Niklas
I can't reproduce the issue right now. We will have to wait with reviewing this issue until we can reliably reproduce it. I did manage to see the issue when...
```
python3 -c 'import hashlib; print(hashlib.sha256("github.com".encode("utf-8")).hexdigest())'
3aeb002460381c6f258e8395d3026f571f0d9a76488dcd837639b13aed316560
```
btw I saw some discussion in the other PR regarding fido2 not using facets (urls) any more. That seems to be the case so that companies that use multiple domains...
> Very useful! That image on https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Migrating_from_U2F.html tells me it was probably a good decision to not include `facebook.com` in #472?
> If I try to register with facebook right now...
> @NickeZ
> In terms of security would it matter if bb02 added both of the hashes even though FIDO2 isn't implemented yet?

AFAIU we can add both, yes.
I think the new IDs are called Relying Party ID or RPID. So I think the code should distinguish if it is an RPID or an AppID.
I don't know why they removed the schema from the ID. Fortunately it still looks like they only allow a subdomain of the RPID given. https://www.w3.org/TR/webauthn/#relying-party-identifier I think the bb02...
I think it is up to GitHub to implement the portability and show the appid in case you registered when they used appid. Since they have to store the keyhandle...
Cool! Yeah, it seems to come from platform independent random number generation.. :( I'm not really happy about it either.
I swapped `tempdir` for `temp-dir` which has fewer dependencies, but isn't from `rust-lang` devs.