<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "http://xml2rfc.tools.ietf.org/authoring/rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc5234 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml">
<!ENTITY rfc8126 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml">
<!ENTITY rfc8174 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
]>
<?xml-stylesheet type="text/xsl" href="http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="yes" ?>
<?rfc toc="yes" ?>
<?rfc sortrefs="yes" ?>
<?rfc symrefs="yes" ?>
<!--
-00a: initial version based on RFC5988
-00b: adapt 5988bis per mnot's suggestion: draft-nottingham-rfc5988bis-01
* 'attestation type' -> 'attestation format'
* updated to latest extension id format, adjusted list of registered extensions to
match [WebAuthn] editors' draft.
-00c: ?
-00d: Let initial values be in the [WebAuthn] spec, rather than here.
--> "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF"
category="info" consensus="true" ipr="trust200902" docName="draft-hodges-webauthn-registries-10">
docName="draft-hodges-webauthn-registries-10" number="8809" obsoletes=""
updates="" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true"
version="3">
<!-- xml2rfc v2v3 conversion 2.45.2 -->
<front>
<title>Registries for Web Authentication (WebAuthn)</title>
<seriesInfo name="RFC" value="8809"/>
<author initials="J." surname="Hodges" fullname="Jeff Hodges">
<organization>Google</organization>
<address>
<postal>
<street>1600 Amphitheater Amphitheatre Parkway</street>
<city>Mountain View</city>
<region>California</region>
<region>CA</region>
<code>94043</code>
<country>US</country>
<country>United States of America</country>
</postal>
<email>jdhodges@google.com</email>
<uri>https://kingsmountain.com/people/Jeff.Hodges/</uri>
</address>
</author>
<author fullname="Giridhar Mandyam" initials="G.D." initials="G." surname="Mandyam">
<organization>Qualcomm Technologies Inc.</organization>
<address>
<postal>
<street>5775 Morehouse Drive</street>
<city>San Diego</city>
<region>California</region>
<region>CA</region>
<code>92121</code>
<country>USA</country>
<country>United States of America</country>
</postal>
<phone>+1 858 651 7200</phone>
<email>mandyam@qti.qualcomm.com</email>
</address>
</author>
<author fullname="Michael B. Jones" initials="M.B." initials="M." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>https://self-issued.info/</uri>
</address>
</author>
<date month="June" year="2020" /> month="August" year="2020"/>
<area>Security</area>
<workgroup>W3C WebAuthn Working Group</workgroup>
<keyword>webauthn</keyword>
<keyword>attestation</keyword>
<keyword>extensions</keyword>
<keyword>registry</keyword>
<abstract>
<t>
This specification defines IANA registries for W3C Web Authentication (WebAuthn)
attestation statement format identifiers and extension identifiers.
</t>
</abstract>
<note title="Note to Readers">
<t><spanx style="emph">RFC EDITOR: please remove this section before publication</spanx></t>
<t>This is a work-in-progress.</t>
<t>The issues list can be found at
<eref target="https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3Aspec%3Awebauthn-registries">
https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3Aspec%3Awebauthn-registries
</eref>.</t>
<t>The most recent _published_ draft revision is at
<eref target="https://tools.ietf.org/html/draft-hodges-webauthn-registries">
https://tools.ietf.org/html/draft-hodges-webauthn-registries</eref>.</t>
<t>The editors' draft is at
<eref target="https://github.com/w3c/webauthn/blob/master/draft-hodges-webauthn-registries.txt">
https://github.com/w3c/webauthn/blob/master/draft-hodges-webauthn-registries.txt
</eref></t>
<t>Changes in the editors' draft, both proposed and incorporated, are listed at
<eref target="https://github.com/w3c/webauthn/pulls?q=is%3Apr+label%3Aspec%3Awebauthn-registries">
https://github.com/w3c/webauthn/pulls?q=is%3Apr+label%3Aspec%3Awebauthn-registries
</eref></t>
</note>
</front>
<middle>
<section anchor="Introduction" title="Introduction"> numbered="true" toc="default">
<name>Introduction</name>
<t>
This specification establishes IANA registries for W3C Web
Authentication <xref
target="WebAuthn"/> target="WebAuthn" format="default"/> attestation
statement format identifiers and extension identifiers. The initial
values for these registries are in the IANA Considerations section of
the <xref target="WebAuthn"/> target="WebAuthn" format="default"/> specification.
