[L3 CR] Horizontal Review: Wide Review

[timcappalli]

Communication

Draft communication (if you like to edit, just asks for permission)

Recipients (from the charter):

W3C Groups

Web Application Security Working Group
Coordination with Credential Management API and application security.
Web Applications Working Group
Coordination on API design.
Web Payments Working Group
To liaison over issues related to strong authentication for payments and tokenization.
Web Payments Security Interest Group
To liaison over issues related to strong authentication for payments and tokenization with FIDO, W3C and EMVCo.
Privacy Interest Group
Coordination on privacy implications.
Accessible Platform Architectures (APA) Working Group
Coordination to review accessibility requirements for APIs and for any direct user interfaces that may be specified.
WebAuthn Adoption Community Group
This group helps coordinate research and actions to help with broader adoption of the Web Authentication ecosystem.

External Organizations

IETF Security Area Directorate
The IETF Security Area Directorate consists of the Working Group Chairs of the Security Area and selected individuals chosen for their technical knowledge in security.
FIDO2 Technical Working Group
Coordination on Client to Authenticator Protocol

When we're ready, I can send it

[simoneonofri]

Hi all, I was preparing the communication for the wide review. What do you think?

The Web Authentication Working Group (WebAuthn WG) is happy to announce it has published a new draft of the Web Authentication: An API for accessing Public Key Credentials Level 3 for wide review.

Background

Web Authentication Level 3 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

In this Working Draft, there are some changes since Web Authentication Level 2:

Changes:

• Updated timeout guidance
• uvm extension no longer included
• aaguid in attested credential data is no longer zeroed when attestation preference is none

Deprecations:

• Registration parameter publicKey.rp.name
• Android SafetyNet Attestation Statement Format
• tokenBinding was changed to [RESERVED].

New features:

• New JSON (de)serialization methods
• Create operations in cross-origin iframes
• Conditional mediation for create
• Conditional mediation for get
• Availability of client capabilities
• New enum value hybrid
• PublicKeyCredential’s signal methods
• New client data attribute topOrigin
• User-agent Hints Enumeration
• Use Web Authentication across related origins
• Authenticator data flags BE and BS assigned
• Compound Attestation Statement Format
• Pseudo-random function extension

Your Comments

Public feedback is really important to us. Based on this feedback, the proposed success criteria could be changed. We want to hear from users, authors, tool developers, policymakers, and others about the benefits of the new proposed success criteria and how achievable you feel it is to conform to the new success criteria. The main place to comment is on Github, or you can send email to public-webauthn@w3.org (comment archive). The Working Group requests that comments be submitted by DD Mm 2025.

Schedule

Over the next couple of months, the WebAuthn WG will process the public’s input. If comments lead to enough changes, there could be another review draft. Then, the guidelines will go through finalization stages, described in the W3C Process. The Working Group hopes to publish the final version of Web Authentication Level 3 as a “W3C Recommendation” web standard in QQ 2025.

[timcappalli]

LGTM!

[MasterKale]

From WG F2F: FIDO raised no major issues, but we are open to the possibility of them sending comments in the future. IETF sent request for comments to the mailing list, so far no known comments have come from them. This issue can be closed out if no major concerns are raised by the end of April.

[nicksteele]

As co-chair of the FIDO2 TWG, we have no major concerns and I would expect any major comments from the members of the working group

[simoneonofri]

Pointers to the requests:

• IETF SecDir: https://mailarchive.ietf.org/arch/msg/saag/iMVJFpEjf0Rj4G2hK0jMcLJhGqU/
• FIDO: https://lists.w3.org/Archives/Team/w3t-archive/2025Apr/0097.html (Team only)