RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

I am not sure about the cognitive overhead; you are assuming the web developer will be familiar with the FIDO specification and brand when it doesn't need to be the case.

The goal of elevating the API and formats to a W3C standard is precisely to decouple these two things, so I think it is a mistake to keep the FIDO term. As Richard said, it should be a term that means what it does and not an arbitrary reference with external meaning that may be familiar to some but not to everybody.

Felipe
Sent from Bloomberg Professional for iPhone

----- Original Message -----
From: Vijay Bharadwaj <vijaybh@microsoft.com>
To: jeff.hodges@paypal.com, rbarnes@mozilla.com, tonynad@microsoft.com
CC: public-webauthn@w3.org
At: 09-Mar-2016 18:41:24

Tony beat me to this one.

This seems to add unnecessary cognitive overhead for web developers. They have to just know that if they want to support those flashy dongles with the FIDO logo, they need to use “ScopedSignature” (having a CredentialType enum value include Credential in its name seems like a redundant bit of redundancy) in their code. Moreover, using “FIDO” as an enum value in no way prevents the existence of other possible enum values. The API names and namespaces remain generic after all.

From: Anthony Nadalin [mailto:tonynad@microsoft.com]
Sent: Wednesday, March 09, 2016 3:06 PM
To: Richard Barnes <rbarnes@mozilla.com>; Hodges, Jeff <jeff.hodges@paypal.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

I’m getting a little worried that we are now in meaningless territory, as “FIDO” had a specific meaning; the “ScopedSignatureCredentials” can mean anything. The use of FIDO is just like the use of RSA here.

From: Richard Barnes [mailto:rbarnes@mozilla.com]
Sent: Wednesday, March 9, 2016 1:30 PM
To: Hodges, Jeff <jeff.hodges@paypal.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

On Wed, Mar 9, 2016 at 4:28 PM, Hodges, Jeff <jeff.hodges@paypal.com> wrote:

On 3/9/16, 1:20 PM, "Richard Barnes" <rbarnes@mozilla.com> wrote:

"""
API Features in scope are: (1) Requesting generation of an asymmetric key pair within a specific scope (e.g., an origin); (2) Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair.  In other words, authentication should obey the same origin policy.
""" 

So this is a credential that provides authentication based on proof of possession of a signing key (i.e., a signature), where that signature is limited to some scope via the signing protocol we will define.

Could people live with "ScopedSignatureCredential"?

so you are suggesting..

enum CredentialType {
    "ScopedSignatureCredential"
};

.. yes?

Precisely.

sure, I can live with that.

=JeffH

Received on Thursday, 10 March 2016 01:04:01 UTC