Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

On 3/7/16, 11:19 PM, "WALSH, Scott" <scott.walsh@plantronics.com> wrote:
That was my thought too, FIDO is in no way vendor or technology specific.

well, "FIDO" is trademarked by the FIDO Alliance..

https://fidoalliance.org/wp-content/uploads/FIDO_Trademark_License_Agreement_v_3.1.pdf
https://fidoalliance.org/fido-trademark-and-service-mark-usage-agreement-for-websites/

I (personally) can go either way, as long as, if "FIDO" is retained, we clearly equate the term "FIDO Credential" to some short and sweet technical description such as one of those suggested below.

in any case, we perhaps need chairs and W3C staff to figure out what W3C's position is regarding use of such a trademarked term(s) within recommendation-track specs -- i.e., simple guidance such as: "yes, you can retain the 'FIDO' moniker in the spec and add the trademark notice" or "let's excise the 'FIDO' moniker" or "it's up to the webauthn working group" -- and then go from there. . .




From: Dirk Balfanz [mailto:balfanz@google.com]
Sent: 08 March 2016 06:08
To: Hodges, Jeff; W3C WebAuthn WG
Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

"FIDO" is vendor-neutral. Why do they need to be standards-org-neutral?

Maybe something along the lines of "cryptographic authentication credential"?

Dirk.



On Mon, Mar 7, 2016 at 3:57 PM Hodges, Jeff <jeff.hodges@paypal.com> wrote:
Beyond a simple cut-n-paste-and-jam-em-all-into-one-file approach to merging the three source specs (web-api, signature-format, key-attestation) into a single spec file, there's the issue of figuring out how to de-FIDO-ize the text therein.

There's terms such as "FIDO 2.0 credential", "FIDO assertion", etc. strewn throughout.

The key, it seems to me, as we'd briefly chatted about in the #webauthn irc channel during the meeting last Fri, is figuring out how to refer to what is presently termed "FIDO Credentials" in the web-api and key-attestation specs..


> grep -li "fido cred" ./*/Overview.html
./webauthn-key-attestation/Overview.html
./webauthn-web-api/Overview.html

I took a look at the SiteBoundCredential term in the Creds Mgmt spec <http://w3c.github.io/webappsec-credential-management/#siteboundcredential> and that doesn't actually map to FIDO Creds because the former are bound to a web origin [RFC6454] and the latter are bound to a Relying Party's domain name reduced (aka "domain lowered") to eTLD+1 (eTLD = effective Top Level Domain, aka Public Suffix), which is also known as "Relying Party Identity (RPID)" in the submitted fido specs.

So we ought to figure out what to rename "FIDO Credentials" to, in a vendor-neutral, standards-org-neutral manner.

some ideas I've heard or thought of..

Origin-bound strong creds (OBSCreds)        [won't work because not binding to origin]

Scoped strong creds  / scoped creds (SSCreds)

RPID-bound strong creds  (RBSCreds)

Basically, in looking through the specs, it seems that if we nail down the name for the credentials, then the names of the other things (e.g., assertions, extensions, etc) will follow fairly easily.

WDYT?

=JeffH





Received on Tuesday, 8 March 2016 16:23:03 UTC
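
The scoping difference raised in the original message of this thread (a web origin per RFC 6454 versus a host name reduced to eTLD+1), shown as an added example that is not part of the thread or of any spec text. The function names, the sample URLs and the four-entry suffix set are assumptions made for illustration; a real implementation would consult the full Public Suffix List.

```javascript
// Constructed, tiny stand-in for the Public Suffix List (assumption:
// real code would load the complete list rather than these four entries).
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk"]);

// Web origin per RFC 6454: the serialized (scheme, host, port) triple.
function webOrigin(url) {
  return new URL(url).origin;
}

// Host reduced to eTLD+1: the longest matching public suffix plus one label.
// Returns null when the host is itself a public suffix or matches no suffix
// in the sample set (for example an IP address or a single-label host).
function etldPlusOne(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  // Walking from the full host name towards the last label finds the
  // longest suffix first ("co.uk" is tried before "uk").
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Compare two URLs under both scoping rules.
function compareScopes(urlA, urlB) {
  const rpA = etldPlusOne(urlA);
  const rpB = etldPlusOne(urlB);
  return {
    sameOrigin: webOrigin(urlA) === webOrigin(urlB),
    sameEtldPlusOne: rpA !== null && rpA === rpB,
  };
}

// Constructed sample URLs (hypothetical hosts).
const samples = [
  ["https://login.example.co.uk/", "https://pay.example.co.uk:8443/"],
  ["https://login.example.co.uk/", "https://login.example.co.uk:443/x"],
  ["https://login.example.co.uk/", "https://www.example.org/"],
];
for (const [a, b] of samples) {
  console.log(a, b, JSON.stringify(compareScopes(a, b)));
}
```

The first pair differs in origin yet shares one eTLD+1 scope, which is why an origin-bound credential type does not describe a credential scoped the way the message describes.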