This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based
+
+credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key
+credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in
+conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user
+privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This
+specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.
+
+
Status of this document
+
+
This section describes the status of this document at the time of its publication. Other
+ documents may supersede this document. A list of current W3C publications and the latest revision of this
+ technical report can be found in the W3C technical
+ reports index at https://www.w3.org/TR/.
+
This document was published by the Web Authentication Working Group as an Editors' Draft. This document is intended to become a W3C Recommendation.
+
+ Feedback and comments on this specification are welcome. Please use Github issues.
+ Discussions may also be found in the public-webauthn@w3.org archives.
+
Publication as an Editors' Draft does not imply endorsement by the W3C Membership. This is a draft document and may
+ be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite
+ this document as other than work in progress.
This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based
+credentials by web applications, for the purpose of strongly authenticating users. A public key credential is
+created and stored by an authenticator at the behest of a Relying Party, subject to user
+consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party.
+This scoping is enforced jointly by conforming User Agents and authenticators.
+Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even
+the existence, of credentials scoped to other Relying Parties.
Broadly, compliant authenticators protect public key credentials, and interact with user agents to implement the Web Authentication API. Some authenticators MAY run on the same computing device (e.g., smart phone, tablet, desktop PC) as
+the user agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet,
+a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the computing device in conjunction with some means
+for user verification, along with appropriate platform software to mediate access to these components' functionality. Other
+authenticators MAY operate autonomously from the computing device running the user agent, and be accessed over a transport such
+as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).
+
1.1. Use Cases
+
The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further
+scenarios. Additional scenarios, including sample code, are given later in §12 Sample scenarios.
+
1.1.1. Registration
+
+
+
On a phone:
+
+
+
User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
+(possibly a legacy method such as a password), or creates a new account.
+
+
The phone prompts, "Do you want to register this device with example.com?"
+
+
User agrees.
+
+
The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user
+provides this.
+
+
Website shows message, "Registration complete."
+
+
+
1.1.2. Authentication
+
+
+
On a laptop or desktop:
+
+
+
User pairs their phone with the laptop or desktop via Bluetooth.
+
+
User navigates to example.com in a browser and initiates signing in.
+
+
User gets a message from the browser, "Please complete this action on your phone."
+
+
+
Next, on their phone:
+
+
+
User sees a discrete prompt or notification, "Sign in to example.com."
+
+
User selects this prompt / notification.
+
+
User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
+
+
User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
+
+
+
Now, back on the laptop:
+
+
+
Web page shows that the selected user is signed in, and navigates to the signed-in page.
+
+
+
1.1.3. Other use cases and configurations
+
A variety of additional use cases and configurations are also possible, including (but not limited to):
+
+
+
A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.
+
+
A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads
+example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the
+fob.
+
+
A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment
+or other financial transaction.
+
+
2. Conformance
+
This specification defines three conformance classes. Each of these classes is specified so that conforming members of the class
+are secure against non-conforming or hostile members of the other classes.
+
2.1. User Agents
+
A User Agent MUST behave as described by §5 Web Authentication API in order to be considered conformant. Conforming User Agents MAY implement
+algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that
+would be obtained by the specification’s algorithms.
+
A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the
+“Web IDL” specification. [WebIDL-1]
As described in §1.1 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in
+external hardware, or a combination of both.
All CBOR encoding performed by the members of the above conformance classes MUST be done using the CTAP2 canonical CBOR encoding form.
+All decoders of the above conformance classes SHOULD reject CBOR that is not validly encoded
+in the CTAP2 canonical CBOR encoding form and SHOULD reject messages with duplicate map keys.
+
3. Dependencies
+
This specification relies on several other underlying specifications, listed
+below and in Terms defined by reference.
+
+
Base64url encoding
+
+
The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined
+in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
+inclusion of any line breaks, whitespace, or other additional characters.
+
CBOR
+
+
A number of structures in this specification, including attestation statements and extensions, are encoded using the CTAP2 canonical CBOR encoding form of the Compact Binary Object Representation (CBOR) [RFC7049],
+as defined in [FIDO-CTAP].
+
CDDL
+
+
This specification describes the syntax of all CBOR-encoded data using the CBOR Data Definition Language (CDDL) [CDDL].
+
COSE
+
+
CBOR Object Signing and Encryption (COSE) [RFC8152]. The IANA COSE Algorithms registry established by this specification is also used.
Many of the interface definitions and all of the IDL in this specification depend on [WebIDL-1]. This updated version of
+the Web IDL standard adds support for Promises, which are now the preferred mechanism for asynchronous
+interaction in all new web APIs.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
+"OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The concept of a ceremony[Ceremony] is an extension of the concept of a network protocol, with human nodes alongside
+computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of
+physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, Registration and Authentication are ceremonies, and an authorization gesture is often a component of
+those ceremonies.
This refers in general to the combination of the user’s platform device, user agent, authenticators, and everything gluing
+it all together.
+
Client-side-resident Credential Private Key
+
+
A Client-side-resident Credential Private Key is stored either on the client platform, or in some cases on the
+authenticator itself, e.g., in the case of a discrete first-factor roaming authenticator. Such client-side credential
+private key storage has the property that the authenticator is able to select the credential private key given
+only an RP ID, possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP
+ID). By definition, the private key is always exclusively controlled by the authenticator. In the case of a Client-side-resident Credential Private Key, the authenticator might offload storage of wrapped key material to the
+client platform, but the client platform is not expected to offload the key storage to remote entities (e.g. RP Server).
+
Conforming User Agent
+
+
A user agent implementing, in conjunction with the underlying platform, the Web Authentication API and algorithms
+given in this specification, and handling communication between authenticators and Relying Parties.
An identifier that is human-palatable is intended to be rememberable and reproducible by typical human
+users, in contrast to identifiers that are, for example, randomly generated sequences of bits [EduPersonObjectClassSpec].
+ Note: This is a willful violation of [RFC4949]. In English, a "credential" is both a) the thing presented to prove
+ a statement and b) intended to be used multiple times. It’s impossible to achieve both criteria securely with a single
+ piece of data in a public key system. [RFC4949] chooses to define a credential as the thing that can be used multiple
+ times (the public key), while this specification gives "credential" the English term’s flexibility. This specification
+ uses more specific terms to identify the data related to an [RFC4949] credential:
+
+
"Authentication information" (possibly including a private key)
+
The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting
+the number of consecutive failed authentication attempts within a given period of time. If the limit is reached, the
+authenticator should impose a delay that increases exponentially with each successive attempt, or disable the current
+authentication modality and offer a different authentication factor if available. Rate limiting is often implemented as an
+aspect of user verification.
Note: While the term Relying Party is used in other contexts (e.g., X.509 and OAuth), an entity acting as a Relying Party in one
+ context is not necessarily a Relying Party in other contexts.
all (TCP) ports on that host (i.e., a relaxation).
+
+
This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [RFC6265]).
+ Please note that this is a greater relaxation of "same-origin" restrictions than what document.domain's setter provides.
+
+
Test of User Presence
+
+
A test of user presence is a simple form of authorization gesture and technical process where a user interacts with
+an authenticator by (typically) simply touching it (other modalities may also exist), yielding a boolean result. Note
+that this does not constitute user verification because a user presence test, by definition,
+is not capable of biometric recognition, nor does it involve the presentation of a shared secret such as a password or
+PIN.
+
User Consent
+
+
User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
+An authorization gesture is a ceremony component often employed to indicate user consent.
+
User Handle
+
+
The user handle is specified by a Relying Party and is a unique identifier for a user account with that Relying Party. A user handle is
+an opaque byte sequence with a maximum size of 64 bytes.
+
The user handle is not meant to be displayed to the user, but is used by the Relying Party to control the number of credentials - an
+authenticator will never contain more than one credential for a given Relying Party under the same user handle.
This section normatively specifies the API for creating and using public key credentials. The basic
+idea is that the credentials belong to the user and are managed by an authenticator, with which the Relying Party interacts through the
+client (consisting of the browser and underlying OS platform). Scripts can (with the user’s consent) request the
+browser to create a new credential for future use by the Relying Party. Scripts can also request the user’s permission to perform
+authentication operations with an existing credential. All such operations are performed in the authenticator and are mediated by
+the browser and/or platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only
+gets information about the credentials in the form of objects.
+
In addition to the above script interface, the authenticator MAY implement (or come with client software that implements) a user
+interface for management. Such an interface MAY be used, for example, to reset the authenticator to a clean state or to inspect
+the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers
+for managing user state such as history, saved passwords, and cookies. Authenticator management actions such as credential
+deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to
+scripts.
+
The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
+holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against
+a different origin, by incorporating the origin in its responses. Specifically, as defined in §6.2 Authenticator operations,
+the full origin of the requester is included, and signed over, in the attestation object produced when a new credential
+is created as well as in all assertions produced by WebAuthn credentials.
The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for
+each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts.
+
The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL
+listing is given in the IDL Index.
This internal slot contains the credential ID, chosen by the platform with help from the authenticator.
+The credential ID is used to look up credentials for use, and is therefore expected to be globally unique
+with high probability across all credentials of the same type, across all authenticators.
+
Note: This API does not constrain
+the format or length of this identifier, except that it MUST be sufficient for the platform to uniquely select a key.
+For example, an authenticator without on-board storage may create identifiers containing a credential private key wrapped with a symmetric key that is burned into the authenticator.
Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the Origin Confusion section of [CREDENTIAL-MANAGEMENT-1],
+while allowing Relying Party script access to Web Authentication functionality, e.g., when running in
+a secure context framed document that is same-origin with its ancestors.
+However, in the future, this specification (in conjunction with [CREDENTIAL-MANAGEMENT-1]) may provide Relying Parties with more fine-grained control--e.g., ranging
+from allowing only top-level access to Web Authentication functionality,
+to allowing cross-origin embedded cases--by leveraging [Feature-Policy] once the latter specification becomes stably implemented in user agents.
If the timeout member of options is present, check if its value lies within a
+reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set a timer lifetimeTimer to this adjusted value. If the timeout member of options is not
+present, then set lifetimeTimer to a platform-specific default.
Note:options.rp.id represents the
+ caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set options.rp.id when calling create().
Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.
+
+
SetauthenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.
