- From: Adam Langley <noreply@github.com>
- Date: Fri, 07 Oct 2022 12:34:31 -0700
- To: public-webauthn@w3.org
Branch: refs/heads/jeffh-fix-1658-device-bound-key-extension
Home: https://github.com/w3c/webauthn
Commit: 4442cb39a36a59b14a03c28462167873a5798b13
https://github.com/w3c/webauthn/commit/4442cb39a36a59b14a03c28462167873a5798b13
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-05-26 (Thu, 26 May 2022)
Changed paths:
M index.bs
Log Message:
-----------
Narrow claim about MitM resistance to tampering specifically
As noted in issue #1731: Under the given assumption alone, the ceremony is not
necessarily resistant to code injection MitM attacks that execute on a
legitimate origin but exfiltrate the assertion to a malicious remote server.
Commit: d388f9bd013da65c00ad57a4314fbb7bd8fba882
https://github.com/w3c/webauthn/commit/d388f9bd013da65c00ad57a4314fbb7bd8fba882
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-05-26 (Thu, 26 May 2022)
Changed paths:
M index.bs
Log Message:
-----------
Add security consideration: Code injection attacks
This addresses issue #1731.
See: https://github.com/w3c/webauthn/issues/1731
Commit: 74eb1b6abcf8ddca9cec3bdc6f9f43c0ff87eed6
https://github.com/w3c/webauthn/commit/74eb1b6abcf8ddca9cec3bdc6f9f43c0ff87eed6
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-06-28 (Tue, 28 Jun 2022)
Changed paths:
M index.bs
Log Message:
-----------
Address review comments
Commit: a6cc726ffa5de44f6948b27e8b91136408409690
https://github.com/w3c/webauthn/commit/a6cc726ffa5de44f6948b27e8b91136408409690
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix dangling language in WebAuthn Extensions section
Commit: 573b1c228a8bcc972914dab109019e65353c987c
https://github.com/w3c/webauthn/commit/573b1c228a8bcc972914dab109019e65353c987c
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Namespace authData dfns under authData/ and flags under authData/flags/
Commit: 1a15f21f32d40f58b7cce57bca25e8405493b123
https://github.com/w3c/webauthn/commit/1a15f21f32d40f58b7cce57bca25e8405493b123
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Delete unused <dfn>
Commit: 115c96b04aca6be35b6ba842d50e43a44747185a
https://github.com/w3c/webauthn/commit/115c96b04aca6be35b6ba842d50e43a44747185a
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Use backup eligible term in definition of BE flag
Commit: 0defc4bd8461908605fc1ec59dbf10ef025ac13a
https://github.com/w3c/webauthn/commit/0defc4bd8461908605fc1ec59dbf10ef025ac13a
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Link uses of [=backed up=]
Commit: b1a14865be96b79cc3661fe056b1cd976f0760b9
https://github.com/w3c/webauthn/commit/b1a14865be96b79cc3661fe056b1cd976f0760b9
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Sync descriptions of BE/BS combinations with those in flags table
Commit: 002bb488371f8b92d2337fece7023d9d8ebae343
https://github.com/w3c/webauthn/commit/002bb488371f8b92d2337fece7023d9d8ebae343
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Extract Credential Record abstraction
Commit: faba4d3fac4d1014c36edfaf44a7dcbb7b5b630d
https://github.com/w3c/webauthn/commit/faba4d3fac4d1014c36edfaf44a7dcbb7b5b630d
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Describe list of BE/BS flag handling guidance as normative
Since the list already contains normative SHOULD statements.
Commit: 196f0759a1fdc317b222e3eac5a8d6c9ecbd57b8
https://github.com/w3c/webauthn/commit/196f0759a1fdc317b222e3eac5a8d6c9ecbd57b8
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-07-11 (Mon, 11 Jul 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix typo
Commit: f754904a85127c82e894b2163b2da4a3d57ca4a5
https://github.com/w3c/webauthn/commit/f754904a85127c82e894b2163b2da4a3d57ca4a5
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-08-22 (Mon, 22 Aug 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1771 from w3c/flags-namespace
Namespace authData dfns under authData/ and flags under authData/flags/
Commit: 91c3aba5ae44064c7741151e10a0d6b279caa2c0
https://github.com/w3c/webauthn/commit/91c3aba5ae44064c7741151e10a0d6b279caa2c0
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-08 (Thu, 08 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix reference to "get a copy of the bytes held by the buffer source"
Changed in WebIDL commit d6e71e53a96151fe02659e2cbe46a77aa976a2bc
See: https://github.com/whatwg/webidl/commit/d6e71e53a96151fe02659e2cbe46a77aa976a2bc
Commit: cfb347672a8bac51a9b488786ce7bdadfa02c5bb
https://github.com/w3c/webauthn/commit/cfb347672a8bac51a9b488786ce7bdadfa02c5bb
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-08 (Thu, 08 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix reference to "same site"
Moved to HTML spec in URL spec commit 3703f92854207564b21301418d28a0ac647be06d
See: https://github.com/whatwg/url/commit/3703f92854207564b21301418d28a0ac647be06d
Commit: d5deef95b91e4e4e89ab4fedd375e16383419ddc
https://github.com/w3c/webauthn/commit/d5deef95b91e4e4e89ab4fedd375e16383419ddc
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-08 (Thu, 08 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix reference to "extension command"
Changed in WebDriver commit 9990bb27e57e8fd8bd0d9ad8f5b7353eeaebaaa4
See: https://github.com/w3c/webdriver/commit/9990bb27e57e8fd8bd0d9ad8f5b7353eeaebaaa4
Also remove unused references.
