index.bs

<pre class='metadata'>
Title: Web Authentication: An API for accessing Scoped Credentials
Status: ED
Prepare for TR: true
TR: https://www.w3.org/TR/webauthn/
ED: https://w3c.github.io/webauthn/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160928/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160902/
Previous Version: https://www.w3.org/TR/2016/WD-webauthn-20160531/
Shortname: webauthn
Level:
Editor: Vijay Bharadwaj, w3cid 55440, Microsoft, vijay.bharadwaj@microsoft.com
Editor: Hubert Le Van Gong, w3cid 84817, PayPal, hlevangong@paypal.com
Editor: Dirk Balfanz, w3cid 47648, Google, balfanz@google.com
Editor: Alexei Czeskis, w3cid 87258, Google, aczeskis@google.com
Editor: Arnar Birgisson, w3cid 87332, Google, arnarb@google.com
Editor: Jeff Hodges, w3cid 43843, PayPal, Jeff.Hodges@paypal.com
Editor: Michael B. Jones, w3cid 38745, Microsoft, mbj@microsoft.com
Editor: Rolf Lindemann, w3cid 84447, Nok Nok Labs, rolf@noknok.com
Editor: J.C. Jones, w3cid 87240, Mozilla, jc@mozilla.com
group: webauthn
Issue Tracking: Github https://github.com/w3c/webauthn/issues
Text Macro: RP Relying Party
Text Macro: RPS Relying Parties
Text Macro: INFORMATIVE <em>This section is not normative.</em>
Text Macro: WAC WebAuthn Client
Ignored Vars: op, alg, type, algorithm
Abstract: This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped credentials
 by web applications, for the purpose of strongly authenticating users. Conceptually, one or more credentials, each scoped to a
 given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The
 user agent mediates access to scoped credentials in order to preserve user privacy. Authenticators are responsible for ensuring
 that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying
 parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators,
 including their signature and attestation functionality.
Boilerplate: omit conformance, omit feedback-header
Markup Shorthands: css off, markdown on
</pre>

<pre class="anchors">

<!-- spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/ -->
spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web
    type: dfn
        urlPrefix: browsers.html
            text: origin; url: concept-cross-origin
            text: opaque origin; url: opaque-origin; for:web
            text: tuple origin
            text: relaxing the same-origin restriction
    type: dfn
        urlPrefix: webappapis.html;
            text: current settings object; for:web; url:current-settings-object
            text: Navigator; for: interface; url:the-navigator-object

spec: WebCryptoAPI; urlPrefix: https://www.w3.org/TR/WebCryptoAPI/; for: web 
    type: dfn
        text: normalizing an algorithm; url: dfn-normalize-an-algorithm

</pre> <!-- class=anchors -->


# Introduction # {#intro}

[INFORMATIVE]

This specification defines an API enabling the creation and use of strong, attested, cryptographic <em><a>scoped
credentials</a></em> by web applications, for the purpose of strongly authenticating users. A <a>scoped credential</a> is
created and stored by an <em><a>authenticator</a></em> at the behest of a <em><a>[RP]</a></em>, subject to <em><a>user
consent</a></em>. Subsequently, the scoped credential can only be accessed by origins belonging to that [RP].
This scoping is enforced jointly by <em><a>conforming User Agents</a></em> and <em><a>authenticators</a></em>. 
Additionally, privacy across <a>[RPS]</a> is maintained; [RPS] are not able to detect any properties, or even
the existence, of credentials scoped to other [RPS].

[RPS] employ the <a>Web Authentication API</a> during two distinct, but related, <a>ceremonies</a> involving a user. The first
is <a>Registration</a>, where a <a>scoped credential</a> is created on an <a>authenticator</a>, and associated by a <a>[RP]</a>
with the present user's account (the account may already exist or may be created at this time). The second is
<a>Authentication</a>, where the <a>[RP]</a> is presented with a <em><a>WebAuthn Assertion</a></em> proving the presence and
consent of the user who registered the <a>scoped credential</a>. Functionally, the <a>Web Authentication API</a> comprises two
methods (along with associated data structures): <a>makeCredential()</a> and <a>getAssertion()</a>. The former is used during
<a>Registration</a> and the latter during <a>Authentication</a>.

Broadly, compliant <a>authenticators</a> protect <a>scoped credentials</a>, and
interact with user agents to implement the <a>Web Authentication API</a>. Some
authenticators may run on the same computing device (e.g., smart phone, tablet,
desktop PC) as the user agent is running on. For instance, such an authenticator
might consist of a Trusted Execution Environment (TEE) applet, a Trusted
Platform Module (TPM), or a Secure Element (SE) integrated into the computing
device in conjunction with some means for <a>user verification</a>, along with
appropriate platform software to mediate access to these components'
functionality. Other authenticators may operate autonomously from the computing
device running the user agent, and be accessed over a transport such as
Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field
Communications (NFC).


## Use Cases ## {#use-cases}

The below use case scenarios illustrate use of two very different types of <a>authenticators</a>, as well as outline further
scenarios. Additional scenarios, including sample code, are given later in [[#sample-scenarios]].

### Registration ### {#usecase-registration}

- On a phone:
    * User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
        (possibly a legacy method such as a password), or creates a new account.
    * The phone prompts, "Do you want to register this device with example.com?"
    * User agrees.
    * The phone prompts the user for a previously configured <a>authorization gesture</a> (PIN, biometric, etc.); the user
        provides this.
    * Website shows message, "Registration complete."


### Authentication ### {#usecase-authentication}

- On a laptop or desktop:
    * User navigates to example.com in a browser, sees an option to "Sign in with your phone."
    * User chooses this option and gets a message from the browser, "Please complete this action on your phone."

- Next, on their phone:
    * User sees a discrete prompt or notification, "Sign in to example.com."
    * User selects this prompt / notification.
    * User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
    * User picks an identity, is prompted for an <a>authorization gesture</a> (PIN, biometric, etc.) and provides this.

- Now, back on the laptop:
    * Web page shows that the selected user is signed-in, and navigates to the signed-in page.


### Other use cases and configurations ### {#other-configurations}

A variety of additional use cases and configurations are also possible, including (but not limited to):

- A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

- A user obtains an discrete, cross-platform authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the fob. 

- A [RP] prompts the user for their <a>authorization gesture</a> in order to authorize a single transaction, such as a payment 
    or other financial transaction.

# Conformance # {#conformance}

This specification defines criteria for a <a>Conforming User Agent</a>: A User Agent MUST behave as described in this
specification in order to be considered conformant. <a>Conforming User Agents</a> MAY implement algorithms given in this
specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the
specification's algorithms. A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this
specification, as described in the “Web IDL” specification. [[!WebIDL-1]]

This specification also defines a model of a conformant <a>authenticator</a> (see [[#authenticator-model]]). This is a set of
functional and security requirements for an authenticator to be usable by a <a>Conforming User Agent</a>. As described in
[[#use-cases]], an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware,
or a combination of both.


## Dependencies ## {#dependencies}

This specification relies on several other underlying specifications.

: HTML
:: The concepts of <a link-for='web'>current settings object</a>, <a link-for='web'>origin</a>, 
    <a link-for='web'>opaque origin</a>, <a>relaxing the same-origin restriction</a>, and the <a>Navigator</a> interface are
    defined in [[!HTML51]].

: Web IDL
:: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of
    the Web IDL standard adds support for <dfn>Promises</dfn>, which are now the preferred mechanism for asynchronous
    interaction in all new web APIs.

: DOM
:: <dfn>DOMException</dfn> and the DOMException values used in this specification are defined in [[!DOM4]].

: Web Cryptography API
:: The <dfn dictionary>AlgorithmIdentifier</dfn> type and the method for <a>normalizing an algorithm</a> are defined in
    [[WebCryptoAPI#algorithm-dictionary]].



: Base64url encoding
:: The term <dfn>Base64url Encoding</dfn> refers to the base64 encoding using the URL- and filename-safe character set defined
    in Section 5 of [[!RFC4648]], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
    inclusion of any line breaks, whitespace, or other additional characters. This is the same encoding as used by JSON Web
    Signature (JWS) [[RFC7515]].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[[!RFC2119]].


# Terminology # {#terminology}

: <dfn>ASCII case-insensitive match</dfn>
:: A method of testing two strings for equality by comparing them exactly, code point for code point, except that the codepoints
    in the range U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the corresponding codepoints in
    the range U+0061 .. U+007A (i.e. LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are also considered to match.

: <dfn>Assertion</dfn>
:: See <a>WebAuthn Assertion</a>.

: <dfn>Attestation</dfn>
:: Generally, a statement that serves to bear witness, confirm, or authenticate.
    In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits;
    including, for example: credential IDs, credential key pairs, signature counters, etc. <dfn>Attestation information</a> is 
    conveyed in <a>attestation statements</a>. 
    See also <a>attestation format</a>, and <a>attestation type</a>.

: <dfn>Attestation Certificate</dfn>
:: A X.509 Certificate for the <dfn>attestation key pair</dfn> used by an <a>Authenticator</a> to attest to its manufacture 
    and capabilities. At <a>registration</a> time, the <a>authenticator</a> uses the <dfn>attestation private key</dfn> to sign
    the <a>[RP]</a>-specific <a>credential public key</a> (and additional data) that it generates and returns via the
    <a>authenticatorMakeCredential</a> operation. [RPS] use the <dfn>attestation public key</dfn> conveyed in the <a>attestation
    certificate</a> to verify the attestation signature. Note that in the case of <a>self attestation</a>, the
    <a>authenticator</a> has no distinct <a>attestation key pair</a> nor <a>attestation certificate</a>, see <a>self
    attestation</a> for details.

: <dfn>Authentication</dfn>
:: The <a>ceremony</a> where a user, and the user's computing device(s) (containing at least one <a>authenticator</a>) work in
	concert to cryptographically prove to an <a>[RP]</a> that the user controls the private key associated with a
	previously-registered <a>scoped credential</a> (see <a>Registration</a>). Note that this includes employing <a>user
	verification</a>.

: <dfn>Authenticator</dfn>
:: A cryptographic device used by a <a>[WAC]</a> to (i) generate a <a>scoped credential</a> and register it with a <a>[RP]</a>,
	and (ii) subsequently used to cryptographically sign and return, in the form of an <a>WebAuthn Assertion</a>, a challenge
	and other data presented by a <a>[RP]</a> (in concert with the <a>[WAC]</a>) in order to effect authentication.

: <dfn>Authorization Gesture</dfn>
:: Essentially the same as <a>user verification</a>.

: <dfn>Ceremony</dfn>
:: The concept of a ceremony [[Ceremony]] is an extension of the concept of a network protocol, with human nodes alongside
	computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects
	that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, <a>Registration</a>,
	<a>Authentication</a>, and <a>user verification</a> are ceremonies.

: <dfn>Client</dfn>
:: See <a>Conforming User Agent</a>.

: <dfn>Conforming User Agent</dfn>
:: A user agent implementing, in conjunction with the underlying platform, the <a>Web Authentication API</a> and algorithms
	given in this specification, and handling communication between <a>Authenticators</a> and <a>[RPS]</a>.

: <dfn>Credential Public Key</dfn>
:: The public key portion of an <a>[RP]</a>-specific <dfn>credential key pair</dfn>, generated by an <a>authenticator</a> and 
    returned to an [RP] at <a>registration</a> time (see also <a>scoped credential</a>). The private key portion of the 
    <a>credential key pair</a> is known as the <dfn>credential private key</dfn>. Note that in the case of <a>self
    attestation</a>, the <a>credential key pair</a> is also used as the <a>attestation key pair</a>, see <a>self attestation</a>
    for details. 

: <dfn>Registration</dfn>
:: The <a>ceremony</a> where a user, a <a>[RP]</a>, and the user's computing device(s) (containing at least one
	<a>authenticator</a>) work in concert to create a <a>scoped credential</a> and associate it with the user's <a>[RP]</a>
	account. Note that this includes employing <a>user verification</a>.

: <dfn>[RP]</dfn>
:: The entity whose web application utilizes the <a>Web Authentication API</a> to register and authenticate users. See
    <a>Registration</a> and <a>Authentication</a>, respectively.

    Note: While the term [RP] is used in other contexts (e.g., X.509 and OAuth), an entity acting as a [RP] in one context is
        not necessarily a [RP] in other contexts.

: <dfn>Relying Party Identifier</dfn>
: <dfn>RP ID</dfn>
:: An identifier for the [RP] on whose behalf a given registration or authentication ceremony is being performed. Scoped
    credentials can only be used for authentication by the same entity (as identified by RP ID) that created and registered
    them. By default, the RP ID for a WebAuthn operation is set to the <a link-for='web'>current settings object</a>'s
    <a link-for='web'>origin</a>. This default can be overridden by the caller subject to certain restrictions, as specified in
    [[#makeCredential]] and [[#getAssertion]].

: <dfn>Scoped Credential</dfn>
:: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]].
	A WebAuthn <em><a>scoped credential</a></em> is a <code>{ identifier, type }</code> pair identifying authentication
	information established by the authenticator and the [RP], together, at <a>registration</a> time. The authentication
    information consists of an asymmetric key pair, where the public key portion is returned to the [RP], which stores it in
    conjunction with the present user's account. The authenticator maps the private key to the [RP]'s <a>RP ID</a> and stores
    it. Subsequently, only that [RP], as identified by its <a>RP ID</a>, is able to employ the <a>scoped credential</a> in
	<a>authentication</a> ceremonies, via the <a>getAssertion()</a> method. The [RP] uses its copy of the stored public key to
    verify the resultant <a>WebAuthn Assertion</a>.


: <dfn>User Consent</dfn>
:: User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
	<a>User verification</a> encompasses the means employed by the user to indicate consent.