+
+
+
Let collectedClientData be a new CollectedClientData instance whose fields are:
The status of Token Binding between the client and the callerOrigin, as well as the Token Binding ID associated with callerOrigin, if one is available.
For eachauthenticator that becomes available on this platform during the lifetime of lifetimeTimer, do the
+following:
+
The definitions of "lifetime of" and "becomes available" are intended to represent how
+devices are hot-plugged into (USB) or discovered by (NFC) browsers, and are underspecified.
+Resolving this with good definitions or some other means will be addressed by resolving Issue #613.
Let userVerification be the effective user verification requirement for credential creation, a Boolean value,
+as follows. If options.authenticatorSelection.userVerification
Otherwise, AppendC to excludeCredentialDescriptorList.
+
+
+
Invoke the authenticatorMakeCredential operation on authenticator with clientDataHash, options.rp, options.user, options.authenticatorSelection.requireResidentKey, userPresence, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList,
+and authenticatorExtensions as parameters.
For eachauthenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and removeauthenticator from issuedRequests. Then return a DOMException whose name is "AbortError" and terminate this algorithm.
+
If any authenticator returns a status indicating that the user cancelled the operation,
+
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
+
Note:Authenticators may return an indication of "the user cancelled the entire operation".
+How a user agent manifests this state to users is unspecified.
+
+
If any authenticator returns an error status equivalent to "InvalidStateError",
+
Note: This error status is handled separately because the authenticator returns it only if excludeCredentialDescriptorList identifies a credential bound to the authenticator and the user has consented to the operation. Given this explicit consent, it is acceptable for this case to be
+distinguishable to the Relying Party.
+
If any authenticator returns an error status not equivalent to "InvalidStateError",
+
Note: This case does not imply user consent for the operation, so details about the error must be hidden from the Relying Party in order to prevent leak of potentially identifying information. See §14.2 Registration Ceremony Privacy for
+details.
The client MAY replace the AAGUID and attestation statement with a more privacy-friendly
+and/or more easily verifiable version of the same data (for example, by employing an Anonymization CA).
@balfanz wishes to add to the "direct" case:
+ If the authenticator violates the privacy requirements of the attestation type it is using,
+ the client SHOULD terminate this algorithm with an "AttestationNotPrivateError".
Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the Origin Confusion section of [CREDENTIAL-MANAGEMENT-1],
+while allowing Relying Party script access to Web Authentication functionality, e.g., when running in
+a secure context framed document that is same-origin with its ancestors.
+However, in the future, this specification (in conjunction with [CREDENTIAL-MANAGEMENT-1]) may provide Relying Parties with more fine-grained control--e.g., ranging
+from allowing only top-level access to Web Authentication functionality,
+to allowing cross-origin embedded cases--by leveraging [Feature-Policy] once the latter specification becomes stably implemented in user agents.
If the timeout member of options is present, check if its value lies
+within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range.
+Set a timer lifetimeTimer to this adjusted value. If the timeout member of options is not present, then set lifetimeTimer to a platform-specific default.
Note:rpId represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set options.rpId when calling get().
+
+
+
Let clientExtensions be a new map and let authenticatorExtensions be a new map.
Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.
+
+
SetauthenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.
+
+
+
Let collectedClientData be a new CollectedClientData instance whose fields are:
The status of Token Binding between the client and the callerOrigin, as well as the Token Binding ID associated with callerOrigin, if one is available.
Let authenticator be a platform-specific handle whose value identifies an authenticator.
+
+
Start lifetimeTimer.
+
+
For eachauthenticator that becomes available on this platform during the lifetime of lifetimeTimer, perform the following steps:
+
The definitions of "lifetime of" and "becomes available" are intended to represent how
+devices are hot-plugged into (USB) or discovered by (NFC) browsers, and are underspecified.
+Resolving this with good definitions or some other means will be addressed by resolving Issue #613.
Execute a platform-specific procedure to determine which, if any, public key credentials described by options.allowCredentials are bound to this authenticator, by matching with rpId, options.allowCredentials.id,
+and options.allowCredentials.type.
+Set allowCredentialDescriptorList to this filtered list.
The foregoing step _may_ be incorrect, in that we are attempting to create savedCredentialId here and use it later below, and we do not have a global in which to allocate a place for it. Perhaps this
+ is good enough? addendum: @jcjones feels the above step is likely good enough.
+
+
+
For each credential descriptor C in allowCredentialDescriptorList, append each value, if any, of C.transports to distinctTransports.
+
Note: This will aggregate only distinct values of transports (for this authenticator) in distinctTransports due to the properties of ordered sets.
The client selects one transport value from distinctTransports, possibly incorporating local
+configuration knowledge of the appropriate transport to use with authenticator in making its
+selection.
+
Then, using transport, invoke the authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, allowCredentialDescriptorList, userPresence, userVerification, and authenticatorExtensions as parameters.
Using local configuration knowledge of the appropriate transport to use with authenticator,
+invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, allowCredentialDescriptorList, userPresence, userVerification, and clientExtensions as parameters.
Using local configuration knowledge of the appropriate transport to use with authenticator, invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, userPresence, userVerification and clientExtensions as parameters.
+
Note: In this case, the Relying Party did not supply a list of acceptable credential descriptors. Thus, the
+ authenticator is being asked to exercise any credential it may possess that is bound to
+ the Relying Party, as identified by rpId.
For eachauthenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and removeauthenticator from issuedRequests. Then
+return a DOMException whose name is "AbortError" and terminate this algorithm.
+
If any authenticator returns a status indicating that the user cancelled the operation,
+
For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation
+on authenticator and remove it from issuedRequests.
+
Note:Authenticators may return an indication of "the user cancelled the entire operation".
+How a user agent manifests this state to users is unspecified.
If assertionCreationData.userHandleResult is null, set this
+field to null. Otherwise, set this field to a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of assertionCreationData.userHandleResult.
During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
+authorizing an authenticator with which to complete the operation.
+
+
5.1.5. Store an existing credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) method
+
+
The [[Store]](credential, sameOriginWithAncestors) method is not supported
+for Web Authentication’s PublicKeyCredential type, so it always returns an error.
5.1.6. Preventing silent access to an existing credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) method
+
+
Calling the [[preventSilentAccess]](credential, sameOriginWithAncestors) method
+will have no effect on authenticators that require an authorization gesture,
+but setting that flag may potentially exclude authenticators that can operate without user intervention.
Whether the user is running in private or incognito mode.
+
+
Whether the user has configured the client to not create such credentials.
+
+
Whether the user has previously expressed an unwillingness to create a new credential for this Relying Party,
+either through configuration or by declining a user interface prompt.
+
+
The user’s explicitly stated intentions, determined through user interaction.
+
+ If this assessment is affirmative, the promise is resolved with the value of True.
+Otherwise, the promise is resolved with the value of False.
+Based on the result, the Relying Party can take further actions to guide the user to create a credential.
+
This method has no arguments and returns a boolean value.
+
If the promise will return False,
+the client SHOULD wait a fixed period of time from the invocation of the method before returning False.
+This is done so that callers cannot distinguish between
+the case where the user was unwilling to create a credential using one of the available user-verifyingplatform authenticators and
+the case where no user-verifyingplatform authenticator exists.
+Trying to make these cases indistinguishable is done in an attempt to not provide additional information that could be used for fingerprinting.
+A timeout value on the order of 10 minutes is recommended;
+this is enough time for successful user interactions to be performed
+but short enough that the dangling promise will still be resolved in a reasonably timely fashion.
5.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)
+
The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request
+for the creation of a new public key credential. It contains information about the new credential that can be used to
+identify it for later use, and metadata that can be used by the Relying Party to assess the characteristics of the credential
+during registration.
+ This dictionary is used to supply additional parameters when creating a new credential.
+
The type member specifies the type of credential to be created.
+
The alg member specifies the cryptographic signature algorithm with which the newly generated credential
+ will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
+
Note: we use "alg" as the latter member name, rather than spelling-out "algorithm", because it will be serialized into
+ a message to the authenticator, which may be sent over a low-bandwidth link.
+
+
5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)
This member contains information about the desired properties of the credential to be created. The sequence is ordered
+from most preferred to least preferred. The platform makes a best-effort to create the most preferred credential that it
+can.
This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is
+treated as a hint, and MAY be overridden by the platform.
This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same
+account on a single authenticator. The platform is requested to return an error if the new credential would be created
+on an authenticator that also contains one of the credentials enumerated in this parameter.
This member contains additional parameters requesting additional processing by the client and authenticator. For
+example, the caller may request that only authenticators with certain capabilities be used to create the credential, or
+that particular information be returned in the attestation object. Some extensions are defined in §9 WebAuthn Extensions;
+consult the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] for an up-to-date list
+of registered WebAuthn Extensions.
+
+
+
5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)
A human-readable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents:
+
+
+
When inherited by PublicKeyCredentialRpEntity it is a human-friendly identifier for the Relying Party, intended only
+for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".
+
+
When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a
+user account. It is intended only for display, and SHOULD allow the user to easily tell the difference between user
+accounts with similar displayNames. For example, "alexm", "alex.p.mueller@example.com"
+or "+14255551234". The Relying Party MAY let the user choose this, and MAY restrict the choice as needed or appropriate.
+For example, a Relying Party might choose to map human-palatableusername account identifiers to
+the name member of PublicKeyCredentialUserEntity.
+
+
Authenticators MUST accept and store a 64-byte minimum length for a name member’s
+value. Authenticators MAY truncate a name member’s value to a length equal to or greater
+than 64 bytes.
A serialized URL which resolves to an image associated with the entity. For example, this could be
+a user’s avatar or a Relying Party's logo. This URL MUST be an a priori authenticated URL. Authenticators MUST
+accept and store a 128-byte minimum length for an icon member’s value.
+Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes.
+
+
+
5.4.2. RP Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)
A human-friendly name for the user account, intended only for display. For example, "Alex P. Müller" or "田中 倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.
+
Authenticators MUST accept and store a 64-byte minimum length for a displayName member’s value. Authenticators MAY truncate a displayName member’s value to a length
+equal to or greater than 64 bytes.
This member describes the Relying Party's requirements regarding user verification for the create() operation. Eligible authenticators are filtered to only those capable of satisfying this
+requirement.