Commit: 797e76ebb4f08f769890f0597736382de8737662
https://github.com/w3c/webauthn/commit/797e76ebb4f08f769890f0597736382de8737662
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-21 (Wed, 21 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1733 from w3c/issue-1731-code-injection-cons
Add "Code injection attacks" security consideration
Commit: 0bfc0d08a554b38378ed9666640b966236c7ea08
https://github.com/w3c/webauthn/commit/0bfc0d08a554b38378ed9666640b966236c7ea08
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-21 (Wed, 21 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1772 from w3c/issue-1740-backup-flags
Fix inconsistencies in backup state flags
Commit: 5d0cc6183876f8f971118cc4b9e2b3a9011fb812
https://github.com/w3c/webauthn/commit/5d0cc6183876f8f971118cc4b9e2b3a9011fb812
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Replace obsolete RFC8152 with RFC9052 and RFC9053
The spec "CBOR Object Signing and Encryption (COSE)" [[RFC8152]] has been
superseded and split into the two specs "CBOR Object Signing and Encryption
(COSE): Structures and Process" [[RFC9052]] and "CBOR Object Signing and
Encryption (COSE): Initial Algorithms" [[RFC9053]].
Summary of affected terms and references:
| Before | After |
|:-----------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------|
| [kty](https://www.rfc-editor.org/rfc/rfc8152#section-7.1) ([RFC8152]) | [kty](https://www.rfc-editor.org/rfc/rfc9052#name-cose-key-common-parameters) ([RFC9052]) |
| [crv](https://www.rfc-editor.org/rfc/rfc8152#section-13.1.1) ([RFC8152]) | [crv](https://tools.ietf.org/html/rfc9053#name-double-coordinate-curves) ([RFC9053]) |
| [COSE key](https://www.rfc-editor.org/rfc/rfc8152#section-7) ([RFC8152][rfc8152]) | [COSE key](https://tools.ietf.org/html/rfc9052#name-key-objects) ([RFC9052]) |
| [Section 7](https://www.rfc-editor.org/rfc/rfc8152#section-7) of [[RFC8152]] | [Section 7](https://www.rfc-editor.org/rfc/rfc9052#section-7) of [[RFC9052]] |
| [Section 8](https://www.rfc-editor.org/rfc/rfc8152#section-8) of [[RFC8152]] | [Section 2](https://www.rfc-editor.org/rfc/rfc9053#section-2) of [[RFC9053]] |
| [Section 8.1](https://www.rfc-editor.org/rfc/rfc8152#section-8.1) of [[RFC8152]] | [Section 2.1](https://www.rfc-editor.org/rfc/rfc9053#section-2.1) of [[RFC9053]] |
| [Section 13.1](https://www.rfc-editor.org/rfc/rfc8152#section-13.1) of [[RFC8152]] | [Section 7.1](https://www.rfc-editor.org/rfc/rfc9053#section-7.1) of [[RFC9053]] |
[rfc8152]: https://www.rfc-editor.org/rfc/rfc8152
[rfc9052]: https://www.rfc-editor.org/rfc/rfc9052
[rfc9053]: https://www.rfc-editor.org/rfc/rfc9053
Commit: 36b4ccff60d7626d5a7f0cc59ff55ff3a0c85997
https://github.com/w3c/webauthn/commit/36b4ccff60d7626d5a7f0cc59ff55ff3a0c85997
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Add missing type member in credential record creation
Commit: a5710f6fe905fa953aaae9a7dd5e7413fc126adc
https://github.com/w3c/webauthn/commit/a5710f6fe905fa953aaae9a7dd5e7413fc126adc
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Allow extensions to extend the credential record struct
Commit: f6479ef09a686472f90220f09be5c50594332889
https://github.com/w3c/webauthn/commit/f6479ef09a686472f90220f09be5c50594332889
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Add attestation data as optional credential record items
Commit: 6285f729a6cc2bf152174ed377bc150bdb491b25
https://github.com/w3c/webauthn/commit/6285f729a6cc2bf152174ed377bc150bdb491b25
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix reference to ECDSA+hash choice recommendation in RFC9053
Commit: 6c823f1f8af0c7e63c4a309b141559fcb8990ff5
https://github.com/w3c/webauthn/commit/6c823f1f8af0c7e63c4a309b141559fcb8990ff5
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1773 from w3c/credential-record
Extract Credential Record abstraction
Commit: 3a543c49828b86ecd1266a42534d6a25e32cc7e2
https://github.com/w3c/webauthn/commit/3a543c49828b86ecd1266a42534d6a25e32cc7e2
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Fix incorrect use of options variables in create() and get()
_§5.1.3. Create a New Credential_ and _§5.1.4. Use an Existing Credential to
Make an Assertion_ both declare their **options** parameter as the
`Credential[Creation|Request]Options` object inherited from CredMan:
>**options**
>This argument is a `CredentialCreationOptions` object whose
>_options_.`publicKey` member contains a `PublicKeyCredentialCreationOptions`
>object [...]
