I'm of the opinion that there are plenty of items which are coming up for WebAuthn deployments to justify a new WebAuthn specification. To the extent new authenticator features affect relying parties and affect user experience, both behaviors will need to be supported anyway. It would be nice to have features like Cred Protect in WebAuthn Layer 2, but it sounds like we are considering Layer 2 CR in 2-4 months, and (using Cred Protect as an example) this email chain is AFAIK the first mention of the term in public. My understanding is that CTAP is a consumer of the WebAuthn specification, and functionality needed by CTAP is contributed back as requirements to this working group. So far, very few of these items have been publicly discussed. Thats not to say that a final CTAP 2.1 spec is needed for WebAuthn changes - WebAuthn is the API for exposing authenticator features. But so far there hasn't been any W3C discourse, so it is challenging to establish them as important requirements for Layer 2. -DW -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
Received on Thursday, 8 August 2019 05:23:45 UTC