- From: Matthew Miller via GitHub <noreply@w3.org>
- Date: Wed, 27 Aug 2025 22:20:23 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by MasterKale to https://github.com/w3c/webauthn:
* Initial packed enterprise attestation requirements.
by David Waite
https://github.com/w3c/webauthn/commit/bd15e8bdfad1becc7c7be606bcf83b4b09862791
* Clarify TPM attestation verification instructions
by Shane Weeden
https://github.com/w3c/webauthn/commit/c92aec35494e1df431ee558d0b593ad6b2904dd1
* Remove non-enterprise sepcific firmware version
This is separately proposed for general packed attestation verification.
by David Waite
https://github.com/w3c/webauthn/commit/6298db7ecdceb639e63037d5729edce86bfe049b
* abbreviate and link "RPs"
Co-authored-by: Emil Lundberg <emil@emlun.se>
by David Waite
https://github.com/w3c/webauthn/commit/d57cd65cd43cb686f52a0f225b62a26e51855904
* Merge remote-tracking branch 'origin/main' into enterprise-attestation-guidance
by David Waite
https://github.com/w3c/webauthn/commit/1a7096a9411a389e0ce83b74e650877f38187961
* Merge branch 'main' into enterprise-attestation-guidance
by David Waite
https://github.com/w3c/webauthn/commit/c86f2f870f453d75c5164a73c581ebe6491977bb
* Update per agl editorial comments
by David Waite
https://github.com/w3c/webauthn/commit/c294f84caf7dad88149d26decf86fe3b85bb5777
* Lowercase enterprise attestation in text.
Enterprise attestation is used elsewhere without capitalization, and it
could be said to be a characteristic and not a format like Packed.
Change "provisioned at manufacturing" to "provided at manufacturing" to
clarify difference from MDM-provisioned attestations.
by David Waite
https://github.com/w3c/webauthn/commit/9212bc492a2d5b303b93e7b107b26d81c835e0a5
* Update index.bs
Add topOrigin to the limited verification algorithm.
by philomathic_life
https://github.com/w3c/webauthn/commit/8d32e89b9ce1da93004c3bb1b24ea346a6093bbc
* remove manual Credential Options defs
by Tim Cappalli
https://github.com/w3c/webauthn/commit/5942577fcf0e20b3e2bfaf9cc80431c5f3953d21
* Specify topOrigin is optional in the defintions.
Co-authored-by: Emil Lundberg <emil@emlun.se>
by philomathic_life
https://github.com/w3c/webauthn/commit/9bb78e4f29bf19f5e224b94ba5641983c920f9ac
* remove geolocation ref
by Tim Cappalli
https://github.com/w3c/webauthn/commit/13e41f358831d517619ef9e97387a7279729305e
* Remove unused spec anchors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f4b107ea1d85a990d52038fdcdbb01ad1ccd21a6
* Merge link-defaults sections
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2bb75e5f6ef09c3e563701748cb8fcd8907dfbb0
* Remove unused link-defaults entries
by Emil Lundberg
https://github.com/w3c/webauthn/commit/aa9e07cd3d3ca0e57d50a5091224ccf3aed0bb7f
* Remove default resolution of [=item=] to [=struct/item=]
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f0c61012fc0c1e73d126cc1e08734444a601cf9e
* Make topOrigin verification backwards compatible with L2
by Emil Lundberg
https://github.com/w3c/webauthn/commit/213cb2444e984ea10cbe61bee293a394636e7fb3
* Infer crossOrigin argument from topOrigin
by Emil Lundberg
https://github.com/w3c/webauthn/commit/60fc0e8549bb3b14eee037a3f446d271dca04351
* Fix Credential*Options/PublicKeyCredential*Options confusion in RP ops
Analogue of 4800133de6cf06cb926106f35203fe5beb651598 for the RP operations.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/155810689f732369c79feace1cd8078ef1ac8b9f
* Clarify meaning of "unless" in UP flag validation
by Emil Lundberg
https://github.com/w3c/webauthn/commit/115c2f9372f903ee6b14526b6411f9dd6cd5028d
* Add editorial conventions section to CONTRIBUTING.md
by Emil Lundberg
https://github.com/w3c/webauthn/commit/512fe423085b6941031b14a6063908714c4ae945
* s/PublicKeyCredentialHints/PublicKeyCredentialHint
by Tim Cappalli
https://github.com/w3c/webauthn/commit/f911218be877ee47685602b8055b211ee6a503e6
* Update CONTRIBUTING.md
adding notes for non-member IPR commitment
by Simone Onofri
https://github.com/w3c/webauthn/commit/01c666afe3858040a1c3057d05aae13080ac2c36
* Merge pull request #2125 from w3c/rp-ops-options
Fix Credential*Options/PublicKeyCredential*Options confusion in RP ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8e0a69092a5af966e58172b9a2eaf17035964b7a
* Add Signal API
This commit adds a `PublicKeyCredential.signal` method that relying
parties can call to notify authenticators of changes on the
applicability or metadata of credentials.
Closes #1967
by Nina Satragno
https://github.com/w3c/webauthn/commit/e241e6d17f01d19295fab0b48f2f75d80f12671e
* Add first version of the algo and format
by Nina Satragno
https://github.com/w3c/webauthn/commit/b8a912e9c5d5174b97df538f8df8086d7cf6732e
* Update interface.
by Nina Satragno
https://github.com/w3c/webauthn/commit/9c9355a938b89496521580f32e4188bdbfd22d3b
* Have more flexibility for authenticators.
by Nina Satragno
https://github.com/w3c/webauthn/commit/8a8a06a4e47a4a42734ecb7d4537783020087dd4
* Polish
by Nina Satragno
https://github.com/w3c/webauthn/commit/c29e08ca46926a3520c42677c058bc9247d718b8
* make rpid required
by Nina Satragno
https://github.com/w3c/webauthn/commit/d44f313b8430549976f509e301d1a12a3f620d69
* Split signal API into three methods.
by Nina Satragno
https://github.com/w3c/webauthn/commit/02890af6cc70c7462b68647ac4968e4eeec04d5c
* emlun's comment
by Nina Satragno
https://github.com/w3c/webauthn/commit/70b267b53a4b45d7d3f0a96c3050b7bf3651fc5e
* Extra privacy considerations.
by Nina Satragno
https://github.com/w3c/webauthn/commit/a745490cff775084b86fade0bf95331a9d3e756f
* Allow unhiding credentials.
by Nina Satragno
https://github.com/w3c/webauthn/commit/00dd9c7b6de90fdbe6d9f1429c563414b7882b0c
* Update RPID validation
by Nina Satragno
https://github.com/w3c/webauthn/commit/0d990f75d49d236ce3f7f4750647ec0e66a88813
* Hiding > Deleting
by Nina Satragno
https://github.com/w3c/webauthn/commit/57815ac6b75d86e88fa50ceb2cc77aafde8daa39
* Drop the `id`
by Nina Satragno
https://github.com/w3c/webauthn/commit/84a97e45fd662d99131697c1b9a2963f59d715cf
* add to client capabilities
by Nina Satragno
https://github.com/w3c/webauthn/commit/4be9a4e2669869ee39055398ac429c97ea806198
* Add note comparing signal types
by Nina Satragno
https://github.com/w3c/webauthn/commit/981b278fc2d1430a86ac684cd55d99a056e83552
* Use CAPS for normative requirements
Co-authored-by: Emil Lundberg <emil@emlun.se>
by Nina Satragno
https://github.com/w3c/webauthn/commit/73ab0797d3924fefbfc225b8b54f782551603781
* Apply suggestions from code review
Notes are not normative.