: <dfn>User Verification</dfn>
:: The process by which an <a>authenticator</a> <em>locally authorizes</em> the invocation of the
	<a>authenticatorMakeCredential</a> and <a>authenticatorGetAssertion</a> operations, for example through a touch plus pin
	code, a password, a gesture (e.g., presenting a fingerprint), or other modality. Note that invocation of said operations
	implies use of key material managed by the authenticator.

: <dfn>WebAuthn Assertion</dfn>
:: The cryptographically signed {{WebAuthnAssertion}} object returned by an <a>authenticator</a> as the result of a
	<a>authenticatorGetAssertion</a> operation.

: <dfn>[WAC]</dfn>
:: See <a>Conforming User Agent</a>.




# <dfn>Web Authentication API</dfn> # {#api}

This section normatively specifies the API for creating and using scoped credentials. Support for deleting credentials is
deliberately omitted; this is expected to be done through platform-specific user interfaces rather than from a script. The basic
idea is that the credentials belong to the user and are managed by an authenticator, with which the [RP] interacts through the
client (consisting of the browser and underlying OS platform). Scripts can (with the user's consent) request the browser to
create a new credential for future use by the [RP]. Scripts can also request the user’s permission to perform authentication
operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser
and/or platform on the user's behalf. At no point does the script get access to the credentials themselves; it only gets
information about the credentials in the form of objects.

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against
a different origin, by incorporating the origin in its responses. Specifically, as defined in [[#signature-format]], the full
origin of the requester is included, and signed over, in the attestation statement produced when a new credential is created as
well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious [RPS] from probing for the presence of credentials belonging to
other [RPS], each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client
to the authenticator for all operations, and the authenticator ensures that credentials created by a [RP] can only be used in
operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases
where a single [RP] maintains multiple origins.

The client facilitates these security measures by providing correct origins and RP IDs to the authenticator for each
operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in
<dfn>secure contexts</dfn>, as defined in [[secure-contexts]].

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the [[#idl-index]]. The API is defined as a part of the <a>Navigator</a> interface:


<pre class="idl">
    partial interface Navigator {
        readonly attribute WebAuthentication authentication;
    };
</pre>


## <dfn interface>WebAuthentication</dfn> Interface ## {#iface-credential}

<pre class="idl">
    [SecureContext]
    interface WebAuthentication {
        Promise < ScopedCredentialInfo > makeCredential (
            Account                                 accountInformation,
            sequence < ScopedCredentialParameters > cryptoParameters,
            BufferSource                            attestationChallenge,
            optional ScopedCredentialOptions        options
        );

        Promise < WebAuthnAssertion > getAssertion (
            BufferSource               assertionChallenge,
            optional AssertionOptions  options
        );
    };
</pre>

This interface has two methods, which are described in the following subsections.


### Create a new credential (<dfn method for="WebAuthentication">makeCredential()</dfn> method) ### {#makeCredential}

With this method, a script can request the User Agent to create a new credential of a given type and persist it to the
underlying platform, which may involve data storage managed by the browser or the OS. The user agent will prompt the user to
approve this operation. On success, the promise will be resolved with a {{ScopedCredentialInfo}} object describing the newly
created credential.

This method takes the following parameters:

- The <dfn>accountInformation</dfn> parameter specifies information about the user account for which the credential is being
    created. This is meant for later use by the authenticator when it needs to prompt the user to select a credential. An
    authenticator is only required to store one credential for any given value of {{accountInformation}}. Specifically, if an
    authenticator already has a credential for the specified value of {{Account/id}} in {{accountInformation}}, and if this
    credential is not listed in the {{ScopedCredentialOptions/excludeList}} member of {{options}}, then after successful
    execution of this method:
    - Any calls to {{getAssertion()}} that do not specify {{AssertionOptions/allowList}} will not result in the older
        credential being offered to the user.
    - Any calls to {{getAssertion()}} that specify the older credential in the {{AssertionOptions/allowList}} may also not
        result in it being offered to the user.

- The <dfn>cryptoParameters</dfn> parameter supplies information about the desired properties of the credential to be created.
    The sequence is ordered from most preferred to least preferred. The platform makes a best effort to create the most
    preferred credential that it can.

- The <dfn>attestationChallenge</dfn> parameter contains a challenge intended to be used for generating the attestation
    statement of the newly created credential.

- The optional <dfn dfn-for="makeCredential()">options</dfn> parameter specifies additional options, as described in
    [[#credential-options]].

When this method is invoked, the user agent MUST execute the following algorithm:

1. If the {{ScopedCredentialOptions/timeoutSeconds}} member of {{options}} is <a>present</a>, check if its value lies 
    within a reasonable range as defined by
    the platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to this adjusted
    value. If {{ScopedCredentialOptions/timeoutSeconds}} was not specified, then set |adjustedTimeout| to a platform-specific
    default.

2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds.
    Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the
    ones enumerated below, cancel the timer, reject |promise| with a DOMException whose name is "UnknownError", and terminate
    this algorithm.

3. Set |callerOrigin| to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| is 
    an <a link-for='web'>opaque origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and
    terminate this algorithm. Otherwise,
    - If the {{ScopedCredentialOptions/rpId}} member of {{options}} is not <a>present</a>, then set |rpId| to |callerOrigin|, 
        and |rpIdHash| to the SHA-256 hash of |rpId|.
    - If the {{ScopedCredentialOptions/rpId}} member of {{options}} is <a>present</a>, then invoke the procedure used for 
        <a>relaxing the same-origin
        restriction</a> by setting the `document.domain` attribute, using {{ScopedCredentialOptions/rpId}} as the given value
        but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as
        computed by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a
        <a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.

4. Process each element of {{cryptoParameters}} using the following steps, to produce a new sequence |normalizedParameters|.
    - Let |current| be the currently selected element of {{cryptoParameters}}.
    - If `current.type` does not contain a {{ScopedCredentialType}} supported by this implementation, then stop processing
        |current| and move on to the next element in {{cryptoParameters}}.
    - Let |normalizedAlgorithm| be the result of <a>normalizing an algorithm</a> [[!WebCryptoAPI]], 
        with |alg| set to `current.algorithm` and |op| set to 'generateKey'. If an error occurs during this
        procedure, then stop processing |current| and move on to the next element in {{cryptoParameters}}.
    - Add a new object of type {{ScopedCredentialParameters}} to |normalizedParameters|, with |type| set to `current.type` and
        |algorithm| set to |normalizedAlgorithm|.

5. If |normalizedAlgorithm| is empty and {{cryptoParameters}} was not empty, cancel the timer started in step 2, reject
    |promise| with a DOMException whose name is "NotSupportedError", and terminate this algorithm.

6. If the {{ScopedCredentialOptions/extensions}} member of {{options}} is <a>present</a>, process any extensions supported by
    this client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered
    while processing an extension, skip that extension and do not produce any extension data for it. Call the result of this
    processing |clientExtensions|.

7. Use {{attestationChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if
    any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and
    compute the <a>clientDataJSON</a> and <a>clientDataHash</a>.

8. Initialize |issuedRequests| to an empty list.

9. For each authenticator currently available on this platform: asynchronously invoke the <a>authenticatorMakeCredential</a>
    operation on that authenticator with |rpIdHash|, <a>clientDataHash</a>, {{accountInformation}}, |normalizedParameters|,
    {{ScopedCredentialOptions/excludeList}} and |clientExtensions| as parameters. Add a corresponding entry to |issuedRequests|.
    - For each credential C in the {{ScopedCredentialOptions/excludeList}} member of {{options}} that has a non-empty
    |transports| list, optionally use only the specified transports to test for the existence of C.

10. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses
    from the authenticators:
    - If the |adjustedTimeout| timer expires, then for each entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
        operation on that authenticator and remove its entry from the list.
    - If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator's
        entry from |issuedRequests|. For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
        operation on that authenticator and remove its entry from the list.
    - If any authenticator returns an error status, delete the corresponding entry from |issuedRequests|.
    - If any authenticator indicates success:
        - Remove this authenticator's entry from |issuedRequests|.
        - Create a new {{ScopedCredentialInfo}} object named |value| and populate its fields with the values returned from the
            authenticator as well as the <a>clientDataJSON</a> computed earlier.
        - For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a> operation on that authenticator and
            remove its entry from the list.
        - Resolve |promise| with |value| and terminate this algorithm.

11. Reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator.


### Use an existing credential (<dfn method for="WebAuthentication">getAssertion()</dfn> method) ### {#getAssertion}

This method is used to discover and use an existing scoped credential, with the user's consent. The script optionally specifies
some criteria to indicate what credentials are acceptable to it. The user agent and/or platform locates credentials matching the
specified criteria, and guides the user to pick one that the script should be allowed to use. The user may choose not to provide
a credential even if one is present, for example to maintain privacy.

This method takes the following parameters:

- The <dfn>assertionChallenge</dfn> parameter contains a challenge that the selected authenticator is expected to sign to
    produce the assertion.

- The optional <dfn dfn-for="getAssertion()">options</dfn> parameter specifies additional options, as described in
    [[#assertion-options]].

When this method is invoked, the user agent MUST execute the following algorithm:

1. If {{AssertionOptions/timeoutSeconds}} was specified, check if its value lies within a reasonable range as defined by the
    platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to this adjusted value.
    If {{AssertionOptions/timeoutSeconds}} was not specified, then set |adjustedTimeout| to a platform-specific default.

2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds.
    Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the
    ones enumerated below, cancel the timer, reject |promise| with a DOMException whose name is "UnknownError", and terminate
    this algorithm.

3. Set |callerOrigin| to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| is 
    an <a link-for='web'>opaque origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and
    terminate this algorithm. Otherwise,
    - If {{AssertionOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256
        hash of |rpId|.
    - If {{AssertionOptions/rpId}} is specified, then invoke the procedure used for <a>relaxing the same-origin restriction</a>
        by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given value but without changing the
        current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as computed by this procedure,
        and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a <a>DOMException</a> whose name is
        "SecurityError", and terminate this algorithm.

4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
    extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip
    that extension and do not produce any extension data for it. Call the result of this processing |clientExtensions|.

5. Use {{assertionChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if
    any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and
    compute the <a>clientDataJSON</a> and <a>clientDataHash</a>.

6. Initialize |issuedRequests| to an empty list.

7. For each authenticator currently available on this platform, perform the following steps:
    - If {{AssertionOptions/allowList}} is empty, let |credentialList| be an empty list. Otherwise, execute a
        platform-specific procedure to determine which, if any, credentials listed in {{AssertionOptions/allowList}} might be
        present on this authenticator, and set |credentialList| to this filtered list. If no such filtering is possible, set
        |credentialList| to an empty list.
    - For each credential C within the |credentialList| that has a non-empty |transports| list, optionally use only the
        specified transports to get assertions using credential C.
    - If the above filtering process concludes that none of the credentials on {{AssertionOptions/allowList}} can possibly be on this
        authenticator, do not perform any of the following steps for this authenticator, and proceed to the next authenticator
        (if any).
    - Asynchronously invoke the <a>authenticatorGetAssertion</a> operation on this authenticator with |rpIdHash|,
        <a>clientDataHash</a>, |credentialList|, and |clientExtensions| as parameters.
    - Add an entry to |issuedRequests|, corresponding to this request.

8. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses
    from the authenticators:
    - If the timer for |adjustedTimeout| expires, then for each entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
        operation on that authenticator and remove its entry from the list.
    - If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator's entry
        from |issuedRequests|. For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a> operation on
        that authenticator, and remove its entry from the list.
    - If any authenticator returns an error status, delete the corresponding entry from |issuedRequests|.
    - If any authenticator returns success:
        - Remove this authenticator's entry from |issuedRequests|.
        - Create a new {{WebAuthnAssertion}} object named |value| and populate its fields with the values returned from the
            authenticator as well as the <a>clientDataJSON</a> computed earlier.
        - For each remaining entry in |issuedRequests| invoke the <a>authenticatorCancel</a> operation on that authenticator and
            remove its entry from the list.
        - Resolve |promise| with |value| and terminate this algorithm.

9. Reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator with which to complete the operation.


## Information about Scoped Credential (interface <dfn interface>ScopedCredentialInfo</dfn>) ## {#iface-credentialInfo}

<pre class="idl">
    [SecureContext]
    interface ScopedCredentialInfo {
        readonly attribute ScopedCredential     credential;
        readonly attribute WebAuthnAttestation  attestation;
    };
</pre>

<div dfn-for="ScopedCredentialInfo">
    This interface represents a newly-created scoped credential. It contains information about the credential that can be used
    to locate it later for use, and also contains metadata that can be used by the <a>[RP]</a> to assess the strength of the
    credential during registration.

    The <dfn>credential</dfn> attribute contains an object whose attributes state the type of, and identifier for, the 
    credential represented by {{ScopedCredentialInfo}}.

    The <dfn>attestation</dfn> attribute contains an attestation statement returned by the authenticator. This provides
    information about the credential and the authenticator it is held in, such as the <a>credential public key</a> and the level
    of security assurance provided by the authenticator.
</div>


## User Account Information (dictionary <dfn dictionary>Account</dfn>) ## {#iface-account}

<pre class="idl">
    dictionary Account {
        required DOMString rpDisplayName;
        required DOMString displayName;
        required DOMString id;
        DOMString          name;
        DOMString          imageURL;
    };
</pre>

<div dfn-for="Account">
    This dictionary is used by the caller to specify information about the user account and <a>[RP]</a> with which a credential
    is to be associated. It is intended to help the authenticator in providing a friendly credential selection interface for the
    user.

    The <dfn>rpDisplayName</dfn> member contains the friendly name of the [RP], such as "Acme Corporation", "Widgets Inc" or
    "Awesome Site".

