Re: Transition Request: Web Authentication to Proposed Recommendation from Adam Powers on 2018-09-26 (public-webauthn@w3.org from September 2018)

From: Adam Powers <adam@fidoalliance.org>
Date: Wed, 26 Sep 2018 10:06:08 -0700
To: Ralph Swick <swick@w3.org>, W3C Comm Team <w3t-comm@w3.org>, John Fontana <jfontana@yubico.com>, chairs@w3.org
Cc: Philippe Le Hegaret <plh@w3.org>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, Tim Berners-Lee <timbl@w3.org>, W3C Web Authn WG <public-webauthn@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <etPan.5babbeba.2ae8944a.17d3@fidoalliance.org>
Regarding WPTs: the WebAuthn API depends on external authenticator hardware or browser-specific mocks that are enabled via flags. Since those flags / hardware are not used during the running of the automated tests you will most likely see these failures for the foreseeable future.  

Also note that Edge with WebAuthn is available to the public as part of the “Windows Insider” open beta, even though it doesn’t show up in the results below.  

Hope that helps,  
Adam


On September 26, 2018 at 9:54:26 AM, Ralph Swick (swick@w3.org(mailto:swick@w3.org)) wrote:

>  
>  
> On 2018-09-21 05:21 PM, John Fontana wrote:
> > *# Document title, URLs, estimated publication date*
> >  
> > *Title:* Web Authentication: An API for accessing Public Key Credentials
> > Level 1
> >  
> > *URL*:https://www.w3.org/TR/2017/WD-webauthn-20170811/
> > <https://www.w3.org/TR/2017/WD-webauthn-20170811/>
>  
> I believe you meant
>  
> https://www.w3.org/TR/2018/CR-webauthn-20180807/
>  
> > *Publication date:* 25 September 2018
> >  
> > *Last Published:*
> > https://www.w3.org/TR/webauthn/ <https://www.w3.org/TR/webauthn/>
> >  
> > *Latest Editor’s Draft:*
> > https://w3c.github.io/webauthn/ <https://w3c.github.io/webauthn/>
> >  
> > *# Abstract*
> > This specification defines an API enabling the creation and use of
> > strong, attested, scoped, public key-based credentials by web
> > applications, for the purpose of strongly authenticating users.
>  
> (there's more in the CR abstract, with some edits in the ED abstract)
>  
> > *# Status*
> > https://www.w3.org/TR/webauthn/ <https://www.w3.org/TR/webauthn/>
> >  
> > *# Comments*
> > Send comments to:public-webauthn@w3.org <mailto:public-webauthn@w3.org>
> > Feedback is due 02 October 2018
> > [Or 7 days from day Request is approved]
> >  
> > *# Link to group's decision to request transition*
> > Call for Consensus:
> > https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/0043.html
> > <https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/0043.html>
>  
> There's a question from Giri about the extensions in
>  
> https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/0046.html
>  
> for which I don't see an explicit answer in the mail archive. Looking
> at the diff between the CR and the ED I observe the following change in
> Section 10:
>  
> These /-are RECOMMENDED for implementation-/ /+can be implemented+/
> by user agents targeting broad interoperability.
>  
> At a minimum this would be more clear if it used the RFC 2119
> terminology "These MAY be implemented ...".
>  
> However this is still unclear; my understanding is that the Group's
> intent is that optional features, if implemented, must conform to the
> specification. Therefore it is still necessary to state which parts, if
> any, of the extension specifications do not have sufficient
> implementation evidence and therefore would be dropped or made informative.
>  
> Where is the evidence for interoperable implementation of these extensions?
>  
> > # Substantive Changes*
> > None
> >  
> > *# Requirements satisfied*
> > Yes. No changes
> >  
> > *# Dependencies met (or not)
> > *Met
> > ## *The spec has normative dependencies on the following W3C Recs:*
> > https://www.w3.org/TR/webauthn/#normative
> > <https://www.w3.org/TR/webauthn/#normative>
> >  
> > ## *The spec has normative dependencies on the following non-W3C standards:*
> >  
> > Base64url encoding [RFC4648]
> >  
> > CBOR [RFC7049]
> >  
> > CDDL [Internet Draft]
> >  
> > COSE [RFC8152].
> >  
> > DOM [DOM4].
> >  
> > ECMAScript [ECMAScript].
> >  
> > HTML [HTML5.2].
> >  
> > OAUTH 2 [RFC6749]
> >  
> > JSON Web Key [RFC7517]
> >  
> > CTAP (Client to Authenticator Protocol) [FIDO Alliance]
>  
> Thank you for the IETF Token Binding Working Group chair's statement on
> the dependency on the IETF Token Binding Protocol which is still IETF
> draft state. Please confirm with that group whether there are changes
> likely to that specification which will require changes the WebAuthn
> specification. Also, the Token Binding protocol should be included in