Co-authored-by: Emil Lundberg <emil@emlun.se>
by Nina Satragno
https://github.com/w3c/webauthn/commit/e4a9de894f61f98b95c6008c539c3285494c8a0c
* Make alternative methods normative.
by Nina Satragno
https://github.com/w3c/webauthn/commit/1454bf79a74028faaaea3c2cb8ef936d1ba70313
* Update index.bs
Co-authored-by: Emil Lundberg <emil@emlun.se>
by Nina Satragno
https://github.com/w3c/webauthn/commit/40753fdc93609809489c25a1d8d94a1e68194f0b
* Address emlun's comments.
by Nina Satragno
https://github.com/w3c/webauthn/commit/74d3cf083752b38e2eb44285d95a7ddc18979afa
* Apply suggestions from code review
Co-authored-by: Tim Cappalli <tim@cappalli.me>
by Nina Satragno
https://github.com/w3c/webauthn/commit/7687a40fe85e7c69e1509cadae170c3a9e8baa3d
* Merge pull request #2131 from w3c/simoneonofri-contributing
Update CONTRIBUTING.md for non-member IPR commitment
by Simone Onofri
https://github.com/w3c/webauthn/commit/a871f796c591721c9556f119924ee29484b441f5
* Update obsolete privacy concerns about throwing errors early
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e0fb9b2326cc00a9331444f855af7b67375f020f
* Add dfn for passkey in passkey platform authenticator and export
by Tim Cappalli
https://github.com/w3c/webauthn/commit/06340fddf29944fffeb6d0700383d4d5192520e5
* first pass at use case updates
by Tim Cappalli
https://github.com/w3c/webauthn/commit/0e580b5f995b711b27efe56c1f528fd038fb7ce8
* Rename first-factor roaming authenticator and integrate passkey term in text
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ee25baebbe4390c8eea167072ad31d4ff03602ec
* add BE/BS steps to authData
by Tim Cappalli
https://github.com/w3c/webauthn/commit/ad88a31055c1c2e4af370ab86e1b876b180cdac7
* s/MUST not/MUST NOT
by Tim Cappalli
https://github.com/w3c/webauthn/commit/823ce16ac3ff854e85623d0b5d9ee5ae70ced0e8
* Clarify behaviour of duplicate hints
by Emil Lundberg
https://github.com/w3c/webauthn/commit/693a498452f4596c18f7a37e2ee39231333ee5bb
* Update index.bs
Co-authored-by: Emil Lundberg <emil@yubico.com>
by Tim Cappalli
https://github.com/w3c/webauthn/commit/caf217a1adb757202d854c335ddadfe0121fb16b
* Merge pull request #2141 from w3c/2064-tc-bebs-steps
Add BE/BS steps to authData generation
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2e757932a8584aad34dfc0593d9b728d6b602f8c
* Merge pull request #2127 from w3c/issue-2045-semantic-line-breaks
Codify semantic line breaks as editorial convention
by Michael B. Jones
https://github.com/w3c/webauthn/commit/54e634695e7dfdc41270eb129117bea70b9c1cf3
* Merge pull request #2138 from w3c/2136-tc-dfn-passkey
Adds dfn for passkey in passkey platform authenticator and exports
by Adam Langley
https://github.com/w3c/webauthn/commit/fb6351bd6cccce319531dc3638f3008738a16ac1
* Merge pull request #2104 from zacknewman/zacknewman-patch-1
Add topOrigin to the limited verification algorithm.
by Anthony Nadalin
https://github.com/w3c/webauthn/commit/403c2b3380a976ed162fc6833b3ee124adfc0e4f
* Merge remote-tracking branch 'origin/main' into enterprise-attestation-guidance
by David Waite
https://github.com/w3c/webauthn/commit/e9a482a826cd3445e6ed98718c3e7c78e5a6ce2f
* Added simplified text based on feedback
by David Waite
https://github.com/w3c/webauthn/commit/39733f08b59471c641abc458bd60fd05662bc704
* Merge pull request #2129 from w3c/2112-tc-hints-to-hint
Rename PublicKeyCredentialHints to PublicKeyCredentialHint
by Nick Steele
https://github.com/w3c/webauthn/commit/caefa8a1be35da86ce30e6205badd71f298011d6
* Remove prior bikeshed workaround
by David Waite
https://github.com/w3c/webauthn/commit/176ea8173cc571abf7fb787aaebed7ef84d31402
* Reword UP flag validation per review suggestion
by Matthew Miller
https://github.com/w3c/webauthn/commit/6cae8a57d3afbcc513a0ab2381866eae750a93a4
* Merge pull request #2126 from w3c/issue-2122-rp-up-conditional-clarify
Clarify meaning of "unless" in UP flag validation
by Emil Lundberg
https://github.com/w3c/webauthn/commit/0ca1c85f19c6a80b65c2c833b51b67699011e3f3
* Merge pull request #2145 from w3c/issue-2135-duplicate-hints
Clarify behaviour of duplicate hints
by Tim Cappalli
https://github.com/w3c/webauthn/commit/7cd62699eda269e44efe9584bc0dc661ac025d7f
* Merge pull request #1926 from sbweeden/sbweeden_1925
Clarify TPM attestation verification instructions
by Nick Steele
https://github.com/w3c/webauthn/commit/199dcdad48045aca69bab819bf54e0fe59aeb066
* Merge pull request #2134 from w3c/issue-2132-obsolete-privacy-cons
Update obsolete privacy concerns about throwing errors early
by Emil Lundberg
https://github.com/w3c/webauthn/commit/adf7a95537499f79ad72a76422836116387c246e
* Merge pull request #2149 from dwaite/remove-packed-bikeshed-workaround
Remove bikeshed workaround
by David Waite
https://github.com/w3c/webauthn/commit/ed636a2d166b0652f744ff321e0a893a2d60d1ef
* Merge pull request #1954 from dwaite/enterprise-attestation-guidance
Enterprise packed attestation guidance
by David Waite
https://github.com/w3c/webauthn/commit/efdf948e44720b848985820d2083196c590124ab
* Mark Android SafetyNet attestation as deprecated.
Google have
[announced](https://developer.android.com/privacy-and-security/safetynet/deprecation-timeline)
the deprecation of SafetyNet in general, and [specifically
for](https://android-developers.googleblog.com/2024/09/attestation-format-change-for-android-fido2-api.html)
WebAuthn.
This change adds a note in the SafetyNet section that it may be removed
in a future revision of the spec.
by Adam Langley
https://github.com/w3c/webauthn/commit/bcd428d84e3f0094fc75a77aa45985bd4e0ff9f9
* Deprecate rp.name
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2e2e3c6dc421a89a6801233f724cbd33bc4f0ef5
* Fix CredentialRequestOptions hyperlink
by philomathic_life
https://github.com/w3c/webauthn/commit/ae49b8200c5fadbbf60be748afee0f96813353d2
* Add aliased link texts for "human palatability"
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e2ab213df8a99fc976cea08dbde42bfcf6851f3c
* Add [credential record/authenticatorDisplayName] handling to RP operations
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8b137245bcf3667fd2909063eda0411eced38a5c
* Fix Unicode example syntax
by Emil Lundberg
https://github.com/w3c/webauthn/commit/434a77fb9578bc2c5d70a31c60b6588343063e28
* Validate CollectedClientData.crossOrigin in RP ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/561144ed0cf95123e66dcf68703db4a3084cd6d3
* Move extension processing to after signature verification
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3fb838eb5ece8dc1855e2710ba246ce2d7bcc56b
* Fix reference to step 22 in Create()
by Emil Lundberg
https://github.com/w3c/webauthn/commit/cf7202ba2b56d041ac9cf1e773919fd15e65f8c5
* Modernize extension processing step of RP ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1ba9322f3375d2946a50a6f354ebe954cff55417
* Remove NOTE from normative caveats on extension processing
by Emil Lundberg
https://github.com/w3c/webauthn/commit/560fe0e3567875ca6e7e12d70e69f565d5ef156b
* Don't return an algorithm from [[DiscoverFromExternalSource]]
This initialization of |settings| and |global| is copied from the equivalent
steps of [§2.5.4. Create a Credential][1] in CredMan, which sets the arguments
used to invoke the |constructCredentialAlg| in WebAuthn's [[Create]]:
>Let |settings| be the [current settings object][2].
>
>Assert: |settings| is a [secure context][3].
>
>Let |global| be |settings|’ [global object][4].
[1]: https://w3c.github.io/webappsec-credential-management/#algorithm-create
[2]: https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object
[3]: https://html.spec.whatwg.org/multipage/webappapis.html#secure-context
[4]: https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bdcb938b242ff8b7a9ec74f1afdfcc54a14cc3c1
* Fix reference to extensions input in get()
by Emil Lundberg
https://github.com/w3c/webauthn/commit/4866b1390a1ea511d9aa67f53d8eae5a75383939
* Acknowledge Simone Onofri and Philippe Le Hégaret as W3C Team Contacts
by Emil Lundberg
https://github.com/w3c/webauthn/commit/9e0fe6ae6f8484007d8df50fe45f6b26d88a205f
* Acknowledge Zack Newman for reviews and contributions
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3b5a8d1e253f0eff76f26ee5d20d472d1c710520
* Add test vectors for PRF extension
by Emil Lundberg
https://github.com/w3c/webauthn/commit/37dacdae7de4a08b08b99a10843c37fb7babb418
* Apply review suggestion
Co-authored-by: Adam Langley <agl@google.com>
by Emil Lundberg
https://github.com/w3c/webauthn/commit/fe68eaec8f4402d98c329deb737a8766d90035b9
* Add userName and userDisplayName to webdriver
This PR adds the userName and userDisplayName properties to the
webdriver's credential parameters. These properties are useful to test
the new signalCurrentUserDetails method, both on WPTs and for web
developers.
