Implement Related Origins support (WebAuthn L3 § 5.11)

[AlfioEmanueleFresta]

Summary

WebAuthn Level 3 introduces Related Origins (§ 5.11), allowing credentials to be used across unrelated domains. The RP hosts a JSON document at https://{rpId}/.well-known/webauthn listing allowed origins.

Proposed Implementation

1. New module: ops/webauthn/related_origins.rs

   • RelatedOriginsDocument struct for parsing the well-known JSON
   • RelatedOriginsHttpClient trait for fetching (pluggable, testable)
   • validate_related_origins() implementing the validation procedure from § 5.11.1

2. Enhance RelyingPartyId (addresses Relying Party ID (RPID) validation #137)

   • Add validate_for_origin() to check if RP ID is a registrable suffix
   • Return whether related origins validation is required

3. Dependencies

   • url for origin parsing
   • publicsuffix for registrable domain detection

Feature Flags

[features]
related-origins = []
related-origins-client = ["related-origins", "reqwest"]

• related-origins: Core validation logic with trait-based HTTP client
• related-origins-client: Optional embedded HTTP client for testing/convenience

Future Consideration

The existing WebSocket/Noise implementation for caBLE could be refactored to follow the same pattern (trait + optional default implementation behind a feature flag) for consistency.