Web Authentication Working Draft rev 7 (WD-07) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20171205/
NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-07)
Please also note that this spec is a _Working DRAFT_ and will change, possibly in “breaking” ways.
WebAuthn WD-07 features many changes from the prior version. Here is a selected list (for details, see the diffs linked to below):
- Updated terminology to match and leverage the Credential Management spec.
- Matching recent changes to Credential Management, the WebAuthn API may be utilized from non-top-level documents if and only if it is same-origin with its ancestors.
- Updated [[Create]] and [[DiscoverFromExternalSource]] internal methods to match arguments with those supplied by Credential Management. Note: Credman PR w3c/webappsec-credential-management#100 is related and not completed at this time.
- Updated [[Create]] and [[DiscoverFromExternalSource]] underlying algorithms in various ways:
  - Explicitly facilitate roaming/external authenticator “hot-plugging” during registration and authentication operations.
  - Further refined RP ID handling.
  - Added a `type` field to CollectedClientData to avoid potential signature confusion issues.
  - Added abort signal processing.
  - Refined `requireResidentKey` handling.
  - Added the notion of an “effective user verification requirement for assertion”.
  - Added the notion of an RP-asserted “Attestation Conveyance Preference”.
  - Added the “user handle” notion. The “user handle” is “plumbed through” from the RP, to the authenticator, and back to the RP. This is useful for some RP use cases.
- Facilitate discovery of “Availability of User-Verifying Platform Authenticators”. This is useful for some RP use cases.
- Authenticator operations clarifications/polishing:
  - Added or refined various features to match those listed above, e.g., requiring a resident private key, user presence test, and user verification requirement.
  - Added detailed signature counter considerations.
  - Clarified attestation object generation.
- Refined relying party operations.
- Refined signing procedures for Packed Attestation Statement Format and FIDO U2F Attestation Statement Format.
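Two of the changes above are RP-side verification checks: the new `type` field in CollectedClientData (so a signature over assertion client data cannot be accepted as a registration, or vice versa) and the signature counter considerations. The following is an added illustration, not code from the spec or the working group; the sample client data, challenge and origin are constructed, and only the `type`, `challenge` and `origin` members are checked here.

```python
import base64
import json

# Constructed sample RP origin and challenge (not taken from the draft).
EXPECTED_ORIGIN = "https://rp.example"
CHALLENGE = b"constructed-challenge-32-bytes!!"  # 32 bytes, constructed for this example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_challenge: bytes, expected_origin: str) -> dict:
    """RP-side checks on CollectedClientData; raises ValueError on any mismatch.
    expected_type is "webauthn.create" for registration and "webauthn.get" for assertion,
    so client data signed for one ceremony is rejected when presented for the other."""
    c = json.loads(client_data_json.decode("utf-8"))
    if c.get("type") != expected_type:
        raise ValueError(f"type mismatch: got {c.get('type')!r}, want {expected_type!r}")
    if b64url_decode(c.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch")
    if c.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    return c


def check_sign_count(stored: int, received: int) -> int:
    """Signature counter check: once either value is nonzero, the counter in the new
    assertion must exceed the stored one; otherwise the authenticator may be cloned."""
    if (stored != 0 or received != 0) and received <= stored:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return received  # the RP stores this as the new counter value


# Constructed client data for an assertion (webauthn.get) ceremony.
ASSERTION_CLIENT_DATA = json.dumps(
    {"challenge": b64url(CHALLENGE), "origin": EXPECTED_ORIGIN, "type": "webauthn.get"}
).encode()


def demo() -> tuple:
    """Accepts the client data for an assertion, rejects it when replayed as a registration."""
    ok = verify_client_data(ASSERTION_CLIENT_DATA, "webauthn.get", CHALLENGE, EXPECTED_ORIGIN)
    try:
        verify_client_data(ASSERTION_CLIENT_DATA, "webauthn.create", CHALLENGE, EXPECTED_ORIGIN)
        rejected = False
    except ValueError:
        rejected = True
    return ok["type"], rejected
```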
Diffs of WebAuthn WD-07 from WD-06:
- W3C-style rendered HTML “inline” Diff
- Daisydiff-style rendered HTML “inline” Diff
- kdiff3-style PDF side-by-side text-only Diff