public-webauthn@w3.org from September 2017 by subject

09/06/2017 W3C Web Authentication WG Meeting Agenda

09/13/2017 W3C Web Authentication WG Meeting Agenda

09/20/2017 W3C Web Authentication WG Meeting Agenda

@@EDITOR-ANCHOR in index.bs?

[w3c/webauthn]

[w3c/webauthn] 0141d9: Corrected inaccuracy in authenticator extension pr...

[w3c/webauthn] 14adaa: Built by Travis-CI: eb401b78e218af43715e426ea1825f...

[w3c/webauthn] 14c273: fix proper subset tweak (#542)

[w3c/webauthn] 1559de: Remove user agent getting user consent sentence

[w3c/webauthn] 1dce39: Built by Travis-CI: db1be8059b02cb8981fbe0229f6d1e...

[w3c/webauthn] 1f096d: incorp comments from mikewest at webappsec-credent...

[w3c/webauthn] 20827e: typo

[w3c/webauthn] 2465b4: updating signcounter consideration according to su...

[w3c/webauthn] 26552c: Make user.id a byte array (#586)

[w3c/webauthn] 27d71f: Built by Travis-CI: 6589a1013cd776da57d704eb8508fc...

[w3c/webauthn] 2ec526: Clean up COSEAlgorithmIdentifier loose ends (#580)

[w3c/webauthn] 42a7e6: Built by Travis-CI: d96d7668a53bfc463968bedc9d9b95...

[w3c/webauthn] 467f31: Built by Travis-CI: 2ec526743c1fe42ea602fa31d47eed...

[w3c/webauthn] 4a376b: removed signing procedure details and referred to ...

[w3c/webauthn] 4aa72b: Fix syntax errors in JavaScript examples.

[w3c/webauthn] 515acc: Built by Travis-CI: 14c2733ca6a4a9568e4c48fef1b870...

[w3c/webauthn] 5502d4: Clarifying signing procedure for U2F attestation

[w3c/webauthn] 5e5060: Built by Travis-CI: 3ee8ed586c2ce62f7a4180cb9dcf0d...

[w3c/webauthn] 67e922: Clarify excludeCredentialDescriptorList (#573)

[w3c/webauthn] 6e45cc: Clarify Safetynet attestation return value

[w3c/webauthn] 757240: Built by Travis-CI: 67e922c011aeb2668fd7adfaf75d7f...

[w3c/webauthn] 7a8ad4: more corrections according to the comments in the ...

[w3c/webauthn] 8e8219: Built by Travis-CI: f37cfc5dfd074832ab61ed299d1ee7...

[w3c/webauthn] 92b5bf: addressed second last comment

[w3c/webauthn] a1b998: fix indents make BS happy, add some periods

[w3c/webauthn] a7dd80: Built by Travis-CI: 26552c41d086f46be877018dc2c8b0...

[w3c/webauthn] ad54fb: correction: bikeshed still wants spaces - not tabs

[w3c/webauthn] bc8e9a: corrected phrase as indicated by equalsJeffH

[w3c/webauthn] d9d171: Built by Travis-CI: 96b9a982b235144816abaaa6517d36...

[w3c/webauthn] db1be8: Fix Android attestation (#546)

[w3c/webauthn] dcf793: using descriptive names for authenticator selectio...

[w3c/webauthn] df905a: using descriptive names for authenticator selectio...

[w3c/webauthn] eb401b: Remove user agent getting user consent sentence (#...

[w3c/webauthn] ee384b: added alternative: MSB to indicate signCounter sup...

[w3c/webauthn] f37cfc: Address security and privacy issues with the icon...

[w3c/webauthn] f8943a: Built by Travis-CI: dcf793928221b1883f4c9ac4dd5264...

[webauthn] "Authenticator extension processing" is likely wrong

[webauthn] "might be present on this authenticator" could use a clearer definition

[webauthn] "WebAuthn Authenticator model" seemingly prohibits random AAGUIDs (minor)

[webauthn] #createCredential step 12 incorrectly refers to a timer

[webauthn] #registering-a-new-credential step 10 breakage

[webauthn] .store() is confusing

[webauthn] [PR 384] Does requireUserMediation() make sense after merge

[webauthn] Add [Exposed] to all interfaces

[webauthn] Add credential type uaf

[webauthn] Add uaf attestation format

[webauthn] address needs of various webauthn spec audiences

[webauthn] Address security and privacy issues with the iconURL

[webauthn] An issue about setAttestationChallenge() in "android-key" attestation statement

[webauthn] Android SafetyNet Attestation lacks information on authenticator provenance

[webauthn] Authenticator selection extension - should makeCredential fail if no specified authenticator can be found?

