- From: Itakura, Keiko <keiko.itakura@rakuten.com>
- Date: Mon, 12 Sep 2022 02:46:37 +0000
- To: "nadalin@prodigy.net" <nadalin@prodigy.net>, 'W3C Web Authn WG' <public-webauthn@w3.org>, 'John Fontana' <jfontana@yubico.com>, "'Phillips, Addison'" <addison@lab126.com>, 'Christiaan Brand' <cbrand@google.com>, 'Ian Jacobs' <ij@w3.org>
- Message-ID: <TYZPR03MB577572C32DF1A1BCE19B3B56FB449@TYZPR03MB5775.apcprd03.prod.outlook.com>
Hello,
I raised issues related to the DPK. Hope someone can answer!
https://github.com/w3c/webauthn/issues/1799
[https://opengraph.githubassets.com/6fb7460d9b6eda821ed998424f2f5ebaecb5e562b92d7f2d2e2756c1703ebcdb/w3c/webauthn/issues/1799]<https://github.com/w3c/webauthn/issues/1799>
Requirements for attestation for DPK · Issue #1799 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1799>
Based on discussions with various RPs as well as system integrators for RPs, here are the requirements for attestation for DPK (device-bound public key). If DPK is supported, 1. an attestation stat...
github.com
Best regards,
Keiko
________________________________
From: nadalin@prodigy.net <nadalin@prodigy.net>
Sent: Wednesday, September 7, 2022 4:38 AM
To: 'W3C Web Authn WG' <public-webauthn@w3.org>; 'John Fontana' <jfontana@yubico.com>; 'Phillips, Addison' <addison@lab126.com>; 'Christiaan Brand' <cbrand@google.com>; 'Ian Jacobs' <ij@w3.org>
Subject: 09/07/2022 W3C Web Authentication Meeting
[EXTERNAL] This message comes from an external organization.
Here is the agenda for the 09/07/2022 W3C Web Authentication WG Meeting, that will take place as a 60 minute teleconference. Remember call is at NOON PDT
Select scribe please someone be willing to scribe so we can get down to the issues
1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
2. First Public Working Draft of Level 3 has now been published, https://www.w3.org/TR/webauthn-3/
3. Publish WD01 Discussion
4. TPAC Face to Face meeting update (Monday), don’t forget to register
5. TPAC Agenda
6. TPAC Face to Face Joint Meetings (Tuesday)
1. SPWG Update (John B.)
2. L3 WD01 open pull requests and open issues
Pull requests · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-01>
* Fix inconsistencies in backup state flags by emlun · Pull Request #1772 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pull/1772>
* Add "Code injection attacks" security consideration by emlun · Pull Request #1733 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pull/1733>
* device public key extension by equalsJeffH · Pull Request #1663 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pull/1663>
* Add recovery extension by emlun · Pull Request #1425 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/1425>
Pull requests · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
1. Improve guidance around using UV by emlun · Pull Request #1774 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pull/1774>
2. Extract Credential Record abstraction by emlun · Pull Request #1773 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/1773><https://github.com/w3c/webauthn/pull/1774>
3. Fix dangling language in WebAuthn Extensions section by emlun · Pull Request #1768 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pull/1768>
Issues · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-01>
* Which "pubKeyCredParams" to use? · Issue #1757 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1757>
* Conditional Mediation feature discovery should really return a promise · Issue #1745 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1745>
* Should enterprise attestation support be flagged explicitly? · Issue #1742 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1742>
* Attestation on Get Assertion · Issue #1741 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1741>
* Inconsistencies in backup state flags · Issue #1740 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1740>
* Discussing mechanisms for enterprise RP's to enforce bound properties of credentials · Issue #1739 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1739>
* Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1735>
* Update top level use cases to account for multi-device credentials · Issue #1720 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1720>
* Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1719>
* RP operations: some extension processing may assume that the encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1711>
* Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1710>
* Switch to permissive copyright license? · Issue #1705 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1705>
* Platform Errors for attestations. · Issue #1697 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1697>
* should reference "attestation statement format" registry instead of "extensions" registry · Issue #1689 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1689>
* Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1688>
* Provide request deserialization, response serialization · Issue #1683 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1683>
* Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1678>
* Synced Credentials · Issue #1665 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1665>
* Device-bound key extension · Issue #1658 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1658>
* Cross-origin credential creation in iframes · Issue #1656 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1656>
* Trailing position of metadata · Issue #1646 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1646>
* [Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1645>
* Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1644>
* Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1643>
* Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1642>
* U+ notation incorrect · Issue #1641 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1641>
* Syncing Platform Keys, Recoverability and Security levels · Issue #1640 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1640>
* Possible experiences in a future WebAuthn · Issue #1637 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1637>
* reference CTAP2.1 PS spec and fix broken link · Issue #1635 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1635>
* Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1633>
* CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1631>
* Support for remote desktops · Issue #1577 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1577>
