[webauthn] new commits pushed by equalsJeffH

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 15 Jun 2020 17:35:45 +0000
To: public-webauthn@w3.org
Message-ID: <push-f9e913c341f101bebe7e5fe923deef0e72217555-1592242542-sysbot+gh@w3.org>

The following commits were just pushed by equalsJeffH to https://github.com/w3c/webauthn:

* Update index.bs

Add lightning transport

Fixes #1261
  by John Bradley
https://github.com/w3c/webauthn/commit/fb17d3d1f2e8c399c483bdbaae3a69cfd8b7071f

* Update index.bs

Fix missing comma
  by John Bradley
https://github.com/w3c/webauthn/commit/6661d22737f2e8c74dc777f68b501d13849acdab

* Remove note about UV verifying the same user in get() as in create()
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/cd52169c863c0537cf35cbc8c75959b10c3f6344

* Clarify assumptions about single-user authenticators and relation to UV
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/7ec1c1d9d479eec2e13b59352d4e466068407b99

* Incorporate suggestion by @FabianHenneke
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/101146b9f9bf1b1fcb2c01768321ceac2c5ef1e9

* Update CDDL reference
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/562cafb89d9bc93478a07de1c8f514f0ce988372

* Enhance spec roadmap section
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/10cc310bd8df741c1d4f467f15758fd86a2291be

* Link to security/privacy considerations in spec roadmap
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/f67c44ba9ea391622c6c7903e61b737720e6336c

* Add batch attestation as alias of basic attestation
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/35c25de126b7c3bc639c7efd1c7d4ea8ee3dd1cc

* Add explanatory note to step 3 in authenticatorMakeCredential
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/50a22e4bb3730c1e83f2503c52511eaedffb2a0e

* Explicitly mention running over TLS in WebAuthn API intro
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/243d8f7598a425e99b4a2b7e699372e9fefbb672

* Add definition link to "bound" term
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b58f3a308be5d26e7401ca7813da2ccfebd17d47

* feature policy integ: add link to (#1328)
  by =JeffH
https://github.com/w3c/webauthn/commit/a1d4e065943ad6541475279907fae35ecd6554e7

* Update note in RP definition to indicate that non-WebAuthn FIDO clients MAY use origin values that are different than those specified for WebAuthn.
  by Shane Weeden
https://github.com/w3c/webauthn/commit/09f59c6b515e27ae17194485edb3db19fb688c35

* Merge pull request #1320 from w3c/issue-1206-cddl-ref

Update CDDL reference
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/831fca24174e1be656696d2f699eaedc075600f5

* Merge pull request #1321 from w3c/issue-1100-spec-roadmap

Enhance spec roadmap section
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/597abf93b0553b96e41b0f8280e29548a8a37851

* Merge pull request #1313 from w3c/issue-1305-uv-same-user

Clarify assumptions about single-user authenticator and relation to UV
  by J.C. Jones
https://github.com/w3c/webauthn/commit/688582582e6c7fc85d74b2ac5ce110a4b1f0dc50

* Merge pull request #1325 from w3c/issue-1260-batch-attestation

Add batch attestation as alias of basic attestation
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/904e09e396fe883d14678f56cf0abf1a0cc345a6

* Merge pull request #1326 from w3c/issue-1133-makecred-authorize-collision-disclosure

Add explanatory note to step 3 in authenticatorMakeCredential
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/288cf58bed6d7967fd995d830ebf54cc50989efa

* Merge pull request #1327 from w3c/issue-1201-tls

Explicitly mention running over TLS in WebAuthn API intro
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/fc62216d8a9f50faf0eca5bbf7dbe9abe11c812f

* Update timeout examples to better agree with guidelines
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/4ec28b3c23e4406538e3148f09903e7e5d7200a3

* Fix off-by-factor-10 timeout example
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/f8c13cb2fad6663dcc8df2f94951fd551c676fd8

* Add explicit UV argument to registration example
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/235385cd007cd9d6b4efdc141ab9e2fb0b56d0b9

* Merge pull request #1319 from w3c/issue-1317-timeout-examples

Update timeout examples to better agree with guidelines
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/5dbea683ac4651254896c9080cbf7136d5944f52

* Truncate strings for authenticators where needed. (#1316)

* Truncate strings for authenticators where needed.

