- From: John Fontana <w3c@yubico.com>
- Date: Wed, 14 Mar 2018 16:25:57 -0600
- To: W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CANNOEbJwFSXUSwY9c9ekn2NoR+xc6e9FCKSRGp2AO=F03yD2ZA@mail.gmail.com>
Will this turn into a similar file now tagged to WD08?
https://services.w3.org/htmldiff?doc1=&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2018%2FWD-webauthn-20180306%2F

On Wed, Mar 14, 2018 at 3:34 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:

> [ note: we agreed on the call today to publish a WD-09 containing these
> new modest commits..
>
> * e155bae 2018-03-14 | fix linking errors, ref
> PublicKeyCredentialCreationOptions rather than
> MakePublicKeyCredentialOptions (#840) (HEAD -> master, origin/master,
> origin/HEAD) [=JeffH]
> * c53c1d1 2018-03-14 | move Johan from contributors to acknowledgements
> (#839) [Samuel Weiler]
> * f0a495b 2018-03-14 | Remove vestigial reference to
> CollectedClientData/clientExtensions (#835) [Mike Jones]
> * 9c60eed 2018-03-12 | Add links to two previous working drafts (#834)
> [Angelo Liao]
>
> ..since WD-08. ]
>
>
> here's a compendium of the changes in WD-09 from WD-07 I gleaned this
> afternoon using
> <http://kingsmountain.com/doc/diff/diff-webauthn-WD-08a--from--WD-07.pdf>:
>
> * Clarifies backwards compatibility with FIDO U2F, and its reliance on
> FIDO AppID.
>
> * Adopts the CTAP2 canonical CBOR encoding form for all CBOR-encoded
> data.
>
> * Further alignment with Credential Management, e.g., defining Public Key
> Credential Source, adding [[preventSilentAccess]] internal method.
>
> * Further refines the [[Create]] (aka createCredential) and
> [[DiscoverFromExternalSource]] (aka getAssertion) algorithms in order to
> address potential side-channel timing attacks that could enable
> user-identifying information.
>
> * Adds authenticatorCancel operation to the Authenticator Model.
>
> * Uses only SHA-256 for hashing the client data.
>
> * Authentication extension data is no longer included in collected client
> data.
>
> * Clarifies the WebAuthn Authenticator Model, and refines & corrects the
> authenticatorMakeCredential and authenticatorMakeCredential operations.
>
> * Clarifies Attested Credential data, and adds examples of
> credentialPublicKey values encoded in COSE_Key format.
>
> * Renames Privacy CA as Attestation CA to conform with TCG TPMv2 specs.
>
> * Adds "None" as a formal Attestation Type, and defines a "None
> attestation statement format".
>
> * Clarifies the signature formats for Packed Attestation, FIDO U2F
> Attestation, and Assertion Signatures.
>
> * Refines and corrects the Relying Party registration and authentication
> assertion verification operations.
>
> * Clarifies and corrects the Packed, TPM, and FIDO U2F attestation
> statement formats.
>
> * Refines the Extensions framework: clarifies the WebAuthn extensions
> model regarding passing-through unrecognized extensions, authenticator
> extension processing, and the inputs & outputs of defined extensions. Also:
>
>   * Clarifies and corrects the FIDO AppID extension.
>
>   * Refines and corrects the Location extension.
>
>   * Adds the Biometric Authenticator Performance Bounds Extension
>   (biometricPerfBounds)
>
> * Coalesces Security Considerations section, adds attestation security
> considerations. Adds discrete Privacy Considerations section, touching upon
> attestation, registration, and authentication privacy.
>
>
>
> HTH,
>
> =JeffH
>
Received on Wednesday, 14 March 2018 22:26:53 UTC