Spec status

Hi,

Since the call was cancelled today, I wanted to send out a quick status so we can all know where we are and still make progress before the next call.

* I merged in PR 144 <https://github.com/w3c/webauthn/pull/144> for adding RP ID to the signature. This had been out for a little over a week and had received two positive reviews with no objections.

* PR 145 <https://github.com/w3c/webauthn/pull/145> has also been out for a few days and has no reviews. Please take a look when you have a chance; this is a simple tweak to the IDL to make the API more in line with established API patterns.

* The next big issue to resolve is the question of alignment with Credential Management, and how to tweak the API accordingly. I have an experimental update <https://github.com/w3c/webauthn/compare/vgb-experiment-noCredType?expand=1> to show how things would look if we simply dispensed with the Credential type, and how we could add new types in future if we did so. I will send out (soon, hopefully) a different experiment with the other alternative.

* I ran into Giri in person yesterday and he had some great feedback that I wanted to bring up:

    o The requirement for secure context should be a MUST, not a SHOULD, given how much sensitive information we send, and given that we depend on the origin for security.

    o We should consider moving the attestation formats into a registry (perhaps the same one as for the extensions), so that we can add an attestation format in future (like we are adding Android N now) without perturbing the core spec. If we agree, I can send out a slight refactor of the spec that makes this easier.

* Once we have these technical issues settled, we should think about issuing a new WG draft and reopening the conversation with TAG so we can get their review.

Please let me know if you have feedback about any of the above, or anything to add to the list.

Thanks,

--
-Vijay

Received on Wednesday, 20 July 2016 19:05:39 UTC