    The <dfn>displayName</dfn> member contains the friendly name associated with the user account by the [RP], such as "John P.
    Smith".

    The <dfn>id</dfn> member contains an identifier for the account, specified by the [RP]. This is not meant to be displayed
    to the user. It is used by the [RP] to control the number of credentials - an authenticator will never contain more than one
    credential for a given [RP] under the same {{Account/id}}.

    The <dfn>name</dfn> member contains a detailed name for the account, such as "john.p.smith@example.com".

    The <dfn>imageURL</dfn> member contains a URL that resolves to the user's account image. This may be a URL that can be used
    to retrieve an image containing the user's current avatar, or a data URI that contains the image data.
</div>


## Parameters for Credential Generation (dictionary <dfn dictionary>ScopedCredentialParameters</dfn>) ## {#credential-params}

<pre class="idl">
    dictionary ScopedCredentialParameters {
        required ScopedCredentialType  type;
        required AlgorithmIdentifier   algorithm;
    };
</pre>

<div dfn-for="ScopedCredentialParameters">
    This dictionary is used to supply additional parameters when creating a new credential.

    The <dfn>type</dfn> member specifies the type of credential to be created.

    The <dfn>algorithm</dfn> member specifies the cryptographic signature algorithm with which the newly generated credential
    will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
</div>


## Additional options for Credential Generation (dictionary <dfn dictionary>ScopedCredentialOptions</dfn>) ## {#credential-options}

<pre class="idl">
    dictionary ScopedCredentialOptions {
        unsigned long                           timeoutSeconds;
        USVString                               rpId;
        sequence < ScopedCredentialDescriptor > excludeList = [];
        WebAuthnExtensions                      extensions;
    };
</pre>


<div dfn-for="ScopedCredentialOptions">
    This dictionary is used to supply additional options when creating a new credential. All these parameters are optional.

    - The <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the call to
        complete. This is treated as a hint, and may be overridden by the platform.

    - The <dfn>rpId</dfn> parameter explicitly specifies the RP ID that the credential should be associated with. If it is
        omitted, the RP ID will be set to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>.

    - The <dfn>excludeList</dfn> parameter is intended for use by <a>[RPS]</a> that wish to limit the creation of multiple
        credentials for the same account on a single authenticator. The platform is requested to return an error if the new
        credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.

    - The <dfn>extensions</dfn> parameter contains additional parameters requesting additional processing by the client and
        authenticator. For example, the caller may request that only authenticators with certain capabilities be used to create
        the credential, or that additional information be returned in the attestation statement. Alternatively, the caller may
        specify an additional message that they would like the authenticator to display to the user. Extensions are defined in
        [[#extensions]].
</div>


## Web Authentication Assertion (interface <dfn interface>WebAuthnAssertion</dfn>) ## {#iface-assertion}

<pre class="idl">
    [SecureContext]
    interface WebAuthnAssertion {
        readonly attribute ScopedCredential  credential;
        readonly attribute ArrayBuffer       clientData;
        readonly attribute ArrayBuffer       authenticatorData;
        readonly attribute ArrayBuffer       signature;
    };
</pre>

Scoped credentials produce a cryptographic signature that provides proof of possession of a private key as well as evidence of
user consent to a specific transaction. The structure of these signatures is defined as follows.

<div dfn-for="WebAuthnAssertion">
    The <dfn>credential</dfn> member represents the credential that was used to generate this assertion.

    The <dfn>clientData</dfn> member contains the parameters sent to the authenticator by the client, in serialized form. See
    [[#sec-client-data]] for the format of this parameter and how it is generated.

    The <b><em>authenticatorData</em></b> member contains the serialized data returned by the authenticator. See
    [[#sec-authenticator-data]].

    The <dfn>signature</dfn> member contains the raw signature returned from the authenticator. See
    [[#authenticator-signature]].
</div>


## Additional options for Assertion Generation (dictionary <dfn dictionary>AssertionOptions</dfn>) ## {#assertion-options}

<pre class="idl">
    dictionary AssertionOptions {
        unsigned long                           timeoutSeconds;
        USVString                               rpId;
        sequence < ScopedCredentialDescriptor > allowList = [];
        WebAuthnExtensions                      extensions;
    };
</pre>

<div dfn-for="AssertionOptions">
    This dictionary is used to supply additional options when generating an assertion. All these parameters are optional.

    - The optional <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the
        call to complete. This is treated as a hint, and may be overridden by the platform.

    - The optional <dfn>rpId</dfn> parameter specifies the rpId claimed by the caller. If it is omitted, it will be assumed to
        be equal to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>.

    - The optional <dfn>allowList</dfn> member contains a list of credentials acceptable to the caller, in order of the caller's
        preference.

    - The optional <dfn>extensions</dfn> parameter contains additional parameters requesting additional processing by the client
        and authenticator. For example, if transaction confirmation is sought from the user, then the prompt string would be
        included in an extension. Extensions are defined in a companion specification.
</div>


## WebAuthn Assertion Extensions (dictionary <dfn dictionary>WebAuthnExtensions</dfn>) ## {#iface-assertion-extensions}

<pre class="idl">
    dictionary WebAuthnExtensions {
    };
</pre>

This is a dictionary containing zero or more extensions as defined in [[#extensions]]. An extension is an additional parameter
that can be passed to the <a>getAssertion()</a> method and triggers some additional processing by the client platform and/or the
authenticator.

If the caller wishes to pass extensions to the platform, it MUST do so by adding one entry per extension to this dictionary
with the extension identifier as the key, and the extension's value as the value (see [[#extensions]] for details).


## Credential Attestation Structure (interface <dfn interface>WebAuthnAttestation</dfn>) ## {#iface-attestation}

<pre class="idl">
    [SecureContext]
    interface WebAuthnAttestation {
        readonly    attribute USVString     format;
        readonly    attribute ArrayBuffer   clientData;
        readonly    attribute ArrayBuffer   authenticatorData;
        readonly    attribute any           attestation;
    };
</pre>

Authenticators must also provide some form of attestation. The basic requirement is that the authenticator can produce, for each
<a>credential public key</a>, attestation information that can be verified by a <a>[RP]</a>. Typically, this information
contains a signature by an attestation private key over the attested <a>credential public key</a> and a challenge, as well as a
certificate or similar information providing provenance information for the <a>attestation public key</a>, enabling a trust
decision to be made. However, if an <a>attestation key pair</a> is not available, then the authenticator MUST perform <a>self
attestation</a> of the <a>credential public key</a> with the corresponding <a>credential private key</a>.

<div dfn-for="WebAuthnAttestation">
    The <dfn>format</dfn> member specifies the format of attestation statement contained in this structure. Attestation formats
    are defined in [[#attestation-formats]]. This specification supports a number of attestation formats, in
    [[#defined-attestation-formats]]. Other attestation formats may be defined in later versions of this specification.

    The <dfn>clientData</dfn> member contains the <a>clientDataJSON</a> (see [[#signature-format]]). The exact JSON encoding
    must be preserved as the hash (<a>clientDataHash</a>) has been computed over it.

    The <b><em>authenticatorData</em></b> member contains the serialized data returned by the authenticator. See
    [[#sec-authenticator-data]].

    The <dfn>attestation</dfn> element contains the actual <dfn>attestation statement</dfn>. The structure of this object
    depends on the <a>attestation format</a>. For more details, see [[#cred-attestation-stmts]].
</div>

This attestation structure is delivered to the <a>[RP]</a> by the [RP]'s script running on the client, using methods outside
the scope of this specification. It contains all the information that the [RP]'s server requires to validate the statement, as
well as to decode and validate the bindings of both the client and authenticator data.


## Supporting Data Structures ## {#supporting-data-structures}

The scoped credential type uses certain data structures that are specified in supporting specifications. These are as follows.


### Client data used in WebAuthn signatures (dictionary <dfn dictionary>ClientData</dfn>) ### {#sec-client-data}

The client data represents the contextual bindings of both the [RP] and the client platform. It is a key-value mapping with
string-valued keys. Values may be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.

<pre class="idl">
    dictionary ClientData {
        required DOMString           challenge;
        required DOMString           origin;
        required AlgorithmIdentifier hashAlg;
        DOMString                    tokenBinding;
        WebAuthnExtensions           extensions;
    };
</pre>

<div dfn-for="ClientData">
    The <dfn>challenge</dfn> member contains the base64url encoding of the challenge provided by the RP.

    The <dfn for="ClientData">origin</dfn> member contains the fully qualified origin of the requester, as provided to the authenticator by
    the client, in the syntax defined by [[RFC6454]].

    The <dfn>hashAlg</dfn> member specifies the hash algorithm used to compute <a>clientDataHash</a> (see
    [[#authenticator-signature]]). Use "S256" for SHA-256, "S384" for SHA384, "S512" for SHA512, and "SM3" for SM3 (see
    [[#iana-considerations]]). This algorithm is chosen by the client at its sole discretion.

    The <dfn>tokenBinding</dfn> member contains the base64url encoding of the Token Binding ID that this client uses for the
    Token Binding protocol when communicating with the [RP]. This can be omitted if no Token Binding has been negotiated between
    the client and the [RP].

    The optional <dfn>extensions</dfn> member contains additional parameters generated by processing the extensions passed in
    by the [RP]. WebAuthn extensions are detailed in Section [[#extensions]].
</div>

This structure is used by the client to compute the following quantities:

: <dfn>clientDataJSON</dfn>
:: This is the UTF-8 encoded JSON serialization [[RFC7159]] of a {{ClientData}} dictionary.

: <dfn>clientDataHash</dfn>
:: This is the hash (computed using <a>hashAlg</a>) of <a>clientDataJSON</a>.


### Credential Type enumeration (enum <dfn enum>ScopedCredentialType</dfn>) ### {#credentialType}

<pre class="idl">
    enum ScopedCredentialType {
        "ScopedCred"
    };
</pre>

<div dfn-for="ScopedCredentialType">
    This enumeration defines the valid credential types. It is an extension point; values may be added to it in the future, as
    more credential types are defined. The values of this enumeration are used for versioning the WebAuthn assertion and
    attestation structures according to the type of the authenticator.

    Currently one credential type is defined, namely "<dfn>ScopedCred</dfn>".
</div>


### Unique Identifier for Credential (interface <dfn interface>ScopedCredential</dfn>) ### {#credential-identifier}

<pre class="idl">
    [SecureContext]
    interface ScopedCredential {
        readonly attribute ScopedCredentialType type;
        readonly attribute ArrayBuffer          id;
    };
</pre>

This interface contains the attributes that are returned to the caller when a new credential is created, and can be used later
by the caller to select a credential for use.

<div dfn-for="ScopedCredential">
    The <dfn>type</dfn> attribute contains a value of type {{ScopedCredentialType}}, indicating the specification and version
    that this credential conforms to.

    The <dfn>id</dfn> attribute contains an identifier for the credential, chosen by the platform with help from the
    authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique with
    high probability across all credentials of the same type, across all authenticators. This API does not constrain the format
    or length of this identifier, except that it must be sufficient for the platform to uniquely select a key. For example, an
    authenticator without on-board storage may create identifiers that consist of the key material wrapped with a key that is
    burned into the authenticator.
</div>


### Credential Descriptor (dictionary <dfn dictionary>ScopedCredentialDescriptor</dfn>) ### {#credential-dictionary}

<pre class="idl">
    dictionary ScopedCredentialDescriptor {
        required ScopedCredentialType type;
        required BufferSource   id;
        sequence < Transport >  transports;
    };
</pre>

This dictionary contains the attributes that are specified by a caller when referring to a credential as an input parameter to
the {{makeCredential()}} or {{getAssertion()}} method. It mirrors the fields of the {{ScopedCredential}} object returned by
these methods.

<div dfn-for="ScopedCredentialDescriptor">
    The <dfn>type</dfn> attribute contains the type of the credential the caller is referring to.

    The <dfn>id</dfn> attribute contains the identifier of the credential that the caller is referring to.
</div>


### Credential Transport enumeration (enum <dfn enum>ExternalTransport</dfn>) ### {#transport}

<pre class="idl">
    enum Transport {
        "usb",
        "nfc",
        "ble"
    };
</pre>

<div dfn-for="Transport">
    Authenticators may communicate with Clients using a variety of transports.
    This enumeration defines a hint as to how Clients might communicate with a
    particular Authenticator in order to obtain an assertion for a specific
    credential.  Note that these hints represent the [RP]'s best belief as to
    how an Authenticator may be reached.  A [RP] may obtain a list of
    transports hints from some attestation formats or via some out-of-band
    mechanism; it is outside the scope of this specification to define that
    mechanism.

    <ul>
        <li><dfn>usb</dfn> - the respective Authenticator may be contacted over
            USB.
        <li><dfn>nfc</dfn> - the respective Authenticator may be contacted over
            Near Field Communication (NFC).
        <li><dfn>ble</dfn> - the respective Authenticator may be contacted over
            Bluetooth Smart (Bluetooth Low Energy / BLE).
    </ul>
</div>


### Cryptographic Algorithm Identifier (type {{AlgorithmIdentifier}}) ### {#alg-identifier}

A string or dictionary identifying a cryptographic algorithm and optionally a set of parameters for that algorithm. This type is
defined in [[!WebCryptoAPI]].


# WebAuthn Authenticator model # {#authenticator-model}

The API defined in this specification implies a specific abstract functional model for an <a>authenticator</a>. This section
describes the authenticator model. Client platforms may implement and expose this abstract model in any way desired. For
instance, this abstract model does not define specific error codes or methods of returning them; however, it does define error
behavior in terms of the needs of the client. Therefore, specific error codes are mentioned as a means of showing which error
conditions must be distinguishable (or not) from each other in order to enable a compliant and secure client implementation.
The overall requirement is that the behavior of the client's Web Authentication API implementation, when operating on the
authenticators supported by that platform, MUST be indistinguishable from the behavior specified in [[#api]].