Closes #2143
by Nina Satragno
https://github.com/w3c/webauthn/commit/96ed2bd5dbbc6aa66e9ea7b9adf3a8c66ec260e0
* Merge pull request #2173 from w3c/issue-2170-ack-zacknewman
Acknowledge Zack Newman for reviews and contributions
by Emil Lundberg
https://github.com/w3c/webauthn/commit/333861889d0840806d6db2ea334d154dc19bc59a
* Merge pull request #2171 from w3c/ack-simoneonofri-plehegar
Acknowledge Simone Onofri and Philippe Le Hégaret as W3C Team Contacts
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8da6300be11ed30d362b01fcc670f87bea57dac7
* Merge pull request #2161 from zacknewman/CredentialRequestOptions-hyperlink
Fix CredentialRequestOptions hyperlink
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bd799352b8efc8af773868010eba926b414770bb
* Merge pull request #2155 from w3c/safetynetdeprecate
Mark Android SafetyNet attestation as deprecated.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/5831a2c9b2cc7765a24309f14db027a6f1bffa65
* Use <xmp> instead of <pre>, fixing CDDL highlighting
Using <pre> causes some single quotes in the CDDL examples to be converted into
"’" (U+2019) instead of "'" (U+0027), which is incorrect CDDL and also breaks
the CDDL syntax highlighting.
See the [Bikeshed documentation][1] for more on using `<xmp>`.
[1]: https://speced.github.io/bikeshed/#xmp
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ebfe871f78f5d5be6cefecabf5a723b119dacae2
* Consistently use <xmp> instead of <pre> for code examples
Using `<pre>` sometimes causes some characters to be converted into others. This
is especially apparent in CDDL examples, where for example the first single
quote in `foo = h'001122'` gets converted into "’" (U+2019) instead of
"'" (U+0027), which is incorrect and also breaks CDDL syntax highlighting.
See the [Bikeshed documentation][1] for more on using `<xmp>`.
[1]: https://speced.github.io/bikeshed/#xmp
by Emil Lundberg
https://github.com/w3c/webauthn/commit/41c514f6e1db4b4aaba77c3145990f0f99c5bd7b
* Fix syntax highlighting tags
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ef54852bf773d82174798bfff3e87469380db325
* Use 0x0a instead of 0x10 as 11th test vector PRNG index
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c2395cbbb6351654ef1a2d40ceba252ca73d4683
* Fix order of middle bytes in Uint32Array example
by Emil Lundberg
https://github.com/w3c/webauthn/commit/b953fed1340f3c97096444960c6107c07cebb442
* Escape single quote in CDDL-style byte string literal in <code>
by Emil Lundberg
https://github.com/w3c/webauthn/commit/a23151753ccc9857a00831250b196828c84907e3
* Address #2172
by Shane Weeden
https://github.com/w3c/webauthn/commit/85717cce29586ec9fec3bf75bbb00da8ee39e4c6
* Merge pull request #2159 from w3c/issue-2121-rp-name
Deprecate rp.name
by Shane Weeden
https://github.com/w3c/webauthn/commit/1e2256dae3c7f0dedc2f87ff66494c6b3f274518
* Fix create-to-get copy-paste error
by Emil Lundberg
https://github.com/w3c/webauthn/commit/aa8728aa5504769fce9c0fe765a8815f0a77e24b
* Move <dfn> of [[Create]] to heading like [[DiscoverFromExternalSource]]
by Emil Lundberg
https://github.com/w3c/webauthn/commit/70fb37a378e50943f1652195d7420452f061807c
* Extract macros for referring to [[Create]] and [[DiscoverFromExternalSource]]
This also fixes some inconsistencies in parameter lists between references to
these methods.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/6744192e08e90fd90f2636e0ad076d19daf8e132
* Merge pull request #2165 from w3c/issue-1641-unicode-syntax
Fix Unicode example syntax
by Emil Lundberg
https://github.com/w3c/webauthn/commit/386ad79021e52c2ef660009e54b13e5f1ba91625
* Drop definition "User Credential" unused since 2ec45f8b34638b0c62bb4208507bc4a76cd0ef4f
by Emil Lundberg
https://github.com/w3c/webauthn/commit/5887b9f253fcc738db8a5c66818bb3ad954bc84f
* Fix typo in reference to variable |effectiveDomain|
Fixes this Bikeshed lint:
```
LINE ~3100: The var 'effective domain' (in global scope) is only used once.
If this is not a typo, please add an ignore='' attribute to the <var>.
```
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1fcb7aad5898035244ecc26a96da3074e8d6a516
* Add warning about sending PRF outputs to server
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8c6827e6b9dd1dc602b0bb2aad40fab95c75118f
* Remove apparent reference to non-existent [[Get]] internal method
by Emil Lundberg
https://github.com/w3c/webauthn/commit/39da7b119eabee3b75529586712f28be22cf51de
* Change "Method" to "Internal Method" in headings where appropriate
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c258674eceafbb05545f596cb37b3703b3fbc931
* Simplify reference to default [[CollectFromCredentialStore]]
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8d76185ae7b8c0a3069872fbd1f8d3789b5bfb94
* Add reference to #sctn-discover-from-external-source from discussion of get() internals
by Emil Lundberg
https://github.com/w3c/webauthn/commit/068d7f56764c6a48d7de74f7fcf99267a2b726b1
* Merge pull request #2180 from w3c/issue-2169-no-credman-get
Remove apparent reference to non-existent [[Get]] internal method
by Michael B. Jones
https://github.com/w3c/webauthn/commit/9942c9cefccb1d5006bb104a61b22e8faae4423b
* Merge pull request #2179 from w3c/internal-method-macros
Extract macros for referring to [[Create]] and [[DiscoverFromExternalSource]]
by Michael B. Jones
https://github.com/w3c/webauthn/commit/b253c3b1e4ddfbb9575c8a9677d9126d8d13017d
* Merge pull request #2175 from w3c/example-code-xmp
Fix encoding and syntax highlighting of example code
by Michael B. Jones
https://github.com/w3c/webauthn/commit/cfa73332d4aeed226074903ae09508cb2b39177a
* Merge pull request #2174 from w3c/issue-2088-prf-test-vectors
Add test vectors for PRF extension
by Nick Steele
https://github.com/w3c/webauthn/commit/d9204428c6d92ec1a0712110939cdf8156bc1818
* Merge pull request #2168 from w3c/issue-1984-get-return-alg
Don't return an algorithm from [[DiscoverFromExternalSource]]
by Nick Steele
https://github.com/w3c/webauthn/commit/9f20a4d3a7fa8163432627f7b909e5c6871211f0
* Merge pull request #2182 from w3c/lint-var-effective-domain
Fix typo in reference to variable |effectiveDomain|
by Michael B. Jones
https://github.com/w3c/webauthn/commit/1fcb5c2cef539021f7ed9339753b886475feb69e
* Merge pull request #2181 from w3c/lint-unused-def-user-credential
Drop definition "User Credential" unused since PR #2109
by Michael B. Jones
https://github.com/w3c/webauthn/commit/7e716a14c14eeecd3dd26b871eb713c194fc1e01
* No credentials or referrer for RoR well-known
by Tim Cappalli
https://github.com/w3c/webauthn/commit/875486f36312ffe907c25ba8b9ad520aad94c59e
* require HTTPS scheme for all well-known calls and redirects
by Tim Cappalli
https://github.com/w3c/webauthn/commit/241833d9b964e4b4c5b1a82e04d23d9ae9038d77
* Update index.bs
accepting line breaks as elum suggested
Co-authored-by: Emil Lundberg <emil@emlun.se>
by Shane Weeden
https://github.com/w3c/webauthn/commit/8c2cfdd4a7e6fec4eef91c31f2b0fc0ef972eef6
* Merge pull request #2176 from sbweeden/sweeden_2172
Non-incrementing signature counters could be due to race condition
by Shane Weeden
https://github.com/w3c/webauthn/commit/3154b78e210e6e498b8a34daa587f9159ca6ad2f
* Clarified signing and verification procedures for TPM attestation
by Monty Wiseman
https://github.com/w3c/webauthn/commit/8d690aa48c5dd5ed23de4724aa8a302e6ae9a4de
* Minor formatting fixes
by Monty Wiseman
https://github.com/w3c/webauthn/commit/e51255db9de99e86544b02771940b7b471a7c3f7
* Add note that qualifiedSigner, clockInfo, and firmwareVersion may be obfuscated.