There exist a significant number of authenticators that do not conform
to the current WebAuthn requirements in that they fail requests with
name/displayName strings longer than 64 bytes, rather than truncating
them.

This change adds a new requirement on user-agents that they maintain the
authenticator model for RPs by doing the truncation on their behalf in
this case. The alternative is that each RP will hit this edge-case and
do the truncation itself, thus the ecosystem will never be able to
support longer strings.

Since user-agents may now be doing truncation, this change also permits
truncation at the level of grapheme clusters (since user-agents
presumably have Unicode tables available).

Fixes #1296.

* Address Jeff and Emil's comments.
  by Adam Langley
https://github.com/w3c/webauthn/commit/428bf827db5fa8d45865fcce7a41427bf910ee2f

* Create a way to reference the following figure (#1323)


* Address Jeff and Emil's comments.

* Create a way to reference the following figure.

The fact that we have to keep the figure numbers in sync manually
annoyed me. Bikeshed isn't helping out here so I don't see a way to
avoid this for long-range links, but this change eliminates the need to
manually maintain some of the absolute numbers by providing a way to
insert the number of the following figure when the reference and figure
are close by.
  by Adam Langley
https://github.com/w3c/webauthn/commit/97411db5d75aa041cffb304e89cbcd39781ae498

* Minor updates based on reviewer feedback.
  by Shane Weeden
https://github.com/w3c/webauthn/commit/a14e11d84eb916a7379b8235750e143d219daee0

* Use CSS numbering for table references too (#1324)

* Generate "Figure" text in .figure-num-following

* Rename .figure-num-* to .figure-ref-*

Since the CSS rule now also generates the "Figure" text, not just the
number.

* Use CSS counter for table number references too

* Revert "Rename .figure-num-* to .figure-ref-*"

This reverts commit ffde79d01a1353fd1e70742658038b0ba7695db9.

* Revert "Generate "Figure" text in .figure-num-following"

This reverts commit e4f3f0c4a317d7c7f4ca47aeb8496dbe94bc3175.

* Move "Table " text out from CSS rules

When generated by the CSS rules, the "Table" text is not searchable by
the "find in page" tool in browsers.

* Unbreak <figcaption>s for tables
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/88468caec499992ccbafafc8b9ca3f746d3eb8dc

* Merge pull request #1332 from w3c/sbweeden_issue_1297

Update note in RP definition to indicate that non-WebAuthn FIDO clien…
  by Shane Weeden
https://github.com/w3c/webauthn/commit/df1808614580fc73dbdcd40992f1d10706e330d2

* name the protocol (#1335)

* name the protocol

* fix annoying interstitial space
  by =JeffH
https://github.com/w3c/webauthn/commit/03f840658c7667029e9a20dcce8989cd5bad0fa9

* Fix #1285 - Remove icons from PublicKeyCredentialEntity

As discussed in issue #1285, the image URL fields for PublicKeyCredentialEntity,
while intended for user interface design, are potent correlation mechanisms if
they are downloaded by RPs. RPs would have to take extraordinary care, beyond
reasonable measures, to avoid uses by RPs with mal-intent to cross-correlate
accounts. It is better for User Agents to use existing origin/icon mechanisms for
their UX designs, or to define new such mechanisms as-needed, that are
origin-wide rather than provide the possibility to embed detailed tracking
information into these URLs.
  by J.C. Jones
https://github.com/w3c/webauthn/commit/dbcf596676749e996cf02dfb2afc0685e7861c0f

* Merge pull request #1337 from jcjones/1285-image_deprecation

Fix #1285 - Remove icons from PublicKeyCredentialEntity
  by J.C. Jones
https://github.com/w3c/webauthn/commit/28e8d9d1e5e69470e052b2dcc427a6fa4c50efa9

* Reduce duplicated terminology (#1334)

* Move Assertion def in as an alias under Authentication Assertion

* De-duplicate attestation key/cert terms

* Replace "platform-provided authenticator" with "platform authenticator"

