- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Tue, 26 Jul 2016 18:27:34 +0000
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- CC: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <D3BCF5CE.CD708%jehodges@paypalcorp.com>

On 7/25/16, 1:07 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:

>For ease of review, I've attached HTML renderings of the two experimental
>versions based on the current state of master. I'd like to go over these
>approaches (and any others suggested) on Wednesday's call, but feel free
>to also send email comments earlier.

thanks for sending these. I was hoping to review them prior to tomorrow's call, but it's getting late here in UTC+2 and I might not be able to. In case I'm unable, please note that I do intend to review them (hopefully by the call next week, am on the road).

Also, I did a textual diff of the two files you sent -- it is attached to this message:

Diff-Vijay-WebAuthn--index-noCred--from--index-objectCred.pdf

HTH,

=JeffH

>From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
>Sent: Thursday, July 21, 2016 12:58 AM
>To: J.C. Jones <jc@mozilla.com>; Jeff Hodges <jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: RE: Is the getAssertion whitelist necessary?
>
>Branch vgb-experiment-credObject is now on Github, showing an alternative
>approach. Please provide feedback so we can pick an approach and move
>forward. Also, if you believe in a third approach, please provide
>feedback and describe your alternative.
>
>Thanks!
>
>From: Vijay Bharadwaj
>Sent: Monday, July 18, 2016 3:51 PM
>To: Vijay Bharadwaj <vijaybh@microsoft.com>; J.C. Jones <jc@mozilla.com>;
>Jeff Hodges <jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: RE: Is the getAssertion whitelist necessary?
>
>Branch vgb-experiment-noCredType is now on Github. Note this is an
>experiment, so it's not aiming to be editorially perfect. Please take a
>look and let me know what you think.
>
>FWIW having stared at this a bit I prefer future possibility #1 over #2
>because #2 depends on extensions which are optional. So you may end up in
>a situation where an RP requests versions 2 and 3 but gets version 1
>because the extension was ignored by everyone involved.
>
>From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
>Sent: Sunday, July 17, 2016 5:52 PM
>To: J.C. Jones <jc@mozilla.com>; Jeff Hodges <jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: RE: Is the getAssertion whitelist necessary?
>
>> Instead of just constructing a dictionary, we'd need a constructor of
>> some fashion.
>
>So when would the authenticator flash its little LED and ask the user to
>touch it? When the constructor is called or when getAssertion is called?
>I assume the latter so the constructor would just be a factory for dummy
>objects that can be used to call getAssertion?
>
>I'm thinking maybe we should do quick prototypes to try this out. For my
>part, I have a private branch vgb-experiment-noCred in which I'm trying
>out what the removal of the Credential object would look like. (I'll
>publish this by tomorrow so you can take a look.) I can take a crack at
>this object approach right after, or you can try it out similarly and we
>can compare. Does that work?
>
>From: J.C. Jones [mailto:jc@mozilla.com]
>Sent: Sunday, July 17, 2016 5:45 AM
>To: Vijay Bharadwaj <vijaybh@microsoft.com>; Jeff Hodges
><jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: Re: Is the getAssertion whitelist necessary?
>
>Replying to both Vijay and Jeff:
>
>On Fri, Jul 15, 2016 at 11:58 PM, Vijay Bharadwaj <vijaybh@microsoft.com>
>wrote:
>
>How would you create the Credential object?
>
>Instead of just constructing a dictionary, we'd need a constructor of
>some fashion.
>
>On Sat, Jul 16, 2016 at 3:01 AM, Hodges, Jeff <jeff.hodges@paypal.com>
>wrote:
>
>On 7/15/16, 5:52 PM, "J.C. Jones" <jc@mozilla.com> wrote:
>>So my question is: why does getAssertion() need a whitelist? Could we add
>>the getAssertion() method to the Credential, and make it an object?
>
>this actually was an earlier design predating the submitted specs
><https://www.w3.org/Submission/2015/02/>
>
>IIRC, moving to the whitelist approach with getAssertion() more naturally
>accommodated use cases involving external/roaming/portable authenticators
>(authnrs). perhaps we need to elucidate the design rationale...
>
>Interesting; this must be some timing issue? Naively, it seems like it
>would work the same, as you can build the current behavior out of the
>'atomic' one.
>
>It might be worth documenting, at least before the wider public asks the
>same questions.
>
>Cheers,
>
>J.C.

Attachments
- application/pdf attachment: Diff-Vijay-WebAuthn--index-noCred--from--index-objectCred.pdf
Received on Tuesday, 26 July 2016 18:28:17 UTC