In this abstract model, each authenticator stores some number of scoped credentials. Each scoped credential has an identifier
which is unique (or extremely unlikely to be duplicated) among all scoped credentials. Each credential is also associated with a
<a>[RP]</a>, whose identity is represented by a <a>Relying Party Identifier</a> (<a>RP ID</a>).

Each authenticator has an AAGUID, which is a 128-bit identifier that indicates the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
made by that manufacturer, and different (with probability 1-2<sup>-128</sup> or greater) from the AAGUIDs of all other types of
authenticators. The RP MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and
strength of key protection, using information from other sources.


## Authenticator operations ## {#authenticator-ops}

A client must connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one
session to exist at any particular time, or by providing more complicated session management.

The following operations can be invoked by the client in an authenticator session.


### The <dfn>authenticatorMakeCredential</dfn> operation ### {#op-make-cred}

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The SHA-256 hash of the caller's RP ID, as determined by the user agent and the client.
- The <a>clientDataHash</a>, which is the hash of the serialized {{ClientData}} and is provided by the client.
- The {{Account}} information provided by the [RP].
- The {{ScopedCredentialType}} and cryptographic parameters requested by the [RP], with the cryptographic algorithms normalized
    as per the procedure in [[WebCryptoAPI#algorithm-normalization-normalize-an-algorithm]].
- A list of {{ScopedCredential}} objects provided by the [RP] with the intention that, if any of these are known to the
    authenticator, it should not create a new credential.
- Extension data created by the client based on the extensions requested by the [RP].

When this operation is invoked, the authenticator must perform the following procedure:
- Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
    equivalent to UnknownError and terminate the operation.
-  Check if at least one of the specified combinations of {{ScopedCredentialType}} and cryptographic parameters is supported. If
    not, return an error code equivalent to NotSupportedError and terminate the operation.
- Check if a credential matching any of the supplied {{ScopedCredential}} identifiers is present on this authenticator. If so,
    return an error code equivalent to NotAllowedError and terminate the operation.
- Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
    if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
    equivalent to NotAllowedError and terminate the operation.
- Once user consent has been obtained, generate a new credential object:
    - Generate a set of cryptographic keys using the most preferred combination of {{ScopedCredentialType}} and cryptographic
        parameters supported by this authenticator.
    - Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
        credentials with the same type across all authenticators.
    - Associate the credential with the specified RP ID hash and the user's account identifier {{Account/id}}.
    - Delete any older credentials with the same RP ID hash and {{Account/id}} that are stored locally in the authenticator.
- If any error occurred while creating the new credential object, return an error code equivalent to UnknownError and terminate
    the operation.
- Process all the supported extensions requested by the client, and generate an attestation statement. If no authority key is
	available to sign such an attestation statement, then the authenticator performs <a>self attestation</a> of the credential
	with its own private key. For more details on attestation, see [[#cred-attestation-stmts]].

On successful completion of this operation, the authenticator must return the following to the client:
- The type and unique identifier of the new credential.
- The new <a>credential public key</a>.
- The fields of the attestation structure {{WebAuthnAttestation}}, including information about the attestation format used.


### The <dfn>authenticatorGetAssertion</dfn> operation ### {#op-get-assertion}

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The SHA-256 hash of the caller's RP ID, as determined by the user agent and the client.
- The <a>clientDataHash</a>, which is the hash of the serialized {{ClientData}} and is provided by the client.
- A list of credentials acceptable to the [RP] (possibly filtered by the client).
- Extension data created by the client based on the extensions requested by the [RP].

When this method is invoked, the authenticator must perform the following procedure:
- Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
    equivalent to UnknownError and terminate the operation.
- If a list of credentials was supplied by the client, filter it by removing those credentials that are not present on this
    authenticator. If no list was supplied, create a list with all credentials stored for the caller's RP ID (as determined by
    an exact match of the RP ID hash).
- If the previous step resulted in an empty list, return an error code equivalent to NotAllowedError and terminate the
    operation.
- Prompt the user to select a credential from among the above list. Obtain user consent for using this credential. The prompt
    for obtaining this consent may be shown by the authenticator if it has its own output capability, or by the user agent
    otherwise.
- Process all the supported extensions requested by the client, then generate a cryptographic signature using the private key of
    the selected credential (as specified in [[#signature-format]]), and use it to construct an assertion.
- If any error occurred while generating the assertion, return an error code equivalent to UnknownError and terminate the
    operation.

On successful completion, the authenticator must return to the user agent:
- The identifier of the credential used to generate the signature.
- The <a>authenticatorData</a> used to generate the signature.
- The signature itself.

If the authenticator cannot find any credential corresponding to the specified [RP] that matches the specified criteria, it
terminates the operation and returns an error.

If the user refuses consent, the authenticator returns an appropriate error status to the client.


### The <dfn>authenticatorCancel</dfn> operation ### {#op-cancel}

This operation takes no input parameters and returns no result.

When this operation is invoked by the client in an authenticator session, it has the effect of terminating any
<a>authenticatorMakeCredential</a> or <a>authenticatorGetAssertion</a> operation currently in progress in that authenticator
session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
client ignores any further responses from the authenticator for the canceled operation.

This operation is ignored if it is invoked in an authenticator session which does not have an <a>authenticatorMakeCredential</a>
or <a>authenticatorGetAssertion</a> operation currently in progress.


## Signature Format ## {#signature-format}

WebAuthn signatures are bound to various contextual data. These data are observed, and added at different levels of the stack as
a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings
against expected values.

The components of a system using WebAuthn can be divided into three layers:

1. The <a>[RP]</a> (RP), which uses the WebAuthn services. The RP consists of a server component and a web-application running
    in a browser.

2. The <a>WebAuthn Client</a> platform, which consists of the User Agent and the OS and device on which it executes.

3. The <a>Authenticator</a> itself, which provides key management and cryptographic signatures. This may be embedded in the
    WebAuthn client, or housed in a separate device entirely. In the latter case, the interface between the WebAuthn client and
    the authenticator is a separately-defined protocol. The authenticator may itself contain a cryptographic module which
    operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators
    that are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM)
    could be considered more trustworthy than the rest of the authenticator.

This specification defines the common signature format shared by all the above layers. This includes how the different
contextual bindings are encoded, signed over, and delivered to the RP.

The goals of this design can be summarized as follows.

- The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator
    is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.

- The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
    should not have to parse high-level encodings such as JSON.

- Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.

- The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.

The contextual bindings are divided in two: Those added by the RP or the client platform, referred to as client data; and those
added by the authenticator, referred to as the authenticator data. The client data must be signed over, but an authenticator is
otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client
platform hashes the {{ClientData}} and sends only the result to the authenticator. The authenticator signs over the combination
of this <a>clientDataHash</a>, and its own authenticator data.


### Authenticator data ### {#sec-authenticator-data}

The <dfn>authenticator data</dfn>, <dfn>authenticatorData</dfn>, encodes contextual bindings made by the <a>authenticator</a>
itself. These bindings are controlled by the authenticator itself, and derive their trust from the [RP]'s assessment of the
security of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no
more trustworthy than the {{ClientData}}. At the other extreme, the authenticator may be a discrete entity with high-security
hardware and software, connected to the client over a secure channel. In both cases, the [RP] receives the authenticator data in
the same format, and uses its knowledge of the authenticator to make trust decisions.

The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited
capabilities and low power requirements, with much simpler software stacks than the client platform components.

The encoding of authenticator data is a byte array of 37 bytes or more, as follows.

<table class="complex data longlastcol">
    <tr>
        <th>Length (in bytes)</th>
        <th>Description</th>
    </tr>
    <tr>
        <td>32</td>
        <td>
            SHA-256 hash of the RP ID associated with the credential.
        </td>
    </tr>
    <tr>
        <td>1</td>
        <td>
            Flags (bit 0 is the least significant bit):
            - Bit 0: Test of User Presence (`TUP`) result.
            - Bits 1-5: Reserved for future use (`RFU`).
            - Bit 6: Attestation data included (`AT`). Indicates whether the authenticator added attestation data.
            - Bit 7: Extension data included (`ED`). Indicates if the authenticator data has extensions.
        </td>
    </tr>
    <tr>
        <td>4</td>
        <td>Signature counter (`signCount`), 32-bit unsigned big-endian integer.</td>
    </tr>
    <tr>
        <td>variable (if present)</td>
        <td>
            Attestation data (if present). See [[#generating-an-attestation-statement]] for details. Its length n depends on the
            length of the <a>credential public key</a> and credential ID being attested.
        </td>
    </tr>
    <tr>
        <td>variable (if present)</td>
        <td>
            Extension-defined authenticator data. This is a CBOR [[RFC7049]] map with extension identifiers as keys, and
            extension authenticator data values as values. See [[#extensions]] for details.
        </td>
    </tr>
</table>

The RP ID hash is originally received from the client when the credential is created, and again when an assertion is generated.
However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a credential does
not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated by the
authenticator during the <a>authenticatorGetAssertion</a> operation, by making sure that the RP ID hash associated with the
requested credential exactly matches the RP ID hash supplied by the client. These differences also explain why the RP ID hash is
always a SHA-256 hash instead of being crypto-agile like the <a>clientDataHash</a>; for a given RP ID, we need the hash to be
computed the same way by all clients for all operations so that authenticators can roam among clients without losing
interoperability.

The `TUP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The
`RFU` bits in the flags byte SHALL be set to zero.

For attestation signatures, the authenticator MUST set the AT flag and include the attestation data. For authentication
signatures, the AT flag MUST NOT be set and the attestation data MUST NOT be included.

If the authenticator does not include any extension data, it MUST set the `ED` flag in the first byte to zero, and to one if
extension data is included.

The figure below shows a visual representation of the authenticator data structure.

<figure>
    <img src="images/fido-signature-formats-figure1.svg"/>
    <figcaption><a>authenticatorData</a> layout.</figcaption>
</figure>

Note that the <a>authenticatorData</a> describes its own length: If the AT and ED flags are not set, it is always 37 bytes long.
The attestation data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the
total length is 37 bytes plus the length of the attestation data, plus the length of the CBOR map that follows.


### Generating a signature ### {#authenticator-signature}

A raw cryptographic signature must assert the integrity of both the client data and the authenticator data. Thus, an
<a>authenticator</a> SHALL compute a signature over the concatenation of the <a>authenticatorData</a> and the
<a>clientDataHash</a>.

<figure id="fig-signature">
    <img src="images/fido-signature-formats-figure2.svg"/>
    <figcaption>Generating a signature on the authenticator.</figcaption>
</figure>

A simple, undelimited concatenation is safe to use here because the <a>authenticatorData</a> describes its own length. The
<a>clientDataHash</a> (which potentially has a variable length) is always the last element.

The authenticator MUST return both the <a>authenticatorData</a> and the raw signature back to the client. The client, in turn,
MUST return <a>clientDataJSON</a>, <a>authenticatorData</a> and the signature to the RP. The first two are returned in the
`clientData` and `authenticatorData` members respectively of the {{WebAuthnAssertion}} and {{WebAuthnAttestation}} structures.


## Credential Attestation Statements ## {#cred-attestation-stmts}

A credential attestation statement is a specific type of signed data object, containing statements about a credential itself and
the authenticator that created it. It is created using the process described in [[#signature-format]], with the important
difference that the signature is generated not using the private key associated with the credential but using the key of the
attesting authority (except for the case of <a>self attestation</a>). In order to correctly interpret an attestation statement,
a <a>[RP]</a> needs to understand two aspects of the attestation:

1. The <dfn>attestation format</dfn> is the manner in which the signature is represented and the various contextual bindings are
    incorporated into the attestation statement by the <a>authenticator</a>. In other words, this defines the syntax of the
    statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined attestation
    formats. This specification supports a variety of such formats in an extensible way, as defined in [[#attestation-formats]].

2. The <dfn>attestation type</dfn> defines the semantics of the attestation statement and its underlying trust model. It defines
    how a [RP] establishes trust in a particular attestation statement, after verifying that it is cryptographically valid.

In general, there is no simple mapping between attestation formats and attestation types. For example the "packed" attestation
format defined in [[#packed-attestation]] can be used in conjunction with all attestation types, while other formats and types
have more limited applicability.

The privacy, security and operational characteristics of attestation depend on:
- The attestation type, which determines the trust model,
- The attestation format, which may constrain the strength of the attestation by limiting what can be expressed in an
    attestation statement, and
- The characteristics of the individual authenticator, such as its construction, whether part or all of it runs in a secure
    operating environment, and so on.

It is expected that most authenticators will support a small number of attestation types and formats, while [RPS] will decide
what attestation types are acceptable to them by policy. [RPS] will also need to understand the characteristics of the
authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata
Service [[FIDOMetadataService]] provides one way to access such information.


### Attestation Formats ### {#attestation-formats}

As described above, an attestation format is a data format which represents a cryptographic signature by an authenticator over a
set of contextual bindings. Each attestation format is defined by the following attributes:

- The name of the format, used to identify it in a {{WebAuthnAttestation}} structure. This MUST be an ASCII string, and MUST
    NOT be an <a>ASCII case-insensitive match</a> for the name of any other attestation format.

- The set of attestation types supported by the format.

- The syntax of an attestation statement produced in this format.

- The procedure for computing an attestation statement in this format given the <a>attToBeSigned</a> for the attestation,
    created as per [[#generating-an-attestation-statement]].

- The procedure for verifying an attestation statement, takes the following inputs:
    - The <a>authenticator data</a> claimed to have been used for the attestation,
    - The <a>clientDataHash</a> of the client's contextual bindings,
    - A trust anchor (a root certificate, a DAA root key, or the <a>credential public key</a> itself),

    and returns a Boolean value indicating whether the attestation is cryptographically valid, and if so the attestation type.