by Monty Wiseman
https://github.com/w3c/webauthn/commit/4d5c9ea96b0a81692436b9f535a4d2f2d0420ffc
* Change verify to check sig of certInfo before processing it
by Monty Wiseman
https://github.com/w3c/webauthn/commit/73435ba83e68f4d669c52beeff2db69d168203d1
* Disallow HardwareModuleName in attestation certificate's SAN. Update referece to EK-Profile to current version.
by Monty Wiseman
https://github.com/w3c/webauthn/commit/96e5e072fa1cfcf22fcaca25af3a5997b2f06460
* Merge branch 'main' into issue-2156-rp-ops-authenticatorDisplayName
by Emil Lundberg
https://github.com/w3c/webauthn/commit/43697f7e388b8d995b55dfde19a83a45c723a67c
* Merge pull request #2163 from w3c/issue-2156-rp-ops-authenticatorDisplayName
Add [credential record/authenticatorDisplayName] handling to RP operations
by Emil Lundberg
https://github.com/w3c/webauthn/commit/d6b0d2cedc94865c7ff6141417b628e7600e767f
* Merge pull request #2166 from w3c/issue-2113-rp-ops-crossOrigin
Validate CollectedClientData.crossOrigin in RP ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3c506d45dc133046028f8dec18eb8ab77d6e1fbd
* Merge pull request #2183 from w3c/issue-2178-prf-warning
Add warning about sending PRF outputs to server
by Emil Lundberg
https://github.com/w3c/webauthn/commit/406ec42a3b8667405f4b9056efa49808c0f5aaac
* Correct spelling
by Monty Wiseman
https://github.com/w3c/webauthn/commit/1314870b7b60a00ceee1a1f3598c3b8085b7d70c
* Merge branch 'w3c:main' into main
by Monty Wiseman
https://github.com/w3c/webauthn/commit/21d38c0acecbf5fc4e608e379e07b71999793321
* Merge branch 'main' into issue-1711-ext-proc-before-sig-verify
by Emil Lundberg
https://github.com/w3c/webauthn/commit/34b98ecedf2b80ab7114ef80b2c662755977166c
* Merge pull request #2167 from w3c/issue-1711-ext-proc-before-sig-verify
Move extension processing to after signature verification, and modernize it
by Emil Lundberg
https://github.com/w3c/webauthn/commit/92e101570d4b1f06121b3f7d3215cc68e5da4019
* Delete authenticatorDisplayName
by Emil Lundberg
https://github.com/w3c/webauthn/commit/26ae8150418cbfc2b9c48042d9607d8bf4b6d64a
* Move RP ID related definitions outside Note
by Emil Lundberg
https://github.com/w3c/webauthn/commit/beca3e1f550dddd23cf381199bd3fa2d5075d1e7
* Drop outdated "Issue 1" from spec
This issue was originally added in commit
931b46eece69f5d780ce4b317e3a377a3a67f85c in 2017. The referenced discussion
seems to have stalled shortly thereafter, so this issue is most likely no longer
relevant.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e2923ba1e40d3a8a82a04685dbde14e9acc37be4
* Further clarification of nameAlg in TPMS_CERTIFY_INFO structure and PublicArea
by Monty Wiseman
https://github.com/w3c/webauthn/commit/9618b97762365855aa2d52e1992a1ab66cc1f8dc
* Un-Note normative note about performing UV within authenticator boundary
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e515fb767b6b8d49549049ed6053e57e4bf9739b
* Fix emphasis markup
by Emil Lundberg
https://github.com/w3c/webauthn/commit/cc8c0f615275993eea63d31349e8d1ee7f706ccd
* Fix and un-Note note about constraints on credential ID length/format
by Emil Lundberg
https://github.com/w3c/webauthn/commit/33f825951d1dcf5bd781649b18deb1dfebee8b25
* Un-Note note with requirements on snapshotting BufferSources in create()
by Emil Lundberg
https://github.com/w3c/webauthn/commit/0ea765373aed2e962439eb691a5bd29a86aaff40
* Convert Note about top origin warning to normative algorithm step
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2da634d590db86056e7eea5e96491af417fff0fc
* Un-Note normative note about cognitive guidelines on timeout
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e51728794dbc1d87699b9583fe60ab71239484ec
* Un-Note note with requirements on snapshotting BufferSources in get()
by Emil Lundberg
https://github.com/w3c/webauthn/commit/74b0259913f7475f7e9373aa5ecd2604b24e6c8e
* Un-Note normative note about cognitive guidelines on timeout
by Emil Lundberg
https://github.com/w3c/webauthn/commit/0378481e22908d4d2b75e576c31e53dbb2a54050
* Un-Note normative note about discoverable credential prompt
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1298e51b023fe9a1f607b1c5354134386bccf1dc
* Rephrase procedure to prompt to choose DiscoverableCredentialMetadata
by Emil Lundberg
https://github.com/w3c/webauthn/commit/18e39e9741a64026fca0459dd665875202001290
* Un-Note normative note about client capabilities not covering authenticator extensions
by Emil Lundberg
https://github.com/w3c/webauthn/commit/7d5efb67ee427da8696a7527aa91708dbc4700d9
* Un-Note normative note about preferring to hide credentials
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ae5cf835da4326ef86cda335b3ebb6922c00b74e
* Rephrase recommendation to prefer hiding credentials
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1e327a2fb335a13488c6311318cad4d09a1ada80
* Change "may" to "might" to make it less normative-looking
by Emil Lundberg
https://github.com/w3c/webauthn/commit/69e804ac84210a108fe2da1bbed7c1cca3450577
* Un-note normative part of note about getPublicKey() etc backward-compatibility
by Emil Lundberg
https://github.com/w3c/webauthn/commit/56b7fe83db61b0595d5dd6137e7e77a385fdf357
* Un-note normative recommendation against constant user handle
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f2bf8dac732fc20350554fef6ae74c93e4f7c9ac
* Remove normative language from note about no attachment option in get()
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3365ff7c2d7213371409800c9a32b4a4cf7cbf39
* Un-Note normative note about not ignoring all allowCredentials
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bc4ba5b08da62841fae277e7d39dbf2707a7a90a
* Fix grammar
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8c9bf0493e69b46cd4688d43fe4d73c40e8bc52e
* Fix leading lowercase
by Emil Lundberg
https://github.com/w3c/webauthn/commit/75fc32d917483e2d937f13cbdd70af0e3d1ce9a3
* Un-Note normative notes about aborting other authenticator operations
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f3fdceb8a91a2dca00573e7e61a8de0b88eff54d
* Make note about equivalent UTF-8 decode non-normative
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bfc59b442d9cf2cc217e372233fe898a350c2b0b
* Rewrite normative note about not failing untrusted attestation
by Emil Lundberg
https://github.com/w3c/webauthn/commit/13d750bef184fbe4d3411e2a314cdf60c5fb6dbf
* Make note about domain-based attestation statement format identifiers non-normative
by Emil Lundberg
https://github.com/w3c/webauthn/commit/81dd166ef892c14ba2bcf37913af946c2c33069a
* Make note about extension identifiers non-normative
by Emil Lundberg
https://github.com/w3c/webauthn/commit/30cadd4c8df8a999ba25dd2475654e77553c6b8d
* Un-Note normative note about minimizing authenticator extension inputs
by Emil Lundberg
https://github.com/w3c/webauthn/commit/7df2c26e6fa76100019e81f01f10643416a62e61
* Convert "Note:" to uppercase to match Bikeshed macro
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bb2e3295e345bb2613ba1a881f9267264b8c2a38
* Unify markup of multi-paragraph NOTEs
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e3c1b5008df37eceec5dd130a7db6992170bbae9
* Add editor's note about autofill token order requirements not being ours
by Emil Lundberg
https://github.com/w3c/webauthn/commit/72d47d07a3da8c653c0844071c9ccdda0b388d07
* fixup! Fix and un-Note note about constraints on credential ID length/format
by Emil Lundberg
https://github.com/w3c/webauthn/commit/476e46b2e0c92e199c07658a80b0da0a456fe879
* Revert extending credProps to apply to authentication ceremonies
This reverts commits 76e88e1d80947284a422894fe81d686f478ed67b and
2472df637429f96be24dcb361df087c1cbaa50bb.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1ef1781f943af27deb2491180e0ab5e3d3c09eb4
* Restore note that only one credential property is defined
by Emil Lundberg
https://github.com/w3c/webauthn/commit/9ac5dad2ef0b3cf8cac29b06996a257b0c6b78a6
* Fix undefined reference to client-side discoverable credential property
by Emil Lundberg
https://github.com/w3c/webauthn/commit/92ccb542574e532ad33a4d2e0913224599b91251
* Merge pull request #2193 from mwiseman-byid/main
Clarify use creating and verifying TPM attestation statements.
