-
Notifications
You must be signed in to change notification settings - Fork 178
/
draft-hodges-webauthn-registries.xml
671 lines (606 loc) · 24.4 KB
/
draft-hodges-webauthn-registries.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "http://xml2rfc.tools.ietf.org/authoring/rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc5234 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml">
<!ENTITY rfc8126 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml">
<!ENTITY rfc8174 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
]>
<?xml-stylesheet type="text/xsl" href="http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="yes" ?>
<?rfc toc="yes" ?>
<?rfc sortrefs="yes" ?>
<?rfc symrefs="yes" ?>
<!--
-00a: initial version based on RFC5988
-00b: adapt 5988bis per mnot's suggestion: draft-nottingham-rfc5988bis-01
* 'attestation type' -> 'attestation format'
* updated to latest extension id format, adjusted list of registered extensions to
match [WebAuthn] editors' draft.
-00c: ?
-00d: Let initial values be in the [WebAuthn] spec, rather than here.
-->
<rfc category="info" ipr="trust200902" docName="draft-hodges-webauthn-registries-10">
<front>
<title>Registries for Web Authentication (WebAuthn)</title>
<author initials="J." surname="Hodges" fullname="Jeff Hodges">
<organization>Google</organization>
<address>
<postal>
<street>1600 Amphitheater Parkway</street>
<city>Mountain View</city>
<region>California</region>
<code>94043</code>
<country>US</country>
</postal>
<email>[email protected]</email>
<uri>https://kingsmountain.com/people/Jeff.Hodges/</uri>
</address>
</author>
<author fullname="Giridhar Mandyam" initials="G.D."
surname="Mandyam">
<organization>Qualcomm Technologies Inc.</organization>
<address>
<postal>
<street>5775 Morehouse Drive</street>
<city>San Diego</city>
<region>California</region>
<code>92121</code>
<country>USA</country>
</postal>
<phone>+1 858 651 7200</phone>
<email>[email protected]</email>
</address>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
<address>
<email>[email protected]</email>
<uri>https://self-issued.info/</uri>
</address>
</author>
<date month="June" year="2020" />
<area>Security</area>
<workgroup>W3C WebAuthn Working Group</workgroup>
<keyword>webauthn</keyword>
<keyword>attestation</keyword>
<keyword>extensions</keyword>
<keyword>registry</keyword>
<abstract>
<t>
This specification defines IANA registries for W3C Web Authentication
attestation statement format identifiers and extension identifiers.
</t>
</abstract>
<note title="Note to Readers">
<t><spanx style="emph">RFC EDITOR: please remove this section before publication</spanx></t>
<t>This is a work-in-progress.</t>
<t>The issues list can be found at
<eref target="https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3Aspec%3Awebauthn-registries">
https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3Aspec%3Awebauthn-registries
</eref>.</t>
<t>The most recent _published_ draft revision is at
<eref target="https://tools.ietf.org/html/draft-hodges-webauthn-registries">
https://tools.ietf.org/html/draft-hodges-webauthn-registries</eref>.</t>
<t>The editors' draft is at
<eref target="https://github.com/w3c/webauthn/blob/master/draft-hodges-webauthn-registries.txt">
https://github.com/w3c/webauthn/blob/master/draft-hodges-webauthn-registries.txt
</eref></t>
<t>Changes in the editors' draft, both proposed and incorporated, are listed at
<eref target="https://github.com/w3c/webauthn/pulls?q=is%3Apr+label%3Aspec%3Awebauthn-registries">
https://github.com/w3c/webauthn/pulls?q=is%3Apr+label%3Aspec%3Awebauthn-registries
</eref></t>
</note>
</front>
<middle>
<section anchor="Introduction" title="Introduction">
<t>
This specification establishes IANA registries for W3C Web Authentication <xref
target="WebAuthn"/> attestation statement format identifiers and extension identifiers.
The initial values for these registries are in the IANA Considerations
section of the <xref target="WebAuthn"/> specification.
</t>
<section anchor="rnc" title="Requirements Notation and Conventions">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and
only when, they appear in all capitals, as shown here.
</t>
</section>
</section>
<section title="IANA Considerations" anchor="sctn-iana-cons">
<t>
This specification establishes two registries:
<list style="symbols">
<t>
the "WebAuthn Attestation Statement Format Identifier" registry; see
<xref target="sctn-attstn-format-registry"/>.
</t>
<t>
the "WebAuthn Extension Identifier" registry;
see <xref target="sctn-extension-ident-registry" />.
