- From: Anthony Nadalin <tonynad@microsoft.com>
- Date: Sat, 16 Jul 2016 20:50:00 +0000
- To: Vijay Bharadwaj <vijaybh@microsoft.com>, W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CY1PR0301MB124370831A080496D1FAF5AFA6340@CY1PR0301MB1243.namprd03.prod.outlook.>
I lean towards keeping the Credential to help us future proof changing things From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com] Sent: Thursday, July 14, 2016 2:03 PM To: W3C WebAuthn WG <public-webauthn@w3.org> Subject: Credential types This came up again in the call yesterday, and I'm trying to work on #60, so I figured we should try and reach consensus on the list. The question was asked - why do we have credential types any more? Originally, the credential type was a version number for the format of the assertion signature. Specifically, there are a few things in Section 5.2 that might change in a later version: - The structure of ClientData and how it is used to compute clientDataHash - The structure of authenticatorData, including the use of SHA-256 to hash RP IDs - The method for combining the above into a single entity to be signed by the credential Note that attestation is not mentioned in the above. Since we have separated out the attestation formats quite cleanly from the main IDL (which now treats the attestation as opaque to the client), it can be versioned independently. Similarly, versioning of low-level hardware protocols can be managed at that layer. So now the question is - do we care enough about maintaining flexibility in the areas enumerated above to keep the credential type around, or do we want to remove it and keep only the identifier? If we choose to remove the credential type, then future versions that change any of the above areas would have to find ways to indicate the new version in other ways (possibly at the hardware protocol level, in the attestation and in the assertion format itself). Thoughts and opinions?
Received on Saturday, 16 July 2016 20:50:30 UTC