by Shane Weeden
https://github.com/w3c/webauthn/commit/0633494704a6319cdfd7b03fb8ff782e01e5b481
* Merge pull request #2186 from w3c/tc-relatedorigins-tweaks
Mozilla feedback: Related Origins
by Tim Cappalli
https://github.com/w3c/webauthn/commit/b287006438e4522132b0b6419ace3818d914f984
* Merge pull request #2194 from w3c/issue-2187-drop-credentialRecord-authenticatorDisplayName
Delete authenticatorDisplayName
by Emil Lundberg
https://github.com/w3c/webauthn/commit/fd53e2c3d890118f7dd022a143927b815073f441
* Merge pull request #2195 from w3c/stalled-spec-issue-1
Drop outdated "Issue 1" from spec
by Michael B. Jones
https://github.com/w3c/webauthn/commit/814e03a24c87b89e3500758370f572038ff9a10f
* Update index.bs
Allow the passing of the aaguid for all Authenticators, not just the platform ones.
by John Bradley
https://github.com/w3c/webauthn/commit/5d74429fba21da5c194489e7d74c14efc220b7cf
* Small tweak to PR template
Adds missing close paren
by Tim Cappalli
https://github.com/w3c/webauthn/commit/0bf6ddb51db0e4293c857b54bcfef7b7781370b9
* Merge pull request #2199 from w3c/ve7jtb-Fix-2198-WebAuthn-Clients-should-NOT-zero-out-AAGUIDs-from-security-keys-when-attestation-is-none-
WebAuthn Clients should NOT zero out AAGUIDs from security keys when attestation is none
by Emil Lundberg
https://github.com/w3c/webauthn/commit/654d38406a07133d2788a316f4f590a40578159b
* Merge pull request #2200 from w3c/timcappalli-patch-1
chore: Small tweak to PR template
by Tim Cappalli
https://github.com/w3c/webauthn/commit/e2987a9e30186cf588ad262a904b535b896aaaee
* Add test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/6737d23798f11e8574086464eeb7a5adfbc81a0c
* Move PRF test vectors to Test Vectors section
by Emil Lundberg
https://github.com/w3c/webauthn/commit/d8898af4bd35630f687892d2993a77fc48bea49a
* Add blurb about why PRF test vectors have two sections
by Emil Lundberg
https://github.com/w3c/webauthn/commit/643273b0c000051fe42d9ba1e9d76675352e14bc
* Re-order test vectors for better legibility
by Emil Lundberg
https://github.com/w3c/webauthn/commit/83772885bd493a9b99a8db0368ace7fae829e97d
* Merge pull request #2197 from w3c/level3
Merge branch 'level3' into branch 'main'
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3bba180028005ff7cbb60ae4cff6330dde0398a0
* Clarify behaviour of duplicate pubKeyCredParams and attestationFormats
by Emil Lundberg
https://github.com/w3c/webauthn/commit/dcf0ddb03bece66e6b2618b7422238ed12193761
* Use same wording of preference order for attestationFormats as pubKeyCredParams
by Emil Lundberg
https://github.com/w3c/webauthn/commit/eb13ee19cb4647991bbde2bb9da5685fe8fde0cd
* Merge branch 'main' into issue-1979-notes
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e1428eee68bf3cae8cb485267a114f1824c8d962
* Store credential record last in RP registration ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2b9d8af35e2843dc2dd60dcf95664567d12f3575
* Update credential record last in RP authentication ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/4d7da39e950b3add1be49f509fac6ece29896fb1
* Equalize wording of last step of RP assertion ops with registration ops
by Emil Lundberg
https://github.com/w3c/webauthn/commit/91cd386e2f1b580f31329b68b17c6be156275a10
* Fix reference to $$attStmtType in definition of attestation statement formats
by Emil Lundberg
https://github.com/w3c/webauthn/commit/804cece99aa047cc2c84af0d484e1a357cd88050
* Formalize attStmtTemplate as more correct CDDL
I don't think the expression `attStmtTemplate .within $$attStmtType`
successfully encodes the intent "Every attestation statement format must have
the above fields", for two reasons: it does not define a CDDL rule since it
contains no = sign, and even if it did, the `.within` control operator would apply
only to the new type defined by that rule, but not to the `attObj` type.
CDDL generally makes a distinction between types and groups, and only mentions
control operators applying to types, so I don't think we can apply `.within` to
`$$attStmtType` directly. This is why we need to duplicate the `authData` field
in `attStmtTemplate`.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e6a998eb823871d7f6f7d51ebd0bfe4b8cdc68d2
* Allow attStmt to be of array type
This is required by the new "compound" attestation statement format.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/9b161676e556d1f855d4bfc3b9819bf32e2227fd
* Fix .within operator in nonCompountAttStmt
[CDDL][1] defines that:
>A map matches a specification given as a group when the group matches
>a sequence of name/value pairs such that all of these name/value
>pairs are present in the map and the map has no name/value pair that
>is not covered by the group.
Therefore the control `.within { fmt: text .ne "compound" }` forbids any maps
that contain additional fields besides `fmt`, which is clearly not what was
intended.
[1]: https://datatracker.ietf.org/doc/html/rfc8610#section-2.1
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8b29bec5a3db3f803478403a7ec41c80bec0d28e
* Rewrite Test Vectors introduction as applicable to all audiences
by Emil Lundberg
https://github.com/w3c/webauthn/commit/a0854aa1aca9980c5f07100c50d1d90aa6343a8c
* Note that test vectors have no attestation unless noted otherwise
by Emil Lundberg
https://github.com/w3c/webauthn/commit/abee3307949f314d737b1137b4bdd3cfa8b317e1
* Make remaining USVStrings into DOMStrings
by philomathic_life
https://github.com/w3c/webauthn/commit/95fb560b547d5f8a631d96298f6fa013a0c67e7b
* Link "Object" to WebDriver instead of File API
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8982a978d95e607693b1174ae74deac44f544f9b
* Fix AuthenticationExtensionsAuthenticatorInputs/Outputs CDDL
According to the CDDL grammar, after a control operator (called `ctlop` in the
ABNF grammar), there can only be a `type2` production:
https://datatracker.ietf.org/doc/html/rfc8610#appendix-B
In a `type2` production, wrapping parentheses can only be used to wrap a `type`
production. `tstr => any` is a `group` production, and needs to be wrapped in
curly braces or brackets.