Clients can communicate with authenticators using a variety of mechanisms. For example, a client MAY use a platform-specific
+API to communicate with an authenticator which is physically bound to a platform. On the other hand, a client can use a
+variety of standardized cross-platform transport protocols such as Bluetooth (see §5.10.4 Authenticator Transport enumeration (enum AuthenticatorTransport)) to discover and
+communicate with cross-platform attached authenticators. Therefore, we use AuthenticatorAttachment to describe an authenticator's attachment modality. We define authenticators that are part of the client’s
+platform as having a platform attachment, and refer to them as platform authenticators. While those that
+are reachable via cross-platform transport protocols are defined as having cross-platform attachment, and refer to
+them as roaming authenticators.
+
+
platform attachment - the respective authenticator is attached
+ using platform-specific transports. Usually, authenticators of
+ this class are non-removable from the platform. A public key credential bound to a platform authenticator is
+ called a platform credential.
+
cross-platform attachment - the respective
+ authenticator is attached using cross-platform transports. Authenticators of this class are removable from, and can
+ "roam" among, client platforms. A public key credential bound to a roaming authenticator is called a roaming
+ credential.
+
+
This distinction is important because there are use-cases where only platform authenticators are acceptable to a Relying Party, and
+conversely ones where only roaming authenticators are employed. As a concrete example of the former, a platform credential may be used by Relying Parties to quickly and conveniently reauthenticate the user with a minimum of friction, e.g., the user will not
+have to dig around in their pocket for their key fob or phone. As a concrete example of the latter, when the user is accessing the Relying Party from a given client for the first time, they may be asked to use a roaming credential which was originally
+registered with the Relying Party using a different client.
5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)
+
The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate
+an assertion. Its challenge member MUST be present, while its other members are OPTIONAL.
This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
+The value is treated as a hint, and MAY be overridden by the platform.
This optional member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most
+preferred credential, and so on down the list).
This member describes the Relying Party's requirements regarding user verification for the get() operation. Eligible authenticators are filtered to only those capable of satisfying this
+requirement.
This OPTIONAL member contains additional parameters requesting additional processing by the client and authenticator.
+For example, if transaction confirmation is sought from the user, then the prompt string might be included as an
+extension.
The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or
+ loses focuses. If a hook is provided, the above paragraph will be updated to include the hook.
+ See WHATWG HTML WG Issue #2711 for more details.
The public key credential type uses certain data structures that are specified in supporting specifications. These are as
+follows.
+
5.10.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)
+
The client data represents the contextual bindings of both the Relying Party and the client platform. It is a key-value
+mapping with string-valued keys. Values can be any type that has a valid encoding in JSON. Its structure is defined by the
+following Web IDL.
+
Note: The CollectedClientData may be extended in the future. Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys.
+ The type member contains the string "webauthn.create" when creating new credentials, and "webauthn.get"
+ when getting an assertion from an existing credential. The purpose of this member is to prevent certain types of signature
+ confusion attacks (where an attacker substitutes one legitimate signature for another).
+
The challenge member contains the base64url encoding of the challenge provided by the RP.
+ See the §13.1 Cryptographic Challenges security consideration.
+
The origin member contains the fully qualified origin of the requester, as provided to the authenticator by
+ the client, in the syntax defined by [RFC6454].
+
The tokenBinding member contains information about the state of the Token Binding protocol used when communicating with the Relying Party. The status member is one of:
+
+
+
not-supported: when the client does not support token binding.
+
+
supported: the client supports token binding, but it was not negotiated when communicating with the Relying Party.
+
+
present: token binding was used when communicating with the Relying Party. In this case, the id member MUST be present and MUST be a base64url encoding of the Token Binding ID that was used.
+
+
This structure is used by the client to compute the following quantities:
+ This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as
+ more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and
+ attestation structures according to the type of the authenticator.
+
Currently one credential type is defined, namely "public-key".
This dictionary contains the attributes that are specified by a caller when referring to a public key credential as an input
+parameter to the create() or get() methods. It mirrors the fields of the PublicKeyCredential object returned by the latter methods.
+
+ The type member contains the type of the public key credential the caller is referring to.
+
+ Authenticators may communicate with clients using a variety of transports. This enumeration defines a hint as to how clients
+ might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these
+ hints represent the Relying Party's best belief as to how an authenticator may be reached. A Relying Party may obtain a list of
+ transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of
+ this specification to define that mechanism.
+
+
usb - the respective authenticator can be contacted over USB.
+
nfc - the respective authenticator can be contacted over Near Field Communication (NFC).
+
ble - the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
+
A COSEAlgorithmIdentifier's value is a number identifying a cryptographic algorithm.
+ The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG],
+ for instance, -7 for "ES256" and -257 for "RS256".
+
5.10.6. User Verification Requirement enumeration (enum UserVerificationRequirement)
The value preferred indicates that the Relying Party prefers user verification for the
+operation if possible, but will not fail the operation if the response does not have the UVflag set.
+
The value discouraged indicates that the Relying Party does not want user verification employed
+during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).
Client platforms MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web
+Authentication API implementation, when operating on the authenticators supported by that platform, MUST be indistinguishable
+from the behavior specified in §5 Web Authentication API.
+
For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to
+the client and the Relying Party. However, it does not define the details of how authenticators communicate with the client platform,
+unless they are necessary for interoperability with Relying Parties. For instance, this abstract model does not define protocols for
+connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific
+error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore,
+specific error codes are mentioned as a means of showing which error conditions must be distinguishable (or not) from each other
+in order to enable a compliant and secure client implementation.
In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the
+WebAuthn client or housed in a separate device entirely. The authenticator itself can contain a cryptographic module which
+operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that
+are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be
+considered more trustworthy than the rest of the authenticator.
Additionally, each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the
+authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
+made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators.
+The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The RP MAY use the AAGUID to infer certain
+properties of the authenticator, such as certification level and strength of key protection, using information from other sources.
+
The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These
+data are observed and added at different levels of the stack as a signature request passes from the server to the
+authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings
+are divided in two: Those added by the RP or the client, referred to as client data; and those added by the authenticator,
+referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in
+its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the client data and
+sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data.
+
The goals of this design can be summarized as follows.
+
+
+
The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator
+is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.
+
+
The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
+should not have to parse high-level encodings such as JSON.
+
+
Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.
+
+
The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.
+
+
Authenticators produce cryptographic signatures for two distinct purposes:
The formats of these signatures, as well as the procedures for generating them, are specified below.
+
6.1. Authenticator data
+
The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are
+controlled by the authenticator itself, and derive their trust from the Relying Party's assessment of the security properties of the
+authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy
+than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and
+software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same
+format, and uses its knowledge of the authenticator to make trust decisions.
+
The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with
+limited capabilities and low power requirements, with much simpler software stacks than the client platform components.
+
The authenticator data structure is a byte array of 37 bytes or more, as follows.
+
+
+
+
Name
+
Length (in bytes)
+
Description
+
+
rpIdHash
+
32
+
SHA-256 hash of the RP ID associated with the credential.
+
NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the
+ actual representation of the authenticator data.
+
The RP ID is originally received from the client when the credential is created, and again when an assertion is generated.
+However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a
+credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is
+validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID associated
+with the requested credential exactly matches the RP ID supplied by the client, and that the RP IDis a registrable
+domain suffix of or is equal to the effective domain of the RP’s origin's effective domain.
+
The UP flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The RFU bits SHALL be set to zero.
+
For attestation signatures, the authenticator MUST set the AT flag and include the attestedCredentialData. For
+authentication signatures, the AT flag MUST NOT be set and the attestedCredentialData MUST NOT be included.
+
If the authenticator does not include any extension data, it MUST set the ED flag to zero, and to one if
+extension data is included.
Note that the authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long.
+The attested credential data (which is only present if the AT flag is set) describes its own length. If the ED flag is set,
+then the total length is 37 bytes plus the length of the attested credential data, plus the length of the CBOR map that
+follows.
Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.
+
Authenticators:
+
+
+
should implement per-RP IDsignature counters. This prevents the signature counter value from being shared between Relying Parties and being possibly employed
+as a correlation handle for the user. Authenticators may implement a global signature counter,
+i.e., on a per-authenticator basis, but this is less privacy-friendly for users.
+
+
should ensure that the signature counter value does not
+accidentally decrease (e.g., due to hardware failures).
A WebAuthn Client MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
+defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one
+session to exist at any particular time, or by providing more complicated session management.
+
The following operations can be invoked by the client in an authenticator session.
+
6.2.1. Lookup Credential Source by Credential ID algorithm
+
The result of looking up a credential idcredentialId in an authenticatorauthenticator is the result of the following algorithm:
A sequence of pairs of PublicKeyCredentialType and public key algorithms (COSEAlgorithmIdentifier) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The platform makes a best-effort to create the most
+preferred credential that it can.
+
excludeCredentialDescriptorList
+
+
An optional list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of
+these are known to the authenticator, it should not create a new credential. excludeCredentialDescriptorList contains a
+list of known credentials.
Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by
+running the authenticatorCancel operation.
+
When this operation is invoked, the authenticator MUST perform the following procedure:
+
+
+
Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
+equivalent to "UnknownError" and terminate the operation.
+
+
Check if at least one of the specified combinations of PublicKeyCredentialType and cryptographic parameters in credTypesAndPubKeyAlgs is supported.
+If not, return an error code equivalent to "NotSupportedError" and terminate the operation.
+
+
For eachdescriptor of excludeCredentialDescriptorList:
+
+
+
If looking updescriptor.id in this authenticator
+returns non-null, and the returned item's RP ID and type match rpEntity.id and excludeCredentialDescriptorList.type respectively, then obtain user
+consent for creating a new credential. The method of obtaining user consent MUST include a test
+of user presence. If the user
+
+
confirms consent to create a new credential
+
+
return an error code equivalent to "InvalidStateError" and terminate the operation.
+
does not consent to create a new credential
+
+
return an error code equivalent to "NotAllowedError" and terminate the operation.
If requireUserVerification is true and the authenticator cannot perform user verification, return an error code
+equivalent to "ConstraintError" and terminate the operation.
+
+
Obtain user consent for creating a new credential. The prompt for obtaining this consent is shown by the
+authenticator if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display rpEntity.id, rpEntity.name, userEntity.name and userEntity.displayName, if possible.
