
Re: W3C WebAuthn Recommendation schedule

From: Jeff Hodges <jdhodges@google.com>
Date: Wed, 7 Aug 2019 11:19:24 -0700
Message-ID: <CAOt3QXuhAUyMoKEO+woOS989_pL3o06b69cmPzVrNEQ0B2mkPQ@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: Akshay Kumar <Akshay.Kumar@microsoft.com>, John Bradley <jbradley@yubico.com>, W3C Web Authn WG <public-webauthn@w3.org>, John Fontana <jfontana@yubico.com>

I largely concur with JBradley & Akshay.

The only items I see in that list that would (possibly) require
accommodation in the WebAuthn API, and/or require new extensions, are..

5. Enterprise Attestation
6. Backup/Recovery
11. caBLE

fyi/fwiw, the "new stuff (so far, AFAIU)" in webauthn L2 FPWD is listed
here:

https://lists.w3.org/Archives/Public/public-webauthn/2019Jun/0248.html


hth, =JeffH

On Wed, Aug 7, 2019 at 9:22 AM Anthony Nadalin <tonynad@microsoft.com>
wrote:

> Agree this was a mixture of CTAP and WebAuthn items, I listed them as we
> tend to lock step CTAP and WebAuthn and questions come up on the cadence of
> how often we update the specs as when the specs are released there will be
> question on who supports these, also we will have to have implementations
> so add that into the mix
>
>
>
> *From:* Akshay Kumar <Akshay.Kumar@microsoft.com>
> *Sent:* Wednesday, August 7, 2019 9:07 AM
> *To:* John Bradley <jbradley@yubico.com>; Anthony Nadalin <
> tonynad@microsoft.com>
> *Cc:* W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <
> jfontana@yubico.com>
> *Subject:* RE: W3C WebAuthn Recommendation schedule
>
>
>
> Few more things to the list
>
>    1. Credential Management
>    2. Biometric Enrollment
>    3. Cred Protect
>    4. UV Token
>    5. Enterprise Attestation
>    6. Backup/Recovery
>    7. FIPS
>    8. PIN Policies
>    9. Per-Credential Config (cert blobs, other configs)
>    10. Multiple Versions of CTAP on Authenticator (Session mgmt?)
>    11. caBLE (both first and second factor modes)
>    12. Authenticator Upgradability
>
> Most of the items in the list are not related to webauthn. They are purely
> CTAP issues. Some items that are slightly related to webauthn are Enterprise
> Attestation, per-credential config and caBLE, which are not part of
> webauthn as of now.
>
> Then, as we did earlier, we need to have interoperable POC between
> authenticators and platforms to have confidence that things
> will work and figure out minute details.
>
> While I believe that CTAP spec progress is slow at times, one of the main good
> security reasons for that is most authenticators cannot upgrade. So they
> have one shot of getting this right. I am not in favor of having
> artificial deadlines here. It brings more problems than solutions
> especially for authenticator vendors.
>
>
>
> In my view, above are enhancements for a very solid FIDO_2_0 spec where
> most RPs can release their full first factor or second factor
> authentication today. As many have.
>
>
>
> Thanks
>
>
>
> *From:* John Bradley <jbradley@yubico.com>
> *Sent:* Wednesday, August 7, 2019 5:29 AM
> *To:* Anthony Nadalin <tonynad@microsoft.com>
> *Cc:* W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <
> jfontana@yubico.com>
> *Subject:* Re: W3C WebAuthn Recommendation schedule
>
>
>
> The most pressing WebAuthn issue is Delegation.  By iFrame or other method.
>
>
>
> UVtoken is a CTAP issue.
>
>
>
> Enterprise Attestation is split between WebAuthn and CTAP.   I think that
> is going to take some time.
>
>
>
> The first three are being rolled out by people now.  Locking those down
> would be good but they are mostly in CTAP.
>
>
>
> John B.
>
>
>
>
>
> On Tue, Aug 6, 2019, 6:31 PM Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
> Framing for tomorrow's schedule discussion:
>
>
>
> There are several top priority items that we would like to get done, some
> of these have a dependency on CTAP 2.x, some may require changes to
> authenticators. Given the fact that WebAuthn Level 1 and CTAP 2.0 were just
> released this year, would it be a good idea to release a new version
> quickly like 12/2019 - 3/2020 or wait until the market has deployed Level 1
> and CTAP 2.0. Need input from browser vendors and authenticator vendors and
> anyone else that has an opinion.
>
>
>
> Some of the items between WebAuthn and CTAP I hear are important are:
>
>
>
>    1. Credential Management
>    2. Biometric Enrollment
>    3. Cred Protect
>    4. UV Token
>    5. Enterprise Attestation
>    6. Backup/Recovery
>    7. FIPS
>    8. Any others?
>
>

-- 
Thanks, HTH,

=JeffH
Received on Wednesday, 7 August 2019 18:20:15 UTC