In other words, from a CDDL grammar perspective, this is an invalid type:
`foo .within ( tstr => any )`
This is valid:
`foo .within { tstr => any }`
This update fixes the CDDL type definitions that used the `.within` operator
with an invalid type2.
by Francois Daoust
https://github.com/w3c/webauthn/commit/8fa10df31c3c2eadbcb797164890563eb8ab6c5a
* Move .within control to correct position in extension input/outputs CDDL
by Emil Lundberg
https://github.com/w3c/webauthn/commit/5d855e79c4242c330c737f00a1f6b15c85c1fd1a
* Merge pull request #2218 from w3c/issue-2212-file-object
Link "Object" to WebDriver instead of File API
by Adam Langley
https://github.com/w3c/webauthn/commit/81077df3d88c2b5762bb7c917cbc9db9d3cda7a2
* Merge pull request #2216 from w3c/issue-2210-compound-attStmtTemplate
Fix CDDL inconsistencies in attStmtType and compound format
by Adam Langley
https://github.com/w3c/webauthn/commit/3bc830109a1092de107fefc557b33f182e358775
* Merge pull request #2214 from w3c/issue-2202-pref-list-duplicates
Clarify behaviour of duplicate pubKeyCredParams and attestationFormats
by Adam Langley
https://github.com/w3c/webauthn/commit/09969718b3cb9dbbfe020bf5cd1d3a0086d2a696
* Merge pull request #2215 from w3c/issue-2204-premature-store-credential
Store/update credential record last in RP ops
by Adam Langley
https://github.com/w3c/webauthn/commit/08d33dc98f8012d01e7edc81f052c785af7726af
* small tweaks
by Tim Cappalli
https://github.com/w3c/webauthn/commit/e0ff44df1c93fad606b1a7b7fd6bd049e16273ab
* Merge pull request #2221 from w3c/pr-2219-tidoust
Fix AuthenticationExtensionsAuthenticatorInputs/Outputs CDDL
by Michael B. Jones
https://github.com/w3c/webauthn/commit/57efac8e788c3ac058fcc995dbb4c2d177545fc1
* Merge pull request #2217 from zacknewman/domorigins
Make remaining `USVString`s `DOMString`s
by Michael B. Jones
https://github.com/w3c/webauthn/commit/26e28ecd791dee84575284f55e61514637accc74
* Merge pull request #2209 from w3c/issue-1633-test-vectors
Add test vectors
by Michael B. Jones
https://github.com/w3c/webauthn/commit/b36a79a8ff0f184c08d4e5b676acda0c6d5cab45
* add period
Co-authored-by: Michael B. Jones <michael_b_jones@hotmail.com>
by Tim Cappalli
https://github.com/w3c/webauthn/commit/42f253e037a661b278dec1e7d79eb4fa527b9707
* Adding Revision history section
https://github.com/w3c/webauthn/issues/2223
by Simone Onofri
https://github.com/w3c/webauthn/commit/736fc66a6bc770d6ca3b0601eb43440631800d38
* Update index.bs
fix
by Simone Onofri
https://github.com/w3c/webauthn/commit/f7f8f78425f902a040a899eebe956ff6806ea285
* Update index.bs
by Simone Onofri
https://github.com/w3c/webauthn/commit/170471596dbadd98dfea7e381461c67c3e06a2d5
* Update index.bs
fix
by Simone Onofri
https://github.com/w3c/webauthn/commit/f0832675274d3919eb13bf309f7a3ac425008b31
* Merge branch 'main' into issue-1979-notes
by Nick Steele
https://github.com/w3c/webauthn/commit/6be55028e5e9896fcc25d11eb336c9f7849de29e
* Re-add merge conflct text
by Nick Steele
https://github.com/w3c/webauthn/commit/b6fde375672d06e5980ca7d51dbfe9092ad3456c
* Merge pull request #2196 from w3c/issue-1979-notes
Merged per decision on 8-Jan-25 working group call.
by Michael B. Jones
https://github.com/w3c/webauthn/commit/15cebd75a9af573e056f861be5830a1b688dc449
* add additional items and tweak format
by Tim Cappalli
https://github.com/w3c/webauthn/commit/93afb92ef8c3639979cdf53802ee8b6f119be3ed
* add ID to section
by Tim Cappalli
https://github.com/w3c/webauthn/commit/0e4288f9fb8eb2424b2355831fef27c994f8b950
* fix bikeshed issues
by Tim Cappalli
https://github.com/w3c/webauthn/commit/6d153a6a60682ec2b010192b8d3f5ad1443353c8
* optimize SVGs
by Tim Cappalli
https://github.com/w3c/webauthn/commit/210109d6953de00472b9fdb0867897b1b628cf26
* s/width/no-autosize
by Tim Cappalli
https://github.com/w3c/webauthn/commit/28cef52d2e059a9bc503ea715b00795e5e3f4899
* Apply changes proposed in review
by Emil Lundberg
https://github.com/w3c/webauthn/commit/9f986b417dc102b7fb5d79b4e9259bc8e2717b21
* Tweak changelog style
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3feccb4261c628a33b7cd0018fb78506eadd49b4
* Update index.bs
Co-authored-by: Emil Lundberg <emil@yubico.com>
by Simone Onofri
https://github.com/w3c/webauthn/commit/f1dc50c4391aeddbff8f17b2d1b882993ca8665a
* Sort L3 changes in order of occurrence in spec
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ecd7e7c1e50983a610d3941296a07f3d84906f21
* Merge pull request #2230 from w3c/pr-2224-review
Proposed changes from review of PR 2224
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2c138b5d5e661d729e6160f65bc2ca56acc242f6
* Address cross-origin create() in §5.10
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1afec06e5f293efcbec14592b456c8b5fc852651
* Link related privacy consideration section alongside client capabilities
by Emil Lundberg
https://github.com/w3c/webauthn/commit/7f2486f967a55f514dcbd1b5d950d6d27711256b
* Add (some) changes, deprecations and editorial changes to L3 revision history
by Emil Lundberg
https://github.com/w3c/webauthn/commit/de3d11a2890e19ba86c55187ec09ebfe5c27a7d5
* editorial nits
Co-authored-by: Emil Lundberg <emil@yubico.com>
by Tim Cappalli
https://github.com/w3c/webauthn/commit/24a29682fc5997f944ff15fdd940519725d7f3d2
* add disclaimer for use cases
by Tim Cappalli
https://github.com/w3c/webauthn/commit/06cffbd033d3d4d2f6255b32910bb9ce433cc568
* Merge branch 'main' into tc-manualrefcleanup
by Tim Cappalli
https://github.com/w3c/webauthn/commit/89f1be9c31a889df824f41ea650d127166b47ac6
* Merge pull request #2232 from w3c/pr-2224-more-changes
Add more to L3 revision history
by Emil Lundberg
https://github.com/w3c/webauthn/commit/0c33e4d34689f5ee96e84cfd340ed611b93ee3b8
* Merge pull request #2227 from w3c/tc-2226-bikeshed
Fix bikeshed warnings
by Tim Cappalli
https://github.com/w3c/webauthn/commit/1572d48b07f89a5f2328104b0ec1285a8b573684
* Merge branch 'main' into tc-manualrefcleanup
by Tim Cappalli
https://github.com/w3c/webauthn/commit/78fe79a0de7d3e537626eb7bc797911f91964ce0
* Merge pull request #2111 from w3c/tc-manualrefcleanup
Cleanup: Manual References
by Tim Cappalli
https://github.com/w3c/webauthn/commit/e9ea05c2fb58e8fc170ac0aa27a291e4182b965a
* Merging, per decision on 15-Jan-25 working group call.
Adding Revision history section
by Michael B. Jones
https://github.com/w3c/webauthn/commit/34cc85e2aeb9bf495dff0d44f97dd513425ba34a
* intro for consumer
by Tim Cappalli
https://github.com/w3c/webauthn/commit/0ac2e40c71c3e8dbb691f40d0f18ffeee0efdae7
* Merge pull request #2231 from w3c/issue-2229-sctn-5-10-create
Address cross-origin create() in §5.10
by Emil Lundberg
https://github.com/w3c/webauthn/commit/eef83ec8f2cb92d1ef75ad6382d3a27a87a30872
* Say that tokenBinding is RESERVED in History
by Michael Jones
https://github.com/w3c/webauthn/commit/77e81062610b19f8697ca4771536cfb0930686a8
* Update issue template
Adds passkey developer item and clarifies FIDO2
by Tim Cappalli
https://github.com/w3c/webauthn/commit/e8ee043c903293a6382791261ab9dc6566a8e47d
* Merge pull request #2239 from selfissued/mbj-tokenBinding-RESERVED
Say that tokenBinding is RESERVED in History
by Michael B. Jones
https://github.com/w3c/webauthn/commit/51c239fef7f8dfe8e148eeeabc437f38ae785136
* Merge pull request #2242 from w3c/tc-issuetemplate
chore: Update issue template
by Tim Cappalli
https://github.com/w3c/webauthn/commit/de513a7d4f3b92df9b942aaeca0c3e7716250ab3
* Merge pull request #2139 from w3c/1720-tc-use-cases-update
Update Use Cases for L3
by Emil Lundberg
https://github.com/w3c/webauthn/commit/34d93ac0391ccb9ef37f9d4c0af399171153fe23
* Bikeshed fixes
Some fixes for bikeshed generation
by Simone Onofri
https://github.com/w3c/webauthn/commit/4a54f30f6fbf737e522e2e31551690252a633d45
* Merge pull request #2243 from w3c/simoneonofri-patch-1
Bikeshed fixes
by Michael B. Jones
https://github.com/w3c/webauthn/commit/315d68cf508a65d3d887aaa9fea6b9fd509c7c01
* Handle Bikeshed 5.0.3
Using macros inside of autolinks previously worked only accidentally; I made it work *explicitly* in Bikeshed 5.0. I've since walked back that decision, and put it behind a pref in 5.0.3.
