@annevk pointed out the algorithm in https://w3c.github.io/webauthn/#makeCredential which makes use of bits and pieces of document.domain that I would dearly love to remove from the platform. :)

It doesn't look like this (or the corresponding bits of getAssertion()) intend to change the document's origin, but it's not clear to me what impact they do have. Is the intent to support sharing auth tokens cross-origin? If so, could you help me understand why the origin model fails to support the use cases y'all have in mind?

Thanks!
I'll point out that the webauthn spec is currently strictly enforcing same-origin (where origin is defined by scheme-host-port) by requiring that the so-defined origin is included in the client data. An assertion generated on one origin won't be valid on another origin.

The PSL [eTLD] dependency is there simply as a recommendation on how to scope key pairs, meaning that two origins within the same public suffix [eTLD+1] may know the client by the same public key. See my comment on the original github thread as to why that is: w3ctag/design-reviews#97 (comment)
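The two mechanisms the comment above describes, the origin carried in the signed client data and the RP ID scoped to a registrable domain, as an added example in relying-party-side JavaScript. This is illustration code, not code from the issue thread, the WebAuthn spec or any browser; the clientDataJSON bytes, the challenge value and the small public-suffix set are constructed stand-ins, and `isPublicSuffix` is a hypothetical hook where a real RP would consult the actual public suffix list.

```javascript
// Added example, not code from the issue thread or the WebAuthn spec.
// Shows why an assertion minted on one origin is rejected on another:
// the client data the authenticator signs over carries the origin, and the
// RP compares it against the origin it served the challenge on. Also shows
// the RP ID scoping rule that lets origins under one eTLD+1 share a key.

// Constructed stand-in for the public suffix list (not the real PSL).
const TOY_PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Build raw clientDataJSON bytes the way a browser serializes them.
// Constructed test input; real bytes come from the authenticator response.
function makeClientDataJSON({ type, challenge, origin }) {
  return new TextEncoder().encode(JSON.stringify({ type, challenge, origin }));
}

function parseClientData(clientDataJSON) {
  return JSON.parse(new TextDecoder().decode(clientDataJSON));
}

// Compare the signed client data with what this RP expects. The origin
// comparison is the same-origin enforcement: scheme, host and port must all
// match the serialized origin, so a different port or host fails.
function verifyClientData(clientDataJSON, { expectedType, expectedChallenge, expectedOrigin }) {
  const c = parseClientData(clientDataJSON);
  if (c.type !== expectedType) return { ok: false, reason: "type mismatch" };
  if (c.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (c.origin !== expectedOrigin) return { ok: false, reason: "origin mismatch: " + c.origin };
  return { ok: true };
}

// Key-pair scoping: an RP ID is acceptable for an origin when it equals the
// origin's host or is a suffix of it at a label boundary, and is not itself a
// public suffix. Two origins under the same registrable domain (eTLD+1) may
// therefore share a credential; unrelated sites cannot claim it.
function rpIdValidForOrigin(rpId, origin, isPublicSuffix = (s) => TOY_PUBLIC_SUFFIXES.has(s)) {
  const host = new URL(origin).hostname;
  if (isPublicSuffix(rpId)) return false;
  return host === rpId || host.endsWith("." + rpId);
}

// Worked scenario: an assertion produced on https://login.example.com.
function demo() {
  const challenge = "dGVzdC1jaGFsbGVuZ2U"; // constructed base64url challenge
  const clientData = makeClientDataJSON({
    type: "webauthn.get",
    challenge,
    origin: "https://login.example.com",
  });
  const expected = { expectedType: "webauthn.get", expectedChallenge: challenge };
  return {
    sameOrigin: verifyClientData(clientData, { ...expected, expectedOrigin: "https://login.example.com" }),
    otherPort: verifyClientData(clientData, { ...expected, expectedOrigin: "https://login.example.com:8443" }),
    otherSite: verifyClientData(clientData, { ...expected, expectedOrigin: "https://evil.example" }),
    rpIdSameSite: rpIdValidForOrigin("example.com", "https://login.example.com"),
    rpIdOtherSite: rpIdValidForOrigin("example.com", "https://login.example.org"),
    rpIdPublicSuffix: rpIdValidForOrigin("co.uk", "https://shop.co.uk"),
    rpIdNotLabelBoundary: rpIdValidForOrigin("example.com", "https://notexample.com"),
  };
}
```

The label-boundary check matters: without the leading dot, `notexample.com` would pass as a suffix match for `example.com`, and rejecting public suffixes as RP IDs is what stops every site under `co.uk` from sharing one credential.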