</t>
</list>
</t>
<t>
[[ Per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ),
it is requested that the registries be located at
<https://www.iana.org/assignments/webauthn>.
RFC Editor - please delete this request after the registries have been created. ]]
</t>
<t>
Any additional processes established by the expert(s) after the publication of this document
will be recorded on the registry Web page at the expert(s)' discretion.
</t>
<section title="WebAuthn Attestation Statement Format Identifier Registry"
anchor="sctn-attstn-format-registry">
<t>
WebAuthn attestation statement format identifiers are strings whose semantic, syntactic,
and string-matching criteria are specified in <xref target="WebAuthn"/>
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-attstn-fmt-ids">
"Attestation Statement Format Identifiers"</eref>,
along with the concepts of attestation and attestation statement formats.
</t>
<t>
Registered attestation statement format identifiers are those that have been added to the
registry by following the procedure in
<xref target="sctn-registering-attstn-format-idents"/>.
</t>
<t>
Each attestation statement format identifier added to this registry MUST be unique amongst
the set of registered attestation statement format identifiers.
</t>
<t>
Registered attestation statement format identifiers MUST be a maximum of 32 octets in length
and MUST consist only of printable ASCII <xref target="RFC20"/> characters, excluding backslash and doublequote,
i.e., VCHAR as defined in <xref target="RFC5234"/> but without %x22 and %x5c.
Attestation statement format identifiers are case sensitive
and may not match other registered identifiers in a
case-insensitive manner unless the Designated Experts determine that there is a compelling
reason to allow an exception.
</t>
<section title="Registering Attestation Statement Format Identifiers"
anchor="sctn-registering-attstn-format-idents">
<t>
WebAuthn attestation statement format identifiers are registered using the
Specification Required policy (see Section 4.6 of <xref target="RFC8126"/>).
</t>
<t>
The WebAuthn attestation statement format identifiers registry is located at
<eref target="https://www.iana.org/assignments/webauthn">https://www.iana.org/assignments/webauthn</eref>.
Registration requests can be made by following the instructions located there, or by
sending an e-mail to the [email protected] mailing list.
</t>
<t>
Registration requests consist of at least the following information:
<list style="symbols" >
<t>
WebAuthn Attestation Statement Format Identifier:
<vspace/>
An identifier meeting the requirements given above in
<xref target="sctn-attstn-format-registry"/>.
</t>
<t>
Description:
<vspace/>
A relatively short description of the attestation format.
</t>
<t>
Specification Document(s):
<vspace/>
Reference to the document or documents that specify the attestation statement format.
</t>
<t>
Change Controller:
<vspace/>
For Standards Track RFCs, list the "IETF". For others, give the name of the
responsible party. Other details (e.g., postal address, email address, home page
URI) may also be included.
</t>
<t>
Notes:
<vspace/>
[optional]
</t>
</list>
</t>
<t>
Registrations MUST reference a freely available, stable specification, e.g., as
described in Section 4.6 of <xref target="RFC8126"/>.
This specification MUST include security and privacy considerations
relevant to the attestation statement format.
</t>
<t>
Note that WebAuthn attestation statement format identifiers can be registered by third
parties (including the expert(s) themselves), if the expert(s) determine that an
unregistered attestation statement format is widely deployed and not likely to be
registered in a timely manner otherwise.
Such registrations still are subject to the requirements defined, including the need to
reference a specification.
</t>
</section>
<section title="Registration Request Processing"
anchor="sctn-registering-attstn-format-idents-processing">
<t>
As noted in <xref target="sctn-registering-attstn-format-idents"/>,
WebAuthn attestation statement format identifiers are registered using the
Specification Required policy.
</t>
<t>
The expert(s) will clearly identify any issues that cause a registration to be refused,
such as an incompletely specified attestation format.
</t>
<t>
When a request is approved, the expert(s) will inform IANA, and the registration will
be processed.
The IESG is the arbiter of any objection.
</t>
</section>
<section title="Initial WebAuthn Attestation Statement Format Identifier Registry Values"
anchor="sctn-attstn-format-registry-values">
<t>
The initial values for the WebAuthn Attestation Statement Format Identifier Registry are
to be populated from the values listed in
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-att-fmt-reg">
"WebAuthn Attestation Statement Format Identifier Registrations"</eref>
of <xref target="WebAuthn"/>.