</t>
<section anchor="rnc" title="Requirements numbered="true" toc="default">
<name>Requirements Notation and Conventions">
<t>
The Conventions</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and
"OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document
are to be interpreted as described in BCP 14 <xref target="RFC2119"/> target="RFC2119"
format="default"/> <xref target="RFC8174"/> target="RFC8174" format="default"/> when, and
only when, they appear in all capitals, as shown here.
</t> here.</t>
</section>
</section>
<section title="IANA Considerations" anchor="sctn-iana-cons">
<t>
This anchor="sctn-iana-cons" numbered="true" toc="default">
<name>IANA Considerations</name>
<t>This specification establishes two registries:
<list style="symbols">
<t>
the registries:</t>
<ul spacing="normal">
<li>the "WebAuthn Attestation Statement Format Identifier" registry; see Identifiers" registry
(see <xref target="sctn-attstn-format-registry"/>.
</t>
<t>
the target="sctn-attstn-format-registry"
format="default"/>)</li>
<li>the "WebAuthn Extension Identifier" registry;
see Identifiers" registry (see <xref
target="sctn-extension-ident-registry" />.
</t>
</list>
</t>
<t>
[[ Per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ),
it is requested that the registries be located at
<https://www.iana.org/assignments/webauthn>.
RFC Editor - please delete this request after the registries have been created. ]]
</t>
<t>
Any format="default"/>)</li>
</ul>
<t>Any additional processes established by the expert(s) after the
publication of this document will be recorded on the registry Web web page
at the expert(s)' discretion.
</t> discretion of the expert(s).</t>
<section title="WebAuthn anchor="sctn-attstn-format-registry" numbered="true" toc="default">
<name>WebAuthn Attestation Statement Format Identifier Registry"
anchor="sctn-attstn-format-registry"> Identifiers Registry</name>
<t>
WebAuthn attestation statement format identifiers are strings whose semantic, syntactic,
and string-matching criteria are specified in <xref target="WebAuthn"/> the
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-attstn-fmt-ids">
"Attestation Statement Format Identifiers"</eref>, Identifiers"</eref> section of <xref target="WebAuthn" format="default"/>,
along with the concepts of attestation and attestation statement formats.
</t>
<t>
Registered attestation statement format identifiers are those that have been added to the
registry by following the procedure in
<xref target="sctn-registering-attstn-format-idents"/>. target="sctn-registering-attstn-format-idents" format="default"/>.
</t>
<t>
Each
<t>Each attestation statement format identifier added to this registry MUST
<bcp14>MUST</bcp14> be unique amongst the set of registered
attestation statement format identifiers.
</t>
<t>
Registered identifiers.</t>
<t>Registered attestation statement format identifiers MUST
<bcp14>MUST</bcp14> be a maximum of 32 octets in length and MUST
<bcp14>MUST</bcp14> consist only of printable ASCII <xref target="RFC20"/>
target="RFC0020" format="default"/> characters, excluding backslash
and doublequote, double quote, i.e., VCHAR as defined in <xref target="RFC5234"/> target="RFC5234"
format="default"/> but without %x22 and %x5c. Attestation statement
format identifiers are case sensitive and may not match other
registered identifiers in a case-insensitive manner unless the Designated Experts
designated experts determine that there is a compelling reason to
allow an exception.
</t> exception.</t>
<section title="Registering anchor="sctn-registering-attstn-format-idents" numbered="true" toc="default">
<name>Registering Attestation Statement Format Identifiers"
anchor="sctn-registering-attstn-format-idents">
<t>
WebAuthn Identifiers</name>
<t>WebAuthn attestation statement format identifiers are registered
using the Specification Required policy (see Section 4.6 of <xref target="RFC8126"/>).
</t> target="RFC8126"
section="4.6" sectionFormat="of"/>).</t>
<t>
The WebAuthn attestation statement format identifiers "WebAuthn Attestation Statement Format Identifiers" registry is located at
<eref target="https://www.iana.org/assignments/webauthn">https://www.iana.org/assignments/webauthn</eref>. target="https://www.iana.org/assignments/webauthn" brackets="angle"/>.
