- From: Marcos Caceres <marcos@marcosc.com>
- Date: Thu, 27 Sep 2018 06:05:17 +1000
- To: John Fontana <jfontana@yubico.com>
- Cc: ralph@w3.org, Philippe Le Hegaret <plh@w3.org>, Tim Berners-Lee <timbl@w3.org>, W3C Comm Team <w3t-comm@w3.org>, chairs@w3.org, W3C Web Authn WG <public-webauthn@w3.org>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, Wendy Seltzer <wseltzer@w3.org>
- Message-Id: <5AFDAE6E-1C55-40C6-89BE-51B7E8B7E0A2@marcosc.com>

Hi,

Sorry for top post!

Should issue 750 be addressed first before moving this spec out of CR?
https://github.com/w3c/webauthn/issues/750

The null cases lead to undefined behaviour in the spec. For example, we’ve had to add the nulls to various defaults in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=1368949

We (Mozilla) would probably want to see that resolved before transitioning.

> On 22 Sep 2018, at 7:21 am, John Fontana <jfontana@yubico.com> wrote:
>
> # Document title, URLs, estimated publication date
>
> Title: Web Authentication: An API for accessing Public Key Credentials Level 1
>
> URL: https://www.w3.org/TR/2017/WD-webauthn-20170811/
>
> Publication date: 25 September 2018
>
> Last Published:
> https://www.w3.org/TR/webauthn/
>
> Latest Editor’s Draft:
> https://w3c.github.io/webauthn/
>
> # Abstract
> This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
>
> # Status
> https://www.w3.org/TR/webauthn/
>
> # Comments
> Send comments to: public-webauthn@w3.org
> Feedback is due 02 October 2018
> [Or 7 days from day Request is approved]
>
> # Link to group's decision to request transition
> Call for Consensus:
> https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/0043.html
>
> # Substantive Changes
> None
>
> # Requirements satisfied
> Yes. No changes
>
> # Dependencies met (or not)
> Met
> ## *The spec has normative dependencies on the following W3C Recs:*
> https://www.w3.org/TR/webauthn/#normative
>
> ## *The spec has normative dependencies on the following non-W3C standards:*
>
> Base64url encoding [RFC4648]
>
> CBOR [RFC7049]
>
> CDDL [Internet Draft]
>
> COSE [RFC8152].
>
> DOM [DOM4].
>
> ECMAScript [ECMAScript].
>
> HTML [HTML5.2].
>
> OAUTH 2 [RFC6749]
>
> JSON Web Key [RFC7517]
>
> CTAP (Client to Authenticator Protocol) [FIDO Alliance]
>
> # Wide Review
> TAG:
> https://www.w3.org/Search/Mail/Public/search?keywords=%22TAG+review+feedback%22&hdr-1-name=subject&hdr-1-query=&index-grp=Public_FULL&index-type=t&type-index=public-webauthn
>
> Privacy Interest Group:
> https://www.w3.org/2018/01/11-privacy-minutes.html
>
> Web Payments Working Group: WG discussion (12/14/2017): https://www.w3.org/2017/12/14-wpwg-minutes#item02
>
> https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0230.html (03/18/2018)
>
> Accessible Platform Architectures (APA) Working Group:
> https://github.com/w3c/webauthn/issues/733
>
> IETF Token Binding Working Group:
>
> https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0054.html
>
> Public review:
> The API was the subject of a critical blog post. The WG reviewed these claims and decided that changes in this API are not needed - changes might be advisable (but optional) in CTAP (the companion FIDO spec). Of note, these crypto-savvy researchers identified less-than-ideal choices the WG had made, typically for good reason, and did not identify any showstopper issues:
> https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet
>
> FIDO Alliance FIDO2 WG review
>
> # Issues addressed
> https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2Fwebauthn%2F&doc2=https%3A%2F%2Fw3c.github.io%2Fwebauthn%2F
>
> # Formal Objections
> None
>
> # Implementation
> Web Payments Demo implementation https://www.w3.org/2018/06/lyra-webauthpay.mp4
> Worldpay Web Payments and Web Authentication Demo https://www.w3.org/2018/08/worldpay.html
>
> Mozilla’s Firefox browser implements W3C Web Authentication API since Version 60.
> https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
>
> Microsoft has added support in its Edge Browser.
>
> Google’s Chrome supports the W3C Web Authentication API in Chrome 70 (Sept. 2018).
>
> The Web AuthN WG has conducted three interop events.
>
> # Patent disclosures
> https://www.w3.org/2004/01/pp-impl/87227/status#current-disclosures
> https://www.w3.org/2017/03/webauthn-pag-report.html
>
> Co-chairs
> Tony Nadalin
> John Fontana
>
> --
> John Fontana
> Identity and Standards Analyst | Yubico
> Phone: +1 303 301 4437
> Skype: j_fontana

Received on Wednesday, 26 September 2018 20:05:45 UTC