webauthn
Web Authentication: An API for accessing Public Key Credentials
We use credential descriptors "`PublicKeyCredentialDescriptor`" for allow lists & exclude lists. The spec says

> [...] [client platforms](https://w3c.github.io/webauthn/#client-platform) MUST ignore any [PublicKeyCredentialDescriptor](https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptor) with an unknown [type](https://w3c.github.io/webauthn/#dom-publickeycredentialdescriptor-type).

There's no further specification for...
[§5.1.3. Create a New Credential](https://w3c.github.io/webauthn/#sctn-createCredential) and [§5.1.4. Use an Existing Credential to Make an Assertion](https://w3c.github.io/webauthn/#sctn-discover-from-external-source) both declare their **options** parameter as the `Credential[Creation|Request]Options` object inherited from CredMan:

> **options**
> This argument...
_(filing a new issue for this as it's a small change and I don't want to pile more stuff on the conditional mediation issue / pr)_ @emlun [pointed out](https://github.com/w3c/webauthn/pull/1576/files#r750426635) that...
Topic from June F2F meeting. With the changing security properties of WebAuthn credentials, we need to re-evaluate the need for an RP to request attestation during a Get Assertion.
Several members have requested ([thread](https://lists.w3.org/Archives/Member/w3c-ac-forum/2022JanMar/thread.html#msg90)) that W3C switch its specifications to a [permissive license, the Software and Document License](https://www.w3.org/Consortium/Legal/2015/copyright-software-and-document), for continuity planning. The WebAuthn charter (current and proposed re-charter) [states](https://www.w3.org/2019/10/webauthn-wg-charter.html#licensing)...
The use case in mind is when an RP is required to enforce attestation-based registration requirements. Why not allow the RP to suggest in attestation options a richer set of...
Motivated by #1709. Many RPs will not need attestation, and the default `attestationConveyance` is `"none"`. It is of little use to these RPs to implement all the complexity around verifying...
In both of the [RP Operations subsections](https://www.w3.org/TR/webauthn/#sctn-rp-operations) (Registering a new cred, and verifying an authn assertion), the step for verifying/processing of extension outputs is placed _before_ the step for verifying...
The current top level use cases (`sctn-use-cases`) were written prior to the multi-device credential effort and should be rewritten to include this new topic. Be sure to include: https://github.com/w3c/webauthn/issues/1735
Hi, just a suggestion to help clarify the passwordless registration flow for people. [1.3.2. Registration Specifically with User-Verifying Platform Authenticator](https://w3c.github.io/webauthn/#sctn-sample-registration-with-platform-authenticator) walks through a process of registering where a user provides...