[w3ctag/design-reviews] Web Authentication Level 2 (#577)

HIQaH! QaH! TAG!

I'm requesting a TAG review of Web Authentication Level 2.

Web Authentication Level 2 is an incremental update over Level 1. New features in Level 2 include the following:
 - A new enum-valued AuthenticatorSelectionCriteria.residentKey property to allow “preferred” creation of a discoverable credential (formerly known as a “resident key”).
 - The Credential Properties Extension (credProps), which reports whether a created credential is discoverable.
 - The Large Blob Storage Extension (largeBlob), which allows associating a credential with opaque data.
 - An additional AttestationConveyancePreference enum value, “enterprise”, to allow requesting attestation statements that may include uniquely identifying information.
 - The Apple Anonymous Attestation Statement Format.
 - Additional convenience methods on AuthenticatorAttestationResponse that extract and convert certain parts of the CBOR-encoded attestationObject.

Requested Links:
  - Explainer¹ (minimally containing user needs and example code): https://docs.google.com/document/d/19tpdFvgV4qaOoudNwGOfsRskDdn989rk8NxtMHA6OEo/view

  - Specification URL: https://www.w3.org/TR/webauthn-2/

  - Tests: https://wpt.fyi/results/webauthn/

  - Security and Privacy self-review²: https://docs.google.com/document/d/1jZNgT_o1BXKJF-dZS81lHzv5hQM61KSv0mfax5xvui4/view

  - GitHub repo (if you prefer feedback filed there): https://github.com/w3c/webauthn/

  - Primary contacts (and their relationship to the specification):
      - Anthony Nadaline (nadalin), W3C Invited Experts (co-chair and editor)
      - Jeff Hodges (equalsJeffH), Google (editor)
      - Akshay Kumar (akshayku), Microsoft (editor)
      - Daniel Veditz (dveditz), Mozilla
      - Jiewen Tan (alanwaketan), Apple
      - Wendy Seltzer (wseltzer), W3C Team Contact
  - Organization(s)/project(s) driving the specification: W3C Web Authentication WG
  - Key pieces of existing multi-stakeholder review or discussion of this specification: 
   - WG meetings and GitHub issue/PR discussion threads
   - [PING review](https://lists.w3.org/Archives/Public/public-privacy/2020OctDec/0018.html) (ongoing)
  - External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): 
   - ChromeStatus: [1](https://chromestatus.com/feature/5701094648840192), [2](https://chromestatus.com/feature/5102556109864960)

Further details:

  - [x] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
  - Relevant time constraints or deadlines: No firm deadlines, but Level 2 is in feature freeze at this point and approaching publication
  - The group where the work on this specification is currently being done: W3C Web Authentication WG
  - The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): W3C Web Authentication WG
  - Major unresolved issues with or opposition to this specification: none
  - This work is being funded by: The member organizations of the WG members

You should also know that...

 - WebAuthn Level 1 has already gone through TAG review (see #97), so this review is only meant to cover substantial changes between Levels 1 and 2.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our GitHub repo for **each point of feedback**



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/577

Received on Tuesday, 24 November 2020 20:12:30 UTC
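
Added example, not part of the original request and not the Working Group's own code: how a relying party might request the Level 2 features listed in the message (residentKey "preferred", credProps, largeBlob, "enterprise" attestation) and read their results without assuming the client honoured them. The function names, RP ID, user fields and mock credential are constructed for illustration.

```javascript
// Build PublicKeyCredentialCreationOptions that use the Level 2 additions.
// In a browser: navigator.credentials.create({ publicKey: buildLevel2CreationOptions(...) })
function buildLevel2CreationOptions(challenge, userId, enterpriseManaged) {
  return {
    rp: { id: "example.com", name: "Example RP" }, // constructed values
    user: { id: userId, name: "alice@example.com", displayName: "Alice" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    // "preferred": create a discoverable credential if the authenticator can.
    authenticatorSelection: { residentKey: "preferred" },
    // "enterprise" attestation may carry uniquely identifying information,
    // so only ask for it on deployments that are managed.
    attestation: enterpriseManaged ? "enterprise" : "none",
    extensions: { credProps: true, largeBlob: { support: "preferred" } },
  };
}

// Summarise a registration result, treating every Level 2 output as optional.
function summarizeRegistration(cred) {
  const ext = cred.getClientExtensionResults();
  const rk = ext.credProps ? ext.credProps.rk : undefined;
  const spki = cred.response.getPublicKey(); // null if the client cannot convert the key
  return {
    discoverable: rk === true ? "yes" : rk === false ? "no" : "unknown",
    largeBlobSupported: Boolean(ext.largeBlob && ext.largeBlob.supported),
    alg: cred.response.getPublicKeyAlgorithm(),
    needsCborParsing: spki === null, // fall back to decoding attestationObject
    transports: cred.response.getTransports(),
  };
}

// Constructed stand-in for a PublicKeyCredential, so the logic runs outside a browser.
function mockCredential(extResults, spki) {
  return {
    getClientExtensionResults: () => extResults,
    response: {
      getPublicKey: () => spki,
      getPublicKeyAlgorithm: () => -7,
      getTransports: () => ["usb"],
    },
  };
}

// A client that ignored both extensions and could not convert the key.
console.log(summarizeRegistration(mockCredential({}, null)));
```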