Proposal for W3C-style Attestation Registry from Mandyam, Giridhar on 2016-08-23 (public-webauthn@w3.org from August 2016)

From: Mandyam, Giridhar <mandyam@qti.qualcomm.com>
Date: Tue, 23 Aug 2016 14:17:35 +0000
To: W3C Web Authn WG <public-webauthn@w3.org>
Message-ID: <0f76363ef9b844e6b9d53b1cb70938ed@NASANEXM01C.na.qualcomm.com>

Bearing in mind the proposal in https://lists.w3.org/Archives/Public/public-webauthn/2016Jun/0097.html, I am enclosing a proposal for an attestation registry that is more in line with recent W3C registries such as the one for MSE bytestream formats (https://w3c.github.io/media-source/byte-stream-format-registry.html).  Note the following:


a)      It is not clear (at least to me) how best to handle additional clientData for candidate attestation formats.  I am proposing that any new attestation format must specify any extensions to the ClientData dictionary it requires, but I am unclear as to whether this should even be allowed for candidate attestation formats.  If such information is missing from the corresponding specification for a candidate attestation format, then it will be assumed that clientData defaults to whatever the client implementation (user agent) supports.

b)      Proprietary attestation formats should be clearly designated as such, and I am suggesting to do so with a vendor prefix.  An example would be SafetyNet.

c)      I used the "type" attribute as this is consistent with the current specification.

d)      Disregard the self-referring hyperlinks in this document (e.g. https://w3c.github.io/webauthn/webauthnattestationregistry.html).  These can be updated if the group decides to adopt this registry.

-Giri Mandyam, Qualcomm

Attachments

application/pdf attachment: Web Authentication Atttestation Registry.pdf

Received on Tuesday, 23 August 2016 14:18:25 UTC