webauthn
Web Authentication: An API for accessing Public Key Credentials
`CollectedClientData.crossOrigin` is defined like so:

```
dictionary CollectedClientData {
    [ ... ]
    boolean crossOrigin;
    [ ... ]
};
```

In examining both the `[[Create]]()` and `[[DiscoverFromExternalSource]]()` methods, as well as...
webauthn L2 Rec references the old CTAP v2.0-ps-20190130 spec, and thus the link to "large, per-credential blobs" does not work (the latter is a webauthn L2 Rec errata item (I...
[PublicKeyCredentialParameters](https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialparameters) currently only allows you to choose the signature algorithm to use, but not which curve. The COSE standard suggests that ES256 should imply P-256, ES384 P-384, etc., but this is...
This is an attempt at solving #931 through Yubico's proposed recovery extension, as proposed in https://github.com/Yubico/webauthn-recovery-extension . Formal proofs of the security of the key generation scheme are currently awaiting...
At the moment, Safari (using Touch ID/Face ID) and Windows Hello create discoverable credentials even if the RP does not require/prefer "resident key". This somewhat makes sense, since there is...
We have never allowed WebAuthn on non-TLS origins. HSTS adds another property of prohibiting user recourse to invalid certificates. We should be using the existing token binding mechanism, but...
Ought to change the "privacy ca" term in images/fido-attestation-structures.svg (lower left corner) to "anonymization CA" or "attestation CA".
We need to provide more specific guidance for RPs about how to configure the several options for `navigator.credentials.{create,get}` and, secondly, to provide a reverse mapping of options back to intents....
Unresolved discussions from https://github.com/w3c/webauthn/pull/1270#pullrequestreview-283764559 :

- https://github.com/w3c/webauthn/pull/1270#discussion_r320888115
  > @equalsJeffH: I'm thinking we ought to formalize the term "re-authentication" ("re-auth" for short -- see also issue #334) and use it instead...
We state things like "If...the authenticator is not capable of ...", or mention some-or-other authnr "capability", in several places in the spec but do not mention "these are the plausible...