RE: Questions about some of the naming in the spec

Hi Kimberly,

Thanks for the feedback. Security people tend to make a strong distinction between authentication (authn) and authorization (authz), which is where that terminology came from. So I suspect auth by itself would be confusing to a different audience. Regarding the Web prefix, I will leave that to others to comment on – I don’t have strong feelings about it either way.

From: Kimberly Paulhamus
Sent: Wednesday, November 30, 2016 10:35 AM
Subject: Questions about some of the naming in the spec

Hi WebAuthn working group,

We are currently working on implementing WebAuthn for Chrome. We're at the early stages of setting up the Chromium interfaces, and reviewers have had some questions on the naming in the spec that we wanted to ask you all about.

To summarize -
Regarding WebAuthnAssertion/Attestation/Extensions, "Why not just WebAuth or Auth? The n in the middle doesn't mean anything and is going to be a wart for developers to remember for the next 30 years."

Account and ClientData are too generic; either need to be more specific or scoped.

Prefixing an API with 'Web' seems to be unusual in general.

Thoughts and comments?


Received on Thursday, 1 December 2016 17:26:20 UTC