Registries for Web Authentication (WebAuthn)

This specification establishes two registries: the "WebAuthn Attestation Statement Format Identifier" registry; see . the "WebAuthn Extension Identifier" registry; see . [[ Per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ), it is requested that the registries be located at <https://www.iana.org/assignments/webauthn>. RFC Editor - please delete this request after the registries have been created. ]] For both registries, the expert(s) and IANA will interact as outlined below: IANA will direct any incoming requests regarding either of these registries to this document and, if defined, the processes established by the expert(s); typically, this will mean referring them to the registry Web page.

WebAuthn attestation statement format identifiers are strings whose semantic, syntactic, and string-matching criteria are specified in "Attestation Statement Format Identifiers", along with the concepts of attestation and attestation statement formats. Registered attestation statement format identifiers are those that have been added to the registry by following the procedure in . Each attestation statement format identifier added to this registry MUST be unique amongst the set of registered attestation statement format identifiers. Registered attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in but without %x22 and %x5c. Attestation statement format identifiers are case sensitive. Attestation statement format identifiers may not match other registered identifiers in a case-insensitive manner unless the Designated Experts determine that there is a compelling reason to allow an exception.

WebAuthn attestation statement format identifiers are registered using the Specification Required policy (see Section 4.6 of ). The WebAuthn attestation statement format identifiers registry is located at https://www.iana.org/assignments/webauthn. Registration requests can be made by following the instructions located there, or by sending an e-mail to the webauthn-reg-review@ietf.org mailing list. Registration requests consist of at least the following information: WebAuthn Attestation Statement Format Identifier: An identifier meeting the requirements given above in . Description: A relatively short description of the attestation format. Reference: Reference to the specification of the attestation statement format. Notes: [optional] Registrations MUST reference a freely available, stable specification, e.g., as described in Section 4.6 of . This specification MUST include security and privacy considerations relevant to the attestation statement format. Note that WebAuthn attestation statement format identifiers can be registered by third parties (including the expert(s) themselves), if the expert(s) determine that an unregistered attestation statement format is widely deployed and not likely to be registered in a timely manner otherwise. Such registrations still are subject to the requirements defined, including the need to reference a specification.

As noted in , WebAuthn attestation statement format identifiers are registered using the Specification Required policy. The expert(s) will clearly identify any issues which cause a registration to be refused. When a request is approved, the expert(s) will inform IANA, and the registration will be processed. The IESG is the arbiter of any objection.

The initial values for the WebAuthn Attestation Statement Format Identifier Registry are to be populated from the values listed in "WebAuthn Attestation Statement Format Identifier Registrations" of .

WebAuthn extension identifiers are strings whose semantic, syntactic, and string-matching criteria are specified in "Extension Identifiers" . Registered extension identifiers are those that have been added to the registry by following the procedure in . Each extension identifier added to this registry MUST be unique amongst the set of registered extension identifiers. Registered extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in but without %x22 and %x5c. Extension identifiers are case sensitive. Extension identifiers may not match other registered names in a case-insensitive manner unless the Designated Experts determine that there is a compelling reason to allow an exception.

WebAuthn extension identifiers registry are registered using the Specification Required policy (see Section 4.6 of ). The WebAuthn extension identifiers registry is located at https://www.iana.org/assignments/webauthn. Registration requests can be made by following the instructions located there, or by sending an e-mail to the webauthn-reg-review@ietf.org mailing list. Registration requests consist of at least the following information: WebAuthn Extension Identifier: An identifier meeting the requirements given above in . Description: A relatively short description of the extension. Reference: Reference to the specification of the extension. Notes: [optional] Registrations MUST reference a freely available, stable specification, e.g., as described in Section 4.6 of . This specification MUST include security and privacy considerations relevant to the extension. Note that WebAuthn extensions can be registered by third parties (including the expert(s) themselves), if the expert(s) determine that an unregistered extension is widely deployed and not likely to be registered in a timely manner otherwise. Such registrations still are subject to the requirements defined, including the need to reference a specification.

As noted in , WebAuthn extension identifiers are registered using the Specification Required policy. The expert(s) will clearly identify any issues which cause a registration to be refused. When a request is approved, the expert(s) will inform IANA, and the registration will be processed. The IESG is the arbiter of any objection.

The initial values for the WebAuthn Extension Identifier Registry are to be populated from the values listed in "WebAuthn Extension Identifier Registrations" of .

[[ to be removed by the RFC Editor before publication as an RFC ]] -06 Addressed Gen-Art review comments by Paul Kyzivat by deleting text about designated experts defining additional registry fields. Addressed Ops-Dir review comments by Sarah Banks by deleting text that duplicated requirements already specified in RFC 8126. Addressed Security review comments by Hilarie Orman by deleting unnecessary text about attestation statement formats lacking complete specifications. Replaced uses of the URL https://www.w3.org/TR/webauthn/ with https://www.w3.org/TR/2019/REC-webauthn-1-20190304/ so that the reference remains stable after the level 2 WebAuthn specification is published. -05 Updated to address the solicited IANA review comments, per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ). -04 Update per Benjamin Kaduk's further AD review: Remove 'final' wrt IESG arbitrating objections; Add explicit requirement for extension or attestation specs to include security and privacy considerations. Update per IANA review: Move "IANA considerations section up in doc to encompass (former) sections 2 and 3. -03 Update per Benjamin Kaduk's AD review. Align with RFC 8288, rather than draft-nottingham-rfc5988bis. -02 Refresh now that the WebAuthn spec is at Recommendation (REC) maturity level. -01 Refresh now that the WebAuthn Committee Recommendation (CR) draft is pending. -00 Initial version, based on draft-nottingham-rfc5988bis.