[webauthn] Authenticator selection extension needs to define snapshotting behavior

[webauthn] authenticatorGetAssertion showing selection UI for external authenticators

[webauthn] authenticatorMakeCredential has an excludeCredentialDescriptorList parameter, but doesn't do anything with it

[webauthn] basicIntegrity in SafetyNet documentation not sufficiently defined

[webauthn] CDDL for attStmtType is confusing

[webauthn] change "credential public key" to "user public key"

[webauthn] Change user.id examples to binary encoding.

[webauthn] Clarify excludeCredentialDescriptorList

[webauthn] Clean up COSEAlgorithmIdentifier loose ends

[webauthn] Consider allowing authenticators to randomise signed hashes.

[webauthn] Consider dropping requirement for TUP on create()

[webauthn] Consider requiring canonical CBOR throughout

[webauthn] Consider using USVString instead of DOMString sometimes

[webauthn] Correct uses of "JSON string" versus "DOMString" and other string terminology usage

[webauthn] Credential ID uniqueness expectations are inconsistent/vague

[webauthn] ctsprofilematch in SafetyNet documentation not sufficiently defined

[webauthn] Description of attestation signature generation for ECDAA needs to be fixed.

[webauthn] Display name content rules?

[webauthn] Drop UAF references in favor of better explanation

[webauthn] ensure #registering-a-new-credential step 10 and the inputs to all attStmt types' verification procedures match

[webauthn] Examples should include non-ASCII [editorial]

[webauthn] Extension identifiers in examples are inconsistent with registered identifiers

[webauthn] FIDO U2F Attestation Statement Format doesn't say what to do with AAGUID

[webauthn] Fix Android attestation

[webauthn] Fix syntax errors in JavaScript examples.

[webauthn] fixup algs contd 3

[webauthn] How should the browser handle CredentialMediationRequirement for public key credentials?

[webauthn] imageURL privacy

[webauthn] impl guidelines for signature counter

[webauthn] Include Constants for COSE Algorithm Numbers

[webauthn] include public key in PublicKeyCredential

[webauthn] include public key in result from create()

[webauthn] Incorrect feedback link in 20160531 WD

[webauthn] inconsistent concatenation symbols - notational conventions section?

[webauthn] isPlatformAuthenticatorAvailable() timeout really 10 minutes?

[webauthn] It would be nice if the definition of "Scoped Credential" said something about what `identifier` and `type` are

[webauthn] Key types and algorithms are confusing

[webauthn] keyType: "public-key" is superfluous

[webauthn] Make AuthenticatorSelectionCriteria more complete.

[webauthn] Make create() and get() abortable

[webauthn] Make packed attestation format Privacy CA-friendly

[webauthn] makeCredential should be more precise than NotAllowedError in its last step

[webauthn] Move {#sample-scenarios} (currently Section 10) to the top of the doc

[webauthn] musings wrt webauthn's profile of COSE_Key

[webauthn] Must returned extensions be mathematically proper subsets of requested extensions?

[webauthn] need description & illustrations of overall flow: authnr <--> platform API <--> RP

[webauthn] Need to fix android key attestation verification procedure

[webauthn] Need to remove the term "authentication key" in self attestation description

[webauthn] new commits pushed by AngeloKai

[webauthn] new commits pushed by balfanz

[webauthn] new commits pushed by christiaanbrand

[webauthn] new commits pushed by equalsJeffH

[webauthn] new commits pushed by leshi

[webauthn] new commits pushed by rlin1

[webauthn] new commits pushed by selfissued

[webauthn] new commits pushed by WebAuthnBot

[webauthn] New research suggests using ED512 instead of ED256.

[webauthn] No description regarding representation of credential Id length

[webauthn] No way to select an intended authenticator during authentication with attachment info

[webauthn] Not clear what to do with cross platform authenticators during make-an-assertion step

[webauthn] Not clear what's executed in parallel in Section 4.1.3, Step 24.3

[webauthn] Not necessary to pass AuthenticatorSelectionCriteria members to authenticatorMakeCredential()

[webauthn] Nothing required in PublicKeyCredentialEntity

[webauthn] parameter lists in #createCredential and #op-make-cred do not match

[webauthn] Plumb User ID through

[webauthn] PR#498 fixup algs contd 3

[webauthn] preventSilentAccess() -- what effect does calling it have?

