- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Wed, 14 Mar 2018 14:34:06 -0700
- To: W3C Web Authn WG <public-webauthn@w3.org>
[ note: we agreed on the call today to publish a WD-09 containing these new modest commits..

* e155bae 2018-03-14 | fix linking errors, ref PublicKeyCredentialCreationOptions rather than MakePublicKeyCredentialOptions (#840) (HEAD -> master, origin/master, origin/HEAD) [=JeffH]
* c53c1d1 2018-03-14 | move Johan from contributors to acknowledgements (#839) [Samuel Weiler]
* f0a495b 2018-03-14 | Remove vestigial reference to CollectedClientData/clientExtensions (#835) [Mike Jones]
* 9c60eed 2018-03-12 | Add links to two previous working drafts (#834) [Angelo Liao]

..since WD-08. ]

here's a compendium of the changes in WD-09 from WD-07 I gleaned this afternoon using <http://kingsmountain.com/doc/diff/diff-webauthn-WD-08a--from--WD-07.pdf>:

* Clarifies backwards compatibility with FIDO U2F, and its reliance on FIDO AppID.
* Adopts the CTAP2 canonical CBOR encoding form for all CBOR-encoded data.
* Further alignment with Credential Management, e.g., defining Public Key Credential Source, adding [[preventSilentAccess]] internal method.
* Further refines the [[Create]] (aka createCredential) and [[DiscoverFromExternalSource]] (aka getAssertion) algorithms in order to address potential side-channel timing attacks that could enable user-identifying information.
* Adds authenticatorCancel operation to the Authenticator Model.
* Uses only SHA-256 for hashing the client data.
* Authentication extension data is no longer included in collected client data.
* Clarifies the WebAuthn Authenticator Model, and refines & corrects the authenticatorMakeCredential and authenticatorMakeCredential operations.
* Clarifies Attested Credential data, and adds examples of credentialPublicKey values encoded in COSE_Key format.
* Renames Privacy CA as Attestation CA to conform with TCG TPMv2 specs.
* Adds "None" as a formal Attestation Type, and defines a "None attestation statement format".
* Clarifies the signature formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures.
* Refines and corrects the Relying Party registration and authentication assertion verification operations.
* Clarifies and corrects the Packed, TPM, and FIDO U2F attestation statement formats.
* Refines the Extensions framework: clarifies the WebAuthn extensions model regarding passing-through unrecognized extensions, authenticator extension processing, and the inputs & outputs of defined extensions. Also:
  * Clarifies and corrects the FIDO AppID extension.
  * Refines and corrects the Location extension.
  * Adds the Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)
* Coalesces Security Considerations section, adds attestation security considerations. Adds discrete Privacy Considerations section, touching upon attestation, registration, and authentication privacy.

HTH,

=JeffH

Received on Wednesday, 14 March 2018 21:34:38 UTC