Mobile support

[charlag]

We at Tutanota were trying to migrate from the legacy u2f API to Webauthn.
The moment that confuses us is a support for scenarios, where mobile apps are involved. With u2f APIs it is possible to specify possible domains and/or other identificatiors for apps but we've found no mention of relaxing RP ID requirements in the current standard.
Should it be covered by another standard, e.g. CTAP/FIDO2 or it should be a part of Webauthn spec but is deliberately omitted?
Thanks.

[equalsJeffH]

AFAIK the "platforms" (e.g., Windows, Android) wish to address this in platform-specific manners.

Also AFAIK, see here for Android: https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites

[jcjones]

I think there's application-level answer, it is as Jeff said, up to the platform.

In my opinion, I think WebAuthn can leave additional restrictions on RP ID as an exercise to the platform implementations and their documentation.

[equalsJeffH]

on 19-Sep call, decided we should just add a little note that points off to the appropriate docs (see #1045 (comment)) tho we ostensibly need a link for Windows, other wise we could just say "see platform docs/guides as appropriate" and not have any links.

@akshayku argues that such links change fairly often, so wants to just use something like the propoesed test above.

[jcjones]

I'll add a quick PR to add this to the introduction with text that says something like:

Section 1.3
Platform-Specific Implementation Guidance

This specification defines how to use Web Authentication in the general case. When using Web Authentication in connection with specific platform support (e.g. apps), it is recommended to see platform-specific documentation and guides for additional guidance and limitations.

[akshayku]

Looks fine to me.

[equalsJeffH]

#1045 (comment) LGTM, thx @jcjones !

[rlin1]

+1. Let's merge it in.

[jcjones]

Closed by 802613e

[charlag]

Honestly, I don't think that it is the solution, it is rather a workaround. It doesn't solve the problem "how do I share the key between web authentication and the app" but instead it shares the whole login through proprietary third-party system. I think such a decision will hurt federated nature of the web and will slow down Webauthn adoption significantly.

Another workaround is apps like "yubico authenticator" which shouldn't really exist if Webauthn is adopted.

May it be implemented as an extension? u2f has this and it should be possible to tell hardware key "yes, we want to generate the same key in this case". This capability totally makes sense to me and it is already implemented by some hardware so I see no reason why it should be completely ignored.

[emlun]

I appreciate the objection and the desire to use the WebAuthn infrastructure for non-web things, but ultimately WebAuthn is a www standard and fundamentally tied to web- and browser infrastructure. Non-web things, although related, are unfortunately off topic, so I don't think it's appropriate to specify normative implementation guidance for them here.