Releases: w3c/webauthn
Web Authentication Proposed Recommendation (PR-00)
This tags the commit used as the basis for the published Proposed Recommendation version of WebAuthn Level 1: https://www.w3.org/TR/2019/PR-webauthn-20190117/
Note that the milestones associated with the Proposed Rec effort use "PropRec" in their identifiers rather than "PR" in order to try to reduce confusion with PRs (git pull requests) when referring to them (i.e., the PropRec milestones).
Diffs, change summary, etc. TBD.
Web Authentication Candidate Recommendation (CR-00)
Web Authentication Candidate Recommendation (CR-00) is officially published here: https://www.w3.org/TR/2018/CR-webauthn-20180320/
NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (thus the latter presently yields CR-00)
WebAuthn CR-00 features a number of changes from WD-07 (NOTE: there are essentially no changes between CR-00 and WD-09 (the latest WebAuthn Working Draft prior to CR-00), and there is only one minor normative change between WD-09 and WD-08).
Here's a selected list of the changes between CR-00 and WD-07 (for details, see the diffs linked-to below):
-
Clarifies backwards compatibility with FIDO U2F, and its reliance on FIDO AppID.
-
Adopts the the CTAP2 canonical CBOR encoding form for all CBOR-encoded data.
-
Further alignment with Credential Management, e.g., defining Public Key Credential Source, adding [[preventSilentAccess]] internal method.
-
Futher refines the [[Create]] (aka createCredential) and [[DiscoverFromExternalSource]] (aka getAssertion) algorithms in order to address potential side-channel timing attacks that could enable user-identifying information.
-
Adds authenticatorCancel operation to the Authenticator Model.
-
Uses only SHA-256 for hashing the client data.
-
Authentication extension data is no longer included in collected client data.
-
Clarifies the WebAuthn Authenticator Model, and refines & corrects the authenticatorMakeCredential and authenticatorMakeCredential operations.
-
Clarifies Attested Credential data, and adds examples of credentialPublicKey values encoded in COSE_Key format.
-
Renames Privacy CA as Attestation CA to conform with TCG TPMv2 specs.
-
Adds "None" as a formal Attestation Type, and defines a "None attestation statement format".
-
Clarifies the signature formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures.
-
Refines and corrects the Relying Party registration and authentication assertion verification operations.
-
Clarifies and corrects the Packed, TPM, and FIDO U2F attestation statement formats.
-
Refines the Extensions framework: clarifies the WebAuthn extensions model regarding passing-through unrecognized extensions, authenticator extension processing, and the inputs & outputs of defined extensions. Also:
-
Clarifies and corrects the FIDO AppID extension.
-
Refines and corrects the Location extension.
-
Adds the Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)
-
-
Coalesces Security Considerations section, adds attestation security considerations. Adds discrete Privacy Considerations section, touching upon attestation, registration, and authentication privacy.
Diffs of WebAuthn CR-00 from WD-07:
-
Daisydiff-style rendered HTML "inline" Diff: http://jeffhodges.org/doc/diff/diff-webauthn-CR-00-20180320--from--WD-07-20171205.html
-
kdiff3-style PDF side-by-side text-only Diff: http://jeffhodges.org/doc/diff/diff-webauthn-CR-00-20180320--from--WD-07-20171205.pdf
CR-00 Release Page at github: https://github.com/w3c/webauthn/releases/tag/CR-00-20180320
Web Authentication Working Draft rev 9 (WD-09)
Web Authentication Working Draft rev 9 (WD-09) is officially published here: https://www.w3.org/TR/2018/WD-webauthn-20180315/
NOTE: WebAuthn WD-09 (20180315) morphed into CR-00 on 20180320 -- there are no differences between the latter and the former other than the maturity level designations.
The latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/
There is only one minor normative difference between WebAuthn WD-09 and WD-08.
There are substantial differences between WD-09/WD-08 and WD-07 -- see CR-00 for details and diffs.
Web Authentication Working Draft rev 8 (WD-08)
Web Authentication Working Draft rev 8 (WD-08) is officially published here: https://www.w3.org/TR/2018/WD-webauthn-20180306/
NOTE: There are substantial differences between WD-08 and WD-07 -- see CR-00 for relevant details and diffs, because:
There is only one minor normative difference between WebAuthn WD-09 and WD-08, and, WebAuthn WD-09 (20180315) morphed into CR-00 on 20180320.
