RE: W3C WebAuthn Recommendation schedule

Agree this was a mixture of CTAP and WebAuthn items. I listed them as we tend to lock-step CTAP and WebAuthn, and questions come up on the cadence of how often we update the specs, as when the specs are released there will be questions on who supports these. Also, we will have to have implementations, so add that into the mix.

From: Akshay Kumar <Akshay.Kumar@microsoft.com>
Sent: Wednesday, August 7, 2019 9:07 AM
To: John Bradley <jbradley@yubico.com>; Anthony Nadalin <tonynad@microsoft.com>
Cc: W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <jfontana@yubico.com>
Subject: RE: W3C WebAuthn Recommendation schedule

Few more things to the list

  1.  Credential Management
  2.  Biometric Enrollment
  3.  Cred Protect
  4.  UV Token
  5.  Enterprise Attestation
  6.  Backup/Recovery
  7.  FIPS
  8.  PIN Policies
  9.  Per-Credential Config (cert blobs, other configs)
  10. Multiple Versions of CTAP on Authenticator (Session mgmt?)
  11. caBLE (both first and second factor modes)
  12. Authenticator Upgradability

Most of the items in the list are not related to WebAuthn. They are purely CTAP issues. Some items that are slightly related to WebAuthn are Enterprise Attestation, per-credential config and caBLE, which are not part of WebAuthn as of now.

Then, as we did earlier, we need to have interoperable POC between authenticators and platforms to have confidence that things will work and figure out minute details.
While I believe that CTAP spec progress is slow at times, one of the main good security reasons for that is that most authenticators cannot upgrade. So they have one shot at getting this right. I am not in favor of having artificial deadlines here. It brings more problems than solutions, especially for authenticator vendors.

In my view, the above are enhancements for a very solid FIDO_2_0 spec where most RPs can release their full first factor or second factor authentication today, as many have.

Thanks


From: John Bradley <jbradley@yubico.com>
Sent: Wednesday, August 7, 2019 5:29 AM
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <jfontana@yubico.com>
Subject: Re: W3C WebAuthn Recommendation schedule

The most pressing WebAuthn issue is Delegation.  By iFrame or other method.

UVtoken is a CTAP issue.

Enterprise Attestation is split between WebAuthn and CTAP.   I think that is going to take some time.

The first three are being rolled out by people now.  Locking those down would be good but they are mostly in CTAP.

John B.


On Tue, Aug 6, 2019, 6:31 PM Anthony Nadalin <tonynad@microsoft.com> wrote:
Framing for tomorrow's schedule discussion:

There are several top priority items that we would like to get done; some of these have a dependency on CTAP 2.x, some may require changes to authenticators. Given the fact that WebAuthn Level 1 and CTAP 2.0 were just released this year, would it be a good idea to release a new version quickly, like 12/2019 - 3/2020, or wait until the market has deployed Level 1 and CTAP 2.0? Need input from browser vendors and authenticator vendors and anyone else that has an opinion.

Some of the items between WebAuthn and CTAP I hear are important are:


  1.  Credential Management
  2.  Biometric Enrollment
  3.  Cred Protect
  4.  UV Token
  5.  Enterprise Attestation
  6.  Backup/Recovery
  7.  FIPS
  8.  Any others?

Received on Wednesday, 7 August 2019 16:21:20 UTC