changing the current document's `domain`.
If any errors are thrown, reject |promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this
algorithm. If no errors are thrown, set |rpId| to the value of `host` as computed by the algorithm. Set |rpIdHash| to the
SHA-256 hash of the UTF-8 encoding of |rpId|.
{{ScopedCredentialOptions/rpId}} is specified, then invoke the procedure used for
<a>relaxing the same-origin restriction</a> by setting the `document.domain` attribute, using
{{ScopedCredentialOptions/rpId}} as the given value but without changing the current document's `domain`. If any errors are
thrown, reject |promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this algorithm. If no
errors are thrown, set |rpId| to the value of `host` as computed by the algorithm. Set |rpIdHash| to the SHA-256 hash of the
UTF-8 encoding of |rpId|.

4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip
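Review bot: this block is a verbatim copy of step 3 of makeCredential, including the same origin-versus-host mismatch between the default and override branches; factor the RP ID determination into one shared algorithm that both methods invoke, so a later fix lands in both places. For getAssertion the mismatch is user-visible: |rpIdHash| computed here must equal the hash the authenticator stored at registration, so a credential created with rpId omitted (hash of the origin) cannot be used by a later call that passes rpId explicitly as the same host (hash of the host), and vice versa.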
@@ -616,7 +619,7 @@ authorizing an authenticator with which to complete the operation.
complete. This is treated as a hint, and may be overridden by the platform.

- The <dfn>rpId</dfn> parameter explicitly specifies the RP ID that the credential should be associated with. If it is
omitted, the RP ID will be set to the caller's origin.
omitted, the RP ID will be set to the <a>current settings object</a>'s <a link-for='web'>origin</a>.

- The <dfn>excludeList</dfn> parameter is intended for use by <a>[RPS]</a> that wish to limit the creation of multiple
credentials for the same account on a single authenticator. The platform is requested to return an error if the new
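Review bot: the parameter description should state the restriction the algorithm enforces, not only the default: the value is accepted only if the `document.domain` setter procedure for the calling document would accept it, otherwise the promise is rejected with SecurityError; in practice that means the caller's own host or a registrable-domain suffix of it. As written, "explicitly specifies the RP ID" reads as though any value is allowed. The default sentence inherits the origin-versus-host question from the algorithm text; whichever wording is chosen there should be mirrored here.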
@@ -677,7 +680,7 @@ user consent to a specific transaction. The structure of these signatures is def
call to complete. This is treated as a hint, and may be overridden by the platform.

- The optional <dfn>rpId</dfn> parameter specifies the rpId claimed by the caller. If it is omitted, it will be assumed to
be equal to the caller's origin.
be equal to the <a>current settings object</a>'s <a link-for='web'>origin</a>.

- The optional <dfn>allowList</dfn> member contains a list of credentials acceptable to the caller, in order of the caller's
preference.
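Review bot: "the rpId claimed by the caller" is vague and differs from the makeCredential wording; say what the value must be, namely the <a>RP ID</a> the credential was registered under, which the algorithm validates with the same `document.domain` procedure and rejects with SecurityError otherwise, and link it as <a>RP ID</a> rather than the bare word rpId. The default here is "assumed to be equal to" the origin while makeCredential says "will be set to"; both algorithms do the same thing in step 3, so use one phrasing in both.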
