- From: Simone Onofri via GitHub <sysbot+gh@w3.org>
- Date: Sun, 23 Feb 2025 14:59:45 +0000
- To: public-webauthn@w3.org
Hi all,

I was preparing the communication for the wide review. What do you think?

The Web Authentication Working Group (WebAuthn WG) is happy to announce it has published a new draft of the [Web Authentication: An API for accessing Public Key Credentials Level 3](https://www.w3.org/TR/webauthn-3/) for wide review.

## **Background**

Web Authentication Level 3 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

In this Working Draft, there are some [changes since Web Authentication Level 2](https://www.w3.org/TR/webauthn-3/#revision-history):

Changes:

* Updated timeout guidance
* uvm extension no longer included
* aaguid in attested credential data is no longer zeroed when attestation preference is none

Deprecations:

* Registration parameter publicKey.rp.name
* Android SafetyNet Attestation Statement Format
* tokenBinding was changed to \[RESERVED\].

New features:

* New JSON (de)serialization methods
* Create operations in cross-origin iframes
* Conditional mediation for create
* Conditional mediation for get
* Availability of client capabilities
* New enum value hybrid
* PublicKeyCredential’s signal methods
* New client data attribute topOrigin
* User-agent Hints Enumeration
* [Use Web Authentication across related origins](https://www.w3.org/TR/webauthn-3/#sctn-related-origins)
* [Authenticator data](https://www.w3.org/TR/webauthn-3/#authenticator-data) flags [BE](https://www.w3.org/TR/webauthn-3/#authdata-flags-be) and [BS](https://www.w3.org/TR/webauthn-3/#authdata-flags-bs) assigned
* [Compound Attestation Statement Format](https://www.w3.org/TR/webauthn-3/#sctn-compound-attestation)
* Pseudo-random function extension

## **Your Comments**

Public feedback is really important to us. Based on this feedback, the proposed success criteria could be changed. We want to hear from users, authors, tool developers, policymakers, and others about the benefits of the new proposed success criteria and how achievable you feel it is to conform to the new success criteria.

The main place to comment is on [Github](https://github.com/w3c/webauthn/issues), or you can send email to [public-webauthn@w3.org](mailto:public-webauthn@w3.org) ([comment archive](https://lists.w3.org/Archives/Public/public-webauthn/)). The Working Group requests that comments be submitted by **DD Mm 2025**.

## **Schedule**

Over the next couple of months, the WebAuthn WG will process the public’s input. If comments lead to enough changes, there could be another review draft. Then, the guidelines will go through finalization stages, described in the [W3C Process](https://www.w3.org/policies/process/#rec-track). The Working Group hopes to publish the final version of Web Authentication Level 3 as a “W3C Recommendation” web standard in QQ 2025.

--
GitHub Notification of comment by simoneonofri

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2248#issuecomment-2676910326 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 23 February 2025 14:59:46 UTC