by Tab Atkins Jr.
https://github.com/w3c/webauthn/commit/89ba883b4bd2c7d39b6c9d82f59252af5bd1cd86
* Merge pull request #2254 from tabatkins/patch-1
Handle Bikeshed 5.0.3
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f616b28268a0552939fb6fd897cec43338dca928
* Fix test vectors heading levels
These were subsections of "Attestation trust root certificate", which does not
seem appropriate.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/559de50ec9386fff5e24937176877a507d3fa4ac
* chore: Fix issue template contact links
The previous PR didn't seem to apply. Attempting to add "about" key to fix it
by Tim Cappalli
https://github.com/w3c/webauthn/commit/7eff864f21644d6bbb94601e67b2b3e115d84947
* Merge pull request #2264 from w3c/timcappalli-patch-2
by Tim Cappalli
https://github.com/w3c/webauthn/commit/ebffdfd38600698091bf35cb1c4f2c70bd66695c
* chore: try 3 for fixing the issue template
thank you GH for not natively validating yaml 😭
by Tim Cappalli
https://github.com/w3c/webauthn/commit/d7a03d4b8ba5a71736c464f17aaece86c1dda9f0
* Merge pull request #2265 from w3c/timcappalli-patch-3
chore: try 3 for fixing the issue template
by Tim Cappalli
https://github.com/w3c/webauthn/commit/8a061d748ccfda66c5ad2c1c5c595068a2123ae2
* Merge pull request #2261 from w3c/test-vectors-heading-level
Fix test vectors heading levels
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e461bfa2f41a48a69fa343897294ea436c5eda59
* Remove outdated notes about permissions policy
by Matthew Miller
https://github.com/w3c/webauthn/commit/425cfab3414c99856f7ba69d17b33e0536b10f64
* #2269 Fix JavaScript sample code snippets
by Kosuke Koiwai (aka.) 小岩井 航介
https://github.com/w3c/webauthn/commit/6d3fe7ca3a68ed393ebaa48b7e558d732c32ee92
* Fix PublicKeyCredentialDescriptor attribute name
Fixes the PublicKeyCredentialDescriptor attribute name to read `type` instead of `id`
by Joost van Dijk
https://github.com/w3c/webauthn/commit/7ad66141a7708712fa53c48f13644d0f5a707cbd
* w3c#2269 another fix of JavaScript sample code snippets
Made EdDSA to the top priority
Deleted the normative change in line 1825
by Kosuke Koiwai (aka.) 小岩井 航介
https://github.com/w3c/webauthn/commit/0c7395c930a4ec03b7f0a59f319a2dbf1d06fd27
* Merge pull request #2267 from w3c/mm/2251-remove-permissions-policy-notes
Remove outdated notes about permissions policy on `isUVPAA()` and `getCC()`
by Matthew Miller
https://github.com/w3c/webauthn/commit/76e670657c0e0a1af7371d5a65b817ecd52ba86a
* Fix spelling in README.md
While reading through the README I found a few mistakes.
Please let me know if this is inappropriate and you may close this.
by Jonathan Underwood
https://github.com/w3c/webauthn/commit/c49105eac06f84b1ff6b7e5b2e517c7e5a2d9b26
* Merge pull request #2273 from joostd/patch-1
Fix PublicKeyCredentialDescriptor attribute name
by Nick Steele
https://github.com/w3c/webauthn/commit/01fb6f54bb6e03874e73d69a5d51e31e965136b8
* Merge pull request #2274 from junderw/patch-1
Fix spelling in README.md
by Michael B. Jones
https://github.com/w3c/webauthn/commit/1e0f5e032a901818d9989950acfb4888860f4211
* Merge pull request #2271 from kkoiwai/patch-1
#2269 Fix JavaScript sample code snippets
by Matthew Miller
https://github.com/w3c/webauthn/commit/ea670c37bcf3c3ba966eaec9e329c881a1b31b6f
* Fix number of PRFs in AuthenticationExtensionsPRFOutputs.enabled description
by Emil Lundberg
https://github.com/w3c/webauthn/commit/cddb53a43fe05de222596e05e9e010504bad4ba3
* Merge pull request #2277 from w3c/prf-enabled-fix-description
Fix number of PRFs in AuthenticationExtensionsPRFOutputs.enabled description
by Michael B. Jones
https://github.com/w3c/webauthn/commit/1745d5f3a1842ed11a3c01da05cf9d83575d501f
* Fix lint: unambiguous ref 'allowed to use'
Fixes this Bikeshed lint:
```
LINE 4469:1: Multiple possible 'allowed to use' dfn refs.
Arbitrarily chose https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use
To auto-select one of the following refs, insert one of these lines into a <pre class=link-defaults> block:
spec:html; type:dfn; text:allowed to use
spec:private-aggregation-api; type:dfn; text:allowed to use
[=allowed to use=]
LINE 4471:65: Multiple possible 'allowed to use' dfn refs.
Arbitrarily chose https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use
To auto-select one of the following refs, insert one of these lines into a <pre class=link-defaults> block:
spec:html; type:dfn; text:allowed to use
spec:private-aggregation-api; type:dfn; text:allowed to use
[=allowed to use=]
```
by Emil Lundberg
https://github.com/w3c/webauthn/commit/d99912f4abe750483c97a52290b970b194137a11
* Fix lint: Undefined ref PublicKeyCredential/CollectFromCredentialStore
Fixes this Bikeshed lint:
```
LINE 2258:27: No 'idl' refs found for '[[CollectFromCredentialStore]]()' with for='['PublicKeyCredential']'.
{{PublicKeyCredential/[[CollectFromCredentialStore]]()}}
```
by Emil Lundberg
https://github.com/w3c/webauthn/commit/4655be08e69b3ed22eb435b1b537db06aaee0049
* Merge pull request #2279 from w3c/bikeshed-lint
Fix Bikeshed lint
by Emil Lundberg
https://github.com/w3c/webauthn/commit/43b55de14af82585342977f8533ec6284aca8a2d
* Add script for generating PRF test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e5cbfe352b55ae56ec514420017b227e70e8306a
* Fix mistake in description of how hmac-secret inputs were generated
by Emil Lundberg
https://github.com/w3c/webauthn/commit/946490376a44df546c6745f2d17d5dbe5aa3089c
* Use initially claimed values for hmac-secret input generation
by Emil Lundberg
https://github.com/w3c/webauthn/commit/87cab44efad607ee370416f4cf517eb77f28d632
* Add COSEAlgorithmIdentifier values -9 and -50 to examples and recommendations
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bf68caf4bfb63e4631c306c5c77166e6584949df
* Require that ESP256 keys MUST NOT use compressed form
by Emil Lundberg
https://github.com/w3c/webauthn/commit/22b5cc8ead19fdc5514d9fbbc3a27b1c0b8ef944
* Add JSON partial dictionaries for extensions
by Emil Lundberg
https://github.com/w3c/webauthn/commit/43972a4495d4247f4fac0257a9382b4b7dbe0087
* Merge pull request #2284 from w3c/issue-1968-extensions-json
Add JSON partial dictionaries for extensions
by Emil Lundberg
https://github.com/w3c/webauthn/commit/06dfbc8badb0249c6c002cb8788df8d4d79d8a7c
* Add uncompressed form requirement for ESP384 and ESP512
by Emil Lundberg
https://github.com/w3c/webauthn/commit/928c6684a87c0a1e1efc7c0506009fac3e9a1b76
* Add script used to generate test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c867cf24871a13c3619c1d2d0c87062771f463c3
* Include file name in END GENERATED CONTENT tag
by Emil Lundberg
https://github.com/w3c/webauthn/commit/4ad98b617720ad9e2f0863df8d8890877e1f88f0
* Add script for injecting generated test vectors into index.bs
by Emil Lundberg
https://github.com/w3c/webauthn/commit/d51a7ad1327a3a6f5649f0b3c63953b922c251a2
* Add and prefer fully-specified COSE algorithm identifers in test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/a4575b3f039d932a2f6168e025ea6cba08684a55
* Add Ed448 test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/48f24023b2a37f5fd63fc774f6ae3019bd7bd2cc
* Check that test vectors are up to date in GitHub Actions workflow
by Emil Lundberg
https://github.com/w3c/webauthn/commit/00542a65b4da5ace4aaf3d3c281a75ae4fe82e36
* Use same attestation alg as credential alg in self attestation test vector
by Emil Lundberg
https://github.com/w3c/webauthn/commit/865c94ac3581a98a46402e0cfe4bbf70b5465a9b