* Replace "internal authenticator" with "platform authenticator"

* Add links to [=client data=]

* Add links to [=credential public key=] and [=attestedCredentialData=]

* Replace "associated with" with "of"

* Define [=WebAuthn signature=]

* Add links to [=attestation signature=]

* De-duplicate "authentication signature"

* Add links to [=authorization gesture=]
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/e48cb03ccae8ebee7a741f8c15d7e38eb223892e

* reverting and restoring automation section et al... (#1340)
  by =JeffH
https://github.com/w3c/webauthn/commit/2e18951ae7065ebce09854131517d3c5bf1f19eb

* add indication of cross-origin operation in `collectedClientData` (#1276)

* change sameOriginWithAncestors to crossOrigin, add the latter to CollectedClientData

* minor editorial

* revert back to sameOriginWithAncestors

* evauated -> evaluated

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* one more time: evauated -> evaluated
  by =JeffH
https://github.com/w3c/webauthn/commit/8927216e4b1c8eb9ead1b796f084a6d8f152dd6e

* Fix typo

though should be through
  by Yanming Zhou
https://github.com/w3c/webauthn/commit/c363e4a13eb03904a1c214b86ccc5895a6a964c3

* Reformat and rename AuthenticatorBiometricPerfBounds
  by Kagami Sascha Rosylight
https://github.com/w3c/webauthn/commit/4d9264a24e7b21801744ecafdad590f581ab0bcc

* <div> cannot appear within <figure>. See [figure content model](https://html.spec.whatwg.org/multipage/grouping-content.html#the-figure-element) (#1350)
  by Philippe Le Hegaret
https://github.com/w3c/webauthn/commit/80f6cb38729aa5f1cd1285992cdf247183319d5e

* Merge pull request #1341 from quaff/patch-1

Fix typo
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/7e1bf6993ecc7fc4e8c119b511e9610ed49c29e7

* 'loc' extension: cite permissions and geolocation specs (#1342)

* 'loc' extension: cite permissions and geoloc specs

* mark new geoloc cites normative to match existing cites

* Update index.bs - capitalize 'must'

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* update per emlun's comment, thx!
  by =JeffH
https://github.com/w3c/webauthn/commit/d7c5fb1227607f1e59fd9a1bee4cfc26e0724600

* Use the new name for Coordinates (#1344)

Merging, per decision on the 4-Dec-19 call
  by Kagami Sascha Rosylight
https://github.com/w3c/webauthn/commit/947b7bcf53704f9c56ccef7ce1f927866792c016

* Merge pull request #1345 from saschanaz/biometric

Reformat and rename AuthenticatorBiometricPerfBounds
  by Adam Langley
https://github.com/w3c/webauthn/commit/90aaad999f3f57c24dc1e02477f286ecf9419c86

* Add a WebDriver Extension Capability
  by Nina Satragno
https://github.com/w3c/webauthn/commit/4a4d8f6227b68d50c4a897666123ff51fc38ce78

* Apply suggestions from code review

fix nits

Co-Authored-By: =JeffH <jdhodges@google.com>
  by Nina Satragno
https://github.com/w3c/webauthn/commit/db860156d112155547f430b3d28eaaf4f4538083

* Rename capability webauthn:virtualAuthenticators
  by Nina Satragno
https://github.com/w3c/webauthn/commit/75c00b2db0289d531245c8935f7693416d4192a3

* Fix typo
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/fd1394b4a0860a69bf77c3c6fcc94d3dbb646183

* Merge pull request #1357 from w3c/typo

Fix typo
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b2d74e7393b606d8da85a38ae8337582be6326fa

* Add note about risk of ignoring excludeCredentials with mismatched transports
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d7c201437016aa16f075547bdf4ea1d79ae927a4

* Merge pull request #1359 from w3c/issue-1348-excludecredentials-transports

Add note about risk of ignoring excludeCredentials with mismatched transports
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/76af1d241cbc05eab3d15fd5f19cbdb09c2d3375

* Clarify exts client extension output (#1361)
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/197565c9b9a56a5134f32740deaaae06c245162b

