- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Mon, 20 Jun 2016 14:01:53 +0000
- To: Mark Nottingham <mnot@mnot.net>
- CC: W3C WebAuthn WG <public-webauthn@w3.org>
On 6/18/16, 6:26 PM, "Mark Nottingham" <mnot@mnot.net> wrote: >Hey, > >A few notes below. > > thanks! > >> On 14 Jun 2016, at 4:30 AM, Hodges, Jeff <jeff.hodges@paypal.com> wrote: >> >> Here's an initial cut at an internet-draft creating WebAuthn registries >>at >> IANA. It is somewhat based upon RFC5988 by Mark Nottingham. >> >>Network Working Group J. Hodges >> Internet-Draft PayPal >> Intended status: Informational June 13, 2016 >> Expires: December 15, 2016 >> >> >> WebAuthn Registries >> draft-hodges-webauthn-registries-00 >> >> Abstract >> >> This specification defines IANA registries for W3C Web Authentication >> (WebAuthn) attestation types and extension identifiers. >> >>1. Introduction >> >> This specification defines IANA registries for W3C Web Authentication >> [WebAuthn] attestation types and extension identifiers, and supplies >> initial entries within each registry. >> >> 2. IANA Considerations >> >> 2.1. WebAuthn Attestation Types Registry >> >> This specification establishes the WebAuthn Attestation Types >> registry [WebAuthn]. The IANA registration policy is "Specification >> Required" per [RFC5226]. Instructions, and a request template, for a >> registrant to request the registration of a new WebAuthn Attestation >> Type are in Section 2.1.1. An example registration request is given >> in Section 2.1.2. The initial registry contents are given in >> Section 2.1.3. >> >> The underlying registry data (e.g., the XML file) must include >> Simplified BSD License text as described in Section 4.e of the Trust >> Legal Provisions (<http://trustee.ietf.org/license-info>). >> >> 2.1.1. Registering New WebAuthn Attestation Types >> >> WebAuthn Attestation Types are registered per the IANA registration >> policy of "Specification Required" [RFC5226], which implies use of a >> Designated Expert (appointed by the IESG (?) (W3C Team?) or their >> delegate). >> >> [[ISSUE: Who ought to appoint the DE and adjudicate any appeals? >> IESG (?) or W3C Team? (appeals process is described below, presently >> in terms of IESG)]] > >AUIU the IESG officially appoints all DEs, but the registry can ask them >to consult with a community -- e.g., the W3C -- to find suitable >candidates. In practice, they'll be very grateful for the help. "the registry" meaning IANA ? > >> WebAuthn attestation type identifiers are strings whose semantic, >> syntactic, uniqueness, and string-matching criteria are specified in >> [WebAuthn]. >> >> [[ISSUES: <https://github.com/w3c/webauthn/issues/126>, >> <https://github.com/w3c/webauthn/issues/127>]] >> >> Registration requests consist of the completed registration template, >> given below, typically published in a W3C Recommendation, or RFC, or >> other Open Standard (in the sense described by [RFC2026], Section 7), >> and also submitted via email per the next paragraph. However, to >> allow for the allocation of values prior to publication, the >> Designated Expert may approve registration once they are satisfied >> that a specification will be published. > >It's strongly encouraged to explicitly reference one of the registration >policies in RFC5226 section 4.1 by name. "specification required" is declared up above. > >> >> Registration requests should be sent to ... > >FWIW -- I kind of wish you hadn't take 5988 as a starting point; in >practice, we've found that to be overly bureaucratic and over-specified. >I've stated a 5988bis; see: > https://mnot.github.io/I-D/rfc5988bis/#link-relation-type-registry thx for the pointer -- easy enough to follow that as an example... thx again, =JeffH
Received on Monday, 20 June 2016 14:02:30 UTC