- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Wed, 27 Apr 2016 17:09:34 +0000
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- CC: W3C WebAuthn WG <public-webauthn@w3.org>
On 4/27/16, 10:05 AM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:

>[vgb]>>Issue #1: I will send out a proposal tomorrow for this. I think we
>[vgb]>>could move slightly more of the attestation structure into the
>[vgb]>>authenticator model section,
>
>[jeffh]>you are referring to sections 3.8, 3.9, 3.10 ?
>
>Yes. Specifically slim down 3.8 and move most/all of 3.9 and 3.10 into
>authenticator model.
>
>[vgb]>> [about issue #58]...
>[jeffh]> it would be "nice" if this discussion with "the TAG" were
>generally visible...
>
>Hence my proposal to write up the current status in the spec and use that
>as a basis for discussion, so things become more visible :)

Ah, that wasn't fully clear to me -- thx -- yeah that sounds fine to me.

>
>-----Original Message-----
>From: Hodges, Jeff [mailto:jeff.hodges@paypal.com]
>Sent: Wednesday, April 27, 2016 9:46 AM
>To: Vijay Bharadwaj <vijaybh@microsoft.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: Re: Spec and issue status
>
>On 4/26/16, 11:19 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:
>
>>I wanted to tee up a few items for discussion tomorrow regarding the
>>remaining issues:
>>
>>· We have a number of issues that should be really easy to fix. #38 and
>>#74 are in this bucket, as well as a number that are currently marked
>>SPWD. I will do a sweep of these before Berlin, but given these are not
>>likely to be as complex or controversial as the more substantial
>>issues, I think it's okay to get to these next week.
>
>agreed.
>
>
>>· Issue #1: I will send out a proposal tomorrow for this. I think we
>>could move slightly more of the attestation structure into the
>>authenticator model section,
>
>you are referring to sections 3.8, 3.9, 3.10 ?
>
>>thus making for a cleaner separation of concerns between browser/script
>>folks and authenticator/backend folks. If that is acceptable then I
>>think we should use it to close this issue out.
>
>sounds nominally ok.
>
>>· Issue #58: Dirk spoke to Alex Russell and explained some of the nuances
>>of our world. We think this discussion with TAG is going to take a bit
>>longer. For now I would like to add some language clarifying the dual
>>role of origins and rpIDs (origins are signed over and are therefore a
>>security boundary, rpIDs determine who can request an assertion with a
>>specific credential and are therefore a client privacy boundary), and
>>move this issue to SPWD.
>
>it would be "nice" if this discussion with "the TAG" were generally
>visible...
>
>
>>· Issue #61: I will send out a proposal for this by end of week, as
>>outlined in the issue already. Would love to get feedback on that.
>
>ok
>
>>· Issue #60: As noted in the issue, this is potentially contradictory
>>with #61. If we agree that the #61 change sounds reasonable, I would
>>like to move #60 to SPWD so we can have a more thoughtful consideration
>>of what the right path forward should be.
>
>sure, I agree that we should take more time to work out #60.
>
>hth,
>
>=JeffH

Received on Wednesday, 27 April 2016 17:10:06 UTC