Once user consent has been obtained, generate a new credential object:
+
+
+
Let (publicKey, privateKey) be a new pair of cryptographic keys using the combination of PublicKeyCredentialType and cryptographic parameters represented by the first item in credTypesAndPubKeyAlgs that is supported by
+this authenticator.
Note: Before performing this operation, all other operations in progress in the authenticator session must be aborted by running the authenticatorCancel operation.
+
When this method is invoked, the authenticator MUST perform the following procedure:
+
+
+
Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
+equivalent to "UnknownError" and terminate the operation.
If allowCredentialDescriptorList was supplied, then for eachdescriptor of allowCredentialDescriptorList:
+
+
+
Let credSource be the result of looking updescriptor.id in this
+authenticator.
+
+
If credSource is not null, append it to credentialOptions.
+
+
+
Otherwise (allowCredentialDescriptorList was not supplied), for eachkey → credSource of this
+authenticator’s credentials map, appendcredSource to credentialOptions.
+
+
Remove any items from credentialOptions whose rpId is not equal to rpId.
+
+
If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
+
+
Prompt the user to select a public key credential sourceselectedCredential from credentialOptions.
+Obtain user consent for using selectedCredential. The prompt for obtaining this consent may be shown
+by the authenticator if it has its own output capability, or by the user agent otherwise.
Let signature be the assertion signature of the concatenation authenticatorData || hash using the privateKey of selectedCredential as shown in Figure 2, below. A simple,
+undelimited
+concatenation is safe to use here because the authenticator data describes its own length. The hash of the serialized
+client data (which potentially has a variable length) is always the last element.
If any error occurred while generating the assertion signature, return an error code equivalent to "UnknownError" and
+terminate the operation.
+
+ Return to the user agent:
+
+
+
selectedCredential.id, if either a list of credentials
+(i.e., allowCredentialDescriptorList) of length 2 or greater was
+supplied by the client, or no such list was supplied.
+
Note: If, within allowCredentialDescriptorList, the client supplied exactly one credential and it was successfully employed, then its credential ID is not returned since the client already knows it. This saves transmitting these bytes over
+ what may be a constrained connection in what is likely a common case.
If the authenticator cannot find any credential corresponding to the specified Relying Party that
+matches the specified criteria, it terminates the operation and returns an error.
+
6.2.4. The authenticatorCancel operation
+
This operation takes no input parameters and returns no result.
+
When this operation is invoked by the client in an authenticator session, it has the effect of terminating any authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress in that authenticator
+session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
+client ignores any further responses from the authenticator for the canceled operation.
The attestation statement format is the manner in which the signature is represented and the various contextual
+bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the
+syntax of the statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in §6.3.2 Attestation Statement Formats.
The characteristics of the individual authenticator, such as its construction, whether part or all of it runs in a secure
+operating environment, and so on.
Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation
+object for a given credential. It has the following format:
+
+
+
+
Name
+
Length (in bytes)
+
Description
+
+
aaguid
+
16
+
The AAGUID of the authenticator.
+
+
credentialIdLength
+
2
+
Byte length L of Credential ID, 16-bit unsigned big-endian integer.
+
NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the
+ actual representation of the attested credential data.
+
6.3.1.1. Examples of credentialPublicKey Values encoded in COSE_Key format
+
This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256
+signature algorithms. These examples adhere to the rules defined above for the credentialPublicKey value, and are presented in [CDDL] for clarity.
+
[RFC8152]Section 7 defines the general framework for all COSE_Key-encoded keys.
+Specific key types for specific algorithms are defined in other sections of [RFC8152] as well as in other specifications,
+as noted below.
+
Below is an example of a COSE_Key-encoded Elliptic Curve public key in EC2 format (see [RFC8152]Section 13.1), on the P-256 curve, to be used with the ES256 signature
+algorithm (ECDSA w/ SHA-256, see [RFC8152]Section 8.1):
+
{
+ 1: 2, ; kty: EC2 key type
+ 3: -7, ; alg: ES256 signature algorithm
+ -1: 1, ; crv: P-256 curve
+ -2: x, ; x-coordinate as byte string 32 bytes in length
+ ; e.g., in hex: 65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d
+ -3: y ; y-coordinate as byte string 32 bytes in length
+ ; e.g., in hex: 1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c
+}
+
+
Below is the above Elliptic Curve public key encoded in the CTAP2 canonical CBOR encoding form, whitespace and line breaks
+are included here for clarity and to match the [CDDL] presentation above:
Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see [RFC8230]Section 4),
+to be used with the PS256 signature algorithm
+(RSASSA-PSS with SHA-256, see [RFC8230]Section 2):
+
{
+ 1: 3, ; kty: RSA key type
+ 3: -37, ; alg: PS256
+ -1: n, ; n: RSA modulus n byte string 256 bytes in length
+ ; e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3
+ -2: e ; e: RSA public exponent e byte string 3 bytes in length
+ ; e.g., in hex: 010001
+}
+
+
Below is an example of the same COSE_Key-encoded RSA public key as above,
+to be used with the RS256 signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256, see §11.3 COSE Algorithm Registrations):
+
{
+ 1: 3, ; kty: RSA key type
+ 3:-257, ; alg: RS256
+ -1: n, ; n: RSA modulus n byte string 256 bytes in length
+ ; e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3
+ -2: e ; e: RSA public exponent e byte string 3 bytes in length
+ ; e.g., in hex: 010001
+}
+
In the case of basic attestation [UAFProtocol], the authenticator’s attestation key pair is specific to an
+authenticator model. Thus, authenticators of the same model often share the same attestation key pair. See §14.1 Attestation Privacy for further information.
+
Self Attestation (Self)
+
+
In the case of self attestation, also known as surrogate basic attestation [UAFProtocol], the Authenticator does not have
+any specific attestation key. Instead it uses the credential private key to create the attestation signature.
+Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.
+
Attestation CA (AttCA)
+
+
In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific
+"endorsement key" (EK). This key is used to securely communicate with a trusted third party, the Attestation CA[TCG-CMCProfile-AIKCertEnroll] (formerly known as a "Privacy CA"). The authenticator can generate multiple
+attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate
+for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation
+handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates.
+
Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
+ is called "active".
+
Elliptic Curve based Direct Anonymous Attestation (ECDAA)
+
+
In this case, the Authenticator receives direct anonymous attestation (DAA) credentials from a single DAA-Issuer.
+These DAA credentials are used along with blinding to sign the attested credential data. The concept of blinding avoids
+the DAA credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and
+bilinear pairings, called ECDAA (see [FIDOEcdaaAlgorithm]) in this specification. Consequently we denote the DAA-Issuer
+as ECDAA-Issuer (see [FIDOEcdaaAlgorithm]).
+
No attestation statement (None)
+
+
In this case, no attestation information is available.
Return the attestation object as a CBOR map with the following syntax, filled in with variables initialized by this
+algorithm:
+
attObj = {
+ authData: bytes,
+ $$attStmtType
+ }
+
+ attStmtTemplate = (
+ fmt: text,
+ attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType
+ )
+
+ ; Every attestation statement format must have the above fields
+ attStmtTemplate .within $$attStmtType
+
+
+
6.3.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
+
+
+
For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms,
+a signature value is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [RFC3279] section 2.2.3.
Note: As CTAP1/U2F devices are already producing signatures values in this format, CTAP2
+devices will also produce signatures values in the same format, for consistency reasons.
+It is recommended that any new attestation formats defined not use ASN.1 encodings,
+but instead represent signatures as equivalent fixed-length byte arrays without internal structure,
+using the same representations as used by COSE signatures as defined in [RFC8152] and [RFC8230].
+
+
For COSEAlgorithmIdentifier -257 (RS256), sig contains the signature generated using the
+RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in [RFC8017] with SHA-256 as the hash function.
+The signature is not ASN.1 wrapped.
+
+
For COSEAlgorithmIdentifier -37 (PS256), sig contains the signature generated using the
+RSASSA-PSS signature scheme defined in section 8.1.1 in [RFC8017] with SHA-256 as the hash function.
+The signature is not ASN.1 wrapped.
Note: Using any implementation of UTF-8 decode is acceptable as long as it yields the same result as that yielded by
+the UTF-8 decode algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.
+
+
Let C, the client data claimed as collected during the credential creation, be the result of running an
+implementation-specific JSON parser on JSONtext.
+
Note:C may be any implementation-specific data structure representation, as long as C’s components are referenceable, as
+required by this algorithm.
+
+
Verify that the value of C.type is webauthn.create.
+
+
Verify that the value of C.challenge matches the challenge that was sent to the
+authenticator in the create() call.
Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST be prepared to
+handle cases where none or not all of the requested extensions were acted upon.
+
+
Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of
+supported WebAuthn Attestation Statement Format Identifier values.
+The up-to-date list of registered WebAuthn Attestation Statement Format Identifier values
+is maintained in the in the IANA registry of the same name [WebAuthn-Registries].
If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer
+public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For
+example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData.
+
+
Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key
+correctly chains up to an acceptable root certificate.
+
+
+
Check that the credentialId is not yet registered to any other user. If registration
+is requested for a credential that is already registered to a different user, the Relying Party SHOULD
+fail this registration ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.
+
+
If the attestation statement attStmt verified successfully and is found to be trustworthy, then register the new
+credential with the account that was denoted in the options.user passed to create(), by associating it with the credentialId and credentialPublicKey in the attestedCredentialData in authData, as appropriate for the Relying Party's system.
+
+
If the attestation statement attStmt successfully verified but is not trustworthy per step 16 above, the Relying Party SHOULD fail
+the registrationceremony.
Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors
+in step 15 above. Also, if certificates are being used, the Relying Party MUST have access to certificate status information for the
+intermediate CA certificates. The Relying Party MUST also be able to build the attestation certificate chain if the client did not
+provide this chain in the attestation information.
Using credential’s id attribute (or the corresponding rawId, if base64url encoding is inappropriate for your use case), look up the corresponding credential public key.
Let JSONtext be the result of running UTF-8 decode on the value of cData.
+
Note: Using any implementation of UTF-8 decode is acceptable as long as it yields the same result as that yielded by
+the UTF-8 decode algorithm. In particular, any leading byte order mark (BOM) MUST be stripped.
+
+
Let C, the client data claimed as used for the signature, be the result of running an implementation-specific
+JSON parser on JSONtext.
+
Note:C may be any implementation-specific data structure representation, as long as C’s components are referenceable, as
+required by this algorithm.