* Merge pull request #1353 from nsatragno/webdriver_capability

Add a WebDriver Extension Capability
  by J.C. Jones
https://github.com/w3c/webauthn/commit/6349d2422ac13318a6a54e1432ca84b79a98a1fc

* remove 'lightning' AuthenticatorTransport enum value (#1364)
  by =JeffH
https://github.com/w3c/webauthn/commit/87ec85967dbb645e6c7452f2ba316f081c59cb70

* update CTAP reference to point to ps-20190130 (#1365)
  by =JeffH
https://github.com/w3c/webauthn/commit/66ad76b907e618e2a709bbb2be9a6544baedfc56

* Add clearer recommendation on what to do with transport hints
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/4cb04a8d6aa06486a25347aae1dc2d42b6c34165

* Recommend storing/retrieving transport hints in PublicKeyCredentialDescriptor description
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/96af7212935e10f9aeb5b96fb6013de938bb2ed5

* Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity (#1333)

* Add security consideration on client-authnr direct communication

See issue #1257
https://github.com/w3c/webauthn/issues/1257

* Address @equalsJeffH's review comments

* Add missing CSS class .figure-num-previous

* Rewrite proximity section shorter and discuss benefits of physical proximity

* Add commas suggested by @agl

Co-Authored-By: Adam Langley <agl@google.com>

Co-authored-by: Adam Langley <agl@imperialviolet.org>
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d54a92aacc2fd8767f5188e3543f5bad62a29aa7

* Remove the requirement to accept and store a 64-byte minimum length for a name member’s value (#1354)

* Update index.bs

Remove the requirement to accept and store a 64-byte minimum length for a name member’s value
Fixes #1352

* Update index.bs

add if the authenticator stores the value for equalsJeffH
  by John Bradley
https://github.com/w3c/webauthn/commit/dbff4e5bb1daaed49e38012eae3312e6b07c9eef

* draft-hodges-webauthn-registries-04 (#1378)
  by Mike Jones
https://github.com/w3c/webauthn/commit/c45cdc6c5324fd671bacc68c62746b856f7fa619

* Address @equalsJeffH's review comment
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/eb027381d72dfc9a4d31d95be747f16b6afbf6d9

* Proposed changes for draft-hodges-webauthn-registries-05 (#1380)

* Proposed changes for draft-hodges-webauthn-registries-05

* Minor polishing -05, Thx selfissued!

Co-authored-by: JeffH <jdhodges@google.com>
  by Mike Jones
https://github.com/w3c/webauthn/commit/eb93a7f6dd24fdc1556bceda39a6d49d817521c9

* re-gen .html & .txt files from .xml file (#1384)
  by =JeffH
https://github.com/w3c/webauthn/commit/d8184568f85801d155e4be0e405f5dcc7f80313a

* Merge pull request #1369 from w3c/issue-1368-transports-instructions

Add clearer recommendation on what to do with transport hints
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/ae29ff01fa7ab3839c28ccfc45e660be7a3ae491

* Use Python 3.7
  by J.C. Jones
https://github.com/w3c/webauthn/commit/279f84a10e9e84498dc92f5bf1b8c2554251134f

* Add getPublicKey method.

This change adds a getPublicKey method to the
AuthenticatorAttestationResponse to save some users from having to parse
out and handle COSE keys.

(See linked issue for background.)

Fixes #1363
  by Adam Langley
https://github.com/w3c/webauthn/commit/40d9511f003e48f8a965309f2755b18934b33e28

* Merge pull request #1393 from jcjones/python3

Use Python 3.7 for Travis-CI
  by Adam Langley
https://github.com/w3c/webauthn/commit/a0249afd3429ae158ee4f0abdfebab5b2fb2faad

* Default to ES256 and RS256 if pubKeyCredParams is empty (#1387)

Default to algorithm -7 ("ES256") and -257 ("RS256") when
options.pubKeyCredParams is empty.