Registration requests can be made by following the instructions located there, there or by
sending an e-mail email to the webauthn-reg-review@ietf.org mailing list.
</t>
<t> Registration requests consist of at least the following information:
<list style="symbols" >
<t>
WebAuthn information:</t>
<dl newline="true">
<dt>WebAuthn Attestation Statement Format Identifier:
<vspace/>
An Identifier:</dt>
<dd>An identifier meeting the requirements given above in
<xref target="sctn-attstn-format-registry"/>.
</t>
<t>
Description:
<vspace/>
A target="sctn-attstn-format-registry"
format="default"/>.</dd>
<dt>Description:</dt>
<dd>A relatively short description of the attestation format.
</t>
<t>
Specification Document(s):
<vspace/>
Reference format.</dd>
<dt>Specification Document(s):</dt>
<dd>Reference to the document or documents that specify the
attestation statement format.
</t>
<t>
Change Controller:
<vspace/>
For format.</dd>
<dt>Change Controller:</dt>
<dd>For Standards Track RFCs, list the "IETF". For others, give the name of the
responsible party. Other details (e.g., postal address, email address, home page
URI) may also be included.
</t>
<t>
Notes:
<vspace/>
[optional]
</t>
</list>
</t>
<t>
Registrations MUST included.</dd>
<dt>Notes:</dt>
<dd>[optional]</dd>
</dl>
<t>Registrations <bcp14>MUST</bcp14> reference a freely available,
stable specification, e.g., as described in Section 4.6 of <xref target="RFC8126"/>. target="RFC8126"
section="4.6" sectionFormat="of"/>. This specification MUST
<bcp14>MUST</bcp14> include security and privacy considerations
relevant to the attestation statement format.
</t> format.</t>
<t>
Note that WebAuthn attestation statement format identifiers can be registered by third
parties (including the expert(s) themselves), if the expert(s) determine determines that an
unregistered attestation statement format is widely deployed and not likely to be
registered in a timely manner otherwise.
Such registrations still are subject to the requirements defined, including the need to
reference a specification.
</t>
</section>
<section title="Registration anchor="sctn-registering-attstn-format-idents-processing"
numbered="true" toc="default">
<name>Registration Request Processing"
anchor="sctn-registering-attstn-format-idents-processing"> Processing</name>
<t>
As noted in <xref target="sctn-registering-attstn-format-idents"/>, target="sctn-registering-attstn-format-idents" format="default"/>,
WebAuthn attestation statement format identifiers are registered using the
Specification Required policy.
</t>
<t>
The expert(s) will clearly identify any issues that cause a registration to be refused,
such as an incompletely specified attestation format.
</t>
<t>
When a request is approved, the expert(s) will inform IANA, and the registration will
be processed.
The IESG is the arbiter of any objection.
</t>
</section>
<section title="Initial anchor="sctn-attstn-format-registry-values" numbered="true" toc="default">
<name>Initial Values in the WebAuthn Attestation Statement Format Identifier Registry Values"
anchor="sctn-attstn-format-registry-values"> Identifiers Registry</name>
<t>
The initial values for the WebAuthn "WebAuthn Attestation Statement Format Identifier Registry are
to be
Identifiers" registry have been
populated from with the values listed in the
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-att-fmt-reg">
"WebAuthn Attestation Statement Format Identifier
Registrations"</eref> section
of <xref target="WebAuthn"/>. target="WebAuthn" format="default"/>.
Also, the Change Controller entry to be used for each of those registrations is:
<list style='symbols'>
<t>
Change Controller:
</t>
<dl newline="true">
<dt>Change Controller:</dt>
<dd> W3C Web Authentication Working Group - public‑webauthn@w3.org
</t>
</list>
</t> (public&nbhy;webauthn@w3.org)</dd>
</dl>
</section>
</section> <!-- Attestation Statement Format Identifier Registry -->
<section title="WebAuthn anchor="sctn-extension-ident-registry" numbered="true" toc="default">
<name>WebAuthn Extension Identifier Registry"
anchor="sctn-extension-ident-registry"> Identifiers Registry</name>
<t>
WebAuthn extension identifiers are strings whose semantic, syntactic,
and string-matching criteria are specified in <xref target="WebAuthn"/> the
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-extension-id">
"Extension Identifiers" </eref>. </eref> section of <xref target="WebAuthn" format="default"/>.