> the References section.
>  
> Also, there are many in-line references to github.io versions of
> specifications. These will need to be to stable URIs for the PR and
> REC. If there are not /TR URIs yet for some of these, that will require
> additional explanation.
>  
> >  
> > *# Wide Review*
> > *TAG:*
> > https://www.w3.org/Search/Mail/Public/search?keywords=%22TAG+review+feedback%22&hdr-1-name=subject&hdr-1-query=&index-grp=Public_FULL&index-type=t&type-index=public-webauthn
> > <https://www.w3.org/Search/Mail/Public/search?keywords=%22TAG+review+feedback%22&hdr-1-name=subject&hdr-1-query=&index-grp=Public_FULL&index-type=t&type-index=public-webauthn>
> >  
> > *Privacy Interest Group:*
> > https://www.w3.org/2018/01/11-privacy-minutes.html
> > <https://www.w3.org/2018/01/11-privacy-minutes.html>
> > *
> > Web Payments Working Group:*WG discussion
> > (12/14/2017):https://www.w3.org/2017/12/14-wpwg-minutes#item02
> > <https://www.w3.org/2017/12/14-wpwg-minutes#item02>
> >  
> > https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0230.html
> > <https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0230.html>(03/18/2018)
> >  
> > *Accessible Platform Architectures (APA) Working Group:*
> > https://github.com/w3c/webauthn/issues/733
> > <https://github.com/w3c/webauthn/issues/733>
> >  
> > *IETF Token Binding Working Group:*
> >  
> > https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0054.html
> > <https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0054.html>
> >  
> > *Public review:*
> > The API was the subject a critical blog post. The WG reviewed these
> > claims and decided that changes in this API are not needed - changes
> > might be advisable (but optional) in CTAP (the companion FIDO spec). Of
> > note, these crypto-savvy researchers identified less-than-ideal choices
> > the WG had made, typically for good reason, and did not identify any
> > showstopper issues:
> > https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet
> > <https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet>
> >  
> > *FIDO Alliance FIDO2 WG review*
> >  
> > *# Issues addressed*
> > https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2Fwebauthn%2F&doc2=https%3A%2F%2Fw3c.github.io%2Fwebauthn%2F
> > <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2Fwebauthn%2F&doc2=https%3A%2F%2Fw3c.github.io%2Fwebauthn%2F>
>  
> We noticed in section 5.6 that there is a informative dependency on an
> open issue in the HTML spec:
>  
> https://www.w3.org/TR/webauthn/#abortoperation
>  
> It's great to have this documented in the ED (and future WDs). For the
> PR and REC the text "the above paragraph will be updated to include"
> should say something like "developers may be able to use".
>  
> > *# Formal Objections*
> > None
> >  
> > *# Implementation*
> > *Web Payments Demo
> > implementation*https://www.w3.org/2018/06/lyra-webauthpay.mp4
> > <https://www.w3.org/2018/06/lyra-webauthpay.mp4>
> > *Worldpay Web Payments and Web Authentication
> > Demo*https://www.w3.org/2018/08/worldpay.html
> > <https://www.w3.org/2018/08/worldpay.html>
> >  
> > *Mozilla’s Firefox browser implements W3C Web Authentication API since
> > Version 60.*
> > https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
> > <https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API>
> >  
> > *Microsoft has added support in its Edge Browser.*
> >  
> > *Google’s Chrome supports the W3C Web Authentication API in Chrome 70
> > (Sept. 2018).*
> >  
> > *The Web AuthN WG has conducted three interop events.*
>  
> The Web Platform Test results are inconclusive:
>  
> https://wpt.fyi/results/webauthn?label=stable&aligned=true
>  
> Please explain these results. If these test are relevant, and I hope
> they are, it would be good to have an accurate test result report somewhere.
>  
> We understand that these tests require extra effort to run due to the
> need to supply credentials. PLH was able to show much better results
> for at least the IDL harness tests using his (hardware) key in both
> Chrome and Firefox so we have some hope of better implementation evidence.
>  
>  
> > *# Patent disclosures*
> > https://www.w3.org/2004/01/pp-impl/87227/status#current-disclosures
> > <https://www.w3.org/2004/01/pp-impl/87227/status#current-disclosures>
> > https://www.w3.org/2017/03/webauthn-pag-report.html
> > <https://www.w3.org/2017/03/webauthn-pag-report.html>
> >  
> > Co-chairs
> > Tony Nadalin
> > John Fontana
> >  
> > --
> >  
> > John Fontana
> >  
> > Identity and Standards Analyst | Yubico <http://www.yubico.com/>
> >  
> > Phone: +1 303 301 4437
> >  
> > Skype: j_fontana
>
Received on Wednesday, 26 September 2018 17:16:09 UTC