[webauthn] new commits pushed by equalsJeffH

The following commits were just pushed by equalsJeffH to https://github.com/w3c/webauthn:

* Update index.bs

Add lightning transport

Fixes #1261
  by John Bradley

* Update index.bs

Fix missing comma
  by John Bradley

* Remove note about UV verifying the same user in get() as in create()
  by Emil Lundberg

* Clarify assumptions about single-user authenticators and relation to UV
  by Emil Lundberg

* Incorporate suggestion by @FabianHenneke
  by Emil Lundberg

* Update CDDL reference
  by Emil Lundberg

* Enhance spec roadmap section
  by Emil Lundberg

* Link to security/privacy considerations in spec roadmap
  by Emil Lundberg

* Add batch attestation as alias of basic attestation
  by Emil Lundberg

* Add explanatory note to step 3 in authenticatorMakeCredential
  by Emil Lundberg

* Explicitly mention running over TLS in WebAuthn API intro
  by Emil Lundberg

* Add definition link to "bound" term
  by Emil Lundberg

* feature policy integ: add link to (#1328)
  by =JeffH

* Update note in RP definition to indicate that non-WebAuthn FIDO clients MAY use origin values that are different than those specified for WebAuthn.
  by Shane Weeden

* Merge pull request #1320 from w3c/issue-1206-cddl-ref

Update CDDL reference
  by Emil Lundberg

* Merge pull request #1321 from w3c/issue-1100-spec-roadmap

Enhance spec roadmap section
  by Emil Lundberg

* Merge pull request #1313 from w3c/issue-1305-uv-same-user

Clarify assumptions about single-user authenticator and relation to UV
  by J.C. Jones

* Merge pull request #1325 from w3c/issue-1260-batch-attestation

Add batch attestation as alias of basic attestation
  by Emil Lundberg

* Merge pull request #1326 from w3c/issue-1133-makecred-authorize-collision-disclosure

Add explanatory note to step 3 in authenticatorMakeCredential
  by Emil Lundberg

* Merge pull request #1327 from w3c/issue-1201-tls

Explicitly mention running over TLS in WebAuthn API intro
  by Emil Lundberg

* Update timeout examples to better agree with guidelines
  by Emil Lundberg

* Fix off-by-factor-10 timeout example
  by Emil Lundberg

* Add explicit UV argument to registration example
  by Emil Lundberg

* Merge pull request #1319 from w3c/issue-1317-timeout-examples

Update timeout examples to better agree with guidelines
  by Emil Lundberg

* Truncate strings for authenticators where needed. (#1316)

* Truncate strings for authenticators where needed.

There exist a significant number of authenticators that do not conform
to the current WebAuthn requirements in that they fail requests with
name/displayName strings longer than 64 bytes, rather than truncating.

This change adds a new requirement on user-agents that they maintain the
authenticator model for RPs by doing the truncation on their behalf in
this case. The alternative is that each RP will hit this edge-case and
do the truncation itself, thus the ecosystem will never be able to
support longer strings.

Since user-agents may now be doing truncation, this change also permits
truncation at the level of grapheme clusters (since user-agents
presumably have Unicode tables available).

Fixes #1296.

* Address Jeff and Emil's comments.
  by Adam Langley
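
Added example, not code from the commit or the spec: a client-side truncation of a name/displayName value to the 64-byte limit the message describes, cutting at grapheme-cluster boundaries rather than mid-character. The cluster segmentation is an assumption, a small heuristic for combining marks, variation selectors, skin-tone modifiers and ZWJ sequences, not a full UAX #29 segmenter; a user agent would use its real Unicode tables.

```python
import unicodedata

# Byte limit named in the commit message: authenticators that reject
# name/displayName values longer than 64 bytes instead of truncating.
MAX_NAME_BYTES = 64


def _extends_cluster(ch: str, prev: str) -> bool:
    """Heuristic (assumption, not a full UAX #29 segmenter): a code point
    continues the previous grapheme cluster if it is a combining mark,
    a variation selector, an emoji skin-tone modifier or a ZWJ, or if the
    previous code point was a ZWJ."""
    cp = ord(ch)
    return (
        unicodedata.category(ch) in ("Mn", "Mc", "Me")
        or ch == "\u200d"
        or prev == "\u200d"
        or 0xFE00 <= cp <= 0xFE0F
        or 0x1F3FB <= cp <= 0x1F3FF
    )


def grapheme_clusters(s: str) -> list:
    """Split s into (approximate) grapheme clusters."""
    clusters = []
    for ch in s:
        if clusters and _extends_cluster(ch, clusters[-1][-1]):
            clusters[-1] += ch
        else:
            clusters.append(ch)
    return clusters


def truncate_for_authenticator(s: str, max_bytes: int = MAX_NAME_BYTES) -> str:
    """Return the longest prefix of s whose UTF-8 encoding fits in max_bytes
    without splitting a code point or a grapheme cluster."""
    out = []
    used = 0
    for cluster in grapheme_clusters(s):
        n = len(cluster.encode("utf-8"))
        if used + n > max_bytes:
            break
        out.append(cluster)
        used += n
    return "".join(out)


def naive_truncate(s: str, max_bytes: int = MAX_NAME_BYTES) -> str:
    """Plain byte cut, for comparison: it can strand a base character whose
    combining mark no longer fits, or split a multi-byte code point
    (the damaged tail bytes are dropped by errors="ignore")."""
    return s.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    # Constructed sample: 63 ASCII bytes followed by "e" + combining acute (3 bytes).
    sample = "a" * 63 + "e\u0301"
    print(repr(truncate_for_authenticator(sample)))  # keeps only the 63 "a"s
    print(repr(naive_truncate(sample)))              # keeps a bare "e" without its accent
```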

* Create a way to reference the following figure (#1323)

* Address Jeff and Emil's comments.

* Create a way to reference the following figure.

The fact that we have to keep the figure numbers in sync manually
annoyed me. Bikeshed isn't helping out here so I don't see a way to
avoid this for long-range links, but this change eliminates the need to
manually maintain some of the absolute numbers by providing a way to
insert the number of the following figure when the reference and figure
are close by.
  by Adam Langley

* Minor updates based on reviewer feedback.
  by Shane Weeden

* Use CSS numbering for table references too (#1324)

* Generate "Figure" text in .figure-num-following

* Rename .figure-num-* to .figure-ref-*

Since the CSS rule now also generates the "Figure" text, not just the

* Use CSS counter for table number references too

* Revert "Rename .figure-num-* to .figure-ref-*"

This reverts commit ffde79d01a1353fd1e70742658038b0ba7695db9.

* Revert "Generate "Figure" text in .figure-num-following"

This reverts commit e4f3f0c4a317d7c7f4ca47aeb8496dbe94bc3175.

* Move "Table " text out from CSS rules

When generated by the CSS rules, the "Table" text is not searchable by
the "find in page" tool in browsers.

* Unbreak <figcaption>s for tables
  by Emil Lundberg

* Merge pull request #1332 from w3c/sbweeden_issue_1297

Update note in RP definition to indicate that non-WebAuthn FIDO clien…
  by Shane Weeden

* name the protocol (#1335)

* name the protocol

* fix annoying interstitial space
  by =JeffH

* Fix #1285 - Remove icons from PublicKeyCredentialEntity

As discussed in issue #1285, the image URL fields for PublicKeyCredentialEntity,
while intended for user interface design, are potent correlation mechanisms if
they are downloaded by RPs. RPs would have to take extraordinary care, beyond
reasonable measures, to avoid uses by RPs with mal-intent to cross-correlate
accounts. It is better for User Agents to use existing origin/icon mechanisms for
their UX designs, or to define new such mechanisms as-needed, that are
origin-wide rather than provide the possibility to embed detailed tracking
information into these URLs.
  by J.C. Jones

* Merge pull request #1337 from jcjones/1285-image_deprecation

Fix #1285 - Remove icons from PublicKeyCredentialEntity
  by J.C. Jones

* Reduce duplicated terminology (#1334)

* Move Assertion def in as an alias under Authentication Assertion

* De-duplicate attestation key/cert terms

* Replace "platform-provided authenticator" with "platform authenticator"

* Replace "internal authenticator" with "platform authenticator"

* Add links to [=client data=]

* Add links to [=credential public key=] and [=attestedCredentialData=]

* Replace "associated with" with "of"

* Define [=WebAuthn signature=]

* Add links to [=attestation signature=]

* De-duplicate "authentication signature"

* Add links to [=authorization gesture=]
  by Emil Lundberg

* reverting and restoring automation section et al... (#1340)
  by =JeffH

* add indication of cross-origin operation in `collectedClientData` (#1276)

* change sameOriginWithAncestors to crossOrigin, add the latter to CollectedClientData

* minor editorial

* revert back to sameOriginWithAncestors

* evauated -> evaluated

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* one more time: evauated -> evaluated
  by =JeffH

* Fix typo

though should be through
  by Yanming Zhou

* Reformat and rename AuthenticatorBiometricPerfBounds
  by Kagami Sascha Rosylight

* <div> cannot appear within <figure>. See [figure content model](https://html.spec.whatwg.org/multipage/grouping-content.html#the-figure-element) (#1350)
  by Philippe Le Hegaret

* Merge pull request #1341 from quaff/patch-1

Fix typo
  by Emil Lundberg

* 'loc' extension: cite permissions and geolocation specs (#1342)

* 'loc' extension: cite permissions and geoloc specs

* mark new geoloc cites normative to match existing cites

* Update index.bs - capitalize 'must'

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* update per emlun's comment, thx!
  by =JeffH

* Use the new name for Coordinates (#1344)

Merging, per decision on the 4-Dec-19 call
  by Kagami Sascha Rosylight

* Merge pull request #1345 from saschanaz/biometric

Reformat and rename AuthenticatorBiometricPerfBounds
  by Adam Langley

* Add a WebDriver Extension Capability
  by Nina Satragno

* Apply suggestions from code review

fix nits

Co-Authored-By: =JeffH <jdhodges@google.com>
  by Nina Satragno

* Rename capability webauthn:virtualAuthenticators
  by Nina Satragno

* Fix typo
  by Emil Lundberg

* Merge pull request #1357 from w3c/typo

Fix typo
  by Emil Lundberg

* Add note about risk of ignoring excludeCredentials with mismatched transports
  by Emil Lundberg

* Merge pull request #1359 from w3c/issue-1348-excludecredentials-transports

Add note about risk of ignoring excludeCredentials with mismatched transports
  by Emil Lundberg

* Clarify exts client extension output (#1361)
  by Emil Lundberg

* Merge pull request #1353 from nsatragno/webdriver_capability

Add a WebDriver Extension Capability
  by J.C. Jones

* remove 'lightning' AuthenticatorTransport enum value (#1364)
  by =JeffH

* update CTAP reference to point to ps-20190130 (#1365)
  by =JeffH

* Add clearer recommendation on what to do with transport hints
  by Emil Lundberg

* Recommend storing/retrieving transport hints in PublicKeyCredentialDescriptor description
  by Emil Lundberg

* Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity (#1333)

* Add security consideration on client-authnr direct communication

See issue #1257

* Address @equalsJeffH's review comments

* Add missing CSS class .figure-num-previous

* Rewrite proximity section shorter and discuss benefits of physical proximity

* Add commas suggested by @agl

Co-Authored-By: Adam Langley <agl@google.com>

Co-authored-by: Adam Langley <agl@imperialviolet.org>
  by Emil Lundberg

* Remove the requirement to accept and store a 64-byte minimum length for a name member’s value (#1354)

* Update index.bs

Remove the requirement to accept and store a 64-byte minimum length for a name member’s value
Fixes #1352

* Update index.bs

add if the authenticator stores the value for equalsJeffH
  by John Bradley

* draft-hodges-webauthn-registries-04 (#1378)
  by Mike Jones

* Address @equalsJeffH's review comment
  by Emil Lundberg

* Proposed changes for draft-hodges-webauthn-registries-05 (#1380)

* Proposed changes for draft-hodges-webauthn-registries-05

* Minor polishing -05, Thx selfissued!

Co-authored-by: JeffH <jdhodges@google.com>
  by Mike Jones

* re-gen .html & .txt files from .xml file (#1384)
  by =JeffH

* Merge pull request #1369 from w3c/issue-1368-transports-instructions

Add clearer recommendation on what to do with transport hints
  by Emil Lundberg

* Use Python 3.7
  by J.C. Jones

* Add getPublicKey method.

This change adds a getPublicKey method to the
AuthenticatorAttestationResponse to save some users from having to parse
out and handle COSE keys.

(See linked issue for background.)

Fixes #1363
  by Adam Langley

* Merge pull request #1393 from jcjones/python3

Use Python 3.7 for Travis-CI
  by Adam Langley

* Default to ES256 and RS256 if pubKeyCredParams is empty (#1387)

Default to algorithm -7 ("ES256") and -257 ("RS256") when
options.pubKeyCredParams is empty.

Fixes issue 1383.
  by Nina Satragno

* Update index.bs

This removes unimplemented extensions
  by John Bradley

* Update signature counters section. (#1390)

* Update signature counters section.

This section did not reflect the specified behaviour for signature
counters and did not mention that they are returned in makeCredential
responses too. See linked bug for details.

Fixes #1370

* Apply suggestions from code review

Including Jeff and Emil's comments.

Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley

* Update based on comments
  by Adam Langley

* restore IANA registration for credprops
  by John Bradley

* Remove reference to uvi
  by John Bradley

* Merge branch 'master' of https://github.com/ve7jtb/webauthn
  by John Bradley

* Update index.bs

Remove lightning again
  by John Bradley

* Remove 13.4.1. Browser Permissions Framework and Extensions

The only extension using it is now gone.
  by John Bradley

* Prohibit Create Credential from cross-origin iframes (#1394)

* Prohibit Create Credential from cross-origin iframes

This reverts part of PR #1276, again prohibiting the use of the Create method
when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since
the integration between Credential Management and Feature Policy is now

* Split the feature-policy definition, per review comments

* Apply suggestions from code review

Co-Authored-By: =JeffH <jdhodges@google.com>

Co-authored-by: =JeffH <jdhodges@google.com>
  by J.C. Jones

* Fix markup error in three headings. (#1405)

(If you look at the current HTML output, the anchor is mistakenly
getting included as part of the heading without this.)
  by Adam Langley

* Merge pull request #1399 from ve7jtb/master

remove unimplemented extensions (was: Update index.bs)
  by John Bradley

* Fix IANA Registration (#1408)

* Update index.bs

Fixes #1400: adds IANA registration for appidExclude and removes already registered extensions. Changes wording from initial registrations to additional registrations.

* Fix section reference

* Grammar fix

Change wich to that in two places
  by John Bradley

* use '(client-side) discoverable credential' terminology (#1398)

* use '(client-side) discoverable credential' terminology

..rather than the 'resident credential' and 'resident key' terms.  Also changed 'non-resident credential' to 'server-side credential', along with other related fixups. Marked the latter terms as DEPRECATED.

* address AGL's comments

* Update index.bs

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* Update index.bs

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* Update index.bs

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* Apply suggestions from code review

thx emlun!

Co-Authored-By: Emil Lundberg <emil@yubico.com>

* fix tortured Note: language, thx emlun!

* Apply emlun's and ve7jtb's suggestions, thx!

Co-Authored-By: Emil Lundberg <emil@yubico.com>
Co-Authored-By: John Bradley <ve7jtb@ve7jtb.com>

Co-authored-by: Emil Lundberg <emil@yubico.com>
Co-authored-by: John Bradley <ve7jtb@ve7jtb.com>
  by =JeffH

* Apply suggestions from code review

(Some suggestions collide with others and GitHub can't cope with that. Will apply those manually in a sec.)

Co-Authored-By: J.C. Jones <james.jc.jones@gmail.com>
Co-Authored-By: =JeffH <jdhodges@google.com>
Co-Authored-By: Emil Lundberg <emil@emlun.se>
  by Adam Langley

* Add getPublicKeyAlgorithm()

A SubjectPublicKeyInfo encodes only the public key, but COSE Key
structures also include a signature algorithm. Since RPs will need this
information too, this change adds getPublicKeyAlgorithm to return it.

(This change also includes some suggestions from the review that GitHub
couldn't automatically apply because they collided with other
  by Adam Langley

* Add “enterprise” attestation type. (#1366)

* Add “enterprise” attestation type.

In controlled deployments, organisations may wish to tie specific
registrations back to individual authenticators. Obviously this has
privacy concerns and needs to be gated on local configuration, or
special configuration on the authenticator. However, as cloud services
are increasingly used, RP IDs are no longer neatly divided into
enterprise and consumer contexts, and the RP might _not_ wish to receive
the enterprise attestation when used in a consumer context.

This change adds a new level of attestation, “enterprise”, which allows
RPs to indicate when they would like to, possibly, receive an
attestation that may include uniquely identifying information. This
leaves “direct” with its current, less privacy-impacting meaning.

Fixes #1147

* Signal attestation at the correct time.

* Merging a suggested change from Jeff

Co-Authored-By: =JeffH <jdhodges@google.com>

* Merging a suggested change from Jeff

Co-Authored-By: =JeffH <jdhodges@google.com>

* modest fixups for enterprise attestation

* Convert  to DOMString

* Remove fallback to direct

* Apply jcjones' suggestion

Co-Authored-By: J.C. Jones <james.jc.jones@gmail.com>

Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: J.C. Jones <james.jc.jones@gmail.com>
  by Adam Langley

* Add more requirements for ClientDataJSON serialisation. (#1375)

* Add more requirements for ClientDataJSON serialisation.

ClientDataJSON is currently defined to be the JSON encoding of the
CollectedClientData. This implies that validators require a full JSON
parsing library to check needed entries in the ClientDataJSON such as
the challenge, type, and origin.

This is a problematic dependency in some cases. This change seeks to
address that by being stricter about the encoding, while still
generating JSON. Thus existing validators do not need to change but
those willing to require recent WebAuthn-implementing browsers can avoid
the full generality of JSON.

* Address various comments.

* Apply suggestions from code review

Apply Jeff's suggestions

Co-Authored-By: =JeffH <jdhodges@google.com>

* incorp jcjones' feedback, thx!

Co-authored-by: =JeffH <jdhodges@google.com>
  by Adam Langley

* Add "MDN Panels" to spec (#1411)

* Test "MDN Panels" bikeshed feature

this adds "Include MDN Panels: yes" to the spec "metadata". They are documented here:


This will add little widgets to the right side of the spec for each interface (that's been documented in MDN's "browser compatibility data" repo). These widgets summarize the implementation status of the interface in various browsers.

MDN's "browser compatibility data" repo is here:


A rendering of MDN's present WebAuthn implementation state is here:


* try a value of 'maybe'
  by =JeffH

* Mike's proposed edits for draft-hodges-webauthn-registries-06 (#1415)
  by Mike Jones

* Mike's proposed edits for draft-hodges-webauthn-registries-07 (#1416)
  by Mike Jones

* Define the 'it' as the 'RP'

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by J.C. Jones

* Merge pull request #1395 from agl/getpubkey

Add getPublicKey method.
  by J.C. Jones

* Mike's proposed changes for draft-hodges-webauthn-registries-08 (#1417)
  by Mike Jones

* Addressed IESG review comments (#1419)

* Addressed IESG review comments

* Minor wording simplification
  by Mike Jones

* Specify more about COSE algorithms.

[COSEAlgorithmIdentifiers](https://w3c.github.io/webauthn/#typedefdef-cosealgorithmidentifier) aren't very specific.

JOSE [defines](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms) an algorithm called “ES256” as “ECDSA using P-256 and SHA-256” — which is fine. COSE [also defines](https://www.iana.org/assignments/cose/cose.xhtml#algorithms) an algorithm called “ES256”, except that the COSE version isn't specific to any curve! It's just ECDSA with SHA-256 hashing. COSE only [says](https://tools.ietf.org/html/rfc8152#section-8.1) that “in order to promote interoperability, it is suggested that SHA-256 be used only with curve P-256”. Technically, an authenticator could return a public key over some other curve, although I bet it breaks lots of RPs.

Similarly, COSE defines an algorithm for “EdDSA”, which is commonly interpreted to mean EdDSA with Ed25519. But, technically, it could also mean EdDSA with the much rarer X448.

I think people thought that they were getting JOSE-style precise algorithms with a COSE algorithm identifier, but that's not true. Thus this change nails down some standard assumptions that are (I believe) currently true in all cases anyway.

(See also fido-alliance/fido-2-specs#862.)
  by Adam Langley
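
Added example, not code from the commit or the spec: an RP-side check that enforces the key-shape assumptions the message nails down, ES256 bound to P-256 and EdDSA bound to Ed25519, and extends the same pattern to the ES384/ES512 pairings beyond what the message discusses. The COSE labels and registry numbers are the real IANA values; the sample keys and their coordinates are constructed placeholders, and the function checks only the decoded COSE_Key shape, not any signature.

```python
# COSE_Key map labels and registry values (IANA COSE registries).
KTY, ALG, CRV = 1, 3, -1
KTY_OKP, KTY_EC2, KTY_RSA = 1, 2, 3
CRV_P256, CRV_P384, CRV_P521 = 1, 2, 3
CRV_X448, CRV_ED25519, CRV_ED448 = 5, 6, 7
ES256, ES384, ES512, EDDSA, RS256 = -7, -35, -36, -8, -257

# The pairings the commit text assumes: each accepted COSEAlgorithmIdentifier
# is bound to exactly one key type and, for EC/OKP keys, one curve.
# (Extending ES256 -> P-256 to ES384/ES512 is this example's generalization.)
EXPECTED_KEY_SHAPE = {
    ES256: (KTY_EC2, CRV_P256),
    ES384: (KTY_EC2, CRV_P384),
    ES512: (KTY_EC2, CRV_P521),
    EDDSA: (KTY_OKP, CRV_ED25519),
    RS256: (KTY_RSA, None),
}


def check_credential_public_key(cose_key: dict, requested_alg: int) -> tuple:
    """Validate a decoded COSE_Key (CBOR map with integer labels) against the
    algorithm the RP listed in pubKeyCredParams. Returns (ok, reason)."""
    shape = EXPECTED_KEY_SHAPE.get(requested_alg)
    if shape is None:
        return False, f"alg {requested_alg} is not in the RP's accepted set"
    want_kty, want_crv = shape
    if cose_key.get(KTY) != want_kty:
        return False, f"kty {cose_key.get(KTY)} does not match alg {requested_alg}"
    # A key that carries its own alg label must agree with what was requested.
    if ALG in cose_key and cose_key[ALG] != requested_alg:
        return False, f"key alg {cose_key[ALG]} != requested alg {requested_alg}"
    # This is the check COSE itself does not force: the curve behind the alg.
    if want_crv is not None and cose_key.get(CRV) != want_crv:
        return False, f"crv {cose_key.get(CRV)} is not the curve assumed for alg {requested_alg}"
    return True, "ok"


# Constructed sample keys; x/y/public-key bytes are placeholders, not real points.
P256_KEY = {KTY: KTY_EC2, ALG: ES256, CRV: CRV_P256, -2: b"\x01" * 32, -3: b"\x02" * 32}
P384_KEY_CLAIMING_ES256 = {KTY: KTY_EC2, ALG: ES256, CRV: CRV_P384, -2: b"\x01" * 48, -3: b"\x02" * 48}
X448_KEY_CLAIMING_EDDSA = {KTY: KTY_OKP, ALG: EDDSA, CRV: CRV_X448, -2: b"\x03" * 56}
ED25519_KEY = {KTY: KTY_OKP, CRV: CRV_ED25519, -2: b"\x04" * 32}

if __name__ == "__main__":
    for label, key, alg in [("P-256/ES256", P256_KEY, ES256),
                            ("P-384 labelled ES256", P384_KEY_CLAIMING_ES256, ES256),
                            ("X448 labelled EdDSA", X448_KEY_CLAIMING_EDDSA, EDDSA),
                            ("Ed25519/EdDSA", ED25519_KEY, EDDSA)]:
        print(label, check_credential_public_key(key, alg))
```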

* Fix examples to use current Extensions
  by John Bradley

* Substitute enum types in dictionaries with DOMStrings (#1392)

* Update PublicKeyCredentialCreationOptions

* Update PublicKeyCredentialRequestOptions

* Update for PublicKeyCredential/transports

* Update for AuthenticatorSelectionCriteria

* Update for PublicKeyCredentialDescriptor

* Update for TokenBinding

* Update for PublicKeyCredentialParameters

* Updates per @agl's review comments

* Use the same 'ignore unknown values' language, which is used 8 times already in the document

* Update ResidentKeyRequirement to be a DOMString, too.

* Address @equalsJeffH's https://github.com/w3c/webauthn/pull/1392#issuecomment-621401303 and fix linking to infra:map/exists (which was unused)

* Address @equalsJeffH - Add 2.1.1 "Enumerations as DOMString Types"

Addresses https://github.com/w3c/webauthn/pull/1392#pullrequestreview-390185376
by adding a new conformance section and referring to it at the description of
each enumeration type.
  by J.C. Jones

* Remove mentions of ECDAA. (#1418)

* Remove mentions of ECDAA.

Fixes #1410

* Remove some other references.

(I forgot to search for “ecdaa” in lowercase.)
  by Adam Langley

* Use Python 3 in bikeshed Dockerfile (#1423)
  by Emil Lundberg

* Update index.bs

Co-authored-by: Emil Lundberg <emil@yubico.com>
  by John Bradley

* Fix credential ID syntax in appIdExclude example
  by Emil Lundberg

* Update .spec-data .bikeshed-include cache

Ran the following set of commands:

./update-bikeshed-cache.sh && \
  git add .spec-data .bikeshed-include && \
  git commit .

It’s necessary either that one of the spec editors run those same
commands periodically, or else the .travis.yml CI build file needs to be
changed to stop using cached files in .spec-data and .bikeshed-include.

Prior to running the above commands and committing the changes, the
cached files in .spec-data and .bikeshed-include were more than 2 years
out of date.
  by Michael[tm] Smith

* Fix typo in update-bikeshed-cache.sh (#1427)
  by Michael[tm] Smith

* Addressed additional IESG comment by Magnus Westerlund (#1431)
  by Mike Jones

* Spelling fix.

Co-authored-by: =JeffH <jdhodges@google.com>
  by Adam Langley

* Merge pull request #1420 from agl/cosealg

Specify more about COSE algorithms.
  by Adam Langley

* Merge pull request #1426 from w3c/ve7jtb-fix-1401-Example-4-in1.3.3-uses-tcSimple

Update examples to use current Extensions
  by John Bradley

* Remove webdriver-spec.html from WebDriver URLs (#1432)

* Remove webdriver-spec.html from WebDriver URLs

It redirects.

* Update index.bs
  by Philip Jägenstedt

* Document how to use update-bikeshed-cache.sh (#1428)

* Document how to use update-bikeshed-cache.sh

* Update README.md

Co-authored-by: =JeffH <jdhodges@google.com>

* Update README.md

* Update README.md

* Update README.md

Co-authored-by: =JeffH <jdhodges@google.com>
  by Michael[tm] Smith

* fix "present" link errors along with a couple others (#1433)

* fix "present" link errors along with a couple others

this is editorial clean up: fixes #1397 along with a couple other linking errors that were showing up when building the spec.

* remove unused biblio references, thx emlun!
  by =JeffH

* Fix references to AuthenticatorAttestationResponse.getTransports()
  by Emil Lundberg

* Merge pull request #1438 from w3c/issue-1436-gettransports

Fix references to AuthenticatorAttestationResponse.getTransports()
  by Emil Lundberg

* Merge branch 'master' into issue-1099-enrichen-ceremony-defs
  by JeffH

Received on Monday, 15 June 2020 17:35:49 UTC