should authenticator layer send hashed or unhashed rpId to authenticators? #188

Closed
equalsJeffH opened this issue Aug 30, 2016 · 4 comments

Comments

@equalsJeffH
Contributor

see: #154 (comment) where @leshi wrote:

Should authenticatorMakeCredential and authenticatorGetAssertion as defined in this specification send the hashed or unhashed rpId?

see also: #176

@vijaybh
Contributor

vijaybh commented Sep 16, 2016

Sending unhashed rpId would sure make it easier to show UI on the authenticator. OTOH the transport may become more complex.

@rlin1
Contributor

rlin1 commented Sep 16, 2016

Note in section 1.1.2 we already assume the rpId to be passed to the authenticator: User sees a discreet prompt or notification, "Sign in to example.com."

@rlin1
Contributor

rlin1 commented Sep 16, 2016

So if we would decide to only send hash(rpId), we would need to change that (note in section 1.1.2, see above)!

@AngeloKai
Contributor

What is the benefit of sending a hashed rpId? What kind of attack are we avoiding here? Passing an unhashed rpId allows for a UI that gives the user more relevant information about what their gestures are meant for and ultimately helps the user make a more informed decision.
