Spec and issue status

Hi,

I wanted to tee up a few items for discussion tomorrow regarding the remaining issues:

* We have a number of issues that should be really easy to fix. #38 and #74 are in this bucket, as well as a number that are currently marked SPWD. I will do a sweep of these before Berlin, but given these are not likely to be as complex or controversial as the more substantial issues, I think it's okay to get to these next week.

* Issue #1: I will send out a proposal tomorrow for this. I think we could move slightly more of the attestation structure into the authenticator model section, thus making for a cleaner separation of concerns between browser/script folks and authenticator/backend folks. If that is acceptable then I think we should use it to close this issue out.

* Issue #58: Dirk spoke to Alex Russell and explained some of the nuances of our world. We think this discussion with TAG is going to take a bit longer. For now I would like to add some language clarifying the dual role of origins and rpIDs (origins are signed over and are therefore a security boundary, rpIDs determine who can request an assertion with a specific credential and are therefore a client privacy boundary), and move this issue to SPWD.

* Issue #61: I will send out a proposal for this by end of week, as outlined in the issue already. Would love to get feedback on that.

* Issue #60: As noted in the issue, this is potentially contradictory with #61. If we agree that the #61 change sounds reasonable, I would like to move #60 to SPWD so we can have a more thoughtful consideration of what the right path forward should be.

Please let me know if you have any feedback on the above, and let's discuss in the (US Pacific Time) morning.

Received on Wednesday, 27 April 2016 06:20:10 UTC