</t>
<t>
Registered extension identifiers are those that have been added to the
registry by following the procedure in
<xref target="sctn-registering-extension-idents"/>. target="sctn-registering-extension-idents" format="default"/>.
</t>
<t>
Each extension identifier added to this registry MUST <bcp14>MUST</bcp14> be unique
amongst the set of registered extension identifiers.
</t>
<t>
Registered
<t>Registered extension identifiers MUST <bcp14>MUST</bcp14> be a maximum
of 32 octets in length and MUST <bcp14>MUST</bcp14> consist only of
printable ASCII characters, excluding backslash and doublequote, double quote,
i.e., VCHAR as defined in <xref target="RFC5234"/> target="RFC5234" format="default"/>
but without %x22 and %x5c. Extension identifiers are case sensitive
and may not match other registered identifiers in a case-insensitive
manner unless the Designated Experts designated experts determine that there is a
compelling reason to allow an exception.
</t> exception.</t>
<section title="Registering anchor="sctn-registering-extension-idents" numbered="true" toc="default">
<name>Registering Extension Identifiers"
anchor="sctn-registering-extension-idents">
<t>
WebAuthn Identifiers</name>
<t>WebAuthn extension identifiers registry are registered using the
Specification Required policy (see Section 4.6 of <xref target="RFC8126"/>).
</t>
<t>
The WebAuthn extension identifiers target="RFC8126"
section="4.6" sectionFormat="of"/>).</t>
<t>The "WebAuthn Extension Identifiers" registry is located at
https://www.iana.org/assignments/webauthn. <eref
target="https://www.iana.org/assignments/webauthn"
brackets="angle"/>. Registration requests can be made by following
the instructions located there, there or by sending an e-mail email to the
webauthn-reg-review@ietf.org mailing list.
</t>
<t>
Registration list.</t>
<t>Registration requests consist of at least the following information:
<list style="symbols" >
<t>
WebAuthn information:</t>
<dl newline="true">
<dt>WebAuthn Extension Identifier:
<vspace/>
An Identifier:</dt>
<dd>An identifier meeting the requirements given above in
<xref target="sctn-extension-ident-registry"/>.
</t>
<t>
Description:
<vspace/>
A target="sctn-extension-ident-registry"
format="default"/>.</dd>
<dt>Description:</dt>
<dd>A relatively short description of the extension.
</t>
<t>
Specification Document(s):
<vspace/>
Reference extension.</dd>
<dt>Specification Document(s):</dt>
<dd>Reference to the document or documents that specify the extension.
</t>
<t>
Change Controller:
<vspace/>
For extension.</dd>
<dt>Change Controller:</dt>
<dd>For Standards Track RFCs, list the "IETF". For others, give the name of the
responsible party. Other details (e.g., postal address, email address, home page
URI) may also be included.
</t>
<t>
Notes:
<vspace/>
[optional]
</t>
</list>
</t>
<t>
Registrations MUST included.</dd>
<dt>Notes:</dt>
<dd>[optional]</dd>
</dl>
<t>Registrations <bcp14>MUST</bcp14> reference a freely available,
stable specification, e.g., as described in Section 4.6 of <xref target="RFC8126"/>. target="RFC8126"
section="4.6" sectionFormat="of"/>. This specification MUST
<bcp14>MUST</bcp14> include security and privacy considerations
relevant to the extension.
</t>
<t>
Note extension.</t>
<t>Note that WebAuthn extensions can be registered by third parties
(including the expert(s) themselves), if the expert(s) determine determines
that an unregistered extension is widely deployed and not likely to
be registered in a timely manner otherwise. Such registrations still
are subject to the requirements defined, including the need to
reference a specification.
</t> specification.</t>
</section> <!-- Registering Extension Identifiers -->
<section title="Registration anchor="sctn-registering-extension-idents-processing" numbered="true" toc="default">
<name>Registration Request Processing"
anchor="sctn-registering-extension-idents-processing"> Processing</name>
<t>
As noted in <xref target="sctn-registering-extension-idents"/>, target="sctn-registering-extension-idents" format="default"/>,
WebAuthn extension identifiers are registered using the
Specification Required policy.