Also, the Change Controller entry to be used for each of those registrations is:
<list style='symbols'>
<t>
Change Controller: W3C Web Authentication Working Group - public‑[email protected]
</t>
</list>
</t>
</section>
</section> <!-- Attestation Statement Format Identifier Registry -->
<section title="WebAuthn Extension Identifier Registry"
anchor="sctn-extension-ident-registry">
<t>
WebAuthn extension identifiers are strings whose semantic, syntactic,
and string-matching criteria are specified in <xref target="WebAuthn"/>
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-extension-id">
"Extension Identifiers" </eref>.
</t>
<t>
Registered extension identifiers are those that have been added to the
registry by following the procedure in
<xref target="sctn-registering-extension-idents"/>.
</t>
<t>
Each extension identifier added to this registry MUST be unique
amongst the set of registered extension identifiers.
</t>
<t>
Registered extension identifiers MUST be a maximum of 32 octets in length and MUST
consist only of printable ASCII characters, excluding backslash and doublequote,
i.e., VCHAR as defined in <xref target="RFC5234"/> but without %x22 and %x5c.
Extension identifiers are case sensitive
and may not match other registered identifiers in a case-insensitive manner
unless the Designated Experts determine that there is a compelling reason
to allow an exception.
</t>
<section title="Registering Extension Identifiers"
anchor="sctn-registering-extension-idents">
<t>
WebAuthn extension identifiers registry are registered using the
Specification Required policy (see Section 4.6 of <xref target="RFC8126"/>).
</t>
<t>
The WebAuthn extension identifiers registry is located at
https://www.iana.org/assignments/webauthn.
Registration requests can be made by following the instructions located there, or by
sending an e-mail to the [email protected] mailing list.
</t>
<t>
Registration requests consist of at least the following information:
<list style="symbols" >
<t>
WebAuthn Extension Identifier:
<vspace/>
An identifier meeting the requirements given above in
<xref target="sctn-extension-ident-registry"/>.
</t>
<t>
Description:
<vspace/>
A relatively short description of the extension.
</t>
<t>
Specification Document(s):
<vspace/>
Reference to the document or documents that specify the extension.
</t>
<t>
Change Controller:
<vspace/>
For Standards Track RFCs, list the "IETF". For others, give the name of the
responsible party. Other details (e.g., postal address, email address, home page
URI) may also be included.
</t>
<t>
Notes:
<vspace/>
[optional]
</t>
</list>
</t>
<t>
Registrations MUST reference a freely available, stable specification, e.g., as
described in Section 4.6 of <xref target="RFC8126"/>.
This specification MUST include security and privacy considerations
relevant to the extension.
</t>
<t>
Note that WebAuthn extensions can be registered by third parties
(including the expert(s) themselves), if the expert(s) determine that an unregistered extension is widely deployed and not likely to be
registered in a timely manner otherwise.
Such registrations still are subject to the requirements defined, including the need to
reference a specification.
</t>
</section> <!-- Registering Extension Identifiers -->
<section title="Registration Request Processing"
anchor="sctn-registering-extension-idents-processing">
<t>
As noted in <xref target="sctn-registering-extension-idents"/>,
WebAuthn extension identifiers are registered using the
Specification Required policy.
</t>
<t>
The expert(s) will clearly identify any issues that cause a registration to be refused,
such as an incompletely specified extension.
</t>
<t>
When a request is approved, the expert(s) will inform IANA, and the registration will
be processed.
The IESG is the arbiter of any objection.
</t>
</section>
<section title="Initial WebAuthn Extension Identifier Registry Values"
anchor="sctn-extension-ident-registry-values">
<t>
The initial values for the WebAuthn Extension Identifier Registry are
to be populated from the values listed in
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-extensions-reg">
"WebAuthn Extension Identifier Registrations"</eref>
of <xref target="WebAuthn"/>.
Also, the Change Controller entry to be used for each of those registrations is:
<list style='symbols'>
<t>
Change Controller: W3C Web Authentication Working Group - public‑[email protected]
</t>
</list>
</t>
</section>
</section> <!-- Extension Identifier Registry -->
</section> <!-- IANA Cons -->
<section anchor="Security" title="Security Considerations">
<t>
See <xref target="WebAuthn"/> for relevant security considerations.
</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>
Thanks to Mark Nottingham
for valuable comments and suggestions.
Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorship
of this specification.
Thanks to
Amanda Baber,
Sarah Banks,
Alissa Cooper,
Roman Danyliw,
Murray Kucherawy,
Paul Kyzivat,
Barry Leiba,
Hilarie Orman,
Magnus Westerlund,
and Robert Wilton for their reviews.
</t>
</section>
<section anchor="sctn-history" title="Document History">
<t>[[ to be removed by the RFC Editor before publication as an RFC ]]</t>
<t>
-10
<list style="symbols">
<t>
Changed IESG to IETF in Change Controller instructions, per suggestion by Magnus Westerlund.
