- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Sat, 16 Jul 2016 09:24:38 +0000
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- CC: W3C WebAuthn WG <public-webauthn@w3.org>
On 7/14/16, 2:02 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:

> This came up again in the call yesterday, and I'm trying to work on #60,
> so I figured we should try and reach consensus on the list.
>
> The question was asked why do we have credential types any more?
>
> Originally, the credential type was a version number for the format of
> the assertion signature. Specifically, there are a few things in Section
> 5.2 that might change in a later version:
>
> - The structure of ClientData and how it is used to compute clientDataHash
>
> - The structure of authenticatorData, including the use of SHA-256 to
> hash RP IDs
>
> - The method for combining the above into a single entity to be signed by
> the credential

agreed.

> Note that attestation is not mentioned in the above. Since we have
> separated out the attestation formats quite cleanly from the main IDL
> (which now treats the attestation as opaque to the client), it can be
> versioned independently. Similarly, versioning of low-level hardware
> protocols can be managed at that layer.

agreed.

> So now the question is do we care enough about maintaining flexibility
> in the areas enumerated above to keep the credential type around, or do
> we want to remove it and keep only the identifier? If we choose to remove
> the credential type, then future versions that change any of the above
> areas would have to find ways to indicate the new version in other ways
> (possibly at the hardware protocol level, in the attestation and in the
> assertion format itself).

as proposed here..

  [webauthn] CredentialType (was: TAG review feedback: Align Credential interface with Credential Management?
  https://lists.w3.org/Archives/Public/public-webauthn/2016Jul/0043.html

..which we briefly discussed further..

  https://lists.w3.org/Archives/Public/public-webauthn/2016Jul/0047.html

..let's (at least) retain CredentialType but rename it `AssertionFormat` (or `AssertionScheme`?), and clearly document that it signals signature construction (aka format) and contextual data content & formats (i.e. the items enumerated up above).

This discussion is also related to these threads..

  API consumer question: How do we recover Credential?
  https://lists.w3.org/Archives/Public/public-webauthn/2016Jul/0168.html

  use cases
  https://lists.w3.org/Archives/Public/public-webauthn/2016Jun/0086.html

  PR#143 Remove ScopedCredentialParameters tuple (by unpairing type & algorithm)
  https://github.com/w3c/webauthn/pull/143

..thus the "at least" qualification noted above -- i.e., there's further discussion to have in the other threads.

=JeffH
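The three items Vijay enumerates (clientDataHash, the authenticatorData layout with its SHA-256 RP ID hash, and how they are joined into the signed message) are exactly what a relying party's verifier has to reconstruct before it can check an assertion signature. The following is an added example, not code from this thread or from the W3C specification; it assumes the layout that the later Level 1 spec settled on (rpIdHash || flags || signCount ..., signed together with SHA-256(clientDataJSON)), and the `fmt` tag stands in for the `AssertionFormat` selector proposed above, so a verifier fails closed on a format version it does not understand.

```python
"""Verifier-side reconstruction of the WebAuthn assertion signing input.

Assumption (not from the thread): Level 1 layout, where authenticatorData =
rpIdHash(32) || flags(1) || signCount(4, big-endian) || ... and the message
that the credential signs is authenticatorData || SHA-256(clientDataJSON).
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-size prefix of authenticatorData; reject short input."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": auth_data[:32], "flags": auth_data[32], "signCount": sign_count}


def signing_input(fmt: str, rp_id: str, auth_data: bytes,
                  client_data_json: bytes, require_uv: bool = False) -> bytes:
    """Return the bytes the signature must be verified over, after the checks
    that depend on the format version. Dispatching on fmt is the role the
    thread assigns to CredentialType / AssertionFormat: a later version can
    change any of these rules without being silently misread by this code."""
    if fmt != "webauthn-l1":  # hypothetical format tag used by this example
        raise ValueError(f"unsupported assertion format {fmt!r}")
    fields = parse_authenticator_data(auth_data)
    # The RP ID is bound into the signed data only through its SHA-256 hash.
    if fields["rpIdHash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not fields["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not fields["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # clientDataJSON enters the signed message only via its hash.
    return auth_data + hashlib.sha256(client_data_json).digest()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (no attested credential data)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
```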
Received on Saturday, 16 July 2016 09:25:15 UTC