The initial list of supported formats is in [[#defined-attestation-formats]].


<!-- Editors Note: differentiating section IDs from non-section IDs is useful because at times we need to seperately reference
     different things having the same nominal name, eg attestation-types-the-section, and attestation-types-the-definition -->
### Attestation Types ### {#sctn-attestation-types}

WebAuthn supports multiple attestation types:

: <dfn>Basic Attestation</dfn>
:: In the case of basic attestation [[UAFProtocol]], the authenticator's attestation key pair is specific to an
    authenticator model.  Thus, authenticators of the same model often share the same attestation key pair. See 
    [[#sec-attestation-privacy]] for futher information. 
    

: <dfn>Self Attestation</dfn>
:: In the case of self attestation, also known as surrogate basic attestation [[UAFProtocol]], the Authenticator doesn't have
    any specific attestation key. Instead it uses the authentication key itself to sign the attestation statement.
    Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.

: <dfn>Privacy CA</dfn>
:: In this case, the Authenticator owns an authenticator-specific (endorsement) key. This key is used to securely communicate
    with a trusted third party, the Privacy CA.  The Authenticator can generate multiple attestation key pairs and asks the
    Privacy CA to issue an attestation certificate for it. Using this approach, the Authenticator can limit the exposure of the
    endorsement key (which is a global correlation handle) to Privacy CA(s). Attestation keys can be requested for each scoped
    credential individually.

    Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
        is called "active".

: <dfn>Direct Anonymous Attestation</dfn> (DAA)
:: In this case, the Authenticator receives DAA credentials from a single DAA-Issuer. These DAA credentials are used along with
    blinding to sign the attestation data. The concept of blinding avoids the DAA credentials being misused as global
    correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA (see
    [[FIDOEcdaaAlgorithm]]) in this specification.


### Generating an Attestation Statement ### {#generating-an-attestation-statement}

This section specifies the algorithm for generating an attestation statement, independent of <a>attestation format</a>.

When requested to generate an attestation statement for a given credential using a particular <a>attestation format</a>, the
authenticator MUST first generate an <a>authenticatorData</a> structure, with the attestation data field populated as follows:

<table class="complex data longlastcol">
    <tr>
        <th>Length (in bytes)</th>
        <th>Description</th>
    </tr>
    <tr>
        <td>16</td>
        <td>The AAGUID of the authenticator.</td>
    </tr>
    <tr>
        <td>2</td>
        <td>Byte length l of Credential ID</td>
    </tr>
    <tr>
        <td>(length)</td>
        <td>Credential ID (l bytes)</td>
    </tr>
    <tr>
        <td>2</td>
        <td>
            Public key algorithm and encoding (16-bit big-endian value). Allowed values are:

            1. 0x0100. This is raw ANSI X9.62 formatted Elliptic Curve public key [[!SEC1]], i.e.,
                `[0x04, X (n bytes), Y (n bytes)]`, where the byte `0x04` denotes the uncompressed point compression method and
                n denotes the key length in bytes.

            2. 0x0102.  Raw encoded RSA PKCS1 or RSASSA-PSS public key [[RFC3447]]. In the case of RSASSA-PSS, the default
                parameters according to [[RFC4055]] MUST be assumed, i.e.,
                - Mask Generation Algorithm MGF1 with SHA256
                - Salt Length of 32 bytes, i.e., the length of a SHA256 hash value.
                - Trailer Field value of 1, which represents the trailer field with hexadecimal value `0xBC`.

                That is, `[modulus (256 bytes), e (m-n bytes)]`, where `m` is the total length of the field. This total length
                should be taken from the object containing this key
        </td>
    </tr>
    <tr>
        <td>2</td>
        <td>Byte length m of following <a>credential public key</a> bytes (16 bit value with most significant byte first).</td>
    </tr>
    <tr>
        <td>(length)</td>
        <td>The <a>credential public key</a> (m bytes) according to the encoding denoted before.</td>
    </tr>
</table>

The authenticator MUST then concatenate this <a>authenticatorData</a> and the client-supplied <a>clientDataHash</a> as specified
in [[#authenticator-signature]] to form <dfn>attToBeSigned</dfn>. It must then run the signing procedure for the desired
attestation format, with <a>attToBeSigned</a> as input.


### Verifying an Attestation Statement ### {#verifying-an-attestation-statement}

This section specifies the algorithm for verifying an attestation statement, independent of attestation format.

Upon receiving an attestation statement in the form of a {{WebAuthnAttestation}} structure, the [RP] shall:

1. Perform JSON decoding to extract the {{ClientData}} used for the attestation from the {{WebAuthnAttestation/clientData}}.

2. Verify that the {{ClientData/challenge}} in the {{ClientData}} matches the challenge that was sent to the authenticator.

3. Verify that the {{ClientData/origin}} in the {{ClientData}} matches the [RP]'s origin.

4. Verify that the {{ClientData/tokenBinding}} in the {{ClientData}} matches the token binding ID for the TLS connection
    over which the attestation was obtained.

5. Verify that the {{ClientData/extensions}} in the {{ClientData}} is a proper subset of the extensions requested by the RP.

6. Verify that the RP ID hash in the {{WebAuthnAttestation/authenticatorData}} is indeed the SHA-256 hash of the RP ID expected
    by the RP.

7. Perform an <a>ASCII case-insensitive match</a> on {{WebAuthnAttestation/format}} to determine the attestation format.

8. Look up the attestation root certificate or DAA root key from a trusted source. For example, the FIDO Metadata Service
    [[FIDOMetadataService]] provides one way to access such information. The AAGUID in the
    {{WebAuthnAssertion/authenticatorData}} can be used for this lookup.

9. Using the verification process for the above attestation format, validate that the attestation
    {{WebAuthnAttestation/attestation}} is valid for the given {{WebAuthnAttestation/authenticatorData}},
    {{WebAuthnAttestation/clientData}} and the above trust anchor.

The [RP] MAY take any of the below actions when verification of an attestation statement fails, according to its policy:

- Reject the request, such as a registration request, associated with the attestation statement.

- Accept the request associated with the attestation statement but treat the attested Scoped Credential as one with self
    attestation (see [[#sctn-attestation-types]]). If doing so, the [RP] is asserting there is no cryptographic proof that the
    Scoped Credential has been generated by a particular Authenticator model. See [[FIDOSecRef]] and [[UAFProtocol]] for a more
    detailed discussion.

Verification of attestation statements requires that the [RP] has a trusted method of determining the trust anchor in Step 8
above. Also, if certificates are being used, the [RP] must have access to certificate status information for the intermediate
CA certificates. The [RP] must also be able to build the attestation certificate chain if the client didn't provide
this chain in the attestation information.


### Security Considerations ### {#sec-attestation-security-considerations}


#### Privacy #### {#sec-attestation-privacy}

Attestation keys may be used to track users or link various online identities of the same user together. This may be mitigated
in several ways, including:

- A WebAuthn <a>Authenticator</a> manufacturer may choose to ship all of their devices with the same (or a fixed number of)
    attestation key(s) (called <a>Basic Attestation</a>). This will anonymize the user at the risk of not being able to revoke a
    particular attestation key should its WebAuthn Authenticator be compromised.

- A WebAuthn Authenticator may be capable of dynamically generating different attestation keys (and requesting related
    certificates) per origin (following the <a>Privacy CA</a> approach). For example, a WebAuthn Authenticator can ship with a
    master attestation key (and certificate), and combined with a cloud operated privacy CA, can dynamically generate per origin
    attestation keys and attestation certificates.

- A WebAuthn Authenticator can implement <a>direct anonymous attestation</a> (see [[FIDOEcdaaAlgorithm]]).  Using this scheme,
    the authenticator generates a blinded attestation signature.  This allows the [RP] to verify the signature using the DAA
    root key, but the attestation signature doesn't serve as a global correlation handle.


#### Attestation Certificate and Attestation Certificate CA Compromise #### {#ca-compromise}

When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn <a>Authenticator</a>
attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new
intermediate CA or from a new root CA. If the root CA changes, the [RPS] must update their trusted root certificates
accordingly.

A WebAuthn Authenticator attestation certificate must be revoked by the issuing CA if its key has been compromised. A WebAuthn
Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already
manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
possible for [RPS] to trust any further valid attestation statements from the affected WebAuthn Authenticators.

If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the [RP]'s policy
requires rejecting the registration/authentication request in these situations, then it is recommended that the [RP] also
un-registers (or marks with a trust level equivalent to "<a>self attestation</a>") scoped credentials that were registered after
the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus recommended that
[RPS] remember intermediate attestation CA certificates during Authenticator registration in order to un-register related Scoped
Credentials if the registration was performed after revocation of such certificates.

If a DAA attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked authenticators)
maintained by the related DAA-Issuer. The [RP] should verify whether an authenticator belongs to the RogueList when performing
DAA-Verify. For example, the FIDO Metadata Service [[FIDOMetadataService]] provides one way to access such information.


#### Attestation Certificate Hierarchy #### {#cert-hierarchy}

A 3-tier hierarchy for attestation certificates is recommended (i.e., Attestation Root, Attestation Issuing CA, Attestation
Certificate). It is also recommended that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
used to help facilitate isolating problems with a specific version of a device.

If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
should be specified in the attestation certificate itself, so that it can be verified against the <a>authenticatorData</a>.



# Defined Attestation Formats # {#defined-attestation-formats}

WebAuthn supports pluggable attestation data formats. This section defines an initial set of such formats.

## Attestation Format Identifiers ## {#sctn-attstn-fmt-ids}

Attestation formats are identified by a string, called a <dfn>attestation format identifier</dfn>, chosen by the attestation
format author.

Attestation format identifiers SHOULD be registered per [[WebAuthn-Registries]] "Registries for Web Authentication (WebAuthn)".
All registered attestation format identifiers are unique amongst themselves as a matter of course.

Unregistered attestation format identifiers SHOULD use reverse domain-name naming, using a domain
name registered by the attestation type developer, in order to assure uniqueness of the identifier.
All attestation format identifiers MUST be a maximum of 32 octets in length and MUST
consist only of printable USASCII characters, i.e., VCHAR as defined in [[!RFC5234]] (note: this means attestation format
identifiers based on domain names MUST incorporate only LDH Labels [[!RFC5890]]).
Implementations MUST match WebAuthn attestation format identifiers in a case-insensitive fashion.

Attestation formats that may exist in multiple versions SHOULD include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., `packed2` as a new version of the `packed` attestation format.

The following sections present a set of currently-defined and registered attestation formats and their identifiers. See the
WebAuthn Attestation Format Identifier Registry defined in [[WebAuthn-Registries]] for an up-to-date list of registered WebAuthn
Attestation Formats.

## Packed Attestation Format ## {#packed-attestation}

Packed attestation is a WebAuthn optimized format of attestation data. It uses a very compact but still extensible encoding
method. Encoding this format can even be implemented by <a>authenticators</a> with very limited resources (e.g., secure
elements).


: Attestation format identifier
:: packed


: Attestation types supported
:: All

: Syntax
:: A Packed Attestation statement has the following format:

    <pre class="idl">
        interface PackedAttestation {
            readonly    attribute ArrayBuffer   x5c;
            readonly    attribute ArrayBuffer   daaKey;
            readonly    attribute DOMString     alg;
            readonly    attribute ArrayBuffer   signature;
        };
    </pre>

    <div dfn-for="PackedAttestation">
        The <dfn>x5c</dfn> attribute contains the attestation certificate and its certificate chain as described in [[!RFC7515]]
        section 4.1.6.

        The <dfn>alg</dfn> element contains the name of the algorithm used to generate the attestation signature according to
        [[!RFC7518]] section 3.1. The following algorithms are supported:

        1. "ES256" [[!RFC7518]]
        2. "RS256" [[!RFC7518]]
        3. "PS256" [[!RFC7518]]
        4. "ED256" [[!FIDOEcdaaAlgorithm]]
        5. "ED512" [[!FIDOEcdaaAlgorithm]]

        The <dfn>signature</dfn> element contains the attestation signature.
    </div>

: Signing procedure
:: The authenticator signs the <a>attToBeSigned</a> using the attestation private key.

: Verification procedure
:: If {{PackedAttestation/x5c}} is present, this indicates that the attestation type is not DAA. In this case:
    - Verify the {{PackedAttestation/signature}} using the attestation public key in {{PackedAttestation/x5c}} with the
        algorithm specified in {{PackedAttestation/alg}}.
    - Verify that {{PackedAttestation/x5c}} correctly chains to the trust anchor provided.
    - Verify that {{PackedAttestation/x5c}} meets the requirements in [[#packed-attestation-cert-requirements]].

    If {{PackedAttestation/daaKey}} is present, then the attestation type is DAA. In this case:
    - Verify that {{PackedAttestation/alg}} is "ED256" or "ED512".
    - Perform DAA-Verify on {{PackedAttestation/signature}} (see [[!FIDOEcdaaAlgorithm]]).
    - If {{PackedAttestation/x5c}} contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that
        the value of this extension matches the AAGUID in the {{WebAuthnAttestation/authenticatorData}}.

    If neither {{PackedAttestation/x5c}} nor {{PackedAttestation/daaKey}} is present, self attestation is in use.
    - Verify the signature using the <a>credential public key</a>.
    - Validate that {{PackedAttestation/alg}} matches the algorithm in {{WebAuthnAttestation/authenticatorData}}.


### Packed attestation statement certificate requirements ### {#packed-attestation-cert-requirements}

The attestation certificate MUST have the following fields/extensions:

- Version must be set to 3.
- Subject field MUST be set to:
    : Subject-C
    :: Country where the Authenticator vendor is incorporated
    : Subject-O
    :: Legal name of the Authenticator vendor
    : Subject-OU
    :: Authenticator Attestation
    : Subject-CN
    :: No stipulation.