+
+
Verify that the value of C.type is the string webauthn.get.
Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST be prepared to
+handle cases where none or not all of the requested extensions were acted upon.
+
+
Let hash be the result of computing a hash over the cData using SHA-256.
+
+
Using the credential public key looked up in step 3, verify that sig is a valid signature over the binary concatenation of authData and hash.
If the signature counter value authData.signCount is nonzero or the value stored
+in conjunction with credential’s id attribute
+is nonzero, then run the following sub-step:
If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the authentication ceremony.
+
+
8. Defined Attestation Statement Formats
+
WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.
+
8.1. Attestation Statement Format Identifiers
+
Attestation statement formats are identified by a string, called an attestation statement format identifier, chosen by
+the author of the attestation statement format.
+
Attestation statement format identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication
+(WebAuthn)". All registered attestation statement format identifiers are unique amongst themselves as a matter of course.
+
Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name
+registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST
+be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote,
+i.e., VCHAR as defined in [RFC5234] but without %x22 and %x5c.
+
Note: This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels [RFC5890].
+
Implementations MUST match WebAuthn attestation statement format identifiers in a case-sensitive fashion.
+
Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect,
+different versions are thus treated as different formats, e.g., packed2 as a new version of the packed attestation statement
+format.
+
The following sections present a set of currently-defined and registered attestation statement formats and their identifiers.
+The up-to-date list of registered WebAuthn Extensions is maintained in the IANA "WebAuthn Attestation Statement Format
+Identifier" registry established by [WebAuthn-Registries].
+
8.2. Packed Attestation Statement Format
+
This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is
+implementable by authenticators with limited resources (e.g., secure elements).
+
+
Attestation statement format identifier
+
+
packed
+
Attestation types supported
+
+
All
+
Syntax
+
+
The syntax of a Packed Attestation statement is defined by the following CDDL:
A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
+
sig
+
+
A byte string containing the attestation signature.
+
x5c
+
+
The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format.
+The attestation certificate MUST be the first element in the array.
+
ecdaaKeyId
+
+
The identifier of the ECDAA-Issuer public key. This is the
+BigNumberToB encoding of the component "c" of the ECDAA-Issuer public key as defined section 3.3, step 3.5 in [FIDOEcdaaAlgorithm].
If Basic or AttCAattestation is in use, the authenticator produces the sig by concatenating authenticatorData and clientDataHash, and signing the result using an attestation private key selected through an authenticator-specific
+mechanism. It sets x5c to the certificate chain of the attestation public key and alg to the algorithm of the
+attestation private key.
If self attestation is in use, the authenticator produces sig by concatenating authenticatorData and clientDataHash,
+and signing the result using the credential private key. It sets alg to the algorithm of the credential private key and
+omits the other fields.
+
+
Verification procedure
+
+
Given the verification procedure inputsattStmt, authenticatorData and clientDataHash, the verification procedure is
+as follows:
+
+
+
Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract
+the contained fields.
+
+
If x5c is present, this indicates that the attestation type is not ECDAA. In this case:
+
+
+
Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using the
+attestation public key in x5c with the algorithm specified in alg.
If x5c contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the value of this
+extension matches the aaguid in authenticatorData.
If ecdaaKeyId is present, then the attestation type is ECDAA. In this case:
+
+
+
Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using
+ECDAA-Verify with ECDAA-Issuer public key identified by ecdaaKeyId (see [FIDOEcdaaAlgorithm]).
If the related attestation root certificate is used for multiple authenticator models, the Extension OID
+1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) MUST be present, containing the AAGUID as a 16-byte OCTET STRING.
+The extension MUST NOT be marked as critical.
+
Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
+Thus, the AAGUID must be wrapped in two OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:
The Basic Constraints extension MUST have the CA component set to false.
+
+
An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
+See, for example, the FIDO Metadata Service [FIDOMetadataService].
+
+
8.3. TPM Attestation Statement Format
+
This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
+engine.
Concatenate authenticatorData and clientDataHash to form attToBeSigned.
+
Generate a signature using the procedure specified in [TPMv2-Part3] Section 18.2, using the attestation private key and
+setting the extraData parameter to the digest of attToBeSigned using the hash algorithm corresponding to the "alg" signature algorithm.
+(For the "RS256" algorithm, this would be a SHA-256 digest.)
+
Set the pubArea field to the public area of the credential public key, the certInfo field to the output parameter of the
+same name, and the sig field to the signature obtained from the above procedure.
+
Verification procedure
+
+
Given the verification procedure inputsattStmt, authenticatorData and clientDataHash, the verification procedure is
+as follows:
+
Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
+contained fields.
+
Verify that the public key specified by the parameters and unique fields of pubArea is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
+
Concatenate authenticatorData and clientDataHash to form attToBeSigned.
+
Validate that certInfo is valid:
+
+
+
Verify that magic is set to TPM_GENERATED_VALUE.
+
+
Verify that type is set to TPM_ST_ATTEST_CERTIFY.
+
+
Verify that extraData is set to the hash of attToBeSigned using the hash algorithm employed in "alg".
+
+
Verify that attested contains a TPMS_CERTIFY_INFO structure as specified in [TPMv2-Part2] section 10.12.3,
+whose name field contains a valid Name for pubArea,
+as computed using the algorithm in the nameAlg field of pubArea using the procedure specified in [TPMv2-Part1] section 16.
+
+
Note that the remaining fields in the "Standard Attestation Structure" [TPMv2-Part1] section 31.2, i.e., qualifiedSigner, clockInfo and firmwareVersion are ignored.
+These fields MAY be used as an input to risk engines.
+
+
If x5c is present, this indicates that the attestation type is not ECDAA. In this case:
+
+
+
Verify the sig is a valid signature over certInfo using the attestation public key in x5c with the
+algorithm specified in alg.
If x5c contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this
+extension matches the aaguid in authenticatorData.
The Subject Alternative Name extension MUST be set as defined in [TPMv2-EK-Profile] section 3.2.9.
+
+
The Extended Key Usage extension MUST contain the
+"joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.
+
+
The Basic Constraints extension MUST have the CA component set to false.
+
+
An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are
+both OPTIONAL as the status of many attestation certificates is available through metadata services.
+See, for example, the FIDO Metadata Service [FIDOMetadataService].
An Android key attestation statement consists simply of the Android attestation statement, which is a series of
+DER encoded X.509 certificates. See the Android developer documentation. Its
+syntax is defined as follows:
Request an Android Key Attestation by calling keyStore.getCertificateChain(myKeyUUID) providing clientDataHash as the
+challenge value (e.g., by using setAttestationChallenge). Set x5c to the returned value.
+
The authenticator produces sig by concatenating authenticatorData and clientDataHash,
+and signing the result using the credential private key. It sets alg to the algorithm of the signature format.
+
Verification procedure
+
+
Given the verification procedure inputsattStmt, authenticatorData and clientDataHash, the verification procedure is
+as follows:
+
+
+
Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
+contained fields.
+
+
Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using the
+public key in the first certificate in x5c with the algorithm specified in alg.
8.5. Android SafetyNet Attestation Statement Format
+
When the authenticator in question is a platform-provided Authenticator on certain Android platforms, the attestation
+statement is based on the SafetyNet API. In
+this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application
+running on the Android platform) and the attestation statement only provides some statements about the health of the platform
+and the identity of the calling application. This attestation does not provide information regarding provenance of the authenticator
+and its associated data. Therefore platform-provided authenticators should make use of the Android Key Attestation when available,
+even if the SafetyNet API is also present.
Concatenate authenticatorData and clientDataHash, perform SHA-256 hash of the concatenated string, and
+let the result of the hash form attToBeSigned.
+
Request a SafetyNet attestation, providing attToBeSigned as the nonce value. Set response to the result, and ver to
+the version of Google Play Services running in the authenticator.
+
Verification procedure
+
+
Given the verification procedure inputsattStmt, authenticatorData and clientDataHash, the verification procedure is
+as follows:
+
+
+
Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
+contained fields.
+
+
Verify that response is a valid SafetyNet response of version ver.
+
+
Verify that the nonce in the response is identical to the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.
+
+
Verify that the attestation certificate is issued to the hostname "attest.android.com" (see SafetyNet online documentation).
+
+
Verify that the ctsProfileMatch attribute in the payload of response is true.
+
+
If successful, return attestation type Basic with the attestation trust path set to the above attestation certificate.
+
+
+
8.6. FIDO U2F Attestation Statement Format
+
This attestation statement format is used with FIDO U2F authenticators using the formats defined in [FIDO-U2F-Message-Formats].
The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format.
+The attestation certificate MUST be the first element in the array.
If the credential public key of the given credential is not of algorithm -7 ("ES256"), stop and return an error.
+Otherwise, let authenticatorData denote the authenticator data for the attestation,
+and let clientDataHash denote the hash of the serialized client data. (Since SHA-256 is used to hash the
+serialized client data, clientDataHash will be 32 bytes long.)
+
Generate a Registration Response Message as specified in [FIDO-U2F-Message-Formats]Section 4.3, with the application parameter set to the
+SHA-256 hash of the RP ID associated with the given credential, the challenge parameter set to clientDataHash, and the key handle
+parameter set to the credential ID of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the user public key,
+key handle, and attestation certificates) as sig and set the attestation certificates of
+the attestation public key as x5c.
+
Verification procedure
+
+
Given the verification procedure inputsattStmt, authenticatorData and clientDataHash, the verification procedure is
+as follows:
+
+
+
Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
+contained fields.
+
+
Let attCert be the value of the first element of x5c. Let certificate public key be the public key
+conveyed by attCert. If certificate public key is not an Elliptic Curve (EC) public
+key over the P-256 curve, terminate this algorithm and return an appropriate error.
+
+
Extract the claimed rpIdHash from authenticatorData, and the claimed credentialId and credentialPublicKey from authenticatorData.attestedCredentialData.
Let x be the value corresponding to the "-2" key (representing x coordinate) in credentialPublicKey, and confirm its
+size to be of 32 bytes.
+If size differs or "-2" key is not found, terminate this algorithm and return an appropriate error.
+
+
Let y be the value corresponding to the "-3" key (representing y coordinate) in credentialPublicKey, and confirm its
+size to be of 32 bytes.
+If size differs or "-3" key is not found, terminate this algorithm and return an appropriate error.