</t>
</list>
</t>
<t>
-09
<list style="symbols">
<t>
Added Change Controller fields to registries, per suggestion by Magnus Westerlund.
</t>
<t>
Applied editorial suggestions by Amanda Baber, Murray Kucherawy, and Barry Leiba.
</t>
</list>
</t>
<t>
-08
<list style="symbols">
<t>
Addressed review feedback by Murray Kucherawy.
</t>
<t>
Added BCP 14 Requirements Notation and Conventions section.
</t>
<t>
Referenced RFC 20, which defines ASCII characters.
</t>
<t>
Applied editorial cleanups.
</t>
</list>
</t>
<t>
-07
<list style="symbols">
<t>
Removed a duplicate URI listing pointed out by Hilarie Orman.
</t>
</list>
</t>
<t>
-06
<list style="symbols">
<t>
Addressed Gen-Art review comments by Paul Kyzivat by deleting text about designated experts defining additional registry fields.
</t>
<t>
Addressed Ops-Dir review comments by Sarah Banks by deleting text that duplicated requirements already specified in RFC 8126.
</t>
<t>
Addressed Security review comments by Hilarie Orman by deleting unnecessary text about attestation statement formats lacking complete specifications.
</t>
<t>
Replaced uses of the URL https://www.w3.org/TR/webauthn/ with https://www.w3.org/TR/2019/REC-webauthn-1-20190304/
so that the reference remains stable after the level 2 WebAuthn specification is published.
</t>
</list>
</t>
<t>
-05
<list style="symbols">
<t>
Updated to address the solicited IANA review comments,
per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ).
</t>
</list>
</t>
<t>
-04
<list style="symbols">
<t>
Update per Benjamin Kaduk's further AD review:
Remove 'final' wrt IESG arbitrating objections; Add explicit
requirement for extension or attestation specs to include
security and privacy considerations.
</t>
<t>
Update per IANA review: Move "IANA considerations section up in doc to encompass (former) sections 2 and 3.
</t>
</list>
</t>
<t>
-03
<list style="symbols">
<t>
Update per Benjamin Kaduk's AD review. Align with RFC 8288, rather than
draft-nottingham-rfc5988bis.
</t>
</list>
</t>
<t>
-02
<list style="symbols">
<t>
Refresh now that the WebAuthn spec is at Recommendation (REC) maturity level.
</t>
</list>
</t>
<t>
-01
<list style="symbols">
<t>
Refresh now that the WebAuthn Committee Recommendation (CR) draft is pending.
</t>
</list>
</t>
<t>
-00
<list style="symbols">
<t>
Initial version, based on draft-nottingham-rfc5988bis.
</t>
</list>
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc5234;
&rfc8126;
&rfc8174;
<reference anchor="RFC20" target="http://www.rfc-editor.org/info/rfc20">
<front>
<title>ASCII format for Network Interchange</title>
<author fullname="Vint Cerf" surname="Cerf" initials="V.">
<organization>University California Los Angeles (UCLA)</organization>
</author>
<date month="October" year="1969"/>
</front>
<seriesInfo name="STD" value="80"/>
<seriesInfo name="RFC" value="20"/>
</reference>
<reference anchor="WebAuthn" target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/">
<front>
<title>Web Authentication: An API for accessing Public Key Credentials</title>
<author initials="D." surname="Balfanz" fullname="Dirk Balfanz">
<organization>Google</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="A." surname="Czeskis" fullname="Alexei Czeskis">
<organization>Google</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="J." surname="Hodges" fullname="Jeff Hodges">
<organization>PayPal</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="J.C." surname="Jones" fullname="J.C. Jones">
<organization>Mozilla</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="M.B." surname="Jones" fullname="Michael B. Jones">
<organization>Microsoft</organization>
<address>
<email>[email protected]</email>
<uri>http://self-issued.info/</uri>
</address>
</author>
<author initials="A." surname="Kumar" fullname="Akshay Kumar">
<organization>Microsoft</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="A." surname="Liao" fullname="Angelo Liao">
<organization>Microsoft</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="R." surname="Lindemann" fullname="Rolf Lindemann">
<organization>Nok Nok Labs</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="E." surname="Lundberg" fullname="Emil Lundberg">
<organization>Yubico</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date month="March" day="4" year="2019" />
</front>
<seriesInfo name="World Wide Web Consortium (W3C)" value="Recommendation" />
<format type="HTML" target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/" />
</reference>
</references>
</back>
</rfc>