- If the related attestation root certificate is used for multiple authenticator models, the Extension OID
    `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) MUST be present, containing the AAGUID as value.

- The Basic Constraints extension MUST have the CA component set to false

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]]
    are both optional as the status of many attestation certificates is available through authenticator metadata services. 
    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].


## TPM Attestation Format ## {#tpm-attestation}

This attestation format is generally used by authenticators that use a Trusted Platform Model as their cryptographic engine.

: Attestation format identifier
:: tpm

: Attestation types supported
:: Privacy CA, DAA

: Syntax
:: A TPM Attestation statement has the following format:

    <pre class="idl">
        interface TpmAttestation {
            readonly    attribute DOMString     tpmVersion;
            readonly    attribute ArrayBuffer   x5c;
            readonly    attribute ArrayBuffer   daaKey;
            readonly    attribute ArrayBuffer   certifyInfo;
            readonly    attribute DOMString     alg;
            readonly    attribute ArrayBuffer   signature;
        };
    </pre>

    <div dfn-for="TpmAttestation">
        The <dfn>tpmVersion</dfn> field contains the version of the TPM specification to which the signature conforms. Currently
        supported versions are "1.2" and "2.0".

        The <dfn>x5c</dfn> attribute contains the attestation certificate and its certificate chain as described in [[!RFC7515]]
        section 4.1.6. This will be an AIK certificate.

        The <dfn>alg</dfn> element contains the name of the algorithm used to generate the attestation signature according to
        [[!RFC7518]] section 3.1. The following algorithms are supported:

        1. "RSA1_5" [[!RFC7518]] (TPM v1.2 only)
        2. "ES256" [[!RFC7518]]  (TPM v2.0 only)
        3. "RS256" [[!RFC7518]]  (TPM v2.0 only)
        4. "PS256" [[!RFC7518]]  (TPM v2.0 only)
        5. "ED256" [[!FIDOEcdaaAlgorithm]]  (TPM v2.0 only)
        6. "ED512" [[!FIDOEcdaaAlgorithm]]  (TPM v2.0 only)

        The <dfn>signature</dfn> element contains the attestation signature.
    </div>

: Signing procedure
:: If using TPM version 1.2, generate a signature using the procedure specified in [[TPMv1-2-Part3]] Section 13.8 or
    Section 13.9, using the attestation private key and setting the `antiReplay` parameter to the SHA-1 hash of </a>attToBeSigned</a>.

    If using TPM version 2.0, generate a signature using the procedure specified in [[TPMv2-Part3]] Section 18.2, using the
    attestation private key and setting the `qualifyingData` parameter to </a>attToBeSigned</a>.

    In both the above cases, return the certifyInfo output parameter along with the signature.

: Verification procedure
:: If {{TpmAttestation/x5c}} is present, this indicates that the attestation type is not DAA. In this case:
    - Verify the {{TpmAttestation/signature}} is over the {{TpmAttestation/certifyInfo}} using the attestation public key in
        {{TpmAttestation/x5c}} with the algorithm specified in {{TpmAttestation/alg}}.
    - If {{TpmAttestation/tpmVersion}} is "1.2", verify that the {{TpmAttestation/certifyInfo}} contains a TPM_CERTIFY_INFO
        or TPM_CERTIFY_INFO2 structure with the `data` field set to the SHA-1 hash of the concatenation of
        {{WebAuthnAttestation/authenticatorData}} and  {{WebAuthnAttestation/clientData}}.
    - If {{TpmAttestation/tpmVersion}} is "2.0", verify that {{TpmAttestation/certifyInfo}} is a TPMS_ATTEST structure with the
        `extraData` field set to the concatenation of {{WebAuthnAttestation/authenticatorData}} and
        {{WebAuthnAttestation/clientData}}.
    - Verify that {{TpmAttestation/x5c}} correctly chains to the trust anchor provided.
    - Verify that {{TpmAttestation/x5c}} meets the requirements in [[#tpm-cert-requirements]].

    If {{TpmAttestation/daaKey}} is present, then the attestation type is DAA.
    - Verify that {{TpmAttestation/alg}} is "ED256" or "ED512".
    - Perform DAA-Verify on {{TpmAttestation/signature}} to verify that it is over the {{TpmAttestation/certifyInfo}}
        (see [[!FIDOEcdaaAlgorithm]]).
    - Verify that {{TpmAttestation/certifyInfo}} is a TPMS_ATTEST structure with the `extraData` field set to the concatenation
        of {{WebAuthnAttestation/authenticatorData}} and {{WebAuthnAttestation/clientData}}.
    - If {{TpmAttestation/x5c}} contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that the
        value of this extension matches the AAGUID in the {{WebAuthnAttestation/authenticatorData}}.


### TPM attestation statement certificate requirements ### {#tpm-cert-requirements}

TPM <a>attestation certificate</a> MUST have the following fields/extensions:

- Version must be set to 3.

- Subject field MUST be set to empty.

- The Subject Alternative Name extension must be set as defined in [[TPMv2-EK-Profile]] section 3.2.9 if "version" equals 2 and
    [[TPMv1-2-Credential-Profiles]] section 3.2.9 if "version" equals 1.

- The Extended Key Usage extension MUST contain the
    "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.

- The Basic Constraints extension MUST have the CA component set to false

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]] are
    both optional as the status of many attestation certificates is available through metadata services.
    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].


## Android Key Attestation Format ## {#android-key-attestation}

When the <a>Authenticator</a> in question is a platform-provided Authenticator on the Android "N" or later platform, the
attestation statement is based on the
[Android key attestation](https://developer.android.com/preview/api-overview.html#key_attestation). In these cases, the
attestation statement is produced by a component running in a secure operating environment, but the <a>authenticatorData</a>
is produced outside this environment. The [RP] is expected to check that the contents of <a>authenticatorData</a> are consistent
with the fields of the attestation certificate's extension data.


: Attestation format identifier
:: android-key

: Attestation types supported
:: Basic

: Syntax
:: An Android key Attestation statement has the following format:

    <pre class="idl">
        [SecureContext]
        interface AndroidKeyAttestation {
            readonly    attribute ArrayBuffer   signature;
        };
    </pre>

    <div dfn-for="AndroidKeyAttestation">
        The <dfn>signature</dfn> field contains the Android attestation statement, which is a series of DER encoded X.509 certificates. See
        [the Android developer documentation](https://developer.android.com/training/articles/security-key-attestation.html).
    </div>

: Signing procedure
:: Request a Android Key Attestation (i.e., by calling "keyStore.getCertificateChain(myKeyUUID)") providing <a>attToBeSigned</a> 
    as the challenge value (e.g., by using 
    "[setAttestationChallenge]
    (https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setAttestationChallenge(byte[]))" ), and set {{AndroidKeyAttestation/signature}} to the returned value. 

: Verification procedure
:: Verification is performed as follows:
    - Verify that {{AndroidKeyAttestation/signature}} is a valid certificate chain, consisting of a time-valid X.509 certificate
        chaining up to a trusted attestation root key.

    - Verify that the public key in the first certificate, in the series of certificates represented by 
        {{AndroidKeyAttestation/signature}} matches the <a>credential public key</a> in the attestation data field of the given
        <a>authenticatorData</a>.

    - Verify that in the attestation certificate extension data:
        - The value of the `attestationChallenge` field is identical to <a>attToBeSigned</a>.
        - The `AuthorizationList.allApplications` field is <em>not</em> present, since ScopedCredentials must be bound to the
            RP ID.
        - The value in the `AuthorizationList.origin` field is equal to `KM_TAG_GENERATED`.
        - The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.


## Android SafetyNet Attestation Format ## {#android-safetynet-attestation}

When the <a>Authenticator</a> in question is a platform-provided Authenticator on certain Android platforms, the attestation
statement is based on the [SafetyNet API](https://developer.android.com/training/safetynet/index.html#compat-check-response). In
this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application running
on the Android platform) and the attestation statement only provides some statements about the health of the platform and thehref
identity of the calling application.

: Attestation format identifier
:: android-safetynet

: Attestation types supported
:: Basic

: Syntax
:: An Android Attestation statement has the following format:

    <pre class="idl">
        interface AndroidSafetyNetAttestation {
            readonly attribute unsigned long version;
            readonly attribute DOMString     safetyNetResponse;
        };
    </pre>

    <div dfn-for="AndroidSafetyNetAttestation">
        The <dfn>version</dfn> element is set to the version number of Google Play Services responsible for providing the SafetyNet
        API.

        The <dfn>safetyNetResponse</dfn> element contains the value returned by the above SafetyNet API. This value is a JWS
        [[RFC7515]] object (see
        [SafetyNet online documentation](https://developer.android.com/training/safetynet/index.html#compat-check-response))
        in Compact Serialization.
    </div>

: Signing procedure
:: Request a SafetyNet attestation, providing </a>attToBeSigned</a> as the nonce value.

: Verification procedure
:: Verification is performed as follows:
    - Verify that {{AndroidSafetyNetAttestation/safetyNetResponse}} is a valid SafetyNet response of version
        {{AndroidSafetyNetAttestation/version}}.

    - Verify that the nonce in the {{AndroidSafetyNetAttestation/safetyNetResponse}} is identical to <a>attToBeSigned</a>.

    - Verify that the attestation certificate is issued to the hostname "attest.android.com" (see
        [SafetyNet online documentation](https://developer.android.com/training/safetynet/index.html#compat-check-response)).

    - Verify that the `ctsProfileMatch` attribute in the payload of the {{AndroidSafetyNetAttestation/safetyNetResponse}} is
        true.


# WebAuthn Extensions # {#extensions}

The mechanism for generating scoped credentials, as well as requesting and generating WebAuthn assertions, as defined in
[[#api]], can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or
an authentication extension. Extensions can define additions to the following steps and data:

- {{makeCredential()}} request parameters for registration extension.

- {{getAssertion()}} request parameters for authentication extensions.

- Client processing, and the {{ClientData}} structure, for registration extensions and authentication extensions.

- Authenticator processing, and the <a>authenticatorData</a> structure, for registration extensions and authentication
    extensions.

When requesting an assertion for a scoped credential, a [RP] can list a set of extensions to be used, if they are supported by
the client and/or the authenticator. It sends the client arguments for each extension in the {{getAssertion()}} call (for
authentication extensions) or {{makeCredential()}} call (for registration extensions) to the client platform. The client
platform performs additional processing for each extension that it supports, and augments {{ClientData}} as required by the
extension. In addition, the client collects the authenticator arguments for the above extensions, and passes them to the
authenticator in the <a>authenticatorMakeCredential</a> call (for registration extensions) or <a>authenticatorGetAssertion</a>
call (for authentication extensions). These authenticator arguments are passed as name-value pairs, with the extension
identifier as the name, and the corresponding authenticator argument as the value. The authenticator, in turn, performs
additional processing for the extensions that it supports, and augments <a>authenticatorData</a> as specified by the extension.

All WebAuthn extensions are optional for both clients and authenticators. Thus, any extensions requested by a [RP] may be
ignored by the client browser or OS and not passed to the authenticator at all, or they may be ignored by the authenticator.
Ignoring an extension is never considered a failure in WebAuthn API processing, so when [RPS] include extensions with any API
calls, they must be prepared to handle cases where some or all of those extensions are ignored.

Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not
recognize to authenticators, generating the authenticator argument by simply encoding the client argument in CBOR. All
WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user's security or
privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such a naïve
pass-through will produce a semantically invalid authenticator argument, resulting in the extension being ignored by the
authenticator. Since all extensions are optional, this will not cause a functional failure in the API operation.


## Extension Identifiers ## {#extension-id}

Extensions are identified by a string, called an <dfn>extension identifier</dfn>, chosen by the extension author.

Extension identifiers SHOULD be registered per [[WebAuthn-Registries]] "Registries for Web Authentication (WebAuthn)".
All registered extension identifiers are unique amongst themselves as a matter of course.

Unregistered extension identifiers should aim to be globally unique, e.g., by including the defining entity such as `myCompany_extension`.

All extension identifiers MUST be a maximum of 32 octets in length and MUST
consist only of printable USASCII characters, i.e., VCHAR as defined in [[!RFC5234]].
Implementations MUST match WebAuthn extension identifiers in a case-insensitive fashion.

Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., `myCompany_extension_01`

Extensions defined in this specification use a fixed prefix of `webauthn` for the extension identifiers. This prefix should not
be used for extensions not defined by the W3C.

[[#extension-predef]] defines an initial set of currently-defined and registered extensions their identifiers. See the WebAuthn
Extension Identifiers Registry defined in [[WebAuthn-Registries]] for an up-to-date list of registered WebAuthn Extension
Identifiers.


## Defining extensions ## {#extension-specification}

A definition of an extension must specify, at minimum, an extension identifier and an extension client argument sent via the
{{getAssertion()}} or {{makeCredential()}} call. Additionally, extensions may specify additional values in {{ClientData}},
<a>authenticatorData</a> (in the case of authentication extensions), or both. Finally, if the extension requires any
authenticator processing, it must also specify an authenticator argument to be sent via the <a>authenticatorGetAssertion</a> or
<a>authenticatorMakeCredential</a> call.

Any extension that requires client processing MUST specify a method of augmenting {{ClientData}} that unambiguously lets the
[RP] know that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST
specify a method of augmenting <a>authenticatorData</a> to let the [RP] know that the extension was honored by the
authenticator.


## Extending request parameters ## {#extension-request-parameters}

An extension defines up to two request arguments. The <dfn>client argument</dfn> is passed from the <a>[RP]</a> to the client
in the {{getAssertion()}} or {{makeCredential()}} call, while the <dfn>authenticator argument</dfn> is passed from the client
to the authenticator during the processing of these calls.