+
+
Let publicKeyU2F be the concatenation 0x04 || x || y.
+
Note: This signifies uncompressed ECC key format.
+
+
+
Let verificationData be the concatenation of (0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F) (see Section 4.3 of [FIDO-U2F-Message-Formats]).
+
+
Verify the sig using verificationData and certificate public key per [SEC1].
Return the fixed attestation statement defined above.
+
Verification procedure
+
+
Return attestation type None with an empty trust path.
+
+
9. WebAuthn Extensions
+
The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as
+defined in §5 Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration
+extension and/or an authentication extension.
+
Every extension is a client extension, meaning that the extension involves communication with and processing by the
+client. Client extensions define the following steps and data:
An extension can also be an authenticator extension, meaning that the extension involves communication with and
+processing by the authenticator. Authenticator extensions define the following steps and data:
All WebAuthn extensions are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a Relying Party MAY be
+ignored by the client browser or OS and not passed to the authenticator at all, or they MAY be ignored by the authenticator.
+Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any
+API calls, they MUST be prepared to handle cases where some or all of those extensions are ignored.
+
Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not
+recognize to authenticators, generating the authenticator extension input by simply encoding the client extension input in CBOR. All WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user’s
+security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such
+a naïve pass-through will produce a semantically invalid authenticator extension input value, resulting in the extension
+being ignored by the authenticator. Since all extensions are OPTIONAL, this will not cause a functional failure in the API
+operation. Likewise, clients can choose to produce a client extension output value for an extension that it does not
+understand by encoding the authenticator extension output value into JSON, provided that the CBOR output uses only types
+present in JSON.
+
When clients choose to pass through extensions they do not recognize,
+the JavaScript values in the client extension inputs are converted to CBOR values in the authenticator extension inputs.
+When the JavaScript value is an %ArrayBuffer%, it is converted to a CBOR byte array.
+When the JavaScript value is a non-integer number, it is converted to a 64-bit CBOR floating point number.
+Otherwise, when the JavaScript type corresponds to a JSON type, the conversion is done
+using the rules defined in Section 4.2 of [RFC7049] (Converting from JSON to CBOR),
+but operating on inputs of JavaScript type values rather than inputs of JSON type values.
+Once these conversions are done,
+canonicalization of the resulting CBOR MUST be performed using the CTAP2 canonical CBOR encoding form.
+
Likewise, when clients receive outputs from extensions they have passed through that they do not recognize,
+the CBOR values in the authenticator extension outputs are converted to JavaScript values in the client extension outputs.
+When the CBOR value is a byte string, it is converted to a JavaScript %ArrayBuffer% (rather than a base64url-encoded string).
+Otherwise, when the CBOR type corresponds to a JSON type, the conversion is done
+using the rules defined in Section 4.1 of [RFC7049] (Converting from CBOR to JSON),
+but producing outputs of JavaScript type values rather than outputs of JSON type values.
+
Note that some clients may choose to implement this pass-through capability under a feature flag.
+Supporting this capability can facilitate innovation, allowing authenticators to experiment with new extensions
+and Relying Parties to use them before there is explicit support for them in clients.
+
The IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] can be consulted
+for an up-to-date list of registered WebAuthn Extensions.
+
9.1. Extension Identifiers
+
Extensions are identified by a string, called an extension identifier, chosen by the extension author.
+
Extension identifiers SHOULD be registered per [WebAuthn-Registries] "Registries for Web Authentication (WebAuthn)".
+All registered extension identifiers are unique amongst themselves as a matter of course.
+
Unregistered extension identifiers SHOULD aim to be globally unique, e.g., by including the defining entity such as myCompany_extension.
+
All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters,
+excluding backslash and doublequote, i.e., VCHAR as defined in [RFC5234] but without %x22 and %x5c. Implementations MUST
+match WebAuthn extension identifiers in a case-sensitive fashion.
+
Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
+versions are thus treated as different extensions, e.g., myCompany_extension_01
+
§10 Defined Extensions defines an initial set of extensions and their identifiers.
+See the IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extension Identifiers.
Any client extension that is processed by the client MUST return a client extension output value so that the Relying Party knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return
+an authenticator extension output to let the Relying Party know that the extension was honored by the authenticator. If an
+extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean client extension
+output result, set to true to signify that the extension was understood and processed. Likewise, any authenticator
+extension that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean authenticator extension output result, set to true to signify that the extension was understood and processed.
+
9.3. Extending request parameters
+
An extension defines one or two request arguments. The client extension input,
+which is a value that can be encoded in JSON, is passed from the Relying Party to the client
+in the get() or create() call,
+while the CBOR authenticator extension input is
+passed from the client to the authenticator for authenticator extensions during the processing of these calls.
var assertionPromise = navigator.credentials.get({
+ publicKey:{
+ // The challenge must be produced by the server, see the Security Considerations
+ challenge:new Uint8Array([4,99,22/* 29 more random bytes generated by the server */]),
+ extensions:{
+ "webauthnExample_foobar":42
+ }
+ }
+});
+
+
Extension definitions MUST specify the valid values for their client extension input. Clients SHOULD ignore extensions with
+an invalid client extension input. If an extension does not require any parameters from the Relying Party, it SHOULD be defined
+as taking a Boolean client argument, set to true to signify that the extension is requested by the Relying Party.
Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
+ over low-bandwidth links such as Bluetooth Low-Energy or NFC.
+
9.4. Client extension processing
+
Extensions MAY define additional processing requirements on the client platform during the creation of credentials or the
+generation of an assertion. The client extension input for the extension is used as an input to this client processing.
+For each supported client extension, the client adds an entry to the clientExtensionsmap with the extension identifier as the key, and the extension’s client extension input as the value.
This section defines the initial set of extensions to be registered in the
+IANA "WebAuthn Extension Identifier" registry established by [WebAuthn-Registries].
+These are RECOMMENDED for implementation by user agents targeting broad interoperability.
+
10.1. FIDO AppID Extension (appid)
+
This client extension allows Relying Parties that have previously registered a
+credential using the legacy FIDO JavaScript APIs to request an assertion. The
+FIDO APIs use an alternative identifier for relying parties called an AppID[FIDO-APPID], and any credentials created using those APIs will be bound to
+that identifier. Without this extension, they would need to be re-registered in
+order to be bound to an RP ID.
+
This extension does not allow FIDO-compatible credentials to be created. Thus,
+credentials created with WebAuthn are not backwards compatible with the FIDO
+JavaScript APIs.
When building allowCredentialDescriptorList,
+if a U2F authenticator indicates that a credential is inapplicable (i.e. by
+returning SW_WRONG_DATA) then the client MUST retry with the U2F application
+parameter set to the SHA-256 hash of appId. If this results in an applicable
+credential, the client MUST include the credential in allowCredentialDescriptorList. The value of appId then replaces the rpId parameter of authenticatorGetAssertion.
+
+
Client extension output
+
+
Returns the value true to indicate to the RP that the extension was acted upon.
The client extension input encoded as a CBOR text string (major type 3).
+
+
CDDL:
+txAuthSimpleInput = (tstr)
+
+
+
Authenticator extension processing
+
+
The authenticator MUST display the prompt to the user before performing either user verification or test of user
+presence. The authenticator MAY insert line breaks if needed.
+
Authenticator extension output
+
+
A single CBOR string, representing the prompt as displayed (including any eventual line breaks).
This registration extension and authentication extension allows images to be used as transaction authorization prompts
+as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.
The authenticator MUST display the content to the user before performing either user verification or test of
+user presence. The authenticator MAY add other information below the content. No changes are allowed to the content itself, i.e., inside content boundary box.
+
Authenticator extension output
+
+
The hash value of the content which was displayed. The authenticator MUST use the same hash algorithm as it uses for the
+signature itself.
This registration extension allows a Relying Party to guide the selection of the authenticator that will be leveraged when
+creating the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential
+creation.
Each AAGUID corresponds to an authenticator model that is acceptable to the Relying Party for this credential creation. The
+list is ordered by decreasing preference.
+
An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.
This extension can only be used during create(). If the client supports the Authenticator Selection
+Extension, it MUST use the first available authenticator whose AAGUID is present in the AuthenticatorSelectionList. If
+none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the
+available authenticators to generate the credential.
+
Client extension output
+
+
Returns the value true to indicate to the RP that the extension was acted upon.
The Boolean value true, encoded in CBOR (major type 7, value 21).
+
Authenticator extension processing
+
+
The authenticator sets the authenticator extension output to be a list of extensions that the authenticator supports, as
+defined below. This extension can be added to attestation objects.
The Boolean value true, encoded in CBOR (major type 7, value 21).
+
Authenticator extension processing
+
+
The authenticator sets the authenticator extension output to be a user verification index indicating the method used
+by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.
+
Authenticator extension output
+
+
The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR
+byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also
+MUST contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for
+other biometric data or users).
+
The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data
+as the initial key generation. This allows the detection and prevention of "friendly fraud".
+
As an example, the UVI could be computed as SHA256(KeyID || SHA256(rawUVI)), where || represents concatenation, and the
+rawUVI reflects (a) the biometric reference data, (b) the related OS level user ID and (c) an identifier which changes
+whenever a factory reset is performed for the device, e.g. rawUVI = biometricReferenceData || OSLevelUserID ||
+FactoryResetCounter.
None, except creating the authenticator extension input from the client extension input.
+
Client extension output
+
+
Returns a JavaScript object that encodes the location information in the authenticator extension output as a Coordinates value,
+as defined by [Geolocation-API].
The Boolean value true, encoded in CBOR (major type 7, value 21).
+
Authenticator extension processing
+
+
Determine the Geolocation value.
+
Authenticator extension output
+
+
A [Geolocation-API]Coordinates record encoded as a CBOR map.
+Values represented by the "double" type in JavaScript are represented as 64-bit CBOR floating point numbers.
+Per the Geolocation specification, the "latitude", "longitude", and "accuracy" values are required
+and other values such as "altitude" are optional.
The Boolean value true, encoded in CBOR (major type 7, value 21).
+
Authenticator extension processing
+
+
The authenticator sets the authenticator extension output to be one or more user verification methods indicating the method(s) used
+by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.
+
Authenticator extension output
+
+
Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance,
+using the CBOR syntax defined below:
The semantics of the fields in each uvmEntry are as follows:
+
+
userVerificationMethod
+
+
The authentication method/factor used by the authenticator to verify the user. Available values are defined in [FIDOReg], "User Verification Methods" section.