Fixes issue 1383.
  by Nina Satragno
https://github.com/w3c/webauthn/commit/a6368172ed38b0d649274852f15308ae9bbf8aaa

* Update index.bs

This removes unimplemented extensions
  by John Bradley
https://github.com/w3c/webauthn/commit/fdd8da6b64bcbfb3f785afce910cfccbb673b77d

* Update signature counters section. (#1390)

* Update signature counters section.

This section did not reflect the specified behaviour for signature
counters and did not mention that they are returned in makeCredential
responses too. See linked bug for details.

Fixes #1370

* Apply suggestions from code review

Including Jeff and Emil's comments.

Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley
https://github.com/w3c/webauthn/commit/50679f5b0b12725c09f12f8510c3534afe992114

* Update based on comments
  by Adam Langley
https://github.com/w3c/webauthn/commit/f4eb334f52424f833bf3adfb1b9f2dc59d56f17e

* restore IANA registration for credprops
  by John Bradley
https://github.com/w3c/webauthn/commit/781c7aed995628491d8d1d3e0361b38df727d9c4

* Remove reference to uvi
  by John Bradley
https://github.com/w3c/webauthn/commit/78e1af40a28d7619440268f279d7a6806271c084

* Merge branch 'master' of https://github.com/ve7jtb/webauthn
  by John Bradley
https://github.com/w3c/webauthn/commit/f0a34aafb5b691062c4fb3ca33cfd6fd67cccfb1

* Update index.bs

Remove lightning again
  by John Bradley
https://github.com/w3c/webauthn/commit/b787c8b585dbacc2a1d6a57fea0561718bc0f7fa

* Remove 13.4.1. Browser Permissions Framework and Extensions

The only extension using it is now gone.
  by John Bradley
https://github.com/w3c/webauthn/commit/83092b516b5387801ed2337db929be07b18016b9

* Prohibit Create Credential from cross-origin iframes (#1394)

* Prohibit Create Credential from cross-origin iframes

This reverts part of PR #1276, again prohibiting the use of the Create method
when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since
the integration between Credential Management and Feature Policy is now
complete.

* Split the feature-policy definition, per review comments

* Apply suggestions from code review

Co-Authored-By: =JeffH <jdhodges@google.com>

Co-authored-by: =JeffH <jdhodges@google.com>
  by J.C. Jones
https://github.com/w3c/webauthn/commit/6626671ac60b4731943a1d024b892a16ae47c6b5

* Fix markup error in three headings. (#1405)

(If you look at the current HTML output, the anchor is mistakenly
getting included as part of the heading without this.)
  by Adam Langley
https://github.com/w3c/webauthn/commit/b81f8f6f7d9d8dd48679c9af4783ac9c3ae2e952

* Merge pull request #1399 from ve7jtb/master

remove unimplemented extensions (was: Update index.bs)
  by John Bradley
https://github.com/w3c/webauthn/commit/b978138325fff0d285f02217058e5fb91e34c1de

* Fix IANA Registration (#1408)

* Update index.bs

Fixes #1400 adds IANA registration for appidExclude and removes already registered extensions. Changes wording from initial registrations to additional registrations.

* Fix section reference

* Grammar fix

Change which to that in two places
  by John Bradley
https://github.com/w3c/webauthn/commit/b16ec8d6bc3fae54bec527a240ca62370b65f480

* use '(client-side) discoverable credential' terminology (#1398)

* use '(client-side) discoverable credential' terminology

..rather than the 'resident credential' and 'resident key' terms.  Also changed 'non-resident credential' to 'server-side credential', along with other related fixups. Marked the latter terms as DEPRECATED.

* address AGL's comments

* Update index.bs

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* Update index.bs

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* Update index.bs

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* Apply suggestions from code review

thx emlun!

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* fix tortured Note: language, thx emlun!

* Apply emlun's and ve7jtb's suggestions, thx!

Co-Authored-By: Emil Lundberg <emil@yubico.com>
Co-Authored-By: John Bradley <ve7jtb@ve7jtb.com>

Co-authored-by: Emil Lundberg <emil@yubico.com>
Co-authored-by: John Bradley <ve7jtb@ve7jtb.com>
  by =JeffH
https://github.com/w3c/webauthn/commit/8d0060ab32508aeac53e7350ccae03a694321348

* Apply suggestions from code review

(Some suggestions collide with others and GitHub can't cope with that. Will apply those manually in a sec.)

