PSA: Summary of changes in WebAuthn L2 WD-03 relative to WebAuthn L2 WD-02

WebAuthn L2 WD-03 <https://www.w3.org/TR/2020/WD-webauthn-2-20200730/> was
published on 30-July-2020.  Please see below for details on how it differs
from WD-02 <https://www.w3.org/TR/2019/WD-webauthn-2-20191126/>.

HTH,

=JeffH

Diff of WebAuthn L2 WD-03 relative to WebAuthn L2 WD-02
<https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F>

[ Note: the links below are to a dynamically-constructed diff, thus it takes
a while for a given link to load. ]

   - New Features and technical enhancements:

      - Enumerations as DOMString types
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sct-domstring-backwards-compatibility>

      - Easily accessing credential data
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-public-key-easy>:
      added new, additional accessor methods to the attestationObject
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#dom-authenticatorattestationresponse-attestationobject>
      .

      - Clarified syntaxes of Authentication Extensions Authenticator Inputs
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#iface-authentication-extensions-authenticator-inputs>
      & Outputs
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#iface-authentication-extensions-authenticator-outputs>
      as CDDL types.

      - Provided specific lightweight serialization
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#clientdatajson-serialization>
      and verification
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#clientdatajson-verification>
      algorithms for CollectedClientData for implementations not wishing to
      incorporate a full JSON parser.

      - Restrict cross-origin iFrame usage (via Feature Policy) to only
      authentication operations
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-feature-policy>,
      i.e., when invoking navigator.credentials.get(). See also WebAuthn
      iframe guidance
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-iframe-guidance>
      .

      - Clarify that RP IDs, outside of the specific WebAuthn API context,
      MAY be either valid domain strings OR URIs
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#rp-id>
      .

      - New attestation conveyance: enterprise
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#dom-attestationconveyancepreference-enterprise>
      (affects the [[Create]]() internal method's algorithm)

      - Added specific elliptic curves for specific COSE Algorithm
      Identifiers
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-alg-identifier>
      when used in the WebAuthn context.

      - Refined Signature Counter considerations
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-sign-counter>
      .

      - New extensions:
         - Credential Properties (credProps)
         <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-authenticator-credential-properties-extension>
         - Pseudo-random function (prf)
         <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#prf-extension>
         - Large blob storage (largeBlob)
         <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-large-blob-extension>

   - Removal of unused extensions:

      - Simple Transaction Authorization (txAuthSimple)
      - Generic Transaction Authorization (txAuthGeneric)
      - User Verification Index (uvi)
      - Authenticator Selection (authnSel)
      - Supported extensions (exts)
      - Location (loc)
      - Biometric Authenticator Performance Bounds (biometricPerfBounds)

   - Additions to Security Considerations:

      - Physical Proximity between Client and Authenticator
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#sctn-client-authenticator-proximity>

   - Terminology clarifications and updates:

      - Redefine Resident Credential as Client-side discoverable Public Key
      Credential Source
      Deprecate: Resident Credential
      - Add: Non-Discoverable Credential
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#non-discoverable-credential>
      - Clarify: Registration Ceremony
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#registration-ceremony>
      - Redefine non-Resident Credential as Server-side Public Key
      Credential Source
      <https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F#server-side-public-key-credential-source>
      Deprecate: non-Resident Credential

   - Editorial additions:

      - enabled "MDN" (Mozilla developers' network) links for WebAuthn API
      components.


Not all of the changes are detailed above; scrolling through the entire diff
<https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2F2019%2FWD-webauthn-2-20191126%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2020%2FWD-webauthn-2-20200730%2F>
is recommended.


end

Received on Sunday, 23 August 2020 22:54:52 UTC