Archive for the ‘W3C’ Category

Tuesday, December 5th, 2017

Web Authentication Working Draft rev 7 (WD-07) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20171205/

NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-07)

Please also note that this spec is a _Working DRAFT_ and will change, possibly in “breaking” ways.

WebAuthn WD-07 features many changes from the prior version, here’s a selected list (for details, see the diffs linked-to below):

Updated terminology to match and leverage the Credential Management spec.
Matching recent changes to Credential Management, the WebAuthn API may be utilized from non-top-level documents if and only if it is same-origin with its ancestors.
Updated [[Create]] and [[DiscoverFromExternalSource]] internal methods to match arguments with those supplied by Credential Management. Note: Credman PR w3c/webappsec-credential-management#100 is related and not completed at this time.
Updated [[Create]] and [[DiscoverFromExternalSource]] underlying algorithms in various ways:
- Explicitly facilitate roaming/external authenticator “hot-plugging” during registration and authentication operations.
- Further refined RP ID handling.
- added a type field to CollectedClientData to avoid potential signature confusion issues.
- added abort signal processing.
- refined `requireResidentKey` handling.
- added notion of “effective user verification requirement for assertion“
- added notion of RP-asserted “Attestation Conveyance Preference“.
- added “user handle” notion. The “user handle” is “plumbed-through” from the RP, to the authenticator, and back to the RP. This is useful for some RP use cases.
- Facilitate discovery of “Availability of User-Verifying Platform Authenticators“. This is useful for some RP use cases.

authenticator operations clarifications/polishing:
- added or refined various features to match those listed above, e.g., requiring resident private key, user presence test, and user verification requirement.
- added detailed signature counter considerations.
Clarified attestation object generation.
Refined relying party operations.
Refined signing procedures for Packed Attestation Statement Format and FIDO U2F Attestation Statement Format.

Diffs of WebAuthn WD-07 from WD-06:

WD-07 Release Page at github

Average Rating: 5 out of 5 based on 168 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:Authentication, W3C, Web Security
Posted in Security, W3C, Web Security | No Comments »

Monday, March 7th, 2011

There’s been various fundamental issues with “HTTP cookies” for ages, e.g. technically and policy-wise (i.e. privacy). The two extant formal specifications of cookies, IETF RFCs 2109 and 2965, as well as the original informal and incomplete “Netscape cookie spec”, have not been implemented uniformly across browsers and servers. Thus how cookies are actually constructed, parsed, and used in practice has been essentially technical folklore. Anyone wanting to craft a new browser or some other application or tool that needs to consume or send cookie headers had to reverse engineer how the browsers were actually doing it as there wasn’t (until now) an accurate specification an implementer could use for reference. This has led to divergence on edge-cases for cookies within various browsers, servers, and other tools.

We’ve been working with browser, server, and web app folk in an IETF working group, “httpstate“, to rectify this, and the draft spec was recently approved for publication as an IETF RFC at the “Proposed Standard” maturity level. This spec differs from the prior specs in that it specifies how cookies are actually used on the Internet today. Anyone crafting a new client or server can implement the spec and have an interoperable implementation as a result.

This is great in that getting this finally explicitly documented will be a key underlying piece of moving “the Web“, and the wider Internet its built upon, on towards its next stage(s). Hopefully, browsers and servers can now converge their “cookie behaviors” 🙂

Our more detailed blog post (which includes some history) is here..

‘HTTP State Management Mechanism’ to Proposed Standard
http://www.thesecuritypractice.com/the_security_practice/2011/03/http-state-management-mechanism-to-proposed-standard.html

=JeffH sez check it out 🙂

Average Rating: 4.4 out of 5 based on 180 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in History, IETF, Internet, Protocols, Public Policy, Security, W3C, Web Security | No Comments »

Monday, March 7th, 2011

We have a blog post over at my work cohort’s blog, w.r.t. a recent preso we gave, here’s the link…

Web (In)Security: Remediation Efforts – Status and Outlook
http://www.thesecuritypractice.com/the_security_practice/2011/03/web-insecurity-remediation-efforts-status-and-outlook.html

Check it out 🙂

Average Rating: 4.9 out of 5 based on 174 user reviews.

[ | | | from fda approved pharmacy | ]

Posted in IETF, Security, W3C, Web Security | No Comments »

Archive for the ‘W3C’ Category

Pages

Archives

Categories