+
keyProtectionType
+
+
The method used by the authenticator to protect the FIDO registration private key material. Available values are defined
+in [FIDOReg], "Key Protection Types" section.
+
matcherProtectionType
+
+
The method used by the authenticator to protect the matcher that performs user verification. Available values are defined
+in [FIDOReg], "Matcher Protection Types" section.
+
+
If >3 factors can be used in an authentication instance the authenticator vendor MUST select the 3 factors it believes
+will be most relevant to the Server to include in the UVM.
+
Example for authenticator data containing one UVM extension for a multi-factor authentication instance where 2 factors
+were used:
+
... -- [=RP ID=] hash (32 bytes)
+81 -- UP and ED set
+00 00 00 01 -- (initial) signature counter
+... -- all public key alg etc.
+A1 -- extension: CBOR map of one element
+ 63 -- Key 1: CBOR text string of 3 bytes
+ 75 76 6d -- "uvm" [=UTF-8 encoded=] string
+ 82 -- Value 1: CBOR array of length 2 indicating two factor usage
+ 83 -- Item 1: CBOR array of length 3
+ 02 -- Subitem 1: CBOR integer for User Verification Method Fingerprint
+ 04 -- Subitem 2: CBOR short for Key Protection Type TEE
+ 02 -- Subitem 3: CBOR short for Matcher Protection Type TEE
+ 83 -- Item 2: CBOR array of length 3
+ 04 -- Subitem 1: CBOR integer for User Verification Method Passcode
+ 01 -- Subitem 2: CBOR short for Key Protection Type Software
+ 01 -- Subitem 3: CBOR short for Matcher Protection Type Software
+
The FAR is the maximum false acceptance rate for a biometric authenticator allowed by the Relying Party.
+
The FAR is the maximum false rejection rate for a biometric authenticator allowed by the Relying Party.
+
Client extension processing
+
+
This extension can only be used during create(). If the client supports this
+extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. The client
+can obtain information about the biometric authenticator’s performance from authoritative sources such as the FIDO
+Metadata Service [FIDOMetadataService] (see Sec. 3.2 of [FIDOUAFAuthenticatorMetadataStatements]).
+
Client extension output
+
+
Returns the JSON value true to indicate to the RP that the extension was acted upon
+
Authenticator extension input
+
+
None.
+
Authenticator extension processing
+
+
None.
+
Authenticator extension output
+
+
None.
+
+
11. IANA Considerations
+
11.1. WebAuthn Attestation Statement Format Identifier Registrations
WebAuthn Attestation Statement Format Identifier: packed
+
+
Description: The "packed" attestation statement format is a WebAuthn-optimized format for attestation. It uses a very
+compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g.,
+secure elements).
WebAuthn Attestation Statement Format Identifier: tpm
+
+
Description: The TPM attestation statement format returns an attestation statement in the same format as the packed
+attestation statement format, although the rawData and signature fields are computed differently.
Description: This authentication extension allows Relying Parties that have previously registered a credential using the legacy
+FIDO JavaScript APIs to request an assertion.
Description: This registration extension and authentication extension allows for a simple form of transaction
+authorization. A WebAuthn Relying Party can specify a prompt string, intended for display on a trusted device on the
+authenticator
Description: This registration extension and authentication extension allows images to be used as transaction
+authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a
+richer visual appearance than accomplished with the webauthn.txauth.simple extension.
Description: This registration extension allows a WebAuthn Relying Party to guide the selection of the authenticator that
+will be leveraged when creating the credential. It is intended primarily for WebAuthn Relying Parties that wish to tightly
+control the experience around credential creation.
Description: This registration extension enables the Relying Party to determine which extensions the authenticator supports. The
+extension data is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings. This extension is added
+automatically by the authenticator. This extension can be added to attestation statements.
Description: This registration extension and authentication extension enables use of a user verification index. The
+user verification index is a value uniquely identifying a user verification data record. The UVI data can be used by servers
+to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This
+allows the detection and prevention of "friendly fraud".
Description: This registration extension and authentication extension enables use of a user verification method.
+The user verification method extension returns to the Webauthn relying party which user verification methods (factors) were
+used for the WebAuthn operation.
This section registers identifiers for RSASSA-PKCS1-v1_5 [RFC8017] algorithms using SHA-2 and SHA-1 hash functions in the
+IANA COSE Algorithms registry [IANA-COSE-ALGS-REG].
+It also registers identifiers for ECDAA algorithms.
In this section, we walk through some events in the lifecycle of a public key credential, along with the corresponding
+sample code for using this API. Note that this is an example flow and does not limit the scope of how the API can be used.
+
As was the case in earlier sections, this flow focuses on a use case involving an external first-factor authenticator with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
+by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of
+an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without
+its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform
+needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client
+platform to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.
The user visits example.com, which serves up a script. At this point, the user may already be logged in using a legacy
+username and password, or additional authenticator, or other means acceptable to the Relying Party.
+Or the user may be in the process of creating a new account.
+
+
The Relying Party script runs the code snippet below.
+
+
The client platform searches for and locates the authenticator.
+
+
The client platform connects to the authenticator, performing any pairing actions if necessary.
+
+
The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be
+created, and obtains a biometric or other authorization gesture from the user.
+
+
The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script. If
+the user declined to select an authenticator or provide authorization, an appropriate error is returned.
+
+
If a new credential was created,
+
+
+
The Relying Party script sends the newly generated credential public key to the server, along with additional information
+such as attestation regarding the provenance and characteristics of the authenticator.
+
+
The server stores the credential public key in its database and associates it with the user as well as with the
+characteristics of authentication indicated by attestation, also storing a friendly name for later use.
+
+
The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of
+credential for the user.
+
+
+
The sample code for generating and registering a new key follows:
+
if(!window.PublicKeyCredential){/* Platform not capable. Handle error. */}
+
+var publicKey ={
+ // The challenge must be produced by the server, see the Security Considerations
+ challenge:new Uint8Array([21,31,105/* 29 more random bytes generated by the server */]),
+
+ // Relying Party:
+ rp:{
+ name:"ACME Corporation"
+ },
+
+ // User:
+ user:{
+ id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)),
+ name:"alex.p.mueller@example.com",
+ displayName:"Alex P. Müller",
+ icon:"https://pics.example.com/00/p/aBjjjpqPb.png"
+ },
+
+ // This Relying Party will accept either an ES256 or RS256 credential, but
+ // prefers an ES256 credential.
+ pubKeyCredParams:[
+ {
+ type:"public-key",
+ alg:-7// "ES256" as registered in the IANA COSE Algorithms registry
+ },
+ {
+ type:"public-key",
+ alg:-257// Value registered by this specification for "RS256"
+ }
+ ],
+
+ timeout:60000,// 1 minute
+ excludeCredentials:[],// No exclude list of PKCredDescriptors
+ extensions:{"loc":true}// Include location information
+ // in attestation
+};
+
+// Note: The following call will cause the authenticator to display UI.
+navigator.credentials.create({ publicKey })
+ .then(function(newCredentialInfo){
+ // Send new credential info to server for verification and registration.
+ }).catch(function(err){
+ // No acceptable authenticator or user refused consent. Handle appropriately.
+ });
+
+
12.2. Registration Specifically with User Verifying Platform Authenticator
The user is shown appropriate UI and guided in creating a credential using one of the available platform authenticators.
+Upon successful credential creation, the RP script conveys the new credential to the server.
+
+
if(!window.PublicKeyCredential){/* Platform not capable of the API. Handle error. */}
+
+PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
+ .then(function(userIntent){
+
+ // If the user has affirmed willingness to register with RP using an available platform authenticator
+ if(userIntent){
+ var publicKeyOptions ={/* Public key credential creation options. */};
+
+ // Create and register credentials.
+ return navigator.credentials.create({"publicKey": publicKeyOptions });
+ }else{
+
+ // Record that the user does not intend to use a platform authenticator
+ // and default the user to a password-based flow in the future.
+ }
+
+ }).then(function(newCredentialInfo){
+ // Send new credential info to server for verification and registration.
+ }).catch(function(err){
+ // Something went wrong. Handle appropriately.
+ });
+
+
12.3. Authentication
+
This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
+credential.
+
+
+
The user visits example.com, which serves up a script.
+
+
The script asks the client platform for an Authentication Assertion, providing as much information as possible to narrow
+the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after
+registration, or by other means such as prompting the user for a username.
+
+
The Relying Party script runs one of the code snippets below.
+
+
The client platform searches for and locates the authenticator.
+
+
The client platform connects to the authenticator, performing any pairing actions if necessary.
+
+
The authenticator presents the user with a notification that their attention is needed. On opening the
+notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
+when creating the credentials, along with some information on the origin that is requesting these keys.
+
+
The authenticator obtains a biometric or other authorization gesture from the user.
+
+
The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script.
+If the user declined to select a credential or provide an authorization, an appropriate error is returned.
+
+
If an assertion was successfully generated and returned,
+
+
+
The script sends the assertion to the server.
+
+
The server examines the assertion, extracts the credential ID, looks up the registered
+credential public key it is database, and verifies the assertion’s authentication signature.
+If valid, it looks up the identity associated with the assertion’s credential ID; that
+identity is now authenticated. If the credential ID is not recognized by the server (e.g.,
+it has been deregistered due to inactivity) then the authentication has failed; each Relying Party will handle this in its own way.
+
+
The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
+authentication cookies, etc.
+
+
+
If the Relying Party script does not have any hints available (e.g., from locally stored data) to help it narrow the list of
+credentials, then the sample code for performing such an authentication might look like this:
+
if(!window.PublicKeyCredential){/* Platform not capable. Handle error. */}
+
+var options ={
+ // The challenge must be produced by the server, see the Security Considerations
+ challenge:new Uint8Array([4,101,15/* 29 more random bytes generated by the server */]),
+ timeout:60000,// 1 minute
+ allowCredentials:[{ type:"public-key"}]
+ };
+
+navigator.credentials.get({"publicKey": options })
+ .then(function(assertion){
+ // Send assertion to server for verification
+}).catch(function(err){
+ // No acceptable credential or user refused consent. Handle appropriately.