[webauthn] Privacy Considerations should describe risks of storing userID/displayName in "second-factor" authenticators

[webauthn] PublicKeyCredentialDescriptor.id and PublicKeyCredentialEntity.id type differ

[webauthn] RawId vs Id is confusing

[webauthn] Refine meaning of PublicKeyCredentialType to be "signature & assertion format (and version thereof)"

[webauthn] Remove "proper subset" from extension algorithm

[webauthn] remove "required" on ScopedCredentialDescriptor.id

[webauthn] Remove user agent getting user consent sentence

[webauthn] rename "attestation data" to be "attested credential"

[webauthn] Replace Authenticator Model with CTAP

[webauthn] Restore identifier alignment with CTAP and WD-06

[webauthn] restrict WebAuthentication API to only top level browsing context

[webauthn] RP guidelines should allow RP to not check attestation

[webauthn] Safetynet attestation does not return byte array as a response.

[webauthn] should authenticatorExtensions really be a dictionary?

[webauthn] Sign counter alg 507

[webauthn] Sign counter alg 507 alternative: optional sig counter

[webauthn] Specify what happens when the Client receives invalid CBOR

[webauthn] The authenticatorMakeCredential operation section doesn't specify how to pass extensions to authenticator

[webauthn] The description for creating a new credential has the browser prompting the user for consent

[webauthn] The W3C HTML spec is broken, and probably shouldn't be referenced

[webauthn] U2F Attestation only lists Basic Attestation as supported

[webauthn] undefined terms

[webauthn] user id should be returned in get()

[webauthn] User Verification Method (uvm) extension incorrectly mentions user verification *index*

[webauthn] using descriptive names for authenticator selection criteria

[webauthn] UVM Extension Editorial Change

[webauthn] various issues with AppId extension

[webauthn] Where are rsaAlgName and eccAlgName defined?

Accessibility Questions from APA

Closed: [webauthn] "Authenticator extension processing" is likely wrong

Closed: [webauthn] "might be present on this authenticator" could use a clearer definition

Closed: [webauthn] [PR 384] Does requireUserMediation() make sense after merge

Closed: [webauthn] An issue about setAttestationChallenge() in "android-key" attestation statement

Closed: [webauthn] authenticatorGetAssertion showing selection UI for external authenticators

Closed: [webauthn] authenticatorMakeCredential has an excludeCredentialDescriptorList parameter, but doesn't do anything with it

Closed: [webauthn] Consider allowing authenticators to randomise signed hashes.

Closed: [webauthn] Consider requiring canonical CBOR throughout

Closed: [webauthn] Consider using USVString instead of DOMString sometimes

Closed: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

Closed: [webauthn] Drop UAF references in favor of better explanation

Closed: [webauthn] It would be nice if the definition of "Scoped Credential" said something about what `identifier` and `type` are

Closed: [webauthn] Make U2F Attestation Format "sig" more precise

Closed: [webauthn] makeCredential should be more precise than NotAllowedError in its last step

Closed: [webauthn] Must returned extensions be mathematically proper subsets of requested extensions?

Closed: [webauthn] New research suggests using ED512 instead of ED256.

Closed: [webauthn] PublicKeyCredentialDescriptor.id and PublicKeyCredentialEntity.id type differ

Closed: [webauthn] Safetynet attestation does not return byte array as a response.

Closed: [webauthn] should authenticatorExtensions really be a dictionary?

Closed: [webauthn] Specify what happens when the Client receives invalid CBOR

Closed: [webauthn] The authenticatorMakeCredential operation section doesn't specify how to pass extensions to authenticator

Closed: [webauthn] The description for creating a new credential has the browser prompting the user for consent

Closed: [webauthn] Where are rsaAlgName and eccAlgName defined?

Eleven comments on "Web Authentication: An API for accessing Public Key Credentials". W3C Working Draft, 5 May 2017

fyi: client nonce security analysis

please review credman PR#100 and webauthn PR#498.. (fixup algs contd 3)

PR #586 review submitted

reviewed current state of PR #539

Updated Web Platform Tests

WebAuthn Spec Status

Last message date: Saturday, 30 September 2017 23:41:03 UTC