=JeffH

device public key extension

8

The resolves #1658 by defining the `devicePubKey` extension et al. It is admittedly rough and will need further work, thus am casting it as a "draft" PR. update 4-Mar-2022: @ve7jtb...

RP operations: some extension processing may assume that the encompassing signature is valid

2

In both of the [RP Operations subsections](https://www.w3.org/TR/webauthn/#sctn-rp-operations) (Registering a new cred, and verifying an authn assertion), the step for verifying/processing of extension outputs is placed _before_ the step for verifying...

Recovering from Device Loss

28

[submitting on behalf of @leshi & @arnar and their collaborator Alex Takakuwa ] **https://lists.w3.org/Archives/Public/public-webauthn/2018May/0464.html:** Subject: Recovering from Device Loss in WebAuthn **From: Alex Takakuwa ** To: [email protected] In April, we...

Synced/multi-device user Credentials

7

Issue #1637 introduces possible experiences in a future WebAuthn, various aspects of which are enabled by "syncing platform credentials" via platform providers' sync fabrics. The spec will need updating to...

at the end of section 8.1. Attestation Statement Format Identifiers, we say: > The up-to-date list of registered WebAuthn Extensions is maintained in the IANA "WebAuthn Attestation Statement Format Identifiers"...

the [Lookup Credential Source by Credential ID Algorithm](https://www.w3.org/TR/webauthn/#sctn-op-lookup-credsource-by-credid) is presently used only in internal-to-the-authenticator operations, namely in authenticatorMakeCredential and authenticatorGetAssertion. The result of [Lookup Credential Source by Credential ID Algorithm](https://www.w3.org/TR/webauthn/#sctn-op-lookup-credsource-by-credid)...

double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec

3

WRT [Secure Payment Confirmation](https://chromestatus.com/feature/5702310124584960), it is possible, but am not sure how likely, that we might want to put a Note or other mention of different RP hostname mapping/handling in...

CollectedClientData.crossOrigin default value and whether it is required

1

`CollectedClientData.crossOrigin` is defined like so: ``` dictionary CollectedClientData { [ ... ] boolean crossOrigin; [ ... ] }; ``` In examining both the `[[Create]]()` and `[[DiscoverFromExternalSource]]()` methods, as well as...

webauthn L2 Rec references the old CTAP v2.0-ps-20190130 spec, and thus the link to "large, per-credential blobs" does not work (the latter is a webauthn L2 Rec errata item (I...

"privacy ca" term in images/fido-attestation-structures.svg

1

ought to change "privacy ca" term in images/fido-attestation-structures.svg (lower left corner) to "anonymization CA" or "attestation CA".