Re: Transition Request: Web Authentication to Proposed Recommendation

From: Marcos Caceres <marcos@marcosc.com>
Date: Thu, 27 Sep 2018 06:05:17 +1000
Cc: ralph@w3.org, Philippe Le Hegaret <plh@w3.org>, Tim Berners-Lee <timbl@w3.org>, W3C Comm Team <w3t-comm@w3.org>, chairs@w3.org, W3C Web Authn WG <public-webauthn@w3.org>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Message-Id: <5AFDAE6E-1C55-40C6-89BE-51B7E8B7E0A2@marcosc.com>
To: John Fontana <jfontana@yubico.com>

Hi,
Sorry for top post! 

Should issue 750 be addressed first before moving this spec out of CR?
https://github.com/w3c/webauthn/issues/750

The null cases lead to undefined behaviour in the spec. For example, we’ve had to add the nulls to various defaults in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=1368949

We (Mozilla) would probably want to see that resolved before transitioning. 


> On 22 Sep 2018, at 7:21 am, John Fontana <jfontana@yubico.com> wrote:
> 
> # Document title, URLs, estimated publication date
> 
> Title: Web Authentication: An API for accessing Public Key Credentials Level 1
> 
> URL: https://www.w3.org/TR/2017/WD-webauthn-20170811/
> 
> Publication date: 25 September 2018
> 
> Last Published:
> https://www.w3.org/TR/webauthn/
> 
> Latest Editor’s Draft:
> https://w3c.github.io/webauthn/
> 
> # Abstract
> This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
> 
> # Status
> https://www.w3.org/TR/webauthn/
> 
> # Comments
> Send comments to: public-webauthn@w3.org
> Feedback is due 02 October 2018
> [Or 7 days from day Request is approved]
> 
> # Link to group's decision to request transition
> Call for Consensus:
> https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/0043.html
> 
> # Substantive Changes
> None
> 
> # Requirements satisfied
> Yes. No changes
> 
> # Dependencies met (or not)
> Met
> ## *The spec has normative dependencies on the following W3C Recs:*
> https://www.w3.org/TR/webauthn/#normative
> 
> ## *The spec has normative dependencies on the following non-W3C standards:*
> 
> Base64url encoding  [RFC4648]
> 
> CBOR [RFC7049]
> 
> CDDL [Internet Draft]
> 
> COSE [RFC8152].
> 
> DOM [DOM4].
> 
> ECMAScript  [ECMAScript].
> 
> HTML [HTML5.2].
> 
> OAUTH 2 [RFC6749]
> 
> JSON Web Key [RFC7517]
> 
> CTAP (Client to Authenticator Protocol) [FIDO Alliance]
> 
> # Wide Review
> TAG:
> https://www.w3.org/Search/Mail/Public/search?keywords=%22TAG+review+feedback%22&hdr-1-name=subject&hdr-1-query=&index-grp=Public_FULL&index-type=t&type-index=public-webauthn
> 
> Privacy Interest Group:
> https://www.w3.org/2018/01/11-privacy-minutes.html
> 
> Web Payments Working Group: WG discussion (12/14/2017): https://www.w3.org/2017/12/14-wpwg-minutes#item02
> 
> https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0230.html (03/18/2018)
> 
> Accessible Platform Architectures (APA) Working Group:
> https://github.com/w3c/webauthn/issues/733
> 
> IETF Token Binding Working Group:
> 
> https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0054.html
> 
> Public review:
> The API was the subject of a critical blog post. The WG reviewed these claims and decided that changes in this API are not needed - changes might be advisable (but optional) in CTAP (the companion FIDO spec). Of note, these crypto-savvy researchers identified less-than-ideal choices the WG had made, typically for good reason, and did not identify any showstopper issues:
> https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet
> 
> FIDO Alliance FIDO2 WG review
> 
> # Issues addressed
> https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2Fwebauthn%2F&doc2=https%3A%2F%2Fw3c.github.io%2Fwebauthn%2F
> 
> # Formal Objections
> None
> 
> # Implementation
> Web Payments Demo implementation https://www.w3.org/2018/06/lyra-webauthpay.mp4
> Worldpay Web Payments and Web Authentication Demo https://www.w3.org/2018/08/worldpay.html
> 
> Mozilla’s Firefox browser implements W3C Web Authentication API since Version 60.
> https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
> 
> Microsoft has added support in its Edge Browser.
> 
> Google’s Chrome supports the W3C Web Authentication API in Chrome 70 (Sept. 2018).
> 
> The Web AuthN WG has conducted three interop events.
> 
> # Patent disclosures
> https://www.w3.org/2004/01/pp-impl/87227/status#current-disclosures
> https://www.w3.org/2017/03/webauthn-pag-report.html
> 
> Co-chairs
> Tony Nadalin
> John Fontana
> 
> -- 
> John Fontana
> Identity and Standards Analyst | Yubico
> Phone: +1 303 301 4437
> Skype: j_fontana

Received on Wednesday, 26 September 2018 20:05:45 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:35 UTC