- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Tue, 12 Jul 2016 07:42:10 +0000
- To: J.C.Jones via GitHub <sysbot+gh@w3.org>, "public-webauthn@w3.org" <public-webauthn@w3.org>
On 7/11/16, 2:59 PM, "J.C.Jones via GitHub" <sysbot+gh@w3.org> wrote:

>Saying the identifiers are allocated implies, to me, a registry.

apologies, I didn't fully explain my rationale in this issue.

yes, I think we do wish to have an IANA registry for attestation types, see..

  draft-hodges-webauthn-registries-00
  https://lists.w3.org/Archives/Public/public-webauthn/2016Jun/0097.html

..because it will be a useful tool for the ecosystem, e.g., by gathering publicly-specified attestation types, and pointers to their specifications, in a well-known place.

That said, we should also provide guidance for those who do not wish to register their attestation type identifier(s) -- i.e., we should recognize that not everyone will wish to publicly specify their attestation types and specs (think proprietary enterprise-specific use cases, say).

so I propose we make use of the registry a SHOULD, and un-registered attstn type names SHOULD use reverse domain-name naming. [perhaps the latter should be a MUST? however, a SHOULD recognizes that there's no effective enforcement...]

thus:

```
WebAuthn attestation type identifiers are strings, chosen by the
attestation type developer. They SHOULD be registered per
[I-D.hodges-webauthn-registries] "Webauthn Registries". Unregistered
attestation type identifiers SHOULD use reverse domain-name naming,
using a domain name registered by the attestation type developer.
All attestation type identifiers MUST not be longer than 32 octets
and MUST consist only of printable USASCII characters, i.e., VCHAR
as defined in [RFC5234] (note: this means attestation type
identifiers based on domain names MUST incorporate only A-labels).
Implementations MUST match WebAuthn attestation type identifiers in
a case-insensitive fashion.
```

WDYT?

>
>Current language is that _identifiers should aim to be globally
>unique_. It seems to me we could give your formal definition and
>matching rules, drop the note about allocation, and instead have
>something like:
>
>> Extensions are identified by a string, chosen by the extension
>author. They MUST
>not be longer than 32 octets and MUST consist only of
>printable USASCII characters, i.e., VCHAR as defined
>in [RFC5234]. Implementations MUST match WebAuthn
>attestation type identifiers in a case-insensitive fashion.
>
>> Extension identifiers should aim to be globally unique,
>e.g., by using reverse domain-name of the defining entity such as
>`com.example.webauthn.myextension`.
>
>--
>GitHub Notification of comment by jcjones
>Please view or discuss this issue at
>https://github.com/w3c/webauthn/issues/127#issuecomment-231878657
>using your GitHub account

Received on Tuesday, 12 July 2016 07:42:43 UTC
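
The identifier rules proposed in the message above (at most 32 octets, VCHAR only, case-insensitive matching), as an added example that is not part of the original e-mail or of the WebAuthn specification. All function names are hypothetical, the sample identifiers in the comments are constructed, and rejecting the empty string is an assumption the proposed text does not state.

```javascript
const MAX_OCTETS = 32;
// VCHAR per RFC 5234 is %x21-7E: visible US-ASCII, no space, no controls.
const VCHAR_ONLY = /^[\x21-\x7E]+$/;

function validateIdentifier(id) {
  // Assumption: the empty string is rejected (the proposed text is silent).
  if (typeof id !== "string" || id.length === 0) {
    return { ok: false, reason: "empty or not a string" };
  }
  // Non-ASCII input such as a U-label fails here, which is why identifiers
  // based on domain names have to be written with A-labels.
  if (!VCHAR_ONLY.test(id)) {
    return { ok: false, reason: "non-VCHAR character" };
  }
  // The limit is in octets, so measure the encoded form, not id.length.
  if (new TextEncoder().encode(id).length > MAX_OCTETS) {
    return { ok: false, reason: "longer than 32 octets" };
  }
  return { ok: true, reason: null };
}

// ASCII-only case folding: only A-Z is mapped, nothing else is touched.
function foldAscii(id) {
  return id.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

function identifiersMatch(a, b) {
  if (!validateIdentifier(a).ok || !validateIdentifier(b).ok) return false;
  return foldAscii(a) === foldAscii(b);
}

// Build an allow-list keyed by the folded form, refusing entries that are
// invalid or that collide with an earlier entry once case is ignored.
function buildAllowList(ids) {
  const allowed = new Map();
  const rejected = [];
  for (const id of ids) {
    const check = validateIdentifier(id);
    const key = check.ok ? foldAscii(id) : null;
    if (!check.ok) rejected.push({ id, reason: check.reason });
    else if (allowed.has(key)) rejected.push({ id, reason: "duplicate ignoring case" });
    else allowed.set(key, id);
  }
  return { allowed, rejected };
}
```

The identifier `com.example.webauthn.myextension` from the quoted text is exactly 32 octets, so it passes, while appending a single character makes it fail the length check.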