wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

Beyond a simple cut-n-paste-and-jam-em-all-into-one-file approach to merging the three source specs (web-api, signature-format, key-attestation) into a single spec file, there's the issue of figuring out how to de-FIDO-ize the text therein.

There are terms such as "FIDO 2.0 credential", "FIDO assertion", etc. strewn throughout.

The key, it seems to me, as we'd briefly chatted about in the #webauthn irc channel during the meeting last Fri, is figuring out how to refer to what is presently termed "FIDO Credentials" in the web-api and key-attestation specs.


> grep -li "fido cred" ./*/Overview.html
./webauthn-key-attestation/Overview.html
./webauthn-web-api/Overview.html

I took a look at the SiteBoundCredential term in the Creds Mgmt spec <http://w3c.github.io/webappsec-credential-management/#siteboundcredential> and that doesn't actually map to FIDO Creds because the former are bound to a web origin [RFC6454] and the latter are bound to a Relying Party's domain name reduced (aka "domain lowered") to eTLD+1 (eTLD = effective Top Level Domain, aka Public Suffix), which is also known as "Relying Party Identity (RPID)" in the submitted FIDO specs.

So we ought to figure out what to rename "FIDO Credentials" to, in a vendor-neutral, standards-org-neutral manner.

Some ideas I've heard or thought of:

Origin-bound strong creds (OBSCreds)        [won't work because not binding to origin]

Scoped strong creds  / scoped creds (SSCreds)

RPID-bound strong creds  (RBSCreds)

Basically, in looking through the specs, it seems that if we nail down the name for the credentials, then the names of the other things (e.g., assertions, extensions, etc) will follow fairly easily.

WDYT?

=JeffH

Received on Monday, 7 March 2016 23:57:09 UTC
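
The scoping difference described in the message above (origin-bound per RFC 6454 versus bound to the Relying Party's eTLD+1), as an added example that is not part of the original post or of any of the specs it mentions. The function names, the abbreviated public-suffix set and the sample URLs are all constructed for illustration, and the eTLD+1 rule is modeled only as the message states it.

```javascript
// Constructed, abbreviated public-suffix set for illustration only.
// A real implementation would consult the full Public Suffix List.
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// RFC 6454 origin: the (scheme, host, port) triple as serialized by the URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// eTLD+1: the longest matching public suffix plus one label to its left.
// Returns null when the host is itself a public suffix or is not covered
// by the sample set (IP literals included).
function etldPlusOne(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // i counts up from 0, so the longest candidate suffix is tried first.
    if (SAMPLE_PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Compare the two scoping rules for a pair of URLs.
function compareScopes(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  const rpA = etldPlusOne(a.hostname);
  const rpB = etldPlusOne(b.hostname);
  return {
    origins: [a.origin, b.origin],
    rpIds: [rpA, rpB],
    sameOrigin: a.origin === b.origin,
    sameRpId: rpA !== null && rpA === rpB,
  };
}

// Constructed sample URLs.
const SAMPLE_PAIRS = [
  ["https://login.example.co.uk/", "https://shop.example.co.uk:8443/"],
  ["https://alice.github.io/", "https://bob.github.io/"],
];
for (const [u, v] of SAMPLE_PAIRS) {
  console.log(u, v, compareScopes(u, v));
}
```

The first pair shares one eTLD+1 while being two distinct origins; the second pair differs under both rules because `github.io` is itself a public suffix in the sample set.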