Re: [webauthn] Remove unimplemented extensions (#1386)

> Typically, if you use levels, level 2 includes or is based on level 1, but as the removal of extensions shows, this is not the case in WebAuthn.

The removal was not a deprecation - the extensions are still valid to be used by their unchanged level 1 definitions.

They were removed from the level 2 spec to better represent the reality that they do not work in the real world, and client implementations have indicated no interest in supporting them regardless of authenticator support.

> In my opinion the separation of the "passwordless authentication" into WebAuthn and CTAP2, managed by two organizations (W3C/FIDO), makes it pretty hard to get the full picture of what is actually usable.

The quick rule of thumb is that WebAuthn is a dependency of CTAP 2.x, not vice-versa. If there are things needed to use the Web Authentication API or to process messages which are not defined in the Web Authentication specification, then those are areas of improvement.

The API defined in WebAuthn lists the sum of the capabilities exposed to the relying party through client JavaScript, including by authenticators which do not conform to CTAP. That includes defining extension mechanisms for new attestation schemes and message-level extensions. CTAP defines a few of the latter, including some which make no sense to expose in a browser JavaScript context.

You also tend to have non-JavaScript APIs for interfacing with authenticators that reference the WebAuthn spec - for instance, native application APIs on Android, Windows, and iOS/macOS platforms. These usually define a mapping of the JavaScript API into the native API, and may define additional rules around RPID validation (e.g. the specified origin should have a file in a well-known location with certain contents) or entitlements (such as an optional capability for an app to operate for all RPIDs, as a web browser does).

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1386#issuecomment-880393371 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 July 2021 05:03:52 UTC