* Use ESP256 instead of ES256 as attestation alg in test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/b4d412c2c36e715dd709aabf0d2540fda04b3de1
* Add to list of new features since L2
by Matthew Miller
https://github.com/w3c/webauthn/commit/b56d7e9e758f41caeaaa9be9f0c1a7b58fa0fec8
* Incorporate feedback
by Matthew Miller
https://github.com/w3c/webauthn/commit/9037c7330d945cb980edabf2e3a76dc2ee70f7a2
* Merge pull request #2289 from w3c/gen-test-vectors
Add scripts used to generate test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/86e50a933516932288e81c50e7bfde5c59188abc
* Merge branch 'main' into issue-2282-fully-spec-algs
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8cffb7acae1e88f558db6ef7cb4de46a2191565f
* Merge pull request #2290 from w3c/test-vectors-fully-spec-algs
Add and prefer fully-specified COSE algorithm identifers in test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c47f7e94e313f7ebff61ea0e0bce751c3a99cd7c
* Update test vectors to draft 12 of COSE fully-specified algs
ESP384, ESP512, Ed25519 and Ed448 values were changed in draft 12 due
to conflict with those values assigned to ML-DSA:
https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-12.html#name-fully-specified-digital-sig
by Emil Lundberg
https://github.com/w3c/webauthn/commit/9187c326e508b69ad27dc9873bcd8fe2b052c50c
* Update to match draft 12 of draft-ietf-jose-fully-specified-algorithms
ESP384, ESP512, Ed25519 and Ed448 values were changed in draft 12 due to
conflict with those values assigned to ML-DSA:
https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-12.html#name-fully-specified-digital-sig
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c129a055c23e97b01caf513aa130a48d3904afe2
* Update test-vectors fido2 dependency to official version
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ab50d193bd7b50bb4fb07092a750e5364d127ddf
* Revert preferring new COSE identifiers in examples and test vectors
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3bde13862e16d0e8ec6a9a19be3360a483e2d519
* Rename Ed25519 test vector section anchor and seed to EdDSA
To reflect that the COSEAlgorithmIdentifier used in this test vector is in fact
`EdDSA (-8)`, not the recently registered `Ed25519 (-19)`.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1882f7ff6d01f4894e58747d7a46f88cdb0e5ba5
* Merge pull request #2292 from w3c/mm/2268-add-attestationformats-changes-since-L2
Add `attestationFormats` to the list of new features since L2
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ca16c48e8b68c183eb80f2602a95063b6e76ae5c
* Revert adding new COSE algs to recommendations and examples
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1c88e2926458008b92213a2e39a307b9b0c682df
* Recommend against ESP* and Ed25519 COSEAlgorithmIdentifiers
by Emil Lundberg
https://github.com/w3c/webauthn/commit/472e8d0bc6cbf4f09e69fc0561c4199e3fe3a630
* Merge pull request #2283 from w3c/issue-2282-fully-spec-algs
Account for new fully-specified ECDSA and Ed448 COSEAlgorithmIdentifiers
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3bcf9d52f1541aecfe050c6bdc41ed30e4f5dcba
* Clarify relationship between PRF and hmac-secret extensions
by Emil Lundberg
https://github.com/w3c/webauthn/commit/5e38d659f2334b88f299e6b0ba4652789100cc32
* Generalize prf processing steps for non-CTAP implementations
by Emil Lundberg
https://github.com/w3c/webauthn/commit/88426f7b2bd4f3d7340ee6393fcdebd3a544a371
* Fix typo in PRF extension introduction
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3f98b01f252c110a5a6bc0e373739a31634834a6
* Require non-CTAP PRF to be independent of UV
by Emil Lundberg
https://github.com/w3c/webauthn/commit/bfcbed21adeb8e6432b533c500c42d498d9611b8
* Drop redundant collision resistance qualifier from abstract PRF procedure
by Emil Lundberg
https://github.com/w3c/webauthn/commit/6ba2237d3ba9d8c299efa46838bb4c03286f6b85
* Add change history since Level 3 Working Draft 2
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c71ec5625db2228879235f78d15ed9f769e7e340
* Add missing period to uvm document history item
by Emil Lundberg
https://github.com/w3c/webauthn/commit/17d5b9f8e8bc93bf3f58abefe3aa054d14beccc2
* Merge pull request #2301 from w3c/history-since-l3-wd2
Add change history since Level 3 Working Draft 2
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3e3cfc31a68acc1ef3d54e7ae7bf6c9f96f18e82
* Fix PRF registration inputs referencing eval instead of salt1 and salt2
by Emil Lundberg
https://github.com/w3c/webauthn/commit/e75c208cae67809bb91b50f8cf1d8495a5a01a28
* Fix COSEAlgorithmIdentifier in section 5.4
by Lennart Kloock
https://github.com/w3c/webauthn/commit/b29a599e056363fdad7e0eeb7206f0b9701ca580
* Consistently refer to COSE IDs as "int (name)" instead of "name (int)"
by Emil Lundberg
https://github.com/w3c/webauthn/commit/c8490b1ed61a65e10825dcbecc8bc08017dd863a
* Merge pull request #2305 from w3c/cose-id-formatting
Consistently refer to COSE IDs as "int (name)" instead of "name (int)"
by Michael B. Jones
https://github.com/w3c/webauthn/commit/4e2f45c51ae0d02c192c7853d56efc0e230e78ef
* Merge pull request #2304 from lennartkloock/fix-cose-alg-identifier
Fix COSEAlgorithmIdentifier in section 5.4
by Michael B. Jones
https://github.com/w3c/webauthn/commit/c591bcbe690f8e4b32cf7017d0368ae1244a2c76
* Merge pull request #2298 from w3c/issue-2285-clarify-prf-hmac-secret
Generalize PRF extension processing to non-CTAP authenticators
by Pascoe
https://github.com/w3c/webauthn/commit/a61ad90d7b225e0bb7e17b6f29dea3635391466b
* Deprecate in-field language/direction metadata
See discussions in:
- https://github.com/w3c/webauthn/pull/2280
- https://github.com/w3c/webauthn/issues/1643#issuecomment-2985299304
by Emil Lundberg
https://github.com/w3c/webauthn/commit/b063a8723395de369769034b302d003434e4b8bf
* Fix typo
Pointed out in:
https://github.com/w3c/webauthn/issues/2295#issuecomment-3054350895
by Emil Lundberg
https://github.com/w3c/webauthn/commit/899089f19d2650b9f356360de2c8066bba15d623
* Merge pull request #2311 from w3c/typo
Fix typo
by Emil Lundberg
https://github.com/w3c/webauthn/commit/96cc62b627f0b17114931e1bbc546f376f372c5d
* Add note that DER lengths vary with INTEGER magnitude and curve size
by Emil Lundberg
https://github.com/w3c/webauthn/commit/d7ff4e555875885952254458c9dae4c7da4c7671
* Change DER signature example to include INTEGERs of different lengths
Example copied from test vectors "ES256 Credential with very long credential ID"
whose signature happens to have components of different lengths.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/00160d514a7dd412ceb77400702a98d0d97b43e3
* Change DER signature example to include long and short INTEGERs
by Emil Lundberg
https://github.com/w3c/webauthn/commit/81514c74078ede304139ff95c0430984058950bc
* Merge pull request #2315 from w3c/issue-2314-der-example
Clarify that DER lengths vary with INTEGER magnitude and curve size
by Matthew Miller
https://github.com/w3c/webauthn/commit/cc8c1e1936b619c91d97dc609073584d0ba0e41a
* Merge pull request #2308 from w3c/issue-1643-drop-in-field-meta-2
Deprecate in-field language/direction metadata
by Nick Steele
https://github.com/w3c/webauthn/commit/1147dcca0892af7a7cc1ebd756e851230139aae8
* Merge branch 'main' into 2062-new-error-codes
# Conflicts:
# index.bs
by Matthew Miller
https://github.com/w3c/webauthn/commit/008495a3d9fb80b054070d1c669314e5b632cc52
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 27 August 2025 22:20:25 UTC