PSA: Summary of new features in WebAuthn L2 FPWD relative to the WebAuthn Level 1 Recommendation from Jeff Hodges on 2019-06-26 (public-webauthn@w3.org from June 2019)

From: Jeff Hodges <jdhodges@google.com>
Date: Tue, 25 Jun 2019 17:35:47 -0700
To: W3C Web Authn WG <public-webauthn@w3.org>
Message-ID: <CAOt3QXsfTOTucthxAqOiB2CBgHxC6=shxMZbZfgT3cA2A6x_cQ@mail.gmail.com>

[please let me know if I've missed anything of significance. ]

WebAuthn Level 2 - W3C First Public Working Draft, 4 June 2019
<https://www.w3.org/TR/2019/WD-webauthn-2-20190604/>

Diff between Webauthn L2 FPWD and L1 Recommendation:
<
https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FREC-webauthn-1-20190304%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20190604%2F
>

Summary of WebAuthn L2 FPWD's new features relative to the WebAuthn Level 1
Recommendation:

* Improved Resident Key support
    Satisfies the use case stated here: Indicate resident key credential
"preferred" during registration and find out what the authenticator offered
 (https://github.com/w3c/webauthn/issues/991).
    Includes the new section "10.10. Credential Properties Extension
(credProps)" <
https://www.w3.org/TR/webauthn-2/#sctn-authenticator-credential-properties-extension>,
and an updated "12.2. Registration Specifically with User-Verifying
Platform Authenticator" <
https://www.w3.org/TR/webauthn-2/#sctn-sample-registration-with-platform-authenticator>
section.

* Feature Policy integration (initial phase)
    See: https://www.w3.org/TR/webauthn-2/#sctn-feature-policy"
    PR #1214: <https://github.com/w3c/webauthn/pull/1214>

* String handling clarifications
    See: 6.4. String Handling
    PR #1205: <https://github.com/w3c/webauthn/pull/1205>

* Clarification of attestation limitations
    See: 13.3.1. Attestation Limitations
    PR #1095: <https://github.com/w3c/webauthn/pull/1095>

* FIDO AppID extension clarifications
    See 10.1. FIDO AppID Extension (appid)
    PRs #1143 #1118
    <https://github.com/w3c/webauthn/pull/1143>
    <https://github.com/w3c/webauthn/pull/1118>

* Authenticator-supported transports can be made RP-available at credential
creation time
    See:  AuthenticatorAttestationResponse.getTransports()
    PR #1050: <https://github.com/w3c/webauthn/pull/1050>

* "Silent authentication" is explicitly not supported in WebAuthn (at this
time)
    PR #1140: <https://github.com/w3c/webauthn/pull/1140>

* Various detail-level technical and editorial cleanups/clarifications as
well as various terminology additions and clarifications -- see the
above-linked diff.

end

Received on Wednesday, 26 June 2019 00:36:37 UTC