Web Authentication Working Draft rev 7 (WD-07)

Web Authentication Working Draft rev 7 (WD-07) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20171205/

NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-07)

Please also note that this spec is a Working DRAFT and will change, possibly in "breaking" ways.

WebAuthn WD-07 features many changes from the prior version, here's a selected list (for details, see the diffs linked-to below):

• Updated terminology to match and leverage the Credential Management spec.

• Matching recent changes to Credential Management, the WebAuthn API may be utilized from non-top-level documents if and only if it is same-origin with its ancestors.

• Updated [[Create]] and [[DiscoverFromExternalSource]] internal methods to match arguments with those supplied by Credential Management. Note: Credman PR w3c/webappsec-credential-management#100 is related and not completed at this time.

• Updated [[Create]] and [[DiscoverFromExternalSource]] underlying algorithms in various ways:

  • Explicitly facilitate roaming/external authenticator "hot-plugging" during registration and authentication operations.
  • Further refined RP ID handling.
  • added a type field to CollectedClientData to avoid potential signature confusion issues.
  • added abort signal processing.
  • refined requireResidentKey handling.
  • added notion of "effective user verification requirement for assertion"
  • added notion of RP-asserted "Attestation Conveyance Preference".
  • added "user handle" notion. The "user handle" is "plumbed-through" from the RP, to the authenticator, and back to the RP. This is useful for some RP use cases.
  • Facilitate discovery of "Availability of User-Verifying Platform Authenticators". This is useful for some RP use cases.

• authenticator operations clarifications/polishing

  • added or refined various features to match those listed above, e.g., requiring resident private key, user presence test, and user verification requirement.
  • added detailed signature counter considerations.

• Clarified attestation object generation.

• Refined relying party operations.

• Refined signing procedures for Packed Attestation Statement Format and FIDO U2F Attestation Statement Format.

Diffs of WebAuthn WD-07 from WD-06:

• W3C-style rendered HTML "inline" Diff

• Daisydiff-style rendered HTML "inline" Diff: http://kingsmountain.com/doc/diff/diff-webauthn-WD-07--from--WD-06.html

• kdiff3-style PDF side-by-side text-only Diff: http://kingsmountain.com/doc/diff/diff-webauthn-WD-07--from--WD-06.pdf

WD-07 Release Page at github: https://github.com/w3c/webauthn/releases/tag/WD-07-20171205