
Web Authentication Candidate Recommendation (CR-00)

@equalsJeffH equalsJeffH released this 20 Mar 13:11
e155bae

Web Authentication Candidate Recommendation (CR-00) is officially published here: https://www.w3.org/TR/2018/CR-webauthn-20180320/

NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (thus the latter presently yields CR-00)

WebAuthn CR-00 features a number of changes from WD-07 (NOTE: there are essentially no changes between CR-00 and WD-09 (the latest WebAuthn Working Draft prior to CR-00), and there is only one minor normative change between WD-09 and WD-08).

Here's a selected list of the changes between CR-00 and WD-07 (for details, see the diffs linked-to below):

  • Clarifies backwards compatibility with FIDO U2F, and its reliance on FIDO AppID.

  • Adopts the CTAP2 canonical CBOR encoding form for all CBOR-encoded data.

  • Further alignment with Credential Management, e.g., defining Public Key Credential Source, adding [[preventSilentAccess]] internal method.

  • Further refines the [[Create]] (aka createCredential) and [[DiscoverFromExternalSource]] (aka getAssertion) algorithms in order to address potential side-channel timing attacks that could leak user-identifying information.

  • Adds authenticatorCancel operation to the Authenticator Model.

  • Uses only SHA-256 for hashing the client data.

  • Authentication extension data is no longer included in collected client data.

  • Clarifies the WebAuthn Authenticator Model, and refines & corrects the authenticatorMakeCredential and authenticatorGetAssertion operations.

  • Clarifies Attested Credential data, and adds examples of credentialPublicKey values encoded in COSE_Key format.

  • Renames Privacy CA as Attestation CA to conform with TCG TPMv2 specs.

  • Adds "None" as a formal Attestation Type, and defines a "None attestation statement format".

  • Clarifies the signature formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures.

  • Refines and corrects the Relying Party registration and authentication assertion verification operations.

  • Clarifies and corrects the Packed, TPM, and FIDO U2F attestation statement formats.

  • Refines the Extensions framework: clarifies the WebAuthn extensions model regarding passing-through unrecognized extensions, authenticator extension processing, and the inputs & outputs of defined extensions. Also:

    • Clarifies and corrects the FIDO AppID extension.

    • Refines and corrects the Location extension.

    • Adds the Biometric Authenticator Performance Bounds Extension (biometricPerfBounds).

  • Coalesces Security Considerations section, adds attestation security considerations. Adds discrete Privacy Considerations section, touching upon attestation, registration, and authentication privacy.
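As an added illustration of three of the items above (SHA-256 only for the client data hash, CTAP2 canonical CBOR, and the "None" attestation statement format), here is a Relying Party side registration check in Python. It is not code from the WebAuthn spec or the w3c/webauthn repository; the clientDataJSON, rpId and attestation object are constructed sample values, and the CBOR decoder handles only the subset a "none" attestationObject needs.

```python
import hashlib
import json
import struct

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder for the subset an attestationObject with fmt "none"
    uses: small uints, byte strings, text strings, maps. Returns (value, pos)."""
    ib = buf[pos]; major, ai = ib >> 5, ib & 0x1F; pos += 1
    if ai < 24: n = ai
    elif ai == 24: n = buf[pos]; pos += 1
    else: raise ValueError("unsupported CBOR length encoding")
    if major == 0: return n, pos
    if major in (2, 3):
        s = bytes(buf[pos:pos + n]); return (s if major == 2 else s.decode()), pos + n
    if major == 5:
        m, prev = {}, None
        for _ in range(n):
            k, pos = cbor_decode(buf, pos); v, pos = cbor_decode(buf, pos)
            # CTAP2 canonical CBOR (adopted in CR-00): shorter key first, then bytewise.
            key = (len(k.encode()), k.encode())  # assumes text-string keys, as here
            if prev is not None and key <= prev: raise ValueError("non-canonical map key order")
            m[k], prev = v, key
        return m, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def verify_none_registration(client_data_json, attestation_object, challenge, origin, rp_id):
    """Relying Party side checks for a registration that used the "none" attestation
    statement format. Returns (clientDataHash, signCount) or raises ValueError."""
    c = json.loads(client_data_json)
    if c.get("type") != "webauthn.create": raise ValueError("wrong ceremony type")
    if c.get("challenge") != challenge: raise ValueError("challenge mismatch")
    if c.get("origin") != origin: raise ValueError("origin mismatch")
    client_data_hash = hashlib.sha256(client_data_json).digest()  # CR-00: SHA-256 only
    att, end = cbor_decode(attestation_object)
    if end != len(attestation_object): raise ValueError("trailing bytes after attestationObject")
    if att["fmt"] != "none" or att["attStmt"] != {}: raise ValueError("expected empty none attStmt")
    ad = att["authData"]  # rpIdHash(32) | flags(1) | signCount(4) | attested credential data...
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest(): raise ValueError("rpIdHash mismatch")
    if not ad[32] & 0x01: raise ValueError("user presence (UP) flag not set")
    return client_data_hash, struct.unpack(">I", ad[33:37])[0]

# Constructed sample input (not from a real authenticator); a real registration also
# carries attested credential data after byte 37 of authData, which is not parsed here.
CLIENT_DATA = json.dumps({"type": "webauthn.create", "challenge": "Y2hhbGxlbmdl",
                          "origin": "https://example.com"}).encode()
AUTH_DATA = hashlib.sha256(b"example.com").digest() + b"\x01" + b"\x00\x00\x00\x07"
ATT_OBJ = (b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData\x58" + bytes([len(AUTH_DATA)]) + AUTH_DATA)

if __name__ == "__main__":
    print(verify_none_registration(CLIENT_DATA, ATT_OBJ, "Y2hhbGxlbmdl", "https://example.com", "example.com"))
```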

Diffs of WebAuthn CR-00 from WD-07:

CR-00 Release Page on GitHub: https://github.com/w3c/webauthn/releases/tag/CR-00-20180320