</t>
<t>
The expert(s) will clearly identify any issues that cause a registration to be refused,
such as an incompletely specified extension.
</t>
<t>
When a request is approved, the expert(s) will inform IANA, and the registration will
be processed.
The IESG is the arbiter of any objection.
</t>
</section>
<section title="Initial anchor="sctn-extension-ident-registry-values" numbered="true" toc="default">
<name>Initial Values in the WebAuthn Extension Identifier Registry Values"
anchor="sctn-extension-ident-registry-values"> Identifiers Registry</name>
<t>
The initial values for the WebAuthn "WebAuthn Extension Identifier Registry are
to be Identifiers"
registry have been
populated from with the values listed in the
<eref target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-extensions-reg">
"WebAuthn Extension Identifier Registrations"</eref> section
of <xref target="WebAuthn"/>. target="WebAuthn" format="default"/>.
Also, the Change Controller entry to be used for each of those registrations is:
<list style='symbols'>
<t>
Change Controller:
</t>
<dl newline="true">
<dt>Change Controller:</dt>
<dd> W3C Web Authentication Working Group - public‑webauthn@w3.org
</t>
</list>
</t> (public&nbhy;webauthn@w3.org)</dd>
</dl>
</section>
</section> <!-- Extension Identifier Registry -->
</section> <!-- IANA Cons -->
<section anchor="Security" title="Security Considerations">
<t>
See numbered="true" toc="default">
<name>Security Considerations</name>
<t>See <xref target="WebAuthn"/> target="WebAuthn" format="default"/> for relevant security considerations.
</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>
Thanks to Mark Nottingham
for valuable comments and suggestions.
Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorship
of this specification.
Thanks to
Amanda Baber,
Sarah Banks,
Alissa Cooper,
Roman Danyliw,
Murray Kucherawy,
Paul Kyzivat,
Barry Leiba,
Hilarie Orman,
Magnus Westerlund,
and Robert Wilton for their reviews.
</t>
</section>
<section anchor="sctn-history" title="Document History">
<t>[[ to be removed by the RFC Editor before publication as an RFC ]]</t>
<t>
-10
<list style="symbols">
<t>
Changed IESG to IETF in Change Controller instructions, per suggestion by Magnus Westerlund.
</t>
</list>
</t>
<t>
-09
<list style="symbols">
<t>
Added Change Controller fields to registries, per suggestion by Magnus Westerlund.
</t>
<t>
Applied editorial suggestions by Amanda Baber, Murray Kucherawy, and Barry Leiba.
</t>
</list>
</t>
<t>
-08
<list style="symbols">
<t>
Addressed review feedback by Murray Kucherawy.
</t>
<t>
Added BCP 14 Requirements Notation and Conventions section.
</t>
<t>
Referenced RFC 20, which defines ASCII characters.
</t>
<t>
Applied editorial cleanups.
</t>
</list>
</t>
<t>
-07
<list style="symbols">
<t>
Removed a duplicate URI listing pointed out by Hilarie Orman.
</t>
</list>
</t>
<t>
-06
<list style="symbols">
<t>
Addressed Gen-Art review comments by Paul Kyzivat by deleting text about designated experts defining additional registry fields.
</t>
<t>
Addressed Ops-Dir review comments by Sarah Banks by deleting text that duplicated requirements already specified in RFC 8126.
</t>
<t>
Addressed Security review comments by Hilarie Orman by deleting unnecessary text about attestation statement formats lacking complete specifications.
</t>
<t>
Replaced uses of the URL https://www.w3.org/TR/webauthn/ with https://www.w3.org/TR/2019/REC-webauthn-1-20190304/
so that the reference remains stable after the level 2 WebAuthn specification is published.
</t>
</list>
</t>
<t>
-05
<list style="symbols">
<t>
Updated to address the solicited IANA review comments,
per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ).
</t>
</list>
</t>
<t>
-04
<list style="symbols">
<t>
Update per Benjamin Kaduk's further AD review:
Remove 'final' wrt IESG arbitrating objections; Add explicit
requirement for extension or attestation specs to include
security and privacy considerations.
</t>
<t>
Update per IANA review: Move "IANA considerations section up in doc to encompass (former) sections 2 and 3.
