Registries for Web Authentication (WebAuthn)

IANA Considerations This specification establishes two registries:

the "WebAuthn Attestation Statement Format Identifiers" registry (see )
the "WebAuthn Extension Identifiers" registry (see )

Any additional processes established by the expert(s) after the publication of this document will be recorded on the registry web page at the discretion of the expert(s).

WebAuthn Attestation Statement Format Identifiers Registry WebAuthn attestation statement format identifiers are strings whose semantic, syntactic, and string-matching criteria are specified in the "Attestation Statement Format Identifiers" section of , along with the concepts of attestation and attestation statement formats. Registered attestation statement format identifiers are those that have been added to the registry by following the procedure in . Each attestation statement format identifier added to this registry MUST be unique amongst the set of registered attestation statement format identifiers. Registered attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable ASCII characters, excluding backslash and double quote, i.e., VCHAR as defined in but without %x22 and %x5c. Attestation statement format identifiers are case sensitive and may not match other registered identifiers in a case-insensitive manner unless the designated experts determine that there is a compelling reason to allow an exception.

Registering Attestation Statement Format Identifiers WebAuthn attestation statement format identifiers are registered using the Specification Required policy (see ). The "WebAuthn Attestation Statement Format Identifiers" registry is located at . Registration requests can be made by following the instructions located there or by sending an email to the webauthn-reg-review@ietf.org mailing list. Registration requests consist of at least the following information:

WebAuthn Attestation Statement Format Identifier:: An identifier meeting the requirements given in .
Description:: A relatively short description of the attestation format.
Specification Document(s):: Reference to the document or documents that specify the attestation statement format.
Change Controller:: For Standards Track RFCs, list "IETF". For others, give the name of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included.
Notes:: [optional]

Registrations MUST reference a freely available, stable specification, e.g., as described in . This specification MUST include security and privacy considerations relevant to the attestation statement format. Note that WebAuthn attestation statement format identifiers can be registered by third parties (including the expert(s) themselves), if the expert(s) determines that an unregistered attestation statement format is widely deployed and not likely to be registered in a timely manner otherwise. Such registrations still are subject to the requirements defined, including the need to reference a specification.

Registration Request Processing As noted in , WebAuthn attestation statement format identifiers are registered using the Specification Required policy. The expert(s) will clearly identify any issues that cause a registration to be refused, such as an incompletely specified attestation format. When a request is approved, the expert(s) will inform IANA, and the registration will be processed. The IESG is the arbiter of any objection.

Initial Values in the WebAuthn Attestation Statement Format Identifiers Registry The initial values for the "WebAuthn Attestation Statement Format Identifiers" registry have been populated with the values listed in the "WebAuthn Attestation Statement Format Identifier Registrations" section of . Also, the Change Controller entry for each of those registrations is:

Change Controller:: W3C Web Authentication Working Group (public&nbhy;webauthn@w3.org)

WebAuthn Extension Identifiers Registry WebAuthn extension identifiers are strings whose semantic, syntactic, and string-matching criteria are specified in the "Extension Identifiers" section of . Registered extension identifiers are those that have been added to the registry by following the procedure in . Each extension identifier added to this registry MUST be unique amongst the set of registered extension identifiers. Registered extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable ASCII characters, excluding backslash and double quote, i.e., VCHAR as defined in but without %x22 and %x5c. Extension identifiers are case sensitive and may not match other registered identifiers in a case-insensitive manner unless the designated experts determine that there is a compelling reason to allow an exception.

Registering Extension Identifiers WebAuthn extension identifiers are registered using the Specification Required policy (see ). The "WebAuthn Extension Identifiers" registry is located at . Registration requests can be made by following the instructions located there or by sending an email to the webauthn-reg-review@ietf.org mailing list. Registration requests consist of at least the following information:

WebAuthn Extension Identifier:: An identifier meeting the requirements given in .
Description:: A relatively short description of the extension.
Specification Document(s):: Reference to the document or documents that specify the extension.
Change Controller:: For Standards Track RFCs, list "IETF". For others, give the name of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included.
Notes:: [optional]

Registrations MUST reference a freely available, stable specification, e.g., as described in . This specification MUST include security and privacy considerations relevant to the extension. Note that WebAuthn extensions can be registered by third parties (including the expert(s) themselves), if the expert(s) determines that an unregistered extension is widely deployed and not likely to be registered in a timely manner otherwise. Such registrations still are subject to the requirements defined, including the need to reference a specification.

Registration Request Processing As noted in , WebAuthn extension identifiers are registered using the Specification Required policy. The expert(s) will clearly identify any issues that cause a registration to be refused, such as an incompletely specified extension. When a request is approved, the expert(s) will inform IANA, and the registration will be processed. The IESG is the arbiter of any objection.

Initial Values in the WebAuthn Extension Identifiers Registry The initial values for the "WebAuthn Extension Identifiers" registry have been populated with the values listed in the "WebAuthn Extension Identifier Registrations" section of . Also, the Change Controller entry for each of those registrations is:

Change Controller:: W3C Web Authentication Working Group (public&nbhy;webauthn@w3.org)