Re: [webauthn] Attestation type identifiers lack formal definition and matching rules

On 7/11/16, 2:59 PM, "J.C.Jones via GitHub" <sysbot+gh@w3.org> wrote:
>Saying the identifiers are allocated implies, to me, a registry.

apologies, I didn't fully explain my rationale in this issue.

yes, I think we do wish to have an IANA registry for attestation types,
see..

  draft-hodges-webauthn-registries-00
  https://lists.w3.org/Archives/Public/public-webauthn/2016Jun/0097.html

..because it will be a useful tool for the ecosystem, e.g., by gathering
publicly-specified attestation types, and pointers to their
specifications, in a well-known place.

That said, we should also provide guidance for those who do not wish to
register their attestation type identifier(s) -- i.e., we should recognize
that not everyone will wish to publicly specify their attestation types
and specs (think proprietary enterprise-specific use cases, say).

so I propose we make use of the registry a SHOULD, and un-registered
attstn type names SHOULD use reverse domain-name naming. [perhaps the
latter should be a MUST? however, a SHOULD recognizes that there's no
effective enforcement...]

thus: 

```
WebAuthn attestation type identifiers are strings, chosen
by the attestation type developer. They SHOULD be registered
per [I-D. hodges-webauthn-registries] "Webauthn Registries".
Unregistered attestation type identifiers SHOULD use
reverse domain-name naming, using a domain name registered by
the attestation type developer. All attestation type identifiers MUST
not be longer than 32 octets and MUST consist only of
printable USASCII characters, i.e., VCHAR as defined
in [RFC5234] (note: this means attestation type identifiers based on
domain names MUST incorporate only A-labels).
Implementations MUST match WebAuthn
attestation type identifiers in a case-insensitive fashion.
```


WDYT?


> 
>Current language is that _identifiers should aim to be globally
>unique_. It seems to me we could give your formal definition and
>matching rules, drop the note about allocation, and instead have
>something like:
>
>> Extensions are identified by a string, chosen by the extension
>author.  They MUST
>not be longer than 32 octets and MUST consist only of
>printable USASCII characters, i.e., VCHAR as defined
>in [RFC5234]. Implementations MUST match WebAuthn
>attestation type identifiers in a case-insensitive fashion.
>
>> Extension identifiers should aim to be globally unique,
>e.g., by using reverse domain-name of the defining entity such as
>`com.example.webauthn.myextension`.
>
>-- 
>GitHub Notification of comment by jcjones
>Please view or discuss this issue at
>https://github.com/w3c/webauthn/issues/127#issuecomment-231878657
>using your GitHub account
>
>
>
>

Received on Tuesday, 12 July 2016 07:42:43 UTC
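
Added example (not part of the original message or of any WebAuthn specification text): a Python sketch of the rules in the proposed wording above, covering the 32-octet limit, the VCHAR restriction, ASCII-only case-insensitive matching, and A-label conversion for reverse domain names. The function names, the rejection of empty strings, and the sample domain and suffix are assumptions made for illustration.

```python
MAX_OCTETS = 32  # limit stated in the proposed text


def is_valid_identifier(ident: str) -> bool:
    """True if ident is 1..32 octets of VCHAR (%x21-7E, RFC 5234).

    Rejecting the empty string is an assumption; the proposed text
    only gives an upper bound.
    """
    try:
        raw = ident.encode("ascii")
    except UnicodeEncodeError:
        return False  # non-ASCII, e.g. a U-label that was never converted
    return 0 < len(raw) <= MAX_OCTETS and all(0x21 <= b <= 0x7E for b in raw)


def ascii_fold(ident: str) -> str:
    """Lower-case A-Z only, so no Unicode case mapping is ever applied."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in ident)


def identifiers_match(a: str, b: str) -> bool:
    """Case-insensitive match; an invalid identifier matches nothing."""
    if not (is_valid_identifier(a) and is_valid_identifier(b)):
        return False
    return ascii_fold(a) == ascii_fold(b)


def reverse_domain_identifier(domain: str, name: str) -> str:
    """Build an unregistered identifier from a domain, using A-labels.

    Uses Python's built-in "idna" codec (IDNA 2003) for the conversion.
    """
    a_labels = domain.encode("idna").decode("ascii").split(".")
    ident = ".".join(reversed(a_labels)) + "." + name
    if not is_valid_identifier(ident):
        raise ValueError(f"identifier violates length/charset rules: {ident!r}")
    return ident


if __name__ == "__main__":
    # Constructed sample values, not real attestation types.
    print(reverse_domain_identifier("bücher.example", "attn"))
    print(identifiers_match("COM.Example.Attn", "com.example.attn"))
    # KELVIN SIGN (U+212A) lower-cases to "k" under Unicode rules;
    # validating before folding keeps it from matching "key".
    print(identifiers_match("com.example.\u212aey", "com.example.key"))
```

Validating before comparing matters: a comparison built on Unicode lower-casing alone would treat the third pair as equal.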