Co-Authored-By: J.C. Jones <james.jc.jones@gmail.com>
Co-Authored-By: =JeffH <jdhodges@google.com>
Co-Authored-By: Emil Lundberg <emil@emlun.se>
  by Adam Langley
https://github.com/w3c/webauthn/commit/8dae5f241c2dcb90a98589b229e8d5de6c4fe1e9

* Add getPublicKeyAlgorithm()

A SubjectPublicKeyInfo encodes only the public key, but COSE Key
structures also include a signature algorithm. Since RPs will need this
information too, this change adds getPublicKeyAlgorithm to return it.

(This change also includes some suggestions from the review that GitHub
couldn't automatically apply because they collided with other
suggestions.)
  by Adam Langley
https://github.com/w3c/webauthn/commit/0b910c6659e00b6ff98fe325a4a50a50f1b6d5ce

* Add “enterprise” attestation type. (#1366)

* Add “enterprise” attestation type.

In controlled deployments, organisations may wish to tie specific
registrations back to individual authenticators. Obviously this has
privacy concerns and needs to be gated on local configuration, or
special configuration on the authenticator. However, as cloud services
are increasingly used, RP IDs are no longer neatly divided into
enterprise and consumer contexts, and the RP might _not_ wish to receive
the enterprise attestation when used in a consumer context.

This change adds a new level of attestation, “enterprise”, which allows
RPs to indicate when they would like to, possibly, receive an
attestation that may include uniquely identifying information. This
leaves “direct” with its current, less privacy-impacting meaning.

Fixes #1147

* Signal attestation at the correct time.

* Merging a suggested change from Jeff

Co-Authored-By: =JeffH <jdhodges@google.com>

* Merging a suggested change from Jeff

Co-Authored-By: =JeffH <jdhodges@google.com>

* modest fixups for enterprise attestation

* Convert  to DOMString

* Remove fallback to direct

* Apply jcjones' suggestion

Co-Authored-By: J.C. Jones <james.jc.jones@gmail.com>

Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: J.C. Jones <james.jc.jones@gmail.com>
  by Adam Langley
https://github.com/w3c/webauthn/commit/b44009c0bc24ed76f79c94c4bf6a3d5a111439ae

* Add more requirements for ClientDataJSON serialisation. (#1375)

* Add more requirements for ClientDataJSON serialisation.

ClientDataJSON is currently defined to be the JSON encoding of the
CollectedClientData. This implies that validators require a full JSON
parsing library to check needed entries in the ClientDataJSON such as
the challenge, type, and origin.

This is a problematic dependency in some cases. This change seeks to
address that by being stricter about the encoding, while still
generating JSON. Thus existing validators do not need to change but
those willing to require recent WebAuthn-implementing browsers can avoid
the full generality of JSON.

* Address various comments.

* Apply suggestions from code review

Apply Jeff's suggestions

Co-Authored-By: =JeffH <jdhodges@google.com>

* incorp jcjones' feedback, thx!

Co-authored-by: =JeffH <jdhodges@google.com>
  by Adam Langley
https://github.com/w3c/webauthn/commit/d5306690bf8000c98421319a21416b22d735ad8a

* Add "MDN Panels" to spec (#1411)

* Test "MDN Panels" bikeshed feature

this adds "Include MDN Panels: yes" to the spec "metadata". They are documented here:

https://tabatkins.github.io/bikeshed/#metadata-include-mdn-panels

This will add little widgets to the right side of the spec for each interface (that's been documented in MDN's "browser compatibility data" repo). These widgets summarize the implementation status of the interface in various browsers.

