- From: Vijay Bharadwaj <vijaybh@microsoft.com>
- Date: Wed, 9 Mar 2016 16:45:11 +0000
- To: Mike Jones <Michael.Jones@microsoft.com>, Wendy Seltzer <wseltzer@w3.org>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <abf48112ebc649048f8332618fa5949a@DFM-CO1MBX15-08.exchange.corp.microsoft.com>
More bikeshedding – “Web authentication” seems too generic.

Also I would like to retain the credential type as “FIDO” if possible though, it seems to me that it correctly represents the type of hardware involved and that would be lost if we genericized it – i.e. you can use the API to talk to all kinds of stuff but these credentials are of the FIDO type. Wendy, would that be okay?

So in other words:

- Generically titled spec (“Web Authentication using Cryptographic Credentials: API and data formats” or “WACC” for short)
- Generically named API namespaces (WebAppSec uses navigator.credentials for example)
- Credential type of “FIDO” denotes that the selected credential supports the FIDO data formats and device protocols

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Wednesday, March 09, 2016 6:36 AM
To: Wendy Seltzer <wseltzer@w3.org>; Hodges, Jeff <jeff.hodges@paypal.com>; W3C WebAuthn WG <public-webauthn@w3.org>
Subject: RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

We could do a lot worse than simply substituting "Web" for "FIDO". For instance, then we'd have "Web Credential".

-- Mike

________________________________

From: Wendy Seltzer <wseltzer@w3.org>
Sent: 3/9/2016 5:02 AM
To: Hodges, Jeff <jeff.hodges@paypal.com>; W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

Aha, a place where my legal background can be of use. I'd suggest we should select a different term rather than using the trademarked "FIDO" to refer to these credentials.

Trademark imposes additional (legal) coordination costs, as trademark functions as a designation of source and requires an exercise of "quality control." We intend to coordinate with the FIDO Alliance, but not to the extent that they would see us as custodians of their trademark.

I now return us to bikeshed-paint-color-selection.

--Wendy

On 03/08/2016 11:22 AM, Hodges, Jeff wrote:
> On 3/7/16, 11:19 PM, "WALSH, Scott" <scott.walsh@plantronics.com> wrote:
> That was my thought too, FIDO is in no way vendor or technology specific.
>
> well, "FIDO" is trademarked by the FIDO Alliance..
>
> https://fidoalliance.org/wp-content/uploads/FIDO_Trademark_License_Agreement_v_3.1.pdf
> https://fidoalliance.org/fido-trademark-and-service-mark-usage-agreement-for-websites/
>
> I (personally) can go either way, as long as, if "FIDO" is retained, we clearly equate the term "FIDO Credential" to some short and sweet technical description such as one of those suggested below.
>
> in any case, we perhaps need chairs and W3C staff to figure out what W3C's position is regarding use of such a trademarked term(s) within recommendation-track specs -- i.e., simple guidance such as: "yes, you can retain the 'FIDO' moniker in the spec and add the trademark notice" or "let's excise the 'FIDO' moniker" or "it's up to the webauthn working group" -- and then go from there. . .
>
> From: Dirk Balfanz [mailto:balfanz@google.com]
> Sent: 08 March 2016 06:08
> To: Hodges, Jeff; W3C WebAuthn WG
> Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?
>
> "FIDO" is vendor-neutral. Why do they need to be standards-org-neutral?
>
> Maybe something along the lines of "cryptographic authentication credential"?
>
> Dirk.
>
> On Mon, Mar 7, 2016 at 3:57 PM Hodges, Jeff <jeff.hodges@paypal.com> wrote:
> Beyond a simple cut-n-paste-and-jam-em-all-into-one-file approach to merging the three source specs (web-api, signature-format, key-attestation) into a single spec file, there's the issue of figuring out how to de-FIDO-ize the text therein.
>
> There's terms such as "FIDO 2.0 credential", "FIDO assertion", etc strewn throughout.
>
> The key, it seems to me, as we'd briefly chatted about in the #webauthn irc channel during the meeting last Fri, is figuring out how to refer to what is presently termed "FIDO Credentials" in the web-api and key-attestation specs..
>
> >> grep -li "fido cred" ./*/Overview.html
>
> ./webauthn-key-attestation/Overview.html
>
> ./webauthn-web-api/Overview.html
>
> I took a look at the SiteBoundCredential term in the Creds Mgmt spec <http://w3c.github.io/webappsec-credential-management/#siteboundcredential> and that doesn't actually map to FIDO Creds because the former are bound to a web origin [RFC6454] and the latter are bound to a Relying Party's domain name reduced (aka "domain lowered") to eTLD+1 (eTLD = effective Top Level Domain, aka Public Suffix), which is also known as "Relying Party Identity (RPID)" in the submitted fido specs.
>
> So we ought to figure out what to rename "FIDO Credentials" to, in a vendor-neutral, standards-org-neutral manner.
>
> some ideas I've heard or thought of..
>
> Origin-bound strong creds (OBSCreds) [won't work because not binding to origin]
>
> Scoped strong creds / scoped creds (SSCreds)
>
> RPID-bound strong creds (RBSCreds)
>
> Basically, in looking through the specs, it seems that if we nail down the name for the credentials, then the names of the other things (e.g., assertions, extensions, etc) will follow fairly easily.
>
> WDYT?
>
> =JeffH
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain information that is confidential and/or legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, please DO NOT disclose the contents to another person, store or copy the information in any medium, or use any of the information contained in or attached to this transmission for any purpose. If you have received this transmission in error, please immediately notify the sender by reply email or at privacy@plantronics.com, and destroy the original transmission and its attachments without reading or saving in any manner.
>
> For further information about Plantronics - the Company, its products, brands, partners, please visit our website www.plantronics.com.
>

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Wednesday, 9 March 2016 16:45:49 UTC
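
Added example (not part of the original thread or of any spec text): the difference Jeff Hodges describes between a credential bound to a web origin [RFC6454] and one bound to a domain reduced to eTLD+1 ("RPID"), in JavaScript. `SAMPLE_SUFFIXES`, the function names and the example hosts are assumptions made for illustration; a real implementation would consult the full Public Suffix List.

```javascript
// SAMPLE_SUFFIXES is a constructed subset of public-suffix rules, not the real list.
const SAMPLE_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Origin = (scheme, host, port); URL.origin omits the scheme's default port.
function originOf(url) {
  return new URL(url).origin;
}

// Longest matching public suffix of a host, using the sample rules above.
function publicSuffix(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SAMPLE_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // default rule: the last label
}

// eTLD+1: the public suffix plus one more label.
// Returns null for IP literals and for hosts that are themselves a public suffix.
function etldPlusOne(url) {
  const host = new URL(url).hostname.replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null;
  const suffix = publicSuffix(host);
  if (host === suffix) return null;
  const rest = host.slice(0, host.length - suffix.length - 1);
  return `${rest.split(".").pop()}.${suffix}`;
}

// Report whether two URLs share a scope under each kind of binding.
function compareScopes(a, b) {
  const ra = etldPlusOne(a);
  const rb = etldPlusOne(b);
  return {
    sameOrigin: originOf(a) === originOf(b),
    sameEtld1: ra !== null && ra === rb,
  };
}

// Two hosts of one relying party: different origins, same eTLD+1.
console.log(compareScopes("https://login.example.co.uk/", "https://pay.example.co.uk:8443/"));
// Two tenants under a public suffix: different origins and different eTLD+1.
console.log(compareScopes("https://alice.github.io/", "https://bob.github.io/"));
```

An origin-bound credential would be unusable across the first pair, while an eTLD+1-bound one would be shared by both hosts; the second pair stays separate under either binding because `github.io` is itself a public suffix.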