Thanks for getting more support and better describing the needs, Nina. LGTM2
On Tue, Oct 15, 2024, 8:19 AM Domenic Denicola <dome...@chromium.org> wrote: > LGTM1 > > On Saturday, September 21, 2024 at 1:09:55 AM UTC+9 Nina Satragno wrote: > >> Contact emailsnsatra...@chromium.org, identity-...@chromium.org >> >> Explainer >> https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Signal-API-explainer >> >> Specification >> https://pr-preview.s3.amazonaws.com/nsatragno/webauthn/pull/2093.html#sctn-signal-methods >> >> Summary >> >> Allow WebAuthn relying parties to report information about existing >> credentials back to credential storage providers, so that incorrect or >> revoked credentials can be updated or removed from provider and system UI. >> https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Signal-API-explainer >> >> >> Blink componentBlink>WebAuthentication >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication> >> >> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/996 >> >> TAG review statusPending >> >> Risks >> >> >> Interoperability and Compatibility >> >> None, this is a new API. >> >> >> *Gecko*: No signal ( >> https://github.com/mozilla/standards-positions/issues/1075). I'll update >> here once that changes. >> >> *WebKit*: No signal ( >> https://github.com/WebKit/standards-positions/issues/400). I'll update >> here once that changes. >> >> *Web developers*: Positive ( >> https://github.com/w3c/webauthn/issues/1967#issuecomment-1848433321) The >> signal methods address common concerns from RPs that have been voiced since >> the early days of WebAuthn. See >> https://github.com/w3c/webauthn/issues/1967 and the issues linked from >> there. >> >> *Other signals*: >> >> Ergonomics >> >> Omitting a valid credential ID from `signalAllAcceptedCredentials` can >> result in the user no longer being able to sign in with that passkey. This >> is explicitly called out in the spec [1]. The spec recommends that >> authenticators hide (instead of removing) passkeys to mitigate this issue. >> Chrome will ship a first version that removes credentials, and a follow-up >> will hide them instead. This is because removing credentials requires a lot >> less coordination from multiple products than hiding them, and lets us ship >> and iterate on the API faster. [1] >> https://w3c.github.io/webauthn/#sctn-signalAllAcceptedCredentials >> >> >> Security >> >> Relying parties can only update or remove credentials that are bound to >> their relying party ID. >> >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> N/A, this is a new API. >> >> >> Debuggability >> >> Chrome supports signal* methods through the WebAuthn devtools panel [1]. >> signal* methods are also supported through webdriver's WebAuthn API [2], >> with a small change in the works [3] specifically to be able to debug >> `signalCurrentUserDetails`. [1] >> https://developer.chrome.com/docs/devtools/webauthn [2] >> https://w3c.github.io/webauthn/#sctn-automation [3] >> https://github.com/w3c/webauthn/pull/2148 >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)?No >> >> Initially, this feature will be supported on Chrome desktop only, and on >> Chrome only for Google Password Manager (GPM) credentials. Support for >> iCloud keychain and Windows Hello will depend on macOS and Windows updates >> respectively. Android support requires an update to the Android Credential >> Manager API that is being worked on. For GPM credentials, we also need to >> update Google Play Services accordingly. Once the Android Credential >> Manager API is launched, other credential providers will be able to hook to >> the API. >> >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ?Yes >> >> >> https://wpt.fyi/results/webauthn/signal-all-accepted-credentials.https.html >> https://wpt.fyi/results/webauthn/signal-current-user-details.https.html >> https://wpt.fyi/results/webauthn/signal-unknown-credential.https.html >> >> >> DevTrial instructions >> https://github.com/w3c/webauthn/wiki/Experimenting-with-the-Signal-API-on-Chrome >> >> Flag name on chrome://flags >> chrome://flags#enable-experimental-web-platform-features >> >> Finch feature nameCredentialManagerReport >> >> Requires code in //chrome?True >> >> Tracking bughttps://crbug.com/361751877 >> >> Measurement >> https://chromestatus.com/metrics/feature/timeline/popularity/5104 >> https://chromestatus.com/metrics/feature/timeline/popularity/5105 >> https://chromestatus.com/metrics/feature/timeline/popularity/5106 >> >> Availability expectationWe expect this feature to be generally available >> on desktop for M131. Android will follow after. >> >> Adoption expectationThe feature can be adopted right away, as while the >> functionality provided significantly improves the UX of WebAuthn, it's >> provided as a "best-effort" and can safely be unimplemented. >> >> Non-OSS dependencies >> >> Does the feature depend on any code or APIs outside the Chromium open >> source repository and its open-source dependencies to function? >> * Android Credential Manager for Android support * Apple's browser >> passkey APIs for macOS and iOS support. * Windows webauthn.dll for Windows >> Hello credentials. >> >> Sample links >> https://signal-api-demo.glitch.me >> >> Estimated milestones >> DevTrial on desktop 130 >> >> Anticipated spec changes >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> No changes. >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/5101778518147072?gate=5111131065286656 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> >> -- >> Nina Satragno >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e4f40ad6-8ee2-4822-a658-3aba5d3487a2n%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e4f40ad6-8ee2-4822-a658-3aba5d3487a2n%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA44PQhynTnP1tbOQw5_c%2BiaV8c7etBiS%2Bmbkmru4PLWfard8A%40mail.gmail.com.