RE: Spec and issue status

[vgb]>>Issue #1: I will send out a proposal tomorrow for this. I think we 
[vgb]>>could move slightly more of the attestation structure into the 
[vgb]>>authenticator model section,

[jeffh]>you are referring to sections 3.8, 3.9, 3.10 ?

Yes. Specifically slim down 3.8 and move most/all of 3.9 and 3.10 into authenticator model.

[vgb]>> [about issue #58]...
[jeffh]> it would be "nice" if this discussion with "the TAG" were generally visible...

Hence my proposal to write up the current status in the spec and use that as a basis for discussion, so things become more visible :)

-----Original Message-----
From: Hodges, Jeff [mailto:jeff.hodges@paypal.com] 
Sent: Wednesday, April 27, 2016 9:46 AM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: Spec and issue status

On 4/26/16, 11:19 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:

>I wanted to tee up a few items for discussion tomorrow regarding the 
>remaining issues:
>
>· We have a number of issues that should be really easy to fix. #38 and
>#74 are in this bucket, as well as a number that are currently marked
>SPWD. I will do a sweep of these before Berlin, but given these are not
>likely to be as complex or controversial as the more substantial
>issues, I think it's okay to get to these next week.

agreed.


>· Issue #1: I will send out a proposal tomorrow for this. I think we
>could move slightly more of the attestation structure into the 
>authenticator model section,

you are referring to sections 3.8, 3.9, 3.10 ?

>thus making for a cleaner separation of concerns between browser/script  
>folks and authenticator/backend folks. If that is acceptable then I 
>think we should use it to close this issue out.

sounds nominally ok.

>· Issue #58: Dirk spoke to Alex Russell and explained some of the nuances
>of our world. We think this discussion with TAG is going to take a bit
>longer. For now I would like to add some language clarifying the dual
>role of origins and rpIDs (origins are signed over and are therefore a
>security boundary, rpIDs determine who can request an assertion with a
>specific credential and are therefore a client privacy boundary), and
>move this issue to SPWD.

it would be "nice" if this discussion with "the TAG" were generally visible...


>· Issue #61: I will send out a proposal for this by end of week, as
>outlined in the issue already. Would love to get feedback on that.

ok

>· Issue #60: As noted in the issue, this is potentially contradictory
>with #61. If we agree that the #61 change sounds reasonable, I would
>like to move #60 to SPWD so we can have a more thoughtful consideration
>of what the right path forward should be.

sure, I agree that we should take more time to work out #60.

hth,

=JeffH

Received on Wednesday, 27 April 2016 17:06:27 UTC