webauthn

What are the allowed RP IDs for the Public Key Credential create() and get()?


I'm looking for support regarding specifying the RP ID for sub-domains:

Case #1: Let's consider an RP whose origin is https://test.login.example.com. When the RP creates PK creds from that origin, the default RP ID is test.login.example.com. Can the RP specify login.example.com or example.com as the RP ID?

Case #2: Let's assume a PK credential was created with RP ID login.example.com. Can the RP whose origin is https://test.login.example.com specify login.example.com as the RP ID to assert with the credential?

Case #3: Let's assume a PK credential was created with RP ID example.com. Can the RP whose origin is https://test.login.example.com specify example.com as the RP ID to assert with the credential?


Solution

  • So, the specification says that the RP ID has to be a valid domain string and by default is the effective domain being used. It can be overridden to be a registrable domain suffix of the effective domain.

    So if the page you are on is test.login.example.com, then test.login.example.com, login.example.com and example.com are all valid; however, system.test.login.example.com would not be valid.

    The specification also says that the public key credential can only be used for authentication with the same RP ID it was registered with.

    CTAP actually also hashes the RP ID so the hash has to match on assertion.

    Case #1: Yes, both login.example.com and example.com would be valid RP IDs for that request.

    Case #2: Yes, you would actually need to specify the RP ID as login.example.com if you originally registered with that RP ID.

    Case #3: That would be the same case as with 2.