RpID, RpOrigins &RpTopOrigins

[gaxelac0]

Hello all, I'm doubtful about how RPID works.
I've read that the RPID has to be the host's origin FQDN or a registrable prefix of this.

Imagine I'm enrolling on a webpage with browser shows https://upper.example.com/.

Based on the definition of RPID I could use RPID=example.com, but when trying to enroll on that https://upper.example.com/ page with that defined RPID I get this error on the CompleteEnrollment:

webauthn complete registration error: RP Hash mismatch. Expected 4bade21efbd1301982d8d633b98cc6128f1ef13267539099382ad197e460e0ec and Received 937a6b15f90e6051a6d4293697be3ff90ea03f45923fec3ddcd7cdb371888e1c

What is the problem there?

On the other hand, what are RpOrigins and RpTopOrigins?
For example, I've tried the RpOrigins this way, I enrolled a authenticator with this settings
Browser origin: https://upper.lower.example.com/
RpId: upper.lower.example.com
RpOrigins: https://upper.lower.example.com, https://upper.other.example.com

With this settings, users should be able to Login on both origins? currently failing.

[james-d-elliott]

From the spec:

The RP ID must be equal to the origin's effective domain, or a registrable domain suffix of the origin's effective domain.

My reading of that to get it to work you'd need to register the credentials with the example.com RP ID.