</t>
</list>
</t>
<t>
-03
<list style="symbols">
<t>
Update per Benjamin Kaduk's AD review. Align with RFC 8288, rather than
draft-nottingham-rfc5988bis.
</t>
</list>
</t>
<t>
-02
<list style="symbols">
<t>
Refresh now that the WebAuthn spec is at Recommendation (REC) maturity level.
</t>
</list>
</t>
<t>
-01
<list style="symbols">
<t>
Refresh now that the WebAuthn Committee Recommendation (CR) draft is pending.
</t>
</list>
</t>
<t>
-00
<list style="symbols">
<t>
Initial version, based on draft-nottingham-rfc5988bis.
</t>
</list>
</t>
considerations.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc5234;
&rfc8126;
&rfc8174;
<reference anchor="RFC20" target="http://www.rfc-editor.org/info/rfc20">
<front>
<title>ASCII format for Network Interchange</title>
<author fullname="Vint Cerf" surname="Cerf" initials="V.">
<organization>University California Los Angeles (UCLA)</organization>
</author>
<date month="October" year="1969"/>
</front>
<seriesInfo name="STD" value="80"/>
<seriesInfo name="RFC" value="20"/>
</reference>
<displayreference target="RFC0020" to="RFC20"/>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.0020.xml"/>
<reference anchor="WebAuthn" target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/">
<front>
<title>Web Authentication: An API for accessing Public Key Credentials</title>
<seriesInfo name="World Wide Web Consortium (W3C)" value="Recommendation"/>
<author initials="D." surname="Balfanz" fullname="Dirk Balfanz">
<organization>Google</organization>
<address>
<email>balfanz@google.com</email>
</address>
</author>
<author initials="A." surname="Czeskis" fullname="Alexei Czeskis">
<organization>Google</organization>
<address>
<email>aczeskis@google.com</email>
</address>
</author>
<author initials="J." surname="Hodges" fullname="Jeff Hodges">
<organization>PayPal</organization>
<address>
<email>jdhodges@google.com</email>
</address>
</author>
<author initials="J.C." surname="Jones" fullname="J.C. Jones">
<organization>Mozilla</organization>
<address>
<email>jc@mozilla.com</email>
</address>
</author>
<author initials="M.B." initials="M." surname="Jones" fullname="Michael B. Jones">
<organization>Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>http://self-issued.info/</uri>
</address>
</author>
<author initials="A." surname="Kumar" fullname="Akshay Kumar">
<organization>Microsoft</organization>
<address>
<email>akshayku@microsoft.com</email>
</address>
</author>
<author initials="A." surname="Liao" fullname="Angelo Liao">
<organization>Microsoft</organization>
<address>
<email>huliao@microsoft.com</email>
</address>
</author>
<author initials="R." surname="Lindemann" fullname="Rolf Lindemann">
<organization>Nok Nok Labs</organization>
<address>
<email>rolf@noknok.com</email>
</address>
</author>
<author initials="E." surname="Lundberg" fullname="Emil Lundberg">
<organization>Yubico</organization>
<address>
<email>emil@yubico.com</email>
</address>
</author>
<date month="March" day="4" year="2019" /> year="2019"/>
</front>
<seriesInfo name="World Wide Web Consortium (W3C)" value="Recommendation" />
<format type="HTML" target="https://www.w3.org/TR/2019/REC-webauthn-1-20190304/" />
</reference>
</references>
<section anchor="Acknowledgements" numbered="false" toc="default">
<name>Acknowledgements</name>
<t>Thanks to <contact fullname="Mark Nottingham"/> for valuable comments
and suggestions. Thanks to <contact fullname="Kathleen Moriarty"/> and
<contact fullname="Benjamin Kaduk"/> for their Area Director sponsorship
of this specification. Thanks to <contact fullname="Amanda Baber"/>,
<contact fullname="Sarah Banks"/>, <contact fullname="Alissa Cooper"/>,
<contact fullname="Roman Danyliw"/>, <contact fullname="Murray
Kucherawy"/>, <contact fullname="Paul Kyzivat"/>, <contact
fullname="Barry Leiba"/>, <contact fullname="Hilarie Orman"/>, <contact
fullname="Magnus Westerlund"/>, and <contact fullname="Robert Wilton"/>
for their reviews.</t>
</section>
</back>
</rfc>