MDN's "browser compatibility data" repo is here:

https://github.com/mdn/browser-compat-data

A rendering of MDN's present WebAuthn implementation state is here:

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API#Browser_compatibility

* try a value of 'maybe'
  by =JeffH
https://github.com/w3c/webauthn/commit/a4da5bebc666c7c0cb99984bebb0ae10f49e6111

* Mike's proposed edits for draft-hodges-webauthn-registries-06 (#1415)
  by Mike Jones
https://github.com/w3c/webauthn/commit/7a045318c5ba6e49ee4849a41142117f038a8044

* Mike's proposed edits for draft-hodges-webauthn-registries-07 (#1416)
  by Mike Jones
https://github.com/w3c/webauthn/commit/13289a22b9bcd92414c1d583fa53f9d0207e6300

* Define the 'it' as the 'RP'

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by J.C. Jones
https://github.com/w3c/webauthn/commit/0e3c67b5b20a5b9198ee6125a319db44a90a6e50

* Merge pull request #1395 from agl/getpubkey

Add getPublicKey method.
  by J.C. Jones
https://github.com/w3c/webauthn/commit/0226490cf6afbe62fda5374cb6a867929d8c24f4

* Mike's proposed changes for draft-hodges-webauthn-registries-08 (#1417)
  by Mike Jones
https://github.com/w3c/webauthn/commit/61ad26aaba0c560288ac276f6f3cade5870f9648

* Addressed IESG review comments (#1419)

* Addressed IESG review comments

* Minor wording simplification
  by Mike Jones
https://github.com/w3c/webauthn/commit/f10427d699882e8d7c4c173b25bed83f1e382b3c

* Specify more about COSE algorithms.

[COSEAlgorithmIdentifiers](https://w3c.github.io/webauthn/#typedefdef-cosealgorithmidentifier) aren't very specific.

JOSE [defines](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms) an algorithm called “ES256” as “ECDSA using P-256 and SHA-256” — which is fine. COSE [also defines](https://www.iana.org/assignments/cose/cose.xhtml#algorithms) an algorithm called “ES256”, except that the COSE version isn't specific to any curve! It's just ECDSA with SHA-256 hashing. COSE only [says](https://tools.ietf.org/html/rfc8152#section-8.1) that “in order to promote interoperability, it is suggested that SHA-256 be used only with curve P-256”. Technically, an authenticator could return a public key over some other curve, although I bet it breaks lots of RPs.

Similarly, COSE defines an algorithm for “EdDSA”, which is commonly interpreted to mean EdDSA with Ed25519. But, technically, it could also mean EdDSA with the much rarer X448.

I think people thought that they were getting JOSE-style precise algorithms with a COSE algorithm identifier, but that's not true. Thus this change nails down some standard assumptions that are (I believe) currently true in all cases anyway.

(See also fido-alliance/fido-2-specs#862.)
  by Adam Langley
https://github.com/w3c/webauthn/commit/73fb44b5e37b0770ceb120a85488043cd653c4f7

* Fix examples to use current Extensions
  by John Bradley
https://github.com/w3c/webauthn/commit/1fb7028e730ccb7556848583fc434e330daa019d

* Substitute enum types in dictionaries with DOMStrings (#1392)

* Update PublicKeyCredentialCreationOptions

* Update PublicKeyCredentialRequestOptions

* Update for PublicKeyCredential/transports

* Update for AuthenticatorSelectionCriteria

* Update for PublicKeyCredentialDescriptor

* Update for TokenBinding

* Update for PublicKeyCredentialParameters

* Updates per @agl's review comments

* Use the same 'ignore unknown values' language, which is used 8 times already in the document

* Update ResidentKeyRequirement to be a DOMString, too.

* Address @equalsJeffH's https://github.com/w3c/webauthn/pull/1392#issuecomment-621401303 and fix linking to infra:map/exists (which was unused)

* Address @equalsJeffH - Add 2.1.1 "Enumerations as DOMString Types"

Addresses https://github.com/w3c/webauthn/pull/1392#pullrequestreview-390185376
by adding a new conformance section and referring to it at the description of
each enumeration type.
  by J.C. Jones
https://github.com/w3c/webauthn/commit/a133711055b3b13c700fe2ea2acd62fe749a3f74

* Remove mentions of ECDAA. (#1418)

* Remove mentions of ECDAA.

Fixes #1410

* Remove some other references.

