- From: John Fontana <jfontana@yubico.com>
- Date: Fri, 21 Sep 2018 15:21:36 -0600
- To: ralph@w3.org, Philippe Le Hegaret <plh@w3.org>, Tim Berners-Lee <timbl@w3.org>, W3C Comm Team <w3t-comm@w3.org>, chairs@w3.org
- Cc: W3C Web Authn WG <public-webauthn@w3.org>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CANNOEbJM50JSU4ez9D6Fbu9oyeh_Boe2re5sWDC0kUrrPX79Og@mail.gmail.com>
*# Document title, URLs, estimated publication date*

*Title:* Web Authentication: An API for accessing Public Key Credentials Level 1
*URL*: https://www.w3.org/TR/2017/WD-webauthn-20170811/
*Publication date:* 25 September 2018
*Last Published:* https://www.w3.org/TR/webauthn/
*Latest Editor’s Draft:* https://w3c.github.io/webauthn/

*# Abstract*

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

*# Status*

https://www.w3.org/TR/webauthn/

*# Comments*

Send comments to: public-webauthn@w3.org
Feedback is due 02 October 2018 [Or 7 days from day Request is approved]

*# Link to group's decision to request transition*

Call for Consensus: https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/0043.html

*# Substantive Changes*

None

*# Requirements satisfied*

Yes. No changes

*# Dependencies met (or not)*

Met

## *The spec has normative dependencies on the following W3C Recs:*

https://www.w3.org/TR/webauthn/#normative

## *The spec has normative dependencies on the following non-W3C standards:*

Base64url encoding [RFC4648]
CBOR [RFC7049]
CDDL [Internet Draft]
COSE [RFC8152]
DOM [DOM4]
ECMAScript [ECMAScript]
HTML [HTML5.2]
OAUTH 2 [RFC6749]
JSON Web Key [RFC7517]
CTAP (Client to Authenticator Protocol) [FIDO Alliance]

*# Wide Review*

*TAG:* https://www.w3.org/Search/Mail/Public/search?keywords=%22TAG+review+feedback%22&hdr-1-name=subject&hdr-1-query=&index-grp=Public_FULL&index-type=t&type-index=public-webauthn

*Privacy Interest Group:* https://www.w3.org/2018/01/11-privacy-minutes.html

*Web Payments Working Group:*
WG discussion (12/14/2017): https://www.w3.org/2017/12/14-wpwg-minutes#item02
https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0230.html (03/18/2018)

*Accessible Platform Architectures (APA) Working Group:* https://github.com/w3c/webauthn/issues/733

*IETF Token Binding Working Group:* https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0054.html

*Public review:* The API was the subject of a critical blog post. The WG reviewed these claims and decided that changes in this API are not needed - changes might be advisable (but optional) in CTAP (the companion FIDO spec). Of note, these crypto-savvy researchers identified less-than-ideal choices the WG had made, typically for good reason, and did not identify any showstopper issues: https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet

*FIDO Alliance FIDO2 WG review*

*# Issues addressed*

https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2Fwebauthn%2F&doc2=https%3A%2F%2Fw3c.github.io%2Fwebauthn%2F

*# Formal Objections*

None

*# Implementation*

*Web Payments Demo implementation* https://www.w3.org/2018/06/lyra-webauthpay.mp4

*Worldpay Web Payments and Web Authentication Demo* https://www.w3.org/2018/08/worldpay.html

*Mozilla’s Firefox browser implements W3C Web Authentication API since Version 60.* https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

*Microsoft has added support in its Edge Browser.*

*Google’s Chrome supports the W3C Web Authentication API in Chrome 70 (Sept. 2018).*

*The Web AuthN WG has conducted three interop events.*

*# Patent disclosures*

https://www.w3.org/2004/01/pp-impl/87227/status#current-disclosures
https://www.w3.org/2017/03/webauthn-pag-report.html

Co-chairs
Tony Nadalin
John Fontana

--
John Fontana
Identity and Standards Analyst | Yubico <http://www.yubico.com/>
Phone: +1 303 301 4437
Skype: j_fontana
Received on Friday, 21 September 2018 21:22:20 UTC