Regarding rp.name in PublicKeyCredentialCreationOptions


Zhao Bin

Mar 14, 2023, 12:52:29 AM3/14/23
to FIDO Dev (fido-dev)
Hi 

I would like to know how rp.name in PublicKeyCredentialCreationOptions is used. Is it displayed in the browser during the FIDO2 registration process? Or is it stored in the authenticator as part of the resident key?

Thank you.

Best Regards
Zhao Bin

Shane Weeden

Mar 14, 2023, 2:29:07 AM3/14/23
to Zhao Bin, FIDO Dev (fido-dev)
Often both. For discoverable credentials it has to be stored on the authenticator so that you can perform passwordless login and know who you are logging in as (since multiple discoverable credentials for the same RP might be stored on the same authenticator).



My1

Mar 14, 2023, 2:31:21 AM3/14/23
to Shane Weeden, Zhao Bin, FIDO Dev (fido-dev)
that would be user.name and user.displayName, not rp.name tho as far as I remember

Zhao Bin

Mar 14, 2023, 3:29:37 AM3/14/23
to FIDO Dev (fido-dev), My1, Zhao Bin, FIDO Dev (fido-dev), Shane Weeden
Hi My1

it is under rp. Please see this link https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/WebAuthn_Client_Registration.html

rp.id is used for domain verification. That's very clear.
What I want to know is the use of rp.name. I can't find it displayed in the browser pop up during FIDO registration or in the authenticator (such as running Yubikey's command ./ykman fido credentials list).

DUBOUCHER Thomas

Mar 14, 2023, 4:08:12 AM3/14/23
to Zhao Bin, FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Shane Weeden

Hi,

rp.name is used to display the name of the service to which a discoverable credential is attached, either through a built-in user interface or through the credential management API in CTAP 2.1.

Best regards,

--

Thomas Duboucher

My1

Mar 14, 2023, 4:09:32 AM3/14/23
to DUBOUCHER Thomas, Zhao Bin, FIDO Dev (fido-dev), Shane Weeden
Shouldn't it use the domain instead?

Rp.name sounds like creating an awful lot of fun for malicious parties

DUBOUCHER Thomas

Mar 14, 2023, 8:58:43 AM3/14/23
to My1, Zhao Bin, FIDO Dev (fido-dev), Shane Weeden

Good remark (had to check for this one),

The rp.id is the only mandatory information, which is ~the web origin. The rp.name is an optional name that can be given for added information.

Think of it as the URL and the title of a web page. With exactly the same issues, which is why usually only the truncated rp.id is displayed.

Best regards,

--

Thomas Duboucher

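The distinction drawn in the two replies above (rp.id is the value tied to the origin, rp.name is display metadata) can be made concrete. The following Node-runnable snippet is an added example, not code from this thread, the FIDO Alliance, or the Yubico guide linked earlier. It builds the creation options with both members, applies a simplified form of the RP ID check a browser performs against the calling origin (the real check also consults the Public Suffix List, which is omitted here, so single-label RP IDs are simply rejected), and flags name members longer than the 64 bytes WebAuthn lets authenticators truncate to. All function names and sample values (origin, rp.id, user, fixed zero-filled challenge) are constructed for illustration.

```javascript
// Added example (constructed; not code from the list or the Yubico guide).
// Shows where rp.id and rp.name sit in PublicKeyCredentialCreationOptions and
// which of the two is actually verified by the browser.

// WebAuthn's string-truncation rule: authenticators must store at least 64
// bytes of a name member and may truncate anything beyond that.
const NAME_MIN_STORED_BYTES = 64;

// Simplified stand-in for the browser's RP ID check: the RP ID must equal the
// origin's host or be a suffix of it on a label boundary. Real browsers also
// consult the Public Suffix List so that suffixes like "co.uk" are rejected;
// that list is omitted here (simplification), so single-label RP IDs are
// rejected instead.
function rpIdValidForOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  if (rpId === host) return true;
  // "example.com" may serve "login.example.com" but not "evilexample.com"
  if (!host.endsWith("." + rpId)) return false;
  return rpId.includes(".");
}

// Warn about display-only metadata that is empty or that an authenticator may
// truncate. Returns a list of warning strings (empty when all is well).
function nameWarnings(label, value) {
  const warnings = [];
  if (!value) {
    warnings.push(`${label} is empty`);
    return warnings;
  }
  const bytes = new TextEncoder().encode(value).length;
  if (bytes > NAME_MIN_STORED_BYTES) {
    warnings.push(`${label} is ${bytes} bytes; authenticators may truncate it to ${NAME_MIN_STORED_BYTES}`);
  }
  return warnings;
}

// Build creation options the way an RP server would, refusing an rp.id the
// browser would reject for the given origin. Field names follow the WebAuthn
// dictionary; values are supplied by the caller.
function buildCreationOptions({ origin, rpId, rpName, userId, userName, userDisplayName, challenge }) {
  if (!rpIdValidForOrigin(rpId, origin)) {
    throw new Error(`rp.id "${rpId}" is not a registrable suffix of ${origin}`);
  }
  const warnings = [
    ...nameWarnings("rp.name", rpName),
    ...nameWarnings("user.displayName", userDisplayName),
  ];
  const options = {
    // rp.id is checked against the origin; rp.name is display-only metadata
    rp: { id: rpId, name: rpName },
    // user.* is display-only and is stored with a discoverable credential
    user: { id: userId, name: userName, displayName: userDisplayName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
  };
  return { options, warnings };
}

// Constructed sample input (not real identifiers): zero-filled buffers stand in
// for the random challenge and user id a server would generate.
const sample = buildCreationOptions({
  origin: "https://login.example.com",
  rpId: "example.com",
  rpName: "Example Corp (enterprise tenant)",
  userId: new Uint8Array(16),
  userName: "alice@example.com",
  userDisplayName: "Alice",
  challenge: new Uint8Array(32),
});
console.log(JSON.stringify(sample.options.rp), sample.warnings);
```

Running it prints the rp entity and an empty warning list; changing rpId to a value that is not a suffix of the origin throws before any options are produced, which is the same outcome the browser would enforce later.
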
John Bradley

Mar 14, 2023, 9:41:23 AM3/14/23
to DUBOUCHER Thomas, My1, Zhao Bin, FIDO Dev (fido-dev), Shane Weeden
I seem to recall that the RP.name was intended to help credential management for multi-tenant RPs, e.g. AAD, where the RPID is the same for all the credentials but the name can hint at the tenant, such as the enterprise vs. a personal MSA login.

WebAuthn should probably do a better job of communicating what these optional parameters are intended for now that we have more than one RP using them.  


That was why we added an explicit value the RP can set during make credential.  

Yes, the RP is free to set silly values for name, but that would probably be counterproductive for them.

I assume that most do not set RP.name when making credentials.  

Regards 
John B. 



Tim Cappalli

Mar 14, 2023, 11:53:15 AM3/14/23
to John Bradley, DUBOUCHER Thomas, My1, Zhao Bin, FIDO Dev (fido-dev), Shane Weeden

If you have recommended text for passkeys.dev, please add it to this issue.

