<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8" />
<title>[DRAFT] Web Authentication Working Group Charter</title>
<link rel="stylesheet" href="https://www.w3.org/2005/10/w3cdoc.css" type="text/css" media="screen" />
<link rel="stylesheet" type="text/css" href="https://www.w3.org/Guide/pubrules-style.css" />
<link rel="stylesheet" type="text/css" href="https://www.w3.org/2006/02/charter-style.css" />
<style type="text/css">
ul#navbar {
font-size: small;
}
dt.spec {
font-weight: bold;
}
dt.spec.new {
background: yellow;
}
ul.out-of-scope > li {
font-weight: bold;
}
ul.out-of-scope > li > ul > li{
font-weight: normal;
}
.issue {
background: cornsilk;
font-style: italic;
}
.todo {
color: red;
}
footer {
font-size: small;
}
</style>
</head>
<body>
<header id="header">
<!-- <aside>
<ul id="navbar">
<li><a href="#goals">Goals</a></li>
<li><a href="#scope">Scope</a></li>
<li><a href="#deliverables">Deliverables</a></li>
<li><a href="#coordination">Coordination</a></li>
<li><a href="#participation">Participation</a></li>
<li><a href="#communication">Communication</a></li>
<li><a href="#decisions">Decision Policy</a></li>
<li><a href="#patentpolicy">Patent Policy</a></li>
<li><a href="#licensing">Licensing</a></li>
<li><a href="#about">About this Charter</a></li>
</ul>
</aside>-->
<p>
<a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72" /></a>
<a class="domainlogo" title="domain:tands" href="http://w3.org/TandS/"><img src="http://www.w3.org/Icons/tands" alt="Technology and Society Domain"></a>
</p>
</header>
<main>
<h1 id="status">STATUS: Charter Approved</h1>
<p>An <a href="https://www.w3.org/2015/12/web-authentication-charter.html">updated version of this charter</a> has been approved by the W3C Membership and Director. The <a href="https://www.w3.org/Webauthn/">Web Authentication Working Group</a> is now launched and <a href="https://github.com/w3c/webauthn/">on GitHub</a>.</p>
<h1 id="title">[DRAFT] Web Authentication Working Group Charter</h1>
<p class="todo"><a href="https://www.w3.org/2015/12/web-authentication-charter.html">This charter</a> was sent for W3C Advisory Committee review December 18, 2015.</p>
<section id="mission"><p>
The mission of the Web Authentication Working Group, in the Security Activity, is to define a client-side API providing strong authentication functionality to Web Applications.</p></section>
<div class="noprint">
<p class="join"><a href="http://www.w3.org/2004/01/pp-impl/#####/join">Join the Web Authentication Working Group.</a></p>
</div>
<section id="details">
<table class="summary-table">
<tr id="Duration">
<th>
Start date
</th>
<td>
<i class="todo">[dd monthname yyyy] (date of the "Call for Participation", when the charter is approved)</i>
</td>
</tr>
<tr id="Duration">
<th>
End date
</th>
<td>
<i class="todo">[dd monthname yyyy] (1 year from start date)</i>
</td>
</tr>
<!-- <tr class="todo">
<th>Charter extension</th>
<td>See <a href="#history">Change History</a>.
<span class="issue">(<b>Note:</b> Only include this row if this is a charter extension.)</span>
</td>
</tr>
-->
<tr>
<th>
Chairs
</th>
<td>
Richard Barnes, Mozilla<br>
Anthony Nadalin, Microsoft
</td>
</tr>
<tr>
<th>
Team Contacts
</th>
<td>
TBD (0.2 <abbr title="Full-Time Equivalent">FTE</abbr>)
</td>
</tr>
<tr>
<th>
Meeting Schedule
</th>
<td>
<strong>Teleconferences:</strong> 1-hour calls will be held weekly.
<br />
<strong>Face-to-face:</strong> we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, no more than 3 per year.
</td>
</tr>
</table>
</section>
<section id="goals">
<h2>Goals</h2>
<p>The Web Authentication Working Group will develop recommendation-track specifications defining an API, as well as signature and attestation formats, which together provide an asymmetric cryptography-based foundation for authentication of users to Web Applications.</p><p>
Overall goals include obviating the use of shared secrets (i.e., passwords) as authentication credentials, and facilitating multi-factor authentication support as well as hardware-based key storage, while respecting the Same Origin Policy.
</p>
</section>
<section id="scope" class="scope">
<h2>Scope</h2>
<p>
The Working Group will determine use cases that the API needs to support and use these to derive requirements. Success will be determined by the implementation of API features as defined in this section of the charter.
</p><p>
API Features in scope are:
(1) Requesting generation of an asymmetric key pair within a specific scope (e.g., an origin); (2) Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair.
</p><p>
Dependencies exist on the <a href='https://w3c.github.io/webappsec-credential-management/'>Credential Management API</a> in the <a href='https://www.w3.org/2011/webappsec/'>W3C Web Application Security Working Group</a>.
</p><p>
Note that the details of any user experience (such as prompts) will not be normatively specified, although they may be informatively specified for certain function calls.
</p><p>
The Web Authentication Working Group should aim to produce specifications that have wide deployment and should adopt, refine and, when needed, extend existing practices and community-driven draft specifications when possible. The APIs should integrate well with Web Applications and so should be developed in concert with Web Application developers and reviewed by the <a href='https://www.w3.org/2011/webappsec/'>Web Application Security</a> and <a href='https://www.w3.org/WebPlatform/WG/'>Web Platform</a> Working Groups.
</p><p>
Comprehensive test suites should be developed for the specification to ensure interoperability. User-centric privacy considerations of device management and credentials should be taken into account. The Working Group may produce protocol standards as needed by the API.
</p>
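<p>The two API features above, modelled in Go as an added example (not the FIDO 2.0 Web APIs and not the group's own code): a client-side authenticator that generates a key pair scoped to an origin and will only produce a proof of possession for that same origin, plus the relying party's verification of that proof. The names <code>Authenticator</code>, <code>Create</code>, <code>Prove</code> and <code>Verify</code>, and the scope-plus-challenge message layout, are assumptions of this sketch.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// scopedKey is a private key bound to the scope (here, a web origin) it was generated for.
type scopedKey struct {
	scope string
	priv  ed25519.PrivateKey
}

// Authenticator models the client side of the charter's API: it holds private keys
// and only ever releases credential ids, public keys and signatures.
type Authenticator struct{ keys map[string]scopedKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]scopedKey{}} }

// Create is feature (1): generate a key pair within a scope. The caller receives a
// credential id and the public key to register; the private key never leaves.
func (a *Authenticator) Create(scope string) (id string, pub ed25519.PublicKey, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	id = hex.EncodeToString(raw)
	a.keys[id] = scopedKey{scope: scope, priv: priv}
	return id, pub, nil
}

// Prove is feature (2): sign a fresh challenge with the credential's private key,
// but only when the requesting scope matches the scope the key was created in.
// The scope is part of the signed message, so a proof cannot be reused elsewhere.
func (a *Authenticator) Prove(id, scope string, challenge []byte) ([]byte, error) {
	k, ok := a.keys[id]
	if !ok || k.scope != scope {
		return nil, errors.New("no credential registered for this scope")
	}
	return ed25519.Sign(k.priv, signedMessage(scope, challenge)), nil
}

// signedMessage is what both sides agree to sign and verify: scope, then challenge.
func signedMessage(scope string, challenge []byte) []byte {
	return append([]byte(scope+"\x00"), challenge...)
}

// Verify is the relying party's check: the proof must cover its own scope and the
// challenge it just issued, under the public key stored at registration.
func Verify(pub ed25519.PublicKey, scope string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(scope, challenge), sig)
}
```

<p>Because the scope sits inside the signed message and the authenticator refuses requests from any other scope, no shared secret is ever sent to the site, and a proof produced for one origin verifies nowhere else.</p>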
<div id="section-out-of-scope">
<h3 id="out-of-scope">Out of Scope</h3>
<p>Out of scope:</p>
<ul class="out-of-scope">
<li>Federated identity;</li>
<li>Multi-origin credentials;</li>
<li>Low-level access to cryptographic operations or key material.</li>
</ul>
</div>
<div>
<h3>Success Criteria</h3>
<p>In order to advance to <a href="http://www.w3.org/Consortium/Process/#rec-pr" title="Proposed Recommendation">Proposed Recommendation</a>, each specification is expected to have at least two independent implementations of each feature defined in the specification.</p>
</div>
</section>
<section id="deliverables">
<h2>
Deliverables
</h2>
<p>The group will aim to produce FPWDs of its normative deliverables in <b>Q1 2016</b>, and send them to <b>CR by December 2016</b>. More detailed milestones and updated publication schedules will be available on the <a href="https://www.w3.org/Security/web-authentication/pubstatus.html">group publication status page</a>.</p>
<div id="normative">
<h3>
Normative Specifications
</h3>
<p>
The working group will deliver at least the following:
</p>
<dl><dt>Web Authentication API</dt>
<dd>This specification will make secure authentication available to Web application developers via a standardized API providing the operations detailed in the scope section. The <a href="http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/">FIDO 2.0 Web APIs</a> will be an input into this standard.</dd>
</dl>
<dl><dt>Data and signature formats</dt>
<dd>
Formats for signed data and verifiable attestation of a signer's properties. The <a href="http://www.w3.org/Submission/2015/SUBM-fido-key-attestation-20151120/">FIDO 2.0 Attestations</a> and <a href="http://www.w3.org/Submission/2015/SUBM-fido-signature-format-20151120/">FIDO 2.0 Signature Format</a> will be inputs into this standard.</dd>
</dl>
<p>The specifications must contain a section detailing any known security implications for implementers, Web authors, and end users. The Web Authentication WG will actively seek an open security review.
</p><p>
The specifications should take advantage of existing platform and operating-system authentication libraries as appropriate.
</p>
<div id="ig-other-deliverables">
<h3>
Other Deliverables
</h3>
<p>
Other non-normative documents may be created such as:
</p>
<ul>
<li>Use case and requirement documents;</li>
<li>Test suite and implementation report for the specification;</li>
<li>Primer or Best Practice documents to support web developers when designing applications utilizing the Web Authentication API;</li>
<li>Overall protocol design description and flow diagram, including reference to the protocol by which a web site interacts with a token by way of a browser, to accomplish the above API features.</li>
</ul>
</div>
</section>
<section id="coordination">
<h2>Coordination</h2>
<p>For all specifications, this Working Group will seek <a href="http://www.w3.org/Guide/Charter.html#horizontal-review">horizontal review</a> for accessibility, internationalization, performance, privacy, and security with the relevant Working Groups, and with the <a href="http://www.w3.org/2001/tag/" title="Technical Architecture Group">TAG</a>. Invitation for review will be issued during each major standards-track document transition, including <a href="http://www.w3.org/Consortium/Process/#first-wd" title="First Public Working Draft">FPWD</a> and <a href="http://www.w3.org/Consortium/Process/#last-call" title="Candidate Recommendation">CR</a>, and should be issued when major changes occur in a specification.</p>
<p>Additional technical coordination with the following Working Groups will be made, per the <a href="http://www.w3.org/Consortium/Process/#WGCharter">W3C Process Document</a>:</p>
<div>
<h3 id="w3c-coordination">W3C Groups</h3>
<dl>
<dt><a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a></dt>
<dd>Coordination with the Credential Management API and application security.</dd>
<dt><a href="https://www.w3.org/WebPlatform/WG/">Web Platform Working Group</a></dt>
<dd>Coordination on API design.</dd>
<dt><a href="https://www.w3.org/Privacy/">Privacy Interest Group</a></dt>
<dd>Coordination on privacy implications.</dd>
<dt><a href="http://www.w3.org/WAI/APA/">Accessible Platform Architectures (APA) Working Group</a></dt>
<dd>Coordination to review accessibility requirements for APIs and for any direct user interfaces that may be specified.</dd>
</dl>
<h3 id="external-coordination">External Organizations</h3>
<dl>
<dt><a href="https://datatracker.ietf.org/wg/tokbind/charter/">IETF Token Binding Working Group</a></dt>
<dd>Coordination on token and session management.</dd>
</dl>
</div>
</section>
<section class="participation">
<h2 id="participation">
Participation
</h2>
<p>
To be successful, this Working Group is expected to have 6 or more active participants for its duration, including representatives from key implementers of this specification, and active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a day per week towards the Working Group. There is no minimum requirement for other Participants.
</p>
<p>
The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in <a href='#communication'>Communication</a>.
</p>
<p>
The group also welcomes non-Members to contribute technical submissions for consideration, with the agreement from each participant to Royalty-Free licensing of those submissions under the W3C Patent Policy.
</p>
</section>
<section id="communication">
<h2>
Communication
</h2>
<p id="public">
Technical discussions for this Working Group are conducted in <a href="http://www.w3.org/Consortium/Process/#confidentiality-levels">public</a>. Meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed on a public repository, and may permit direct public contribution requests.
</p>
<p>
Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the <a href="https://www.w3.org/Security/web-authentication.html">Web Authentication Working Group home page</a>.
</p>
<p>
Most Web Authentication Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.
</p>
<p>
This group primarily conducts its technical work through a <a href="https://github.com/w3c/webauthn">GitHub repository</a> and on the public mailing list <a id="public-name" href="mailto:[email protected]">[email protected]</a> (<a href="http://lists.w3.org/Archives/Public/public-webauthn/">archive</a>). The public is invited to raise GitHub issues.
</p>
<p>
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
</p>
</section>
<section id="decisions">
<h2>
Decision Policy
</h2>
<p>
This group will seek to make decisions through consensus and due process, per the <a href="http://www.w3.org/2015/Process-20150901/#def-Consensus">W3C Process Document (section 3.3)</a>. Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.</p>
<p>
However, if a decision is necessary for timely progress, but consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote, and record a decision along with any objections.
</p>
<p>
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional.
A call for consensus (CfC) will be issued for all resolutions (for example, via email and/or web-based survey), with a response period from one week to 10 working days, depending on the chair's evaluation of the group consensus on the issue.
If no objections are raised on the mailing list by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
</p>
<p>
All decisions made by the group should be considered resolved unless and until new information becomes available, or unless reopened at the discretion of the Chairs or the Director.
</p>
<p>
This charter is written in accordance with the <a href="http://www.w3.org/Consortium/Process/#Votes">W3C Process Document (Section 3.4, Votes)</a>.
</p>
</section>
<section id="patentpolicy">
<h2>
Patent Policy
</h2>
<p>
To promote the widest adoption of Web standards, W3C Recommendations have a Royalty-Free IP commitment from Working Group participants, which operate under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">W3C Patent Policy (5 February 2004 Version)</a>.
The <a href="http://www.w3.org/2004/01/pp-impl/">W3C Patent Policy Implementation</a> details the disclosure obligations for this group.
</p>
</section>
<section id="licensing">
<h2>Licensing</h2>
<p>This Working Group will use the <a href="http://www.w3.org/Consortium/Legal/copyright-documents">W3C Document License</a> for all its deliverables.</p>
</section>
<section id="about">
<h2>
About this Charter
</h2>
<p>
This charter has been created according to <a href="http://www.w3.org/Consortium/Process/#GAGeneral">section 6.2</a> of the <a href="http://www.w3.org/Consortium/Process">Process Document</a>. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
</p>
<!-- <section id="history">
<h3>
Charter History
</h3>
<p class="issue"><b>Note:</b> Only include this section if this is a charter extension. Requirements for charter extension history are documented in the <a href="http://www.w3.org/Guide/Charter#extension">Charter Guidebook (section 4)</a>.</p>
<p>The following table lists details of all changes from the initial charter, per the <a href="http://www.w3.org/2015/Process-20150901/#CharterReview">W3C Process Document (section 5.2.3)</a>:</p>
<table class="history">
<tbody>
<tr>
<th>
Charter Period
</th>
<th>
Start Date
</th>
<th>
End Date
</th>
<th>
Changes
</th>
</tr>
<tr>
<th>
<a class="todo" href="">Initial Charter</a>
</th>
<td>
<i class="todo">[dd monthname yyyy]</i>
</td>
<td>
<i class="todo">[dd monthname yyyy]</i>
</td>
<td>
<i class="todo">none</i>
</td>
</tr>
<tr>
<th>
<a class="todo" href="">Charter Extension</a>
</th>
<td>
<i class="todo">[dd monthname yyyy]</i>
</td>
<td>
<i class="todo">[dd monthname yyyy]</i>
</td>
<td>
<i class="todo">none</i>
</td>
</tr>
<tr>
<th>
<a class="todo" href="">Rechartered</a>
</th>
<td>
<i class="todo">[dd monthname yyyy]</i>
</td>
<td>
<i class="todo">[dd monthname yyyy]</i>
</td>
<td>
<p class="todo">[description of change to charter, with link to new deliverable item in charter] <b>Note:</b> use the class <code>new</code> for all new deliverables, for ease of recognition.</p>
</td>
</tr>
</tbody>
</table>
</section>
</section>
-->
</main>
<hr />
<footer>
<address>
<i class="todo">[team contact name]</i>
</address>
<p class="copyright">
<a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2015
<a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup>
(
<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>,
<a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>,
<a href="http://www.keio.ac.jp/">Keio</a>,
<a href="http://ev.buaa.edu.cn/">Beihang</a>
), All Rights Reserved.
<abbr title="World Wide Web Consortium">W3C</abbr> <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.
</p>
<p>
<!-- $Date: 2015/04/30 16:53:49 $ -->
</p>
</footer>
</body>
</html>