Both also re-assign the _options_ variable:
>Let _options_ be the value of _options_.`publicKey`.
But both then also reference _options_.`signal`, which is a member of
`Credential[Creation|Request]Options` but not
`PublicKeyCredential[Creation|Request]Options`:
>If _options_.`signal` is present and aborted, throw the _options_.`signal`’s
>abort reason.
_§5.1.4. Use an Existing Credential to Make an Assertion_ also incorrectly
references _options_.`mediation` in a similar way.
This fixes the issue by introducing a new variable _pkOptions_ instead of
re-assigning the existing variable _options_, so that _options_ can keep its
original value.
Commit: 2ccb9f820fe7fbb2c9dbf942a3013a93ef06596b
https://github.com/w3c/webauthn/commit/2ccb9f820fe7fbb2c9dbf942a3013a93ef06596b
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Change definition type of credential record items to abstract-op
This will help avoid conflicts with existing definitions, including [=scope=],
as we introduce a struct for devicePubKey records as well.
Commit: 05fe54d5cebd4aaeb958eefd64f83aad831d2edf
https://github.com/w3c/webauthn/commit/05fe54d5cebd4aaeb958eefd64f83aad831d2edf
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-09-22 (Thu, 22 Sep 2022)
Changed paths:
M index.bs
Log Message:
-----------
Move state updates to last in RP verification steps
The state should be updated only after verifying the signature. This change will
be useful for the devicePubKey branch.
Commit: 76e4a16631753ffdc5c0d06382ae728d7a309ca1
https://github.com/w3c/webauthn/commit/76e4a16631753ffdc5c0d06382ae728d7a309ca1
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Mention RFC8152 for original COSE Algorithms registry
See: https://github.com/w3c/webauthn/pull/1804#pullrequestreview-1117070769
Commit: e0d10dd63207720e1fb42f96515ab9fe2b442248
https://github.com/w3c/webauthn/commit/e0d10dd63207720e1fb42f96515ab9fe2b442248
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1805 from w3c/issue-1752-incorrect-options-variable
Fix incorrect use of options variable: rename to pkOptions
Commit: 6b92f43960c1b8d23ec365b20d01bdbce47aa3f6
https://github.com/w3c/webauthn/commit/6b92f43960c1b8d23ec365b20d01bdbce47aa3f6
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1796 from w3c/issue-1794-broken-refs
Fix broken cross-spec references
Commit: c7a3c121e7297fa8f8eda489fd4b3cfda6083e66
https://github.com/w3c/webauthn/commit/c7a3c121e7297fa8f8eda489fd4b3cfda6083e66
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1768 from w3c/pr-1737-fixup
Fix dangling language in WebAuthn Extensions section
Commit: d5873cf2a7ee4ba4a97c5f336c2b480926a59eae
https://github.com/w3c/webauthn/commit/d5873cf2a7ee4ba4a97c5f336c2b480926a59eae
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-10-05 (Wed, 05 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1807 from w3c/verify-assertion-update-order
Move state updates to last in RP verification steps
Commit: 008b979e234ac939138606b469d136f9c2ad6026
https://github.com/w3c/webauthn/commit/008b979e234ac939138606b469d136f9c2ad6026
Author: Emil Lundberg <emil@yubico.com>
Date: 2022-10-06 (Thu, 06 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge pull request #1804 from w3c/issue-1802-new-cose
Replace obsolete RFC8152 with RFC9052 and RFC9053
Commit: 8a6daecd998e3144a4a3e17629919a1c2d110327
https://github.com/w3c/webauthn/commit/8a6daecd998e3144a4a3e17629919a1c2d110327
Author: Nina Satragno <nsatragno@gmail.com>
Date: 2022-10-07 (Fri, 07 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Conditional request allowList credential filtering (#1810)
Allow filtering credentials during conditional requests by passing an
allowList to navigator.credentials.get. This allows relying parties who
know who the user attempting to authenticate is (e.g. because they
entered their username) to have autofill only show credentials for that
user. See the bug for a description of use-cases.
Fixes #1793
Commit: 6ae32a0bc0722f1f1e32a9eb89e57f6f09996586
https://github.com/w3c/webauthn/commit/6ae32a0bc0722f1f1e32a9eb89e57f6f09996586
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-10-07 (Fri, 07 Oct 2022)
Changed paths:
M index.bs
Log Message:
-----------
Merge branch 'main' into dpk
Compare: https://github.com/w3c/webauthn/compare/f7808700683c...6ae32a0bc072
Received on Friday, 7 October 2022 19:34:43 UTC