Web Authentication Working Draft rev 7 (WD-07)
Web Authentication Working Draft rev 7 (WD-07) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20171205/
NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-07)
Please also note that this spec is a Working DRAFT and will change, possibly in "breaking" ways.
WebAuthn WD-07 features many changes from the prior version, here's a selected list (for details, see the diffs linked-to below):
-
Updated terminology to match and leverage the Credential Management spec.
-
Matching recent changes to Credential Management, the WebAuthn API may be utilized from non-top-level documents if and only if it is same-origin with its ancestors.
-
Updated [[Create]] and [[DiscoverFromExternalSource]] internal methods to match arguments with those supplied by Credential Management. Note: Credman PR w3c/webappsec-credential-management#100 is related and not completed at this time.
-
Updated [[Create]] and [[DiscoverFromExternalSource]] underlying algorithms in various ways:
- Explicitly facilitate roaming/external authenticator "hot-plugging" during registration and authentication operations.
- Further refined RP ID handling.
- added a type field to CollectedClientData to avoid potential signature confusion issues.
- added abort signal processing.
- refined
requireResidentKeyhandling. - added notion of "effective user verification requirement for assertion"
- added notion of RP-asserted "Attestation Conveyance Preference".
- added "user handle" notion. The "user handle" is "plumbed-through" from the RP, to the authenticator, and back to the RP. This is useful for some RP use cases.
- Facilitate discovery of "Availability of User-Verifying Platform Authenticators". This is useful for some RP use cases.
-
authenticator operations clarifications/polishing
- added or refined various features to match those listed above, e.g., requiring resident private key, user presence test, and user verification requirement.
- added detailed signature counter considerations.
-
Clarified attestation object generation.
-
Refined relying party operations.
-
Refined signing procedures for Packed Attestation Statement Format and FIDO U2F Attestation Statement Format.
Diffs of WebAuthn WD-07 from WD-06:
-
Daisydiff-style rendered HTML "inline" Diff: http://kingsmountain.com/doc/diff/diff-webauthn-WD-07--from--WD-06.html
-
kdiff3-style PDF side-by-side text-only Diff: http://kingsmountain.com/doc/diff/diff-webauthn-WD-07--from--WD-06.pdf
WD-07 Release Page at github: https://github.com/w3c/webauthn/releases/tag/WD-07-20171205
Web Authentication Working Draft rev 6 (WD-06)
Web Authentication Working Draft rev 6 (WD-06) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20170811/
NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-06)
Please also note that this spec is a Working DRAFT and will change, possibly in "breaking" ways.
WebAuthn WD-06 features several subtle-but-important changes from the prior version:
- The specification of the WebAuthn Relying Party Identifier (RP ID), and its processing, is corrected.
- Refined handling of authenticator transports in the #getAssertion algorithm
- Support for discovery of available platform authenticators
- Use of COSE algorithm identifiers and the COSE_Key format [RFC8152] for conveyance of the attested Credential Public Key (aka User Public Key).
- Attestation clarifications.
- Refined authenticator selection at credential creation time, and signaling of successful user verification at either credential creation time or assertion generation time.
HTML "inline" Diff: http://kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-598ac41-WD-06--from--dda3e24-WD-05.html
PDF side-by-side text-only Diff: http://kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-598ac41-WD-06--from--dda3e24-WD-05.pdf
WD-06 Release Page at github: https://github.com/w3c/webauthn/releases/tag/WD-06-20170811
Web Authentication Working Draft rev 5 (WD-05)
Web Authentication Working Draft rev 5 (WD-05) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20170505/
The latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/
Please note that this spec is only a Working DRAFT and will change, possibly in "breaking" ways. While not a candidate recommendation, this version is informally intended by the working group to be an Implementer’s Draft, which will be used for experimenting with implementations of the API.
WebAuthn WD-05 features many significant changes from the prior version:
- Alignment with Credential Management (CredMan): https://w3c.github.io/webappsec-credential-management/
- Using the term Public Key Credentials rather than Scoped Credentials
- Algorithms updated to more precisely define their operations and to be CredMan compatible
- Expanded and more explicit specification of the extensions framework
- Terminology expansion and polishing
- and more...
HTML "inline" Diff: http://www.kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-dda3e24-WD-05--from--index-master-tr-ce7925c-WD-04.html
PDF side-by-side text-only Diff: http://kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-dda3e24-WD-05--from--index-master-tr-ce7925c-WD-04.pdf