- From: Dirk Balfanz <balfanz@google.com>
- Date: Tue, 08 Mar 2016 06:07:33 +0000
- To: "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CADHfa2C-3ay6M75s=zeoHAUo3q4WDNNVPz9LSgmi8Z9aJY5T=Q@mail.gmail.com>
"FIDO" is vendor-neutral. Why do they need to be standards-org-neutral?

Maybe something along the lines of "cryptographic authentication credential"?

Dirk.

On Mon, Mar 7, 2016 at 3:57 PM Hodges, Jeff <jeff.hodges@paypal.com> wrote:

> Beyond a simple cut-n-paste-and-jam-em-all-into-one-file approach to
> merging the three source specs (web-api, signature-format, key-attestation)
> into a single spec file, there's the issue of figuring out how to
> de-FIDO-ize the text therein.
>
> There's terms such as "FIDO 2.0 credential", "FIDO assertion", etc strewn
> throughout.
>
> The key, it seems to me, as we'd briefly chatted about in the #webauthn
> irc channel during the meeting last Fri, is figuring out how to refer to
> what is presently termed "FIDO Credentials" in the web-api and
> key-attestation specs..
>
> > grep -li "fido cred" ./*/Overview.html
> ./webauthn-key-attestation/Overview.html
> ./webauthn-web-api/Overview.html
>
> I took a look at the SiteBoundCredential term in the Creds Mgmt spec <
> http://w3c.github.io/webappsec-credential-management/#siteboundcredential>
> and that doesn't actually map to FIDO Creds because the former are bound
> to a web origin [RFC6454] and the latter are bound to a Relying Party's
> domain name reduced (aka "domain lowered") to eTLD+1 (eTLD = effective Top
> Level Domain, aka Public Suffix), which is also known as "Relying Party
> Identity (RPID)" in the submitted fido specs.
>
> So we ought to figure out what to rename "FIDO Credentials" to, in a
> vendor-neutral, standards-org-neutral manner.
>
> some ideas I've heard or thought of..
>
>   Origin-bound strong creds (OBSCreds)  [won't work because not
>   binding to origin]
>
>   Scoped strong creds / scoped creds (SSCreds)
>
>   RPID-bound strong creds (RBSCreds)
>
>
> Basically, in looking through the specs, it seems that if we nail down the
> name for the credentials, then the names of the other things (e.g.,
> assertions, extensions, etc) will follow fairly easily.
>
> WDYT?
>
> =JeffH
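
The distinction drawn in the quoted message, between a credential bound to a web origin [RFC6454] and one bound to a domain name reduced to eTLD+1, shown as an added JavaScript example that is not part of either e-mail or of the specs. The suffix set is a small constructed subset of the Public Suffix List, and the function names are illustrative.

```javascript
// Constructed subset of the Public Suffix List, for illustration only.
// A real reduction must consult the full list from publicsuffix.org.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Web origin per RFC 6454: the (scheme, host, port) triple.
function webOrigin(url) {
  return new URL(url).origin;
}

// Reduce a host name to eTLD+1: the longest matching public suffix plus
// one more label to its left. Returns null when the host is itself a
// public suffix or matches nothing in the sample set (e.g. an IP address).
function etldPlusOne(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // i = 0 is the whole host, so the first hit is the longest suffix.
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Compare two URLs under both scoping rules.
function compareScopes(urlA, urlB) {
  const rpA = etldPlusOne(new URL(urlA).hostname);
  const rpB = etldPlusOne(new URL(urlB).hostname);
  return {
    sameOrigin: webOrigin(urlA) === webOrigin(urlB),
    sameRpId: rpA !== null && rpA === rpB,
    rpIds: [rpA, rpB],
  };
}

// Different origins (host and port differ), same eTLD+1 scope:
console.log(compareScopes("https://login.example.com/",
                          "https://pay.example.com:8443/"));
// Hosts under a suffix such as github.io stay in separate scopes:
console.log(compareScopes("https://alice.github.io/",
                          "https://bob.github.io/"));
```

The first comparison shows why an origin-bound name does not fit: every host under the same registrable domain shares the eTLD+1 scope, which is wider than any single origin.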
Received on Tuesday, 8 March 2016 06:08:13 UTC