idnits 2.17.1

draft-hodges-webauthn-registries-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 88: '... MUST be a maximum of 32 octets i...'
     RFC 2119 keyword, line 98: '... The Expert(s) MAY define additional...'
     RFC 2119 keyword, line 100: '... registry MUST be unique amongst the...'
     RFC 2119 keyword, line 101: '...rs. The Experts(s) MAY also designate...'
     RFC 2119 keyword, line 106: '... Registrations MUST reference a free...'
     (6 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 27, 2018) is 2221 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)

     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    W3C WebAuthn Working Group                                     J. Hodges
3    Internet-Draft                                                    PayPal
4    Intended status: Informational                               G. Mandyam
5    Expires: August 31, 2018                      Qualcomm Technologies Inc.
6                                                                    M. Jones
7                                                                   Microsoft
8                                                           February 27, 2018

10                 Registries for Web Authentication (WebAuthn)
11                     draft-hodges-webauthn-registries-01

13   Abstract

15      This specification defines IANA registries for W3C Web Authentication
16      attestation statement formats and extension identifiers.

18   Status of This Memo

20      This Internet-Draft is submitted in full conformance with the
21      provisions of BCP 78 and BCP 79.

23      Internet-Drafts are working documents of the Internet Engineering
24      Task Force (IETF).  Note that other groups may also distribute
25      working documents as Internet-Drafts.  The list of current Internet-
26      Drafts is at https://datatracker.ietf.org/drafts/current/.

28      Internet-Drafts are draft documents valid for a maximum of six months
29      and may be updated, replaced, or obsoleted by other documents at any
30      time.  It is inappropriate to use Internet-Drafts as reference
31      material or to cite them other than as "work in progress."

33      This Internet-Draft will expire on August 31, 2018.

35   Copyright Notice

37      Copyright (c) 2018 IETF Trust and the persons identified as the
38      document authors.  All rights reserved.

40      This document is subject to BCP 78 and the IETF Trust's Legal
41      Provisions Relating to IETF Documents
42      (https://trustee.ietf.org/license-info) in effect on the date of
43      publication of this document.  Please review these documents
44      carefully, as they describe your rights and restrictions with respect
45      to this document.  Code Components extracted from this document must
46      include Simplified BSD License text as described in Section 4.e of
47      the Trust Legal Provisions and are provided without warranty as
48      described in the Simplified BSD License.

50   Table of Contents

52      1.  Introduction
53      2.  WebAuthn Attestation Statement Format Identifier Registry
54      3.  WebAuthn Extension Identifier Registry
55      4.  IANA Considerations
56        4.1.  WebAuthn Attestation Statement Format Identifier and
57              Extension Identifiers Registries
58      5.  Security Considerations
59      6.  Acknowledgements
60      7.  Document History
61      8.  Normative References
62      Authors' Addresses

64   1.  Introduction

66      This specification establishes IANA registries for W3C Web
67      Authentication [WebAuthn] attestation statement formats and extension
68      identifiers.  The initial values for these registries are in the IANA
69      Considerations section of the [WebAuthn] specification.

71   2.  WebAuthn Attestation Statement Format Identifier Registry

73      WebAuthn attestation statement format identifiers are strings whose
74      semantic, syntactic, and string-matching criteria are specified in
75      [WebAuthn], along with the concepts of attestation and attestation
76      statement formats.

78      WebAuthn attestation statement formats are registered on the advice
79      of a Designated Expert (appointed by the IESG or their delegate),
80      with a Specification Required (per [RFC5226]).

82      The Expert(s) will establish procedures for requesting registrations,
83      and make them available from the registry page.

85      Registration requests consist of at least the following information:

87      o  WebAuthn Attestation Statement Format Identifier: This identifier
88         MUST be a maximum of 32 octets in length and MUST consist only of
89         printable USASCII characters, excluding backslash and doublequote.
90         This name is case sensitive.  Names may not match other registered
91         names in a case-insensitive manner unless the Designated Experts
92         state that there is a compelling reason to allow an exception.
93      o  Description: A relatively short description of the attestation
94         format.
95      o  Specification Document: Reference to the specification of the
96         attestation statement format.
97      o  Notes: [optional]
98      The Expert(s) MAY define additional fields to be collected in the
99      registry.  Each attestation statement format identifier added to this
100     registry MUST be unique amongst the set of registered attestation
101     statement format identifiers.  The Experts(s) MAY also designate
102     attestation statement formats as proprietary if they lack complete
103     specifications, and will assign a prefix indicating as such to the
104     identifier.

106     Registrations MUST reference a freely available specification, e.g.,
107     as described in [RFC2026] Section 7.

109     Note that WebAuthn attestation statement formats can be registered by
110     third parties, if the Expert(s) determine that an unregistered
111     attestation statement format is widely deployed and not likely to be
112     registered in a timely manner.

114     Decisions (or lack thereof) made by the Designated Expert can be
115     first appealed to Application Area Directors (contactable using app-
116     ads@tools.ietf.org email address or directly by looking up their
117     email addresses on http://www.iesg.org/ website) and, if the
118     appellant is not satisfied with the response, to the full IESG (using
119     the iesg@iesg.org mailing list).

121  3.  WebAuthn Extension Identifier Registry

123     WebAuthn extension identifiers are strings whose semantic, syntactic,
124     and string-matching criteria are specified in [WebAuthn].

126     WebAuthn extension identifiers are registered on the advice of a
127     Designated Expert (appointed by the IESG or their delegate), with a
128     Specification Required (per [RFC5226]).

130     The Expert(s) will establish procedures for requesting registrations,
131     and make them available from the registry page.
133     Registration requests consist of at least the following information:

135     o  WebAuthn Extension Identifier: This identifier MUST be a maximum
136        of 32 octets in length and MUST consist only of printable USASCII
137        characters, excluding backslash and doublequote.  This name is
138        case sensitive.  Names may not match other registered names in a
139        case-insensitive manner unless the Designated Experts state that
140        there is a compelling reason to allow an exception.
141     o  Description: A relatively short description of the extension.
142     o  Specification Document: Reference to the specification of the
143        extension.
144     o  Notes: [optional]
145     The Expert(s) MAY define additional fields to be collected in the
146     registry.  Each extension identifier added to this registry MUST be
147     unique amongst the set of registered extension identifiers.

149     Registrations MUST reference a freely available specification, e.g.,
150     as described in [RFC2026] Section 7.

152     Note that WebAuthn extensions can be registered by third parties, if
153     the Expert(s) determine that an unregistered extension is widely
154     deployed and not likely to be registered in a timely manner.

156     Decisions (or lack thereof) made by the Designated Expert can be
157     first appealed to Application Area Directors (contactable using app-
158     ads@tools.ietf.org email address or directly by looking up their
159     email addresses on http://www.iesg.org/ website) and, if the
160     appellant is not satisfied with the response, to the full IESG (using
161     the iesg@iesg.org mailing list).

163  4.  IANA Considerations

165  4.1.  WebAuthn Attestation Statement Format Identifier and Extension
166        Identifiers Registries

168     This specification establishes two registries:

170     o  the "WebAuthn Attestation Statement Format Identifier" registry;
171        see Section 2.
172     o  the "WebAuthn Extension Identifier" registry; see Section 3.
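
The identifier rules that Sections 2 and 3 share (length, character set, uniqueness, case-insensitive collisions) can be checked mechanically before a request reaches the Expert(s). The Python validator below is an added example, not part of the draft or of any IANA tooling; the names `syntax_errors`, `check_registration` and `REGISTERED` are hypothetical, the registry contents are constructed, and reading "printable USASCII" as 0x21-0x7E is an assumption.

```python
# Added example: checks a candidate identifier against the Section 2/3 rules.
# Assumption: "printable USASCII" means 0x21-0x7E (space excluded); the draft
# does not spell out the range.

MAX_OCTETS = 32
FORBIDDEN = {"\\", '"'}          # backslash and doublequote

# Constructed sample registry contents (not real registered values).
REGISTERED = {"example-fmt", "VendorX-attest"}


def syntax_errors(identifier):
    """Return a list of syntax problems; empty list means well-formed."""
    try:
        raw = identifier.encode("ascii")
    except UnicodeEncodeError:
        return ["contains non-ASCII characters"]
    errors = []
    if len(raw) > MAX_OCTETS:
        errors.append(f"{len(raw)} octets, maximum is {MAX_OCTETS}")
    for ch in identifier:
        if ch in FORBIDDEN:
            errors.append(f"forbidden character {ch!r}")
        elif not 0x21 <= ord(ch) <= 0x7E:
            errors.append(f"non-printable octet 0x{ord(ch):02x}")
    return errors


def check_registration(identifier, registered=REGISTERED):
    """Return (ok, problems) for a candidate against existing names."""
    problems = syntax_errors(identifier)
    if identifier in registered:
        problems.append("already registered (identifiers MUST be unique)")
    else:
        # Matching is case sensitive, but a case-insensitive collision is
        # refused unless the Designated Experts grant an exception.
        clashes = sorted(r for r in registered
                         if r.lower() == identifier.lower())
        if clashes:
            problems.append(f"case-insensitive match with {clashes[0]!r}")
    return (not problems, problems)


if __name__ == "__main__":
    for name in ["new-format", "Example-Fmt", 'bad"name', "x" * 33]:
        print(name, check_registration(name))
```

A relying party that compares format or extension identifiers case-insensitively would treat two such registrations as the same name, which is the confusion the collision rule guards against.
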
174     For both registries, the Expert(s) and IANA will interact as outlined
175     below:

177     IANA will direct any incoming requests regarding the registry to the
178     processes established by the Expert(s); typically, this will mean
179     referring them to the registry HTML page.

181     The Expert(s) will provide registry data to IANA in an agreed form
182     (e.g., a specific XML format).  IANA will publish:

184     o  The raw registry data
185     o  The registry data, transformed into HTML
186     o  The registry data in any alternative formats provided by the
187        Expert(s)

189     Each published document will be at a URL agreed to by IANA and the
190     Expert(s) and IANA will set HTTP response headers on them as
191     (reasonably) requested by the Expert(s).

193     Additionally, the HTML generated by IANA will:

195     o  Take directions from the Expert(s) as to the content of the HTML
196        page's introductory text and markup.
197     o  Include a stable HTML fragment identifier for each registered
198        attestation statement format or extension identifier.

200     All registry data documents MUST include Simplified BSD License text
201     as described in Section 4.e of the Trust Legal Provisions
202     ().

204  5.  Security Considerations

206     See [WebAuthn] for relevant security considerations.

208  6.  Acknowledgements

210     Thanks to Mark Nottingham for valuable comments and suggestions.
211     Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area
212     Director sponsorship of this specification.

214  7.  Document History

216     [[ to be removed by the RFC Editor before publication as an RFC ]]

218     -01

220     o  Refresh now that the WebAuthn Committee Recommendation (CR) draft
221        is pending.

223     -00

225     o  Initial version.

227  8.  Normative References

229     [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
230                3", BCP 9, RFC 2026, DOI 10.17487/RFC2026, October 1996,
231                .

233     [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
234                IANA Considerations Section in RFCs", RFC 5226,
235                DOI 10.17487/RFC5226, May 2008,
236                .

238     [WebAuthn]
239                Balfanz, D., Czeskis, A., Hodges, J., Jones, J., Jones,
240                M., Kumar, A., Liao, A., Lindemann, R., and E. Lundberg,
241                "Web Authentication: An API for accessing Public Key
242                Credentials", Editors' Draft, World Wide Web Consortium
243                (W3C) Recommendation-track, February 2018,
244                .

246  Authors' Addresses

248     Jeff Hodges
249     PayPal
250     2211 North First Street
251     San Jose, California  95131
252     US

254     Email: Jeff.Hodges@PayPal.com
255     URI:   http://kingsmountain.com/people/Jeff.Hodges/

257     Giridhar Mandyam
258     Qualcomm Technologies Inc.
259     5775 Morehouse Drive
260     San Diego, California  92121
261     USA

263     Phone: +1 858 651 7200
264     Email: mandyam@qti.qualcomm.com

266     Michael B. Jones
267     Microsoft

269     Email: mbj@microsoft.com
270     URI:   http://self-issued.info/