* Prevent browsers from deleting credentials that the RP wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1569>
* Support a "create or get [or replace]" credential re-association operation · Issue #1568 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1568>
* Questions about user handle when supporting usernameless · Issue #1559 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1559>
* Move step 16 of Registration to between 21 and 22 · Issue #1555 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1555>
* Adding info about HSTS for the RPID to client Data. · Issue #1554 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1554>
* Add support for non-modal UI · Issue #1545 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1545>
* Making PublicKeyCredentialDescriptor.transports mandatory · Issue #1522 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1522>
* double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn (github..com)<https://github.com/w3c/webauthn/issues/1492>
* cleanup <pre class=anchors> and use <pre class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1489>
* Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1484>
* Move PRF Extension into its own specification · Issue #1462 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1462>
* Personal information updates & webauthn · Issue #1456 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1456>
* Requesting properties of created credentials. · Issue #1449 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1449>
* PublicKeyCredentialParameters can't select curve (E.g. ed448) · Issue #1446 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1446>
* "privacy ca" term in images/fido-attestation-structures.svg · Issue #1421 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1421>
* More explicitly document use cases · Issue #1389 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1389>
* Addition of a network transport · Issue #1381 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1381>
* Minor cleanups from PR 1270 review · Issue #1291 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1291>
* Specify authenticator attachment for authentication operation · Issue #1267 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1267>
* Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1258>
* add feature detection blurb... · Issue #1208 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1208>
* think about adding note wrt how client platform might obtain authenticator capabilities · Issue #1207 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1207>
* Update name, displayname and icon for RP and user · Issue #1200 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1200>
* export definitions? · Issue #1049 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1049>
* ReIssues · w3c/webauthn (github.com)covering from Device Loss · Issue #931 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/931>
* undefined terms and terms we really ought to define · Issue #462 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/462>
Issues · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
1. Support Filtering by Username in Conditional UI · Issue #1793 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1793>
2. Must assertions with attestation include attested credential data? · Issue #1792 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1792>
3. Enforce backup eligibility during assertion · Issue #1791 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1791>
4. Specify what happens when a WebAuthn request is issued while there is another one in progress · Issue #1790 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1790>
5. Credential discovery is unclear · Issue #1789 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1789>
6. Add ability to query for feasibility of registering a credential that is backup eligible · Issue #1788 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1788>
7. continuous assertion · Issue #1785 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1785>
8. Add SM2 Digital Signature Algorithm Support · Issue #1783 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1783>
9. Facility for an RP to indicate a change of displayName to a discoverable credential · Issue #1779 · w3c/webauthn (github.com)<https://github..com/w3c/webauthn/issues/1779>
10. Extend WebAuthn spec to support interoperability in WebExtensions · Issue #1766 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1766>
11. Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). · Issue #1761 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1761>
12. Platform authentication registration promotion when the user has authenticated with the external authenticator · Issue #1759 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1759>
13. Incorrect use of `options` variable in `create()` and `get()` definitions · Issue #1752 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1752>
14. Split the standard by focus driven use cases. · Issue #1751 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1751>
15. How to declare that a registration only awaits for a Security Key? · Issue #1750 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1750>
16. Use aPAKE/OPAQUE for FIDO multi-device credentials (PassKey) · Issue #1747 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1747>
17. Spec abstract is out of date on the eve of multi-device credentials and cross-device auth · Issue #1743 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1743>
18. Cross origin authentication without iframes (accommodating SPC in WebAuthn) · Issue #1667 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1667>
4. Other open issues
5. Adjourn
Because of toll fraud issues MIT has been experiencing, I've been asked to change our call coordinates and password and, as an ongoing thing, not distribute the call coordinates publicly. That means not including the WebEx call number or URL in our agendas or minutes.
You can find the new call coordinates at this link, accessible with your W3C member login credentials.
https://www.w3.org/2016/01/webauth-password.html<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.org%2F2016%2F01%2Fwebauth-password.html&data=04%7C01%7Ctonynad%40microsoft.com%7C9cd59d2cfccb46b0986d08d82dcf4b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637309715629125857%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rRnXdea9sqPx%2B7Z8fbc7bv%2F5nY%2BLZStYSARGKVdH1pA%3D&reserved=0>
Get Outlook for Android<https://aka.ms/ghei36>
Received on Monday, 12 September 2022 03:17:12 UTC