+});
+
+
On the other hand, if the Relying Party script has some hints to help it narrow the list of credentials, then the sample code for
+performing such an authentication might look like the following. Note that this sample also demonstrates how to use the
+extension for transaction authorization.
+
if(!window.PublicKeyCredential){/* Platform not capable. Handle error. */}
+
+var encoder =new TextEncoder();
+var acceptableCredential1 ={
+ type:"public-key",
+ id: encoder.encode("!!!!!!!hi there!!!!!!!\n")
+};
+var acceptableCredential2 ={
+ type:"public-key",
+ id: encoder.encode("roses are red, violets are blue\n")
+};
+
+var options ={
+ // The challenge must be produced by the server, see the Security Considerations
+ challenge:new Uint8Array([8,18,33/* 29 more random bytes generated by the server */]),
+ timeout:60000,// 1 minute
+ allowCredentials:[acceptableCredential1, acceptableCredential2],
+ extensions:{'txAuthSimple':
+ "Wave your hands in the air like you just don’t care"}
+ };
+
+navigator.credentials.get({"publicKey": options })
+ .then(function(assertion){
+ // Send assertion to server for verification
+}).catch(function(err){
+ // No acceptable credential or user refused consent. Handle appropriately.
+});
+
+
12.4. Aborting Authentication Operations
+
The below example shows how a developer may use the AbortSignal parameter to abort a
+credential registration operation. A similar procedure applies to an authentication operation.
+
const authAbortController =new AbortController();
+const authAbortSignal = authAbortController.signal;
+
+authAbortSignal.onabort =function(){
+ // Once the page knows the abort started, inform user it is attempting to abort.
+}
+
+var options ={
+ // A list of options.
+}
+
+navigator.credentials.create({
+ publicKey: options,
+ signal: authAbortSignal})
+ .then(function(attestation){
+ // Register the user.
+ }).catch(function(error){
+ if(error =="AbortError"){
+ // Inform user the credential hasn’t been created.
+ // Let the server know a key hasn’t been created.
+ }
+ });
+
+// Assume widget shows up whenever authentication occurs.
+if(widget =="disappear"){
+ authAbortController.abort();
+}
+
+
12.5. Decommissioning
+
The following are possible situations in which decommissioning a credential might be desired. Note that all of these are
+handled on the server side and do not need support from the API specified here.
+
+
+
Possibility #1 -- user reports the credential as lost.
+
+
+
User goes to server.example.net, authenticates and follows a link to report a lost/stolen device.
+
+
Server returns a page showing the list of registered credentials with friendly names as configured during registration.
+
+
User selects a credential and the server deletes it from its database.
+
+
In future, the Relying Party script does not specify this credential in any list of acceptable credentials, and assertions
+signed by this credential are rejected.
+
+
+
Possibility #2 -- server deregisters the credential due to inactivity.
+
+
+
Server deletes credential from its database during maintenance activity.
+
+
In the future, the Relying Party script does not specify this credential in any list of acceptable credentials, and assertions
+signed by this credential are rejected.
+
+
+
Possibility #3 -- user deletes the credential from the device.
+
+
+
User employs a device-specific method (e.g., device settings UI) to delete a credential from their device.
+
+
From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.
+
+
Sometime later, the server deregisters this credential due to inactivity.
At this time, this specification does not feature detailed security considerations. However, the [FIDOSecRef] document provides a security analysis which is overall applicable to this specification.
+Also, the [FIDOAuthnrSecReqs] document suite defines authenticator security characteristics which are overall applicable for WebAuthn authenticators.
+
The below subsections comprise the current Web Authentication-specific security considerations.
+
13.1. Cryptographic Challenges
+
As a cryptographic protocol, Web Authentication is dependent upon randomized challenges
+to avoid replay attacks. Therefore, both challenge's
+and challenge's value MUST be randomly generated
+by Relying Parties in an environment they trust (e.g., on the server-side), and the
+returned challenge value in the client’s
+response MUST match what was generated. This SHOULD be done in a fashion that does not rely
+upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily
+until the operation is complete. Tolerating a mismatch will compromise the security
+of the protocol.
+
In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD
+therefore be at least 16 bytes long.
+
13.2. Attestation Security Considerations
+
13.2.1. Attestation Certificate Hierarchy
+
A 3-tier hierarchy for attestation certificates is RECOMMENDED (i.e., Attestation Root, Attestation Issuing CA, Attestation
+Certificate). It is also RECOMMENDED that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
+used to help facilitate isolating problems with a specific version of a device.
+
If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
+SHOULD be specified in the attestation certificate itself, so that it can be verified against the authenticator data.
+
13.2.2. Attestation Certificate and Attestation Certificate CA Compromise
+
When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn authenticator attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
+has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new
+intermediate CA or from a new root CA. If the root CA changes, the Relying Parties MUST update their trusted root certificates
+accordingly.
+
A WebAuthn Authenticator attestation certificate MUST be revoked by the issuing CA if its key has been compromised. A WebAuthn
+Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already
+manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
+scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
+possible for Relying Parties to trust any further attestation statements from the affected WebAuthn Authenticators.
+
If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the Relying Party's policy
+requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the Relying Party also
+un-registers (or marks with a trust level equivalent to "self attestation") public key credentials that were registered
+after the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus RECOMMENDED
+that Relying Parties remember intermediate attestation CA certificates during Authenticator registration in order to un-register
+related public key credentials if the registration was performed after revocation of such certificates.
+
If an ECDAA attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked
+authenticators) maintained by the related ECDAA-Issuer. The Relying Party SHOULD verify whether an authenticator belongs to the
+RogueList when performing ECDAA-Verify (see section 3.6 in [FIDOEcdaaAlgorithm]). For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.
13.4. Browser Permissions Framework and Extensions
+
Web Authentication API implementations should leverage the browser permissions framework as much as possible when obtaining user
+permissions for certain extensions. An example is the location extension (see §10.7 Location Extension (loc)), implementations of
+which should make use of the existing browser permissions framework for the Geolocation API.
Attestation keys can be used to track users or link various online identities of the same user together. This can be mitigated
+in several ways, including:
+
+
+
A WebAuthn authenticator manufacturer may choose to ship all of their devices with the same (or a fixed number of)
+attestation key(s) (called Basic Attestation). This will anonymize the user at the risk of not being able to revoke a
+particular attestation key if its private key is compromised.
+
[UAFProtocol] requires that at least 100,000 devices share the same attestation certificate in order to produce
+sufficiently large groups. This may serve as guidance about suitable batch sizes.
+
+
A WebAuthn authenticator may be capable of dynamically generating different attestation keys (and requesting related
+certificates) per-origin (similar to the Attestation CA approach). For example, an authenticator can ship with a
+master attestation key (and certificate), and combined with a cloud-operated Anonymization CA, can dynamically generate per-origin attestation keys and attestation certificates.
+
Note: In various places outside this specification, the term "Privacy CA" is used to refer to what is termed here
+ as an Anonymization CA. Because the Trusted Computing Group (TCG) also used the term "Privacy CA" to refer to what
+ the TCG now refers to as an Attestation CA (ACA) [TCG-CMCProfile-AIKCertEnroll], and the envisioned functionality
+ of an Anonymization CA is not firmly established, we are using the term Anonymization CA here to try to mitigate
+ confusion in the specific context of this specification.
If the above cases are distinguishable, information is leaked by which a malicious Relying Party could identify the user by probing for
+which credentials are available. For example, one such information leak is if the client returns a
+failure response as soon as an excluded authenticator becomes available. In this case - especially if the excluded authenticator is a platform authenticator - the Relying Party could detect that the ceremony was canceled before the
+timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the credentials listed in the excludeCredentials parameter is available to the user.
+
The above is not a concern, however, if the user has consented to create a new credential before a
+distinguishable error is returned, because in this case the user has confirmed intent to share the information that would be
+leaked.
A named credential is available, but the user does not consent to use it.
+
+
If the above cases are distinguishable, information is leaked by which a malicious Relying Party could identify the user by probing
+for which credentials are available. For example, one such information leak is if the client returns a
+failure response as soon as the user denies consent to proceed with an authenticationceremony. In this
+case the Relying Party could detect that the ceremony was canceled by the user and not the timeout, and thus conclude that at least
+one of the credentials listed in the allowCredentials parameter is
+available to the user.
+
15. Acknowledgements
+ We thank the following people for their reviews of, and contributions to, this specification:
+Yuriy Ackermann,
+James Barclay,
+Richard Barnes,
+Dominic Battré,
+John Bradley,
+Domenic Denicola,
+Rahul Ghosh,
+Brad Hill,
+Jing Jin,
+Wally Jones,
+Ian Kilpatrick,
+Axel Nennker,
+Yoshikazu Nojima,
+Kimberly Paulhamus,
+Adam Powers,
+Yaron Sheffer,
+Anne van Kesteren,
+Johan Verrept,
+and
+Boris Zbarsky.
+
We thank
+Anthony Nadalin,
+John Fontana,
+and
+Richard Barnes
+for their contributions as co-chairs of the Web Authentication Working Group.
+
We also thank
+Wendy Seltzer,
+Samuel Weiler,
+and
+Harry Halpin
+for their contributions as our W3C Team Contacts.
The definitions of "lifetime of" and "becomes available" are intended to represent how
+devices are hot-plugged into (USB) or discovered by (NFC) browsers, and are underspecified.
+Resolving this with good definitions or some other means will be addressed by resolving Issue #613. ↵
+
@balfanz wishes to add to the "direct" case:
+ If the authenticator violates the privacy requirements of the attestation type it is using,
+ the client SHOULD terminate this algorithm with an "AttestationNotPrivateError". ↵
+
The definitions of "lifetime of" and "becomes available" are intended to represent how
+devices are hot-plugged into (USB) or discovered by (NFC) browsers, and are underspecified.
+Resolving this with good definitions or some other means will be addressed by resolving Issue #613. ↵
+
The foregoing step _may_ be incorrect, in that we are attempting to create savedCredentialId here and use it later below, and we do not have a global in which to allocate a place for it. Perhaps this
+ is good enough? addendum: @jcjones feels the above step is likely good enough. ↵
+
The WHATWG HTML WG is discussing whether to provide a hook when a browsing context gains or
+ loses focuses. If a hook is provided, the above paragraph will be updated to include the hook.
+ See WHATWG HTML WG Issue #2711 for more details. ↵