Web Authentication Working Group Charter

The mission of the Web Authentication Working Group, in the Security Activity, is to define a client-side API providing strong authentication functionality to Web Applications.

Start date: February 8th 2016
End date: February 8th 2017
Confidentiality: Proceedings are public
Chairs: Richard Barnes, Mozilla; Anthony Nadalin, Microsoft
Team Contacts: Harry Halpin (0.2 FTE)
Meeting Schedule:
  • Teleconferences: 1-hour calls will be held weekly.
  • Face-to-face: We will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, no more than 3 per year.

Goals

The Web Authentication Working Group will develop recommendation-track specifications defining an API, as well as signature and attestation formats which provide an asymmetric cryptography-based foundation for authentication of users to Web Applications.

Overall goals include obviating the use of shared secrets (i.e., passwords) as authentication credentials, and facilitating multi-factor authentication support as well as hardware-based key storage, all while respecting the Same Origin Policy.

Scope

The Working Group will determine use cases that the API needs to support and use these to derive requirements. Success will be determined by the implementation of API features as defined in this section of the charter.

API Features in scope are: (1) Requesting generation of an asymmetric key pair within a specific scope (e.g., an origin); (2) Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair. In other words, authentication should obey the same origin policy.

Dependencies exist on the Credential Management API in the W3C Web Application Security Working Group.

Note that the details of any user experience (such as prompts) will not be normatively specified, although they may be informatively specified for certain function calls.

The Web Authentication Working Group should aim to produce specifications that have wide deployment and should adopt, refine and, when needed, extend existing practices and community-driven draft specifications when possible. The APIs should integrate well with Web Applications and so should be developed in concert with Web Application developers and reviewed by the Web Application Security and Web Platform Working Groups.

Comprehensive test suites should be developed for the specification to ensure interoperability. User-centric privacy considerations of device management and credentials should be taken into account. The Working Group may produce protocol standards as needed by the API.

Out of Scope

Out of scope: federated identity, multi-origin credentials, low-level access to cryptographic operations or key material.

Success Criteria

In order to advance to Proposed Recommendation, each specification is expected to have at least two independent implementations of each feature defined in the specification.

Deliverables

The group will aim to produce FPWDs of its normative deliverables in Q1 2016, and send them to CR by December 2016. More detailed milestones and updated publication schedules will be available on the group publication status page.

Normative Specifications

The working group will deliver at least the following:

  • Web Authentication API: This specification will make secure authentication available to Web application developers via a standardized API providing the operations detailed in the scope section. The FIDO 2.0 Web APIs will be an input into this standard.
  • Data and signature formats: Formats for signed data and verifiable attestation of a signer's properties. The FIDO 2.0 Attestations and FIDO 2.0 Signature Format will be inputs into this standard.

The specifications must contain a section detailing any known security implications for implementers, Web authors, and end users. The Web Authentication WG will actively seek an open security review.

The specifications should take advantage of existing platform and operating-system authentication libraries as appropriate.

Other Deliverables

Other non-normative documents may be created such as:

  • Test suite for the Web Authentication API;
  • Primer or Best Practice documents to support Web developers when designing applications utilizing the Web Authentication API;
  • Use case and requirement documents;
  • Test suite and implementation report for the specification;
  • Primer or Best Practice documents to support web developers when designing applications.
  • Overall protocol design description and flow diagram, including reference to the protocol by which a web site interacts with a token by way of a browser, to accomplish the above API features.

Coordination

For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, performance, privacy, and security with the relevant Working Groups, and with the TAG. Invitation for review will be issued during each major standards-track document transition, including FPWD and CR, and should be issued when major changes occur in a specification.

This API should work with a wide variety of authenticators and should not require non-standardized vendor-specific infrastructure. We will establish liaisons with the other standards bodies working on particular authenticators as needed.

Additional technical coordination with the following Working Groups will be made, per the W3C Process Document:

W3C Groups

  • Web Application Security Working Group: Coordination with Credential Management API and application security.
  • Web Platform Working Group: Coordination on API design.
  • Web Payments Working Group: To liaise on issues related to strong authentication for payments and tokenization.
  • Privacy Interest Group: Coordination on privacy implications.
  • Accessible Platform Architectures (APA) Working Group: Coordination to review accessibility requirements for APIs and for any direct user interfaces that may be specified.

External Organizations

  • IETF HTTP Authentication Working Group: The IETF HTTP Authentication WG is working on HTTP-based solutions for authentication.
  • IETF Token Binding Working Group: Coordination on token and session management.

Participation

To be successful, this Working Group is expected to have 6 or more active participants for its duration, including representatives from key implementors of this specification, and active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a day per week towards the Working Group. There is no minimum requirement for other Participants.

The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.

The group also welcomes non-Members to contribute technical submissions for consideration, with the agreement from each participant to Royalty-Free licensing of those submissions under the W3C Patent Policy.

Communication

Technical discussions for this Working Group are conducted in public. Meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed on a public repository, and may permit direct public contribution requests.

Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Web Authentication Working Group home page.

Most Web Authentication Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.

This group primarily conducts its technical work through a GitHub repository and on the public mailing list public-webauthn@w3.org (archive). The public is invited to raise issues on GitHub.

The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.

Decision Policy

This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 3.3). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.

However, if a decision is necessary for timely progress, but consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote, and record a decision along with any objections.

To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email and/or web-based survey), with a response period from one week to 10 working days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised on the mailing list by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.

All decisions made by the group should be considered resolved unless and until new information becomes available, or unless reopened at the discretion of the Chairs or the Director.

This charter is written in accordance with the W3C Process Document (Section 3.4, Votes).

Patent Policy

To promote the widest adoption of Web standards, W3C Recommendations have a Royalty-Free IP commitment from Working Group participants, which operate under the W3C Patent Policy (5 February 2004 Version). The W3C Patent Policy Implementation details the disclosure obligations for this group.

Licensing

This Working Group will use the W3C Document License for all its deliverables.

About this Charter

This charter has been created according to section 5 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.