Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

On Wed, Mar 9, 2016 at 2:11 PM, Felipe Moreno (BLOOMBERG/ 731 LEX) <
fmoreno5@bloomberg.net> wrote:

> It seems to me that keeping the term FIDO associated with the W3C standard
> would imply things that are beyond the scope of the W3C standard. It's
> conceivable that other devices could make use of these APIs and formats,
> without relying on any other layer of the FIDO specification.
>
> I would even say that the goal of making these a W3C standard is to make
> these definitions more generic than the FIDO scope.
>

You beat me to it.  There is nothing in this spec that says that the token
role in the protocol will be fulfilled by a FIDO device.  (And even if
there were something, how would you verify it?)

Let's use a name here that is based on what the thing does.  And for that,
let's take a glance at the charter...

"""
API Features in scope are: (1) Requesting generation of an asymmetric key
pair within a specific scope (e.g., an origin); (2) Proving that the
browser has possession of a specific private key, where the proof can only
be done within the scope of the key pair. In other words, authentication
should obey the same origin policy.
"""

So this is a credential that provides authentication based on proof of
possession of a signing key (i.e., a signature), where that signature is
limited to some scope via the signing protocol we will define.

Could people live with "ScopedSignatureCredential"?

--Richard



>
> Felipe
>
>
> From: vijaybh@microsoft.com At: Mar 9 2016 11:46:27
> To: Michael.Jones@microsoft.com, jeff.hodges@paypal.com,
> public-webauthn@w3.org, wseltzer@w3.org
> Subject: RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
> names?
>
> More bikeshedding – “Web authentication” seems too generic. Also I would
> like to retain the credential type as “FIDO” if possible though, it seems
> to me that it correctly represents the type of hardware involved and that
> would be lost if we genericized it – i.e. you can use the API to talk to
> all kinds of stuff but these credentials are of the FIDO type. Wendy, would
> that be okay?
>
>
>
> So in other words:
>
> -          Generically titled spec (“Web Authentication using
> Cryptographic Credentials: API and data formats” or “WACC” for short)
>
> -          Generically named API namespaces (WebAppSec uses
> navigator.credentials for example)
>
> -          Credential type of “FIDO” denotes that the selected credential
> supports the FIDO data formats and device protocols
>
>
>
> *From:* Mike Jones [mailto:Michael.Jones@microsoft.com]
> *Sent:* Wednesday, March 09, 2016 6:36 AM
> *To:* Wendy Seltzer <wseltzer@w3.org>; Hodges, Jeff <
> jeff.hodges@paypal.com>; W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
> names?
>
>
>
> We could do a lot worse than simply substituting "Web" for "FIDO".  For
> instance, then we'd have "Web Credential".
>
> -- Mike
> ------------------------------
>
> *From: *Wendy Seltzer <wseltzer@w3.org>
> *Sent: *3/9/2016 5:02 AM
> *To: *Hodges, Jeff <jeff.hodges@paypal.com>; W3C WebAuthn WG
> <public-webauthn@w3.org>
> *Subject: *Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
> names?
>
> Aha, a place where my legal background can be of use. I'd suggest we
> should select a different term rather than using the trademarked "FIDO"
> to refer to these credentials.
>
> Trademark imposes additional (legal) coordination costs, as trademark
> functions as a designation of source and requires an exercise of
> "quality control." We intend to coordinate with the FIDO Alliance, but
> not to the extent that they would see us as custodians of their trademark.
>
> I now return us to bikeshed-paint-color-selection.
> --Wendy
>
> On 03/08/2016 11:22 AM, Hodges, Jeff wrote:
> > On 3/7/16, 11:19 PM, "WALSH, Scott" <
> scott.walsh@plantronics.com> wrote:
> > That was my thought too, FIDO is in no way vendor or technology specific.
> >
> > well, "FIDO" is trademarked by the FIDO Alliance..
> >
> >
> https://fidoalliance.org/wp-content/uploads/FIDO_Trademark_License_Agreement_v_3.1.pdf
> >
> https://fidoalliance.org/fido-trademark-and-service-mark-usage-agreement-for-websites/
> >
> > I (personally) can go either way, as long as, if "FIDO" is retained, we
> clearly equate the term "FIDO Credential" to some short and sweet technical
> description such as one of those suggested below.
> >
> > in any case, we perhaps need chairs and W3C staff to figure out what
> W3C's position is regarding use of such a trademarked term(s) within
> recommendation-track specs -- i.e., simple guidance such as: "yes, you can
> retain the 'FIDO' moniker in the spec and add the trademark notice" or
> "let's excise the 'FIDO' moniker" or "it's up to the webauthn working
> group" -- and then go from there. . .
> >
> >
> >
> >
> >  From: Dirk Balfanz [mailto:balfanz@google.com <balfanz@google.com>]
> > Sent: 08 March 2016 06:08
> > To: Hodges, Jeff; W3C WebAuthn WG
> > Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
> names?
> >
> > "FIDO" is vendor-neutral. Why do they need to be standards-org-neutral?
> >
> > Maybe something along the lines of "cryptographic authentication
> credential"?
> >
> > Dirk.
> >
> >
> >
> > On Mon, Mar 7, 2016 at 3:57 PM Hodges, Jeff <
> jeff.hodges@paypal.com> wrote:
> > Beyond a simple cut-n-paste-and-jam-em-all-into-one-file approach to
> merging the three source specs (web-api, signature-format, key-attestation)
> into a single spec file, there's the issue of figuring out how to
> de-FIDO-ize the text therein.
> >
> > There's terms such as "FIDO 2.0 credential", "FIDO assertion", etc
> strewn throughout.
> >
> > The key, it seems to me, as we'd briefly chatted about in the #webauthn
> irc channel during the meeting last Fri, is figuring out how to refer to
> what is presently termed "FIDO Credentials" in the web-api and
> key-attestation specs..
> >
> >
> >> grep -li "fido cred" ./*/Overview.html
> >
> > ./webauthn-key-attestation/Overview.html
> >
> > ./webauthn-web-api/Overview.html
> >
> > I took a look at the SiteBoundCredential term in the Creds Mgmt spec <
> http://w3c.github.io/webappsec-credential-management/#siteboundcredential>
> and that doesn't actually map to FIDO Creds because the former are bound to
> a web origin [RFC6454] and the latter are bound to a Relying Party's domain
> name reduced (aka "domain lowered") to eTLD+1  (eTLD = effective Top Level
> Domain, aka Public Suffix), which is also known as "Relying Party Identity
> (RPID)" in the submitted fido specs.
> >
> > So we ought to figure out what to rename "FIDO Credentials" to,  in a
> vendor-neutral, standards-org-neutral manner.
> >
> > some ideas I've heard or thought of..
> >
> > Origin-bound strong creds (OBSCreds)        [won't work because not
> binding to origin]
> >
> > Scoped strong creds  / scoped creds (SSCreds)
> >
> > RPID-bound strong creds  (RBSCreds)
> >
> > Basically, in looking through the specs, it seems that if we nail down
> the name for the credentials, then the names of the other things (e.g.,
> assertions, extensions, etc) will follow fairly easily.
> >
> > WDYT?
> >
> > =JeffH
> >
> >
> >
> >
> >
> >
> >
>
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/
> +1.617.863.0613 (mobile)
>
>
>

Received on Wednesday, 9 March 2016 21:20:33 UTC