(I forgot to search for “ecdaa” in lowercase.)
  by Adam Langley
https://github.com/w3c/webauthn/commit/0881ded86d5eb9347efd19d0b669c34bac1fe8ba

* Use Python 3 in bikeshed Dockerfile (#1423)
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/8f7ef70d94b696d203bb55f95c96988b242c21ca

* Update index.bs

Co-authored-by: Emil Lundberg <emil@yubico.com>
  by John Bradley
https://github.com/w3c/webauthn/commit/29d1f9188d83b5d7b11f00fba3cecaaef67edc80

* Fix credential ID syntax in appIdExclude example
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/5e89d7ac7028971d4e43af0fb6ba297db6a021a5

* Update .spec-data .bikeshed-include cache

Ran the following set of commands:

./update-bikeshed-cache.sh && \
  git add .spec-data .bikeshed-include && \
  git commit .

It’s necessary either that one of the spec editors run those same
commands periodically, or else the .travis.yml CI build file needs to be
changed to stop using cached files in .spec-data and .bikeshed-include.

Prior to running the above commands and committing the changes, the
cached files in .spec-data and .bikeshed-include were more than 2 years
out of date.
  by Michael[tm] Smith
https://github.com/w3c/webauthn/commit/d8e15df7b206e1cbbd0ae30644c6109598a14ee3

* Fix typo in update-bikeshed-cache.sh (#1427)
  by Michael[tm] Smith
https://github.com/w3c/webauthn/commit/7b1bc66ee671e0eae755a8388781997e29dde57b

* Addressed additional IESG comment by Magnus Westerlund (#1431)
  by Mike Jones
https://github.com/w3c/webauthn/commit/7f541a26c796fd90d1be02fe85332f25bed3c291

* Spelling fix.

Co-authored-by: =JeffH <jdhodges@google.com>
  by Adam Langley
https://github.com/w3c/webauthn/commit/6513a003c289d8046483c590bd82469d2d397b3f

* Merge pull request #1420 from agl/cosealg

Specify more about COSE algorithms.
  by Adam Langley
https://github.com/w3c/webauthn/commit/b463fc898a36d28b26b0d469352946e0fea21024

* Merge pull request #1426 from w3c/ve7jtb-fix-1401-Example-4-in1.3.3-uses-tcSimple

Update examples to use current Extensions
  by John Bradley
https://github.com/w3c/webauthn/commit/c853bffa4454e0334c40fba48e3fafb5d3e8f3f2

* Remove webdriver-spec.html from WebDriver URLs (#1432)

* Remove webdriver-spec.html from WebDriver URLs

It redirects.

* Update index.bs
  by Philip Jägenstedt
https://github.com/w3c/webauthn/commit/d96c5c1baa008aeeb05d530ecf829df1c58047ae

* Document how to use update-bikeshed-cache.sh (#1428)

* Document how to use update-bikeshed-cache.sh

* Update README.md

Co-authored-by: =JeffH <jdhodges@google.com>

* Update README.md

* Update README.md

* Update README.md

Co-authored-by: =JeffH <jdhodges@google.com>
  by Michael[tm] Smith
https://github.com/w3c/webauthn/commit/c37dd4ac5b3149ece47ed15713f8bd4de757741f

* fix "present" link errors along with a couple others (#1433)

* fix "present" link errors along with a couple others

this is editorial clean up: fixes #1397 along with a couple other linking errors that were showing up when building the spec.

* remove unused biblio references, thx emlun!
  by =JeffH
https://github.com/w3c/webauthn/commit/dbd82205cc86fc00a7287224363ce79ea4fb960b

* Fix references to AuthenticatorAttestationResponse.getTransports()
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/72c200169084749bfa66f5996060a88c5b3e6c99

* Merge pull request #1438 from w3c/issue-1436-gettransports

Fix references to AuthenticatorAttestationResponse.getTransports()
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/2824aa4bc56e841076c4a7147c7ff83013ae5cef

* Merge branch 'master' into issue-1099-enrichen-ceremony-defs
  by JeffH
https://github.com/w3c/webauthn/commit/f9e913c341f101bebe7e5fe923deef0e72217555
Received on Monday, 15 June 2020 17:35:49 UTC