A [RP] simultaneously requests the use of an extension and sets its client argument by including an entry in the
{{ScopedCredentialOptions/extensions}} option to the {{makeCredential()}} or {{getAssertion()}} call. The entry key MUST be the
extension identifier, and the value MUST be the <a>client argument</a>.

<pre class="example highlight">
    var assertionPromise = credentials.getAssertion(..., /* extensions */ {
        "webauthnExample_foobar": 42
    });
</pre>

Extension definitions MUST specify the valid values for their client argument. Clients SHOULD ignore extensions with an invalid
client argument. If an extension does not require any parameters from the [RP], it SHOULD be defined as taking a Boolean client
argument, set to `true` to signify that the extension is requested by the [RP].

Extensions that only affect client processing need not specify an authenticator argument. Extensions that affect authenticator
processing MUST specify a method of computing the authenticator argument from the client argument. For extensions that do not
require additional parameters, and are defined as taking a Boolean client argument set to `true`, this method SHOULD consist of
passing an authenticator argument of `true` (CBOR major type 7, value 21).

Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
    over low-bandwidth links such as Bluetooth Low-Energy or NFC.


## Extending client processing ## {#extension-client-processing}

Extensions may define additional processing requirements on the client platform during the creation of credentials or the
generation of an assertion. In order for the <a>[RP]</a> to verify the processing took place, or if the processing has a result
value that the [RP] needs to be aware of, the extension should specify a client data value to be included in the {{ClientData}}
structure.

The client data value may be any value that can be encoded using JSON. If any extension processed by a client defines such a
value, the client SHOULD include a dictionary in {{ClientData}} with the key {{ClientData/extensions}}. For each such
extension, the client SHOULD add an entry to this dictionary with the extension identifier as the key, and the extension's
client data value.

Extensions that require authenticator processing MUST define the process by which the client argument can be used to determine
the authenticator argument.


## Extending authenticator processing ## {#extension-authenticator-processing}

Extensions that define additional authenticator processing may similarly define an authenticator data value. The value may be
any data that can be encoded in CBOR. An authenticator that processes an authentication extension that defines such a value must
include it in the <a>authenticatorData</a>.

As specified in [[#sec-authenticator-data]], the authenticator data value of each processed extension is included in the
extended data part of the <a>authenticatorData</a>. This part is a CBOR map, with extension identifiers as keys, and the
authenticator data value of each extension as the value.


## Example extension ## {#sample-extensions}

[INFORMATIVE]

To illustrate the requirements above, consider a hypothetical extension "Geo". This extension, if supported, lets both clients
and authenticators embed their geolocation in assertions.

The extension identifier is chosen as `webauthnExample_geo`. The client argument is the constant value `true`, since the
extension does not require the <a>[RP]</a> to pass any particular information to the client, other than that it requests the use
of the extension. The [RP] sets this value in its request for an assertion:

<pre class="highlight">
    var assertionPromise =
        credentials.getAssertion("SGFuIFNvbG8gc2hvdCBmaXJzdC4",
            {}, /* Empty filter */
            { 'webauthnExample_geo': true });
</pre>

The extension defines the additional client data to be the client's location, if known, as a GeoJSON [[GeoJSON]] point. The
client constructs the following client data:

<pre class="highlight">
    {
        ...,
        'extensions': {
            'webauthnExample_geo': {
                'type': 'Point',
                'coordinates': [65.059962, -13.993041]
            }
        }
    }
</pre>

The extension also requires the client to set the authenticator parameter to the fixed value `true`.

Finally, the extension requires the authenticator to specify its geolocation in the authenticator data, if known. The extension
e.g. specifies that the location shall be encoded as a two-element array of floating point numbers, encoded with CBOR. An
authenticator does this by including it in the <a>authenticatorData</a>. As an example, authenticator data may be as follows
(notation taken from [[RFC7049]]):

<pre class="highlight">
    81 (hex)                                    -- Flags, ED and TUP both set.
    20 05 58 1F                                 -- Signature counter
    A1                                          -- CBOR map of one element
        73                                      -- Key 1: CBOR text string of 19 bytes
            77 65 62 61 75 74 68 6E 45 78 61
            6D 70 6C 65 5F 67 65 6F             -- "webauthnExample_geo" UTF-8 encoded string
        82                                      -- Value 1: CBOR array of two elements
            FA 42 82 1E B3                      -- Element 1: Latitude as CBOR encoded float
            FA C1 5F E3 7F                      -- Element 2: Longitude as CBOR encoded float
</pre>


# Pre-defined extensions # {#extension-predef}

This section defines an initial set of extensions. These are recommended for implementation by user agents targeting broad
interoperability.


## FIDO AppId ## {#extension-appid}

This authentication extension allows [RPS] who have previously registered a
credential using the legacy FIDO JavaScript APIs to request an assertion.
Specifically, this extension allows [RPS] to specify an |appId| [[FIDO-APPID]]
to overwrite the otherwise computed |rpId|.  This extension is only valid if
used during the <a>getAssertion()</a> call; other usage will result in client
error.

: Extension identifier
:: `fido_appid`

: Client argument
:: A single UTF-8 encoded string specifying a FIDO |appId|.

: Client processing
:: If {{AssertionOptions/rpId}} is present, reject promise with a DOMException
    whose name is "NotAllowedError", and terminate this algorithm. 
    Replace the calculation of |rpId| in Step 3 of [[#getAssertion]] with the
    following procedure:  The client uses the value of |fido_appid| to perform
    the AppId validation procedure (as defined by [[FIDO-APPID]]).  If valid,
    the value of |rpId| for all client processing should be replaced by the
    value of |fido_appid|.

: Authenticator argument
:: none

: Authenticator processing
:: none

: Authenticator data
:: none


## Transaction authorization ## {#extension-txauth}

This authentication extension allows for a simple form of transaction authorization. A [RP] can specify a prompt string,
intended for display on a trusted device on the authenticator.

: Extension identifier
:: `webauthn_txAuthSimple`

: Client argument
:: A single UTF-8 encoded string prompt.

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The client argument encoded as a CBOR text string (major type 3).

: Authenticator processing
:: The authenticator MUST display the prompt to the user before performing the user verification / test of user presence. The
    authenticator may insert line breaks if needed.

: Authenticator data
:: A single UTF-8 encoded string, representing the prompt as displayed (including any eventual line breaks).

The generic version of this extension allows images to be used as prompts as well.  This allows authenticators without a font
rendering engine to be used and also supports a richer visual appearance.

: Extension identifier
:: `webauthn_txAuthGeneric`

: Client argument
:: A CBOR map with one pair of data items (CBOR tagged as 0xa1). The pair of data items consists of
    1. one UTF-8 encoded string <dfn>contentType</dfn>, containing the MIME-Type of the content, e.g. "image/png"
    2. and the <dfn>content</dfn> itself, encoded as CBOR byte array.

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The client argument encoded as a CBOR map.

: Authenticator processing
:: The authenticator MUST display the <a>content</a> to the user before performing the user verification / test of user
    presence. The authenticator may add other information below the <a>content</a>. No changes are allowed to the <a>content</a>
    itself, i.e., inside <a>content</a> boundary box.

: Authenticator data
:: The hash value of the <a>content</a> which was displayed. The authenticator MUST use the same hash algorithm as it uses for
    the signature itself.


## Authenticator Selection Extension ## {#extension-authenticator-selection}

This registration extension allows a [RP] to guide the selection of the authenticator that will be leveraged when creating the
credential. It is intended primarily for [RPS] that wish to tightly control the experience around credential creation.

: Extension identifier
:: `webauthn_authnSel`

: Client argument
:: A sequence of AAGUIDs:

    <pre class="idl highlight">
        typedef sequence < AAGUID > AuthenticatorSelectionList;
    </pre>

    Each AAGUID corresponds to an authenticator model that is acceptable to the [RP] for this credential creation. The
    list is ordered by decreasing preference.

    An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.

    <pre class="idl highlight">
        typedef BufferSource AAGUID;
    </pre>

: Client processing
:: This extension can only be used during {{makeCredential()}}. If the client supports the Authenticator Selection Extension, it
    MUST use the first available authenticator whose AAGUID is present in the <dfn>AuthenticatorSelectionList</dfn>. If none of
    the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the available
    authenticators to generate the credential.

: Authenticator argument
:: There is no authenticator argument.

: Authenticator processing
:: None.


## SupportedExtensions Extension ## {#supported-extensions-extension}

: Extension identifier
:: `webauthn_exts`

: Client argument
:: The Boolean value `true` to indicate that this extension is requested by the [RP].

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: The <a>authenticator</a> augments the authenticator data with a list of extensions that the authenticator supports, as
    defined below. This extension can be added to attestation statements.

: Authenticator data
:: The SupportedExtensions extension is a list (CBOR array) of extension identifiers (UTF-8 encoded strings).


## User Verification Index (UVI) Extension ## {#uvi-extension}

: Extension identifier
:: `webauthn_uvi`

: Client argument
:: The Boolean value `true` to indicate that this extension is requested by the [RP].

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: The <a>authenticator</a> augments the authenticator data with a user verification index indicating the method used by the
    user to authorize the operation, as defined below. This extension can be added to attestation statements and assertions.

: Authenticator data
:: The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR
    byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also
    must contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for
    other biometric data or users).

    The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data
    as the initial key generation. This allows the detection and prevention of "friendly fraud".

    As an example, the UVI could be computed as SHA256(KeyID | SHA256(rawUVI)), where the rawUVI reflects (a) the biometric
    reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed
    for the device, e.g. rawUVI = biometricReferenceData | OSLevelUserID | FactoryResetCounter.

    Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.

    Example for <a>authenticatorData</a> containing one UVI extension
    <pre class="highlight">
        ...                                         -- RP ID hash (32 bytes)
        81                                          -- TUP and ED set
        00 00 00 01                                 -- (initial) signature counter
        ...                                         -- all public key alg etc.
        A1                                          -- extension: CBOR map of one element
            6C                                      -- Key 1: CBOR text string of 11 bytes
                77 65 62 61 75 74 68 6E 5F 75 76 69 -- "webauthn_uvi" UTF-8 encoded string
            58 20                                   -- Value 1: CBOR byte string with 0x20 bytes
                00 43 B8 E3 BE 27 95 8C             -- the UVI value itself
                28 D5 74 BF 46 8A 85 CF
                46 9A 14 F0 E5 16 69 31
                DA 4B CF FF C1 BB 11 32
                82
    </pre>

## Location Extension ## {#uvi-location}

: Extension identifier
:: `webauthn_loc`

: Client argument
:: The Boolean value `true` to indicate that this extension is requested by the [RP].

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: If the <a>authenticator</a> does not support the extension, then the authenticator MUST ignore the extension request.
    If the <a>authenticator</a> accepts the extension, then the authenticator SHOULD only add this extension data to a packed
    attestation or assertion.

: Authenticator data
:: If the <a>authenticator</a> accepts the extension request, then authenticator data SHOULD provide location data in the form of a
    CBOR-encoded map, with the first value being the extension identifier and the second being an array of returned values.  The array
    elements SHOULD be derived from (key,value) pairings for each location attribute that the <a>authenticator</a> supports. The following is
    an example of <a>authenticatorData</a> where the returned array is comprised of a {longitude, latitude, altitude} triplet, following the
    coordinate representation defined in
    [The W3C Geolocation API Specification](https://dev.w3.org/geo/api/spec-source.html#coordinates_interface).

    <pre class="highlight">
        ...                                         -- RP ID hash (32 bytes)
        81                                          -- TUP and ED set
        00 00 00 01                                 -- (initial) signature counter
        ...                                         -- all public key alg etc.
        A1                                          -- extension: CBOR map of one element
            6C                                      -- Value 1: CBOR text string of 11 bytes
                77 65 62 61 75 74 68 6E 5F 6C 6F 63 -- "webauthn_loc" UTF-8 encoded string
            86                                      -- Value 2: array of 6 elements
                68				    -- Element 1:  CBOR text string of 8 bytes
                   6C 61 74 69 74 75 64 65          -- “latitude” UTF-8 encoded string
                FB ...				    -- Element 2:  Latitude as CBOR encoded double-precision float
                69				    -- Element 3:  CBOR text string of 9 bytes
                   6C 6F 6E 67 69 74 75 64 65       -- “longitude” UTF-8 encoded string
                FB ...				    -- Element 4:  Longitude as CBOR encoded double-precision float
                68				    -- Element 5:  CBOR text string of 8 bytes
                  61 6C 74 69 74 75 64 65           -- “altitude” UTF-8 encoded string
                FB ...				    -- Element 6:  Altitude as CBOR encoded double-precision float
    </pre>


## User Verification Mode (UVM) Extension ## {#uvm-extension}

: Extension identifier
:: `webauthn_uvm`

: Client argument
:: The Boolean value true to indicate that this extension is requested by the WebAuthn Relying Party.

: Client processing
:: None, except default forwarding of client argument to authenticator argument.

: Authenticator argument
:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).

: Authenticator processing
:: The <a>authenticator</a> augments the authenticator data with a user verification index indicating the method used by the
    user to authorize the operation, as defined below. This extension can be added to attestation statements and assertions.

: Authenticator data
:: Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance.
    To accommodate this possibility the UVM is encoded as CBOR array (major type 4) with a maximum allowed length of 3 -
    * Type 0x81 – only 1 factor was used for authentication.
    * Type 0x82 – 2 factors were used.
    * Type 0x83 – 3 or more factors were used.

