[wbs] response to 'Call for Review: Web Authentication: An API for accessing Public Key Credentials Level 1 is W3C Proposed Recommendation'

The following answers have been successfully submitted to 'Call for Review:
Web Authentication: An API for accessing Public Key Credentials Level 1 is
W3C Proposed Recommendation' (Advisory Committee) for Mozilla Foundation by
David Baron.

Regarding the "Web Authentication: An API for accessing Public Key
Credentials Level 1" specification, the reviewer supports publication as a
W3C Recommendation as is.


Additional comments about the specification:
   Web Authentication is our best technical response to phishing.  It
ties public-key cryptography into web logins, and dramatically
raises the bar for phishing from a simple confusable website and
replay attack to an HTTPS network man-in-the-middle. In practice,
Web Authentication forces adversaries to move to attack account
recovery methods, which often have stronger controls than a standard
login.


The reviewer's organization:
   - produces products addressed by this specification.
   - expects to produce products conforming to this specification.
   - expects to use products conforming to this specification.


Comments about products related to these specifications:
   The specification has many backward compatibility pieces that 
Firefox is likely to never need to implement. The compatibility 
pieces are useful for providing the installed base of existing FIDO
or TCG devices a path forward. The core website functions aren't so
complex; Duo's explainer is very good, at https://webauthn.guide/ .
There's also forward-extensibility, leading toward a password-less
future built on digital signatures rather than disclosing shared
secrets.



General comments:
   Major sites that we know of using Web Authentication:

* For the United States, https://login.gov/ uses it -- so, as an
  example, applying for the Global Entry traveler program will
  exercise a Web Authentication security key, if you choose.

* Dropbox has also supported Web Authentication since Firefox 60 
  shipped:
  https://blogs.dropbox.com/tech/2018/05/introducing-webauthn-support-for-secure-dropbox-sign-in

Many other major properties have indicated they'll support Web
Authentication sooner or later. 

Demos are available at https://webauthn.io/,
https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or
even the lowly https://webauthn.bin.coffee/.


Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/webauthn-1/ until 2019-02-14.

 Regards,

 The Automatic WBS Mailer

Received on Thursday, 14 February 2019 00:36:03 UTC