Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names? from Wendy Seltzer on 2016-03-09 (public-webauthn@w3.org from March 2016)

From: Wendy Seltzer <wseltzer@w3.org>
Date: Wed, 9 Mar 2016 05:01:30 -0500
To: "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <56DFF47A.9040704@w3.org>
Aha, a place where my legal background can be of use. I'd suggest we
should select a different term rather than using the trademarked "FIDO"
to refer to these credentials.

Trademark imposes additional (legal) coordination costs, as trademark
functions as a designation of source and requires an exercise of
"quality control." We intend to coordinate with the FIDO Alliance, but
not to the extent that they would see us as custodians of their trademark.

I now return us to bikeshed-paint-color-selection.
--Wendy

On 03/08/2016 11:22 AM, Hodges, Jeff wrote:
> On 3/7/16, 11:19 PM, "WALSH, Scott" <scott.walsh@plantronics.com<mailto:scott.walsh@plantronics.com>> wrote:
> That was my thought too, FIDO is in no way vendor or technology specific.
> 
> well, "FIDO" is trademarked by the FIDO Alliance..
> 
> https://fidoalliance.org/wp-content/uploads/FIDO_Trademark_License_Agreement_v_3.1.pdf
> https://fidoalliance.org/fido-trademark-and-service-mark-usage-agreement-for-websites/
> 
> I (personally) can go either way, as long as, if "FIDO" is retained, we clearly equate the term "FIDO Credential" to some short and sweet technical description such as one of those suggested below.
> 
> in any case, we perhaps need chairs and W3C staff to figure out what W3C's position is regarding use of such a trademarked term(s) within recommendation-track specs -- i.e., simple guidance such as: "yes, you can retain the 'FIDO' moniker in the spec and add the trademark notice" or "let's excise the 'FIDO' moniker" or "it's up to the webauthn working group" -- and then go from there. . .
> 
> 
> 
> 
>  From: Dirk Balfanz [mailto:balfanz@google.com]
> Sent: 08 March 2016 06:08
> To: Hodges, Jeff; W3C WebAuthn WG
> Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?
> 
> "FIDO" is vendor-neutral. Why do they need to be standards-org-neutral?
> 
> Maybe something along the lines of "cryptographic authentication credential"?
> 
> Dirk.
> 
> 
> 
> On Mon, Mar 7, 2016 at 3:57 PM Hodges, Jeff <jeff.hodges@paypal.com<mailto:jeff.hodges@paypal.com>> wrote:
> Beyond a simple cut-n-paste-and-jam-em-all-into-one-file approach to merging the three source specs (web-api, signature-format, key-attestation) info a single spec file, there's the issue of figuring out how to de-FIDO-ize the text therein.
> 
> There's terms such as "FIDO 2.0 credential", "FIDO assertion", etc strewn throughout.
> 
> The key, it seems to me, as we'd briefly chatted about in the #webauthn irc channel during the meeting last Fri, is figuring out how to refer to what is presently termed "FIDO Credentials" in the web-api and key-attestation specs..
> 
> 
>> grep -li "fido cred" ./*/Overview.html
> 
> ./webauthn-key-attestation/Overview.html
> 
> ./webauthn-web-api/Overview.html
> 
> I took at look at the SiteBoundCredential term in the Creds Mgmt spec <http://w3c.github.io/webappsec-credential-management/#siteboundcredential>  and that doesn't actually map to FIDO Creds because the former are bound to a web origin [RFC6454] and the latter are bound to a Relying Party's domain name reduced (aka "domain lowered") to eTLD+1  (eTLD = effective Top Level Domain, aka Public Suffix), which is also known as "Relying Party Identity (RPID)" in the submitted fido specs.
> 
> So we ought to figure out what to rename "FIDO Credentials" to,  in a vendor-neutral, standards-org-neutral manner.
> 
> some ideas I've heard or thought of..
> 
> Origin-bound strong creds (OBSCreds)        [won't work because not binding to origin]
> 
> Scoped strong creds  / scoped creds (SSCreds)
> 
> RPID-bound strong creds  (RBSCreds)
> 
> Basically, in looking through the specs, it seems that if we nail down the name for the credentials, then the names of the other things (e.g., assertions, extensions, etc) will follow fairly easily.
> 
> WDYT?
> 
> =JeffH
> 
> 
> 
> 
> ________________________________
> 
> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain information that is confidential and/or legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, please DO NOT disclose the contents to another person, store or copy the information in any medium, or use any of the information contained in or attached to this transmission for any purpose. If you have received this transmission in error, please immediately notify the sender by reply email or at privacy@plantronics.com<mailto:privacy@plantronics.com>, and destroy the original transmission and its attachments without reading or saving in any manner.
> 
> For further information about Plantronics - the Company, its products, brands, partners, please visit our website www.plantronics.com.
> 
> 
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Wednesday, 9 March 2016 10:01:37 UTC