diff --git a/index.bs b/index.bs index 4178af162..b82dd68f1 100644 --- a/index.bs +++ b/index.bs @@ -1338,10 +1338,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S [[#sctn-getAssertion]].
- Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: + Note: An [=RP ID=] is based on a [=origin/host=]'s [=domain=] name. It does not itself include a [=origin/scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`. + - One of the following must be true: + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=origin/scheme=] is `https`. + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=origin/host=] is `localhost` and its [=origin/scheme=] is `http`. - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted. For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`.
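Review bot: The new sub-bullet "[=origin/host=] is `localhost` and its [=origin/scheme=] is `http`" does not say whether the match is exact, so a reader cannot tell if a host such as `app.localhost` is meant to qualify, given that the first bullet lets the [=RP ID=] be a registrable domain suffix of the effective domain. Suggest wording it as an exact comparison (for example "is exactly `localhost`") or stating the intended set explicitly, since this is the one place where the `https` requirement is relaxed. The worked example after the list still covers only `https://login.example.com:1337`; a second sentence showing which [=RP ID=] is valid for an `http` origin on `localhost` would make the new case concrete. Style point: the hunk switches the scheme and host links to `[=origin/scheme=]` and `[=origin/host=]`, but the Note's second sentence and the last bullet still use the unqualified `[=port=]`; linking it as `[=origin/port=]` would keep the three terms consistent. Because this text sits in a Note, please also confirm that the normative steps that check the origin carry the same `localhost` exception.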