- From: Jeff Hodges <jdhodges@google.com>
- Date: Wed, 7 Aug 2019 11:19:24 -0700
- To: Anthony Nadalin <tonynad@microsoft.com>
- Cc: Akshay Kumar <Akshay.Kumar@microsoft.com>, John Bradley <jbradley@yubico.com>, W3C Web Authn WG <public-webauthn@w3.org>, John Fontana <jfontana@yubico.com>
- Message-ID: <CAOt3QXuhAUyMoKEO+woOS989_pL3o06b69cmPzVrNEQ0B2mkPQ@mail.gmail.com>
I largely concur with JBradley & Akshay. The only items I see in that list that would (possibly) require accommodation in the WebAuthn API, and/or require new extensions, are..

  5. Enterprise Attestation
  6. Backup/Recovery
  11. caBLE

fyi/fwiw, the "new stuff (so far, AFAIU)" in webauthn L2 FPWD is listed here:

https://lists.w3.org/Archives/Public/public-webauthn/2019Jun/0248.html

hth,

=JeffH

On Wed, Aug 7, 2019 at 9:22 AM Anthony Nadalin <tonynad@microsoft.com> wrote:

> Agree this was a mixture of CTAP and WebAuthn items, I listed them as we
> tend to lock step CTAP and WebAuthn and questions come up on the cadence of
> how often we update the specs as when the specs are released there will be
> question on who supports these, also we will have to have implementations
> so add that into the mix
>
> *From:* Akshay Kumar <Akshay.Kumar@microsoft.com>
> *Sent:* Wednesday, August 7, 2019 9:07 AM
> *To:* John Bradley <jbradley@yubico.com>; Anthony Nadalin <tonynad@microsoft.com>
> *Cc:* W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <jfontana@yubico.com>
> *Subject:* RE: W3C WebAuthn Recommendation schedule
>
> Few more things to the list
>
> 1. Credential Management
> 2. Biometric Enrollment
> 3. Cred Protect
> 4. UV Token
> 5. Enterprise Attestation
> 6. Backup/Recovery
> 7. FIPS
> 8. PIN Policies
> 9. Per-Credential Config (cert blobs, other configs)
> 10. Multiple Versions of CTAP on Authenticator (Session mgmt?)
> 11. caBLE (both first and second factor modes)
> 12. Authenticator Upgradability
>
> Most of the items in the list are not related to webauthn. They are purely
> CTAP issue. Some items that are slightly related to webauthn are Enterprise
> Attestation, per-credential config and caBLE. Which are not part of
> webauthn as of now.
>
> Then, as we did earlier, we need to have interoperable POC between
> authenticators and platforms to have a confidence that things
> will work and figure out minute details.
>
> While I believe that CTAP spec progress is slow at times, one of main good
> security reasons for that is most authenticators cannot upgrade. So they
> have one shot of getting this right. I am not in favor of having
> artificial deadlines here. It brings more problems than solutions
> especially for authenticator vendors.
>
> In my view, above are enhancements for a very solid FIDO_2_0 spec where
> most RPs can release their full first factor or second factor
> authentication today. As many have.
>
> Thanks
>
> *From:* John Bradley <jbradley@yubico.com>
> *Sent:* Wednesday, August 7, 2019 5:29 AM
> *To:* Anthony Nadalin <tonynad@microsoft.com>
> *Cc:* W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <jfontana@yubico.com>
> *Subject:* Re: W3C WebAuthn Recommendation schedule
>
> The most pressing WebAuthn issue is Delegation. By iFrame or other method.
>
> UVtoken is a CTAP issue.
>
> Enterprise Attestation is split between WebAuthn and CTAP. I think that
> is going to take some time.
>
> The first three are being rolled out by people now. Locking those down
> would be good but they are mostly in CTAP.
>
> John B.
>
> On Tue, Aug 6, 2019, 6:31 PM Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
> Framing for tomorrow's schedule discussion:
>
> There are several top priority items that we would like to get done, some
> of these have a dependency on CTAP 2.x, some may require changes to
> authenticators. Given the fact that WebAuthn Level 1 and CTAP 2.0 were just
> released this year, would it be a good idea to release a new version
> quickly like 12/2019- 3/2020 or wait until the market has deployed Level 1
> and CTAP 2.0. Need input from browser vendors and authenticator vendors and
> anyone else that has an opinion.
>
> Some of the items between WebAuthn and CTAP I hear are important are:
>
> 1. Credential Management
> 2. Biometric Enrollment
> 3. Cred Protect
> 4. UV Token
> 5. Enterprise Attestation
> 6. Backup/Recovery
> 7. FIPS
> 8. Any others?

--
Thanks, HTH,
=JeffH

Received on Wednesday, 7 August 2019 18:20:15 UTC