Security Review Request for WebAuthn Level 2

Hi Security,

The Web Authentication WG requests review of Web Authentication: An API
for accessing Public Key Credentials, Level 2
https://w3c.github.io/webauthn/
as it prepares for an updated CR publication.

This is an incremental update to WebAuthn Level 1,
https://www.w3.org/TR/2019/REC-webauthn-1-20190304/

Substantive changes since Rec:
-- Added new method to allow Discoverable/Resident Credentials Preferred
-- New methods added for Attestation Objects
-- Added Enterprise Attestation, Apple Attestation
-- Added Large Blob storage and credential properties
-- Modified cross-origin iFrame usage (only 'get' command)
-- Removed unused extensions (they remain in Level 1); also simple tx
auth, generic tx auth, UVI, biometrics.
-- Clarified some inputs and outputs in extensions
-- Fixed some serialization issues with JSON parser

Security Considerations:
https://www.w3.org/TR/webauthn-2/#sctn-security-considerations

Comments welcome on GitHub, https://github.com/w3c/webauthn/issues

Thank you,
--Wendy, as WebAuthn WG team contact
-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead and Counsel, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Monday, 19 October 2020 12:30:51 UTC