    Each data item is in turn a CBOR array of length 3 (type 0x83) with the following data items:
    - Data Item 1 – User Verification Method. This is the authentication method/factor used by the authenticator to verify
                    the user. Available values are defined in [[!FIDOReg]], "User Verification Methods" section. It is
                    encoded as a CBOR unsigned integer (Major type 0).
    - Data Item 2 – Key Protection Type. This is the method used by the authenticator to protect the FIDO registration
                    private key material. Available values are defined in [[!FIDOReg]], "Key Protection Types" section.
                    It is encoded as a CBOR 2 byte unsigned short (Major type 0).
    - Data Item 3 – Matcher Protection Type. This is the method used by the authenticator to protect the matcher that
		            performs user verification. Available values are defined in [[!FIDOReg]], "Matcher Protection Types"
		            section. It is encoded as a CBOR 2 byte unsigned short (Major type 0).

    This is repeated for each factor used in the authentication instance.

    If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes
    will be most relevant to the Server to include in the UVM.

    Servers supporting the UVM extension MUST support a length up to 36 bytes for a 3 factor maximum UVM value.

    Example for <a>authenticatorData</a> containing one UVM extension for a multi-factor authentication instance where 2 factors were used:
    <pre class="highlight">
        ...                    -- RP ID hash (32 bytes)
        81                     -- TUP and ED set
        00 00 00 01            -- (initial) signature counter
        ...                    -- all public key alg etc.
        A1                     -- extension: CBOR map of one element
            6C                 -- Key 1: CBOR text string of 12 bytes
                77 65 62 61 75 74 68 6E 2E 75 76 6d -- "webauthn_uvm" UTF-8 encoded string
            82                 -- Value 1: CBOR array of length 2 indicating two factor usage
                83              -- Item 1: CBOR array of length 3
                    02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint
                    04           -- Subitem 2: CBOR short for Key Protection Type TEE
                    02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
                83              -- Item 2: CBOR array of length 3
                    04           -- Subitem 1: CBOR integer for User Verification Method Passcode
                    01           -- Subitem 2: CBOR short for Key Protection Type Software
                    01           -- Subitem 3: CBOR short for Matcher Protection Type Software
    </pre>


# IANA Considerations # {#iana-considerations}

This specification registers the algorithm names "S256", "S384", "S512", and "SM3" with the IANA JSON Web Algorithms registry as
defined in section "Cryptographic Algorithms for Digital Signatures and MACs" in [[RFC7518]].

These names follow the naming strategy in [draft-ietf-oauth-spop-15](https://tools.ietf.org/html/draft-ietf-oauth-spop-15).

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"S256"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SHA256 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional+</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!FIPS-180-4]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>[[SP800-107r1]]</td> </tr>
</tbody>
</table>

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"S384"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SHA384 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!FIPS-180-4]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>[[SP800-107r1]]</td> </tr>
</tbody>
</table>

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"S512"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SHA512 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional+</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!FIPS-180-4]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>[[SP800-107r1]]</td> </tr>
</tbody>
</table>

<table class="def">
<tbody>
    <tr> <td>Algorithm Name</td>                   <td>"SM3"</td> </tr>
    <tr> <td>Algorithm Description</td>            <td>The SM3 hash algorithm.</td> </tr>
    <tr> <td>Algorithm Usage Location(s)</td>      <td>"alg", i.e., used with JWS.</td> </tr>
    <tr> <td>JOSE Implementation Requirements</td> <td>Optional</td> </tr>
    <tr> <td>Change Controller</td>                <td><a href='https://fidoalliance.org/contact/'>FIDO Alliance</a></td> </tr>
    <tr> <td>Specification Documents</td>          <td>[[!OSCCA-SM3]] </td> </tr>
    <tr> <td>Algorithm Analysis Document(s)</td>   <td>N/A</td> </tr>
</tbody>
</table>


# Sample scenarios # {#sample-scenarios}

[INFORMATIVE]

In this section, we walk through some events in the lifecycle of a scoped credential, along with the corresponding sample code
for using this API. Note that this is an example flow, and does not limit the scope of how the API can be used.

As was the case in earlier sections, this flow focuses on a use case involving an external first-factor <a>authenticator</a>
with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of
an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without
its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform
needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client
platform to enumerate all the authenticator's credentials so that the client can have information to show appropriate prompts.


## Registration ## {#sample-registration}

This is the first-time flow, in which a new credential is created and registered with the server.

1. The user visits example.com, which serves up a script. At this point, the user must already be logged in using a legacy
    username and password, or additional authenticator, or other means acceptable to the [RP].

2. The [RP] script runs the code snippet below.

3. The client platform searches for and locates the authenticator.

4. The client platform connects to the authenticator, performing any pairing actions if necessary.

5. The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be
    created, and obtains a biometric or other authorization gesture from the user.

6. The authenticator returns a response to the client platform, which in turn returns a response to the [RP] script. If
    the user declined to select an authenticator or provide authorization, an appropriate error is returned.

7. If a new credential was created,
    - The [RP] script sends the newly generated <a>credential public key</a> to the server, along with additional information 
        such as attestation regarding the provenance and characteristics of the authenticator.
    - The server stores the <a>credential public key</a> in its database and associates it with the user as well as with the 
        characteristics of authentication indicated by attestation, also storing a friendly name for later use.
    - The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of
        credential for the user.

The sample code for generating and registering a new key follows:

<pre class="example highlight">
    var webauthnAPI = navigator.authentication;

    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }

    var userAccountInformation = {
        rpDisplayName: "Acme",
        displayName: "John P. Smith",
        name: "johnpsmith@example.com",
        id: "1098237235409872",
        imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
    };

    // This Relying Party will accept either an ES256 or RS256 credential, but
    // prefers an ES256 credential.
    var cryptoParams = [
        {
            type: "ScopedCred",
            algorithm: "ES256"
        },
        {
            type: "ScopedCred",
            algorithm: "RS256"
        }
    ];
    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var options = { timeoutSeconds: 300,  // 5 minutes
                    excludeList: [],      // No excludeList
                    extensions: {"webauthn.location": true}  // Include location information
                                                   // in attestation
    };

    // Note: The following call will cause the authenticator to display UI.
    webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
        .then(function (newCredentialInfo) {
        // Send new credential info to server for verification and registration.
    }).catch(function (err) {
        // No acceptable authenticator or user refused consent. Handle appropriately.
    });
</pre>


## Authentication ## {#sample-authentication}

This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
credential.

1. The user visits example.com, which serves up a script.

2. The script asks the client platform for a WebAuthn identity assertion, providing as much information as possible to narrow
    the choice of acceptable credentials for the user. This may be obtained from the data that was stored locally after
    registration, or by other means such as prompting the user for a username.

3. The <a>[RP]</a> script runs one of the code snippets below.

4. The client platform searches for and locates the authenticator.

5. The client platform connects to the authenticator, performing any pairing actions if necessary.

6. The authenticator presents the user with a notification that their attention is required. On opening the
    notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
    when creating the credentials, along with some information on the origin that is requesting these keys.

7. The authenticator obtains a biometric or other authorization gesture from the user.

8. The authenticator returns a response to the client platform, which in turn returns a response to the [RP] script.
    If the user declined to select a credential or provide an authorization, an appropriate error is returned.

9. If an assertion was successfully generated and returned,
    - The script sends the assertion to the server.
    - The server examines the assertion, extracts the credential ID, looks up the registered
        credential public key it is database, and verifies the assertion's authentication signature.
        If valid, it looks up the identity associated with the assertion's credential ID; that
        identity is now authenticated. If the credential ID is not recognized by the server (e.g.,
        it has been deregistered due to inactivity) then the authentication has failed; each [RP]
        will handle this in its own way.
    - The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
        authentication cookies, etc.

If the [RP] script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials,
then the sample code for performing such an authentication might look like this:

<pre class="example highlight">
    var webauthnAPI = navigator.authentication;

    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }

    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var options = {
                    timeoutSeconds = 300,  // 5 minutes
                    allowList: [{ type: "ScopedCred" }]
                  };

    webauthnAPI.getAssertion(challenge, options)
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
</pre>

On the other hand, if the [RP] script has some hints to help it narrow the list of credentials, then the sample code for
performing such an authentication might look like the following. Note that this sample also demonstrates how to use the
extension for transaction authorization.

<pre class="example highlight">
    var webauthnAPI = navigator.authentication;

    if (!webauthnAPI) { /* Platform not capable. Handle error. */ }

    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var acceptableCredential1 = {
        type: "ScopedCred",
        id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo="
    };
    var acceptableCredential2 = {
        type: "ScopedCred",
        id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="
    };

    var options = {
                    timeoutSeconds: 300,  // 5 minutes
                    allowList: [acceptableCredential1, acceptableCredential2];
                    extensions: { 'webauthn.txauth.simple':
                       "Wave your hands in the air like you just don't care" };
                  };

    webauthnAPI.getAssertion(challenge, options)
        .then(function (assertion) {
        // Send assertion to server for verification
    }).catch(function (err) {
        // No acceptable credential or user refused consent. Handle appropriately.
    });
</pre>


## Decommissioning ## {#sample-decommissioning}

The following are possible situations in which decommissioning a credential might be desired. Note that all of these are
handled on the server side and do not need support from the API specified here.

- Possibility #1 -- user reports the credential as lost.
    * User goes to server.example.net, authenticates and follows a link to report a lost/stolen device.
    * Server returns a page showing the list of registered credentials with friendly names as configured during registration.
    * User selects a credential and the server deletes it from its database.
    * In future, the <a>[RP]</a> script does not specify this credential in any list of acceptable credentials, and assertions
        signed by this credential are rejected.

- Possibility #2 -- server deregisters the credential due to inactivity.
    * Server deletes credential from its database during maintenance activity.
    * In the future, the [RP] script does not specify this credential in any list of acceptable credentials, and assertions
        signed by this credential are rejected.

- Possibility #3 -- user deletes the credential from the device.
    * User employs a device-specific method (e.g., device settings UI) to delete a credential from their device.
    * From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
    * Sometime later, the server deregisters this credential due to inactivity.




# Acknowledgements # {#acknowledgements}
We thank the following for their contributions to, and thorough review of, this specification: Domenic Denicola, Rahul Ghosh,
Brad Hill, Jing Jin, Anne van Kesteren, Giridhar Mandyam, Axel Nennker, Yaron Sheffer, Mike West, Boris Zbarsky.

<pre class=biblio>
{
  "Ceremony": {
    "title": "Ceremony Design and Analysis",
    "href": "https://eprint.iacr.org/2007/399.pdf",
    "authors": ["Carl Ellison"],
    "date": "2007"
  },

  "WebAuthn-Registries": {
    "authors": [
        "Jeff Hodges"
    ],
    "date": "June 2016",
    "href": "https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml#46923110554855074732",
    "publisher": "W3C WebAuthn Working Draft",
    "status": "Active Internet-Draft",
    "title": "Registries for Web Authentication (WebAuthn)",
    "id": "WebAuthn-Registries"
  },

  "GeoJSON": {
    "title": "The GeoJSON Format Specification",
    "href": "http://geojson.org/geojson-spec.html"
  },

  "SP800-107r1": {
    "title": "NIST Special Publication 800-107: Recommendation for Applications Using Approved Hash Algorithms",
    "href": "http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf",
    "authors": ["Quynh Dang"],
    "date": "August 2012"
  },

  "OSCCA-SM3": {
    "title": "SM3 Cryptographic Hash Algorithm",
    "href": "http://www.oscca.gov.cn/UpFile/20101222141857786.pdf",
    "date": "December 2010"
  },

  "TPM": {
    "title": "TPM Main Specification",
    "publisher": "Trusted Computing Group",
    "date": "Accessed March 2014",
    "href": "http://www.trustedcomputinggroup.org/resources/tpm_main_specification"
  },

  "UAFProtocol": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "E. Tiffany", "D. Balfanz", "B. Hill", "J. Hodges"],
    "title": "FIDO UAF Protocol Specification v1.0",
    "status": "FIDO Alliance Proposed Standard",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html"
  },

  "FIDOEcdaaAlgorithm": {
    "title": "FIDO ECDAA Algorithm",
    "authors": ["R. Lindemann", "A. Edgington", "R. Urian"],
    "status": "FIDO Alliance Proposed Standard (To Be Published)"
  },

  "SEC1": {
    "title": "SEC1: Elliptic Curve Cryptography, Version 2.0",
    "publisher": "Standards for Efficient Cryptography Group",
    "href": "http://www.secg.org/sec1-v2.pdf"
  },

  "FIDOMetadataService": {
    "authors": ["R. Lindemann", "B. Hill", "D. Baghdasaryan"],
    "title": "FIDO Metadata Service v1.0",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  },

  "TPMv1-2-Part2": {
    "title": "TPM Main Part 2: TPM Structures",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf"
  },

  "TPMv1-2-Part3": {
    "title": "TPM Main Part 3: TPM Commands",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-3-TPM-Commands_v1.2_rev116_01032011.pdf"
  },

  "TPMv2-Part2": {
    "title": "Trusted Platform Module Library, Part 2: Structures",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.16-1.pdf"
  },

  "TPMv2-Part3": {
    "title": "Trusted Platform Module Library, Part 3: Commands",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.16-1.pdf"
  },

  "TPMv2-EK-Profile": {
    "title": "TCG EK Credential Profile for TPM Family 2.0",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf"
  },

  "TPMv1-2-Credential-Profiles": {
    "title": "TCG Credential Profiles for TPM Family 1.2",
    "publisher": "Trusted Computing Group",
    "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profiles_V1.2_Level2_Revision8.pdf"
  },

  "FIDOSecRef": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
    "title": "FIDO Security Reference",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  },

  "FIDOReg": {
    "authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
    "title": "FIDO UAF Registry of Predefined Values",
    "href": "https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-reg-v1.0-ps-20141208.html",
    "status": "FIDO Alliance Proposed Standard"
  }
}
</pre>