- From: J.C. Jones <jjones@mozilla.com>
- Date: Wed, 9 Mar 2016 17:38:27 -0700
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- Cc: Anthony Nadalin <tonynad@microsoft.com>, Richard Barnes <rbarnes@mozilla.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAObDDPCO1U0ENWRC9JAWie24CHvGw8nZybzxdC=S7rRJdZ67mg@mail.gmail.com>
Having the FIDO name inside the CredentialType enumeration is acceptable to me personally, but the assertions, extensions and the like that Jeff brought up in the original posting _still_ need to be made web-generic, as we seem to all be in agreement that FIDO-compatible devices are only one way to perform authentication within the resulting standard.

To cite a specific example, when we are rewording a line from the JS API that currently says: "The script asks the client platform for a FIDO identity assertion," I think it reads alright after `s/FIDO/scoped credential/g`: "The script asks the client platform for a scoped credential [identity] assertion," (possibly omitting "identity", depending on context).

I think we should focus on whether "scoped credential" is a viable bit of vocabulary for the rest of the documents, or how we would like to reword that.

On Wed, Mar 9, 2016 at 4:40 PM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:

> Tony beat me to this one.
>
> This seems to add unnecessary cognitive overhead for web developers. They
> have to just know that if they want to support those flashy dongles with
> the FIDO logo, they need to use “ScopedSignature” (having a CredentialType
> enum value include Credential in its name seems like a redundant bit of
> redundancy) in their code. Moreover, using “FIDO” as an enum value in no
> way prevents the existence of other possible enum values. The API names and
> namespaces remain generic after all.
>
> *From:* Anthony Nadalin [mailto:tonynad@microsoft.com]
> *Sent:* Wednesday, March 09, 2016 3:06 PM
> *To:* Richard Barnes <rbarnes@mozilla.com>; Hodges, Jeff <
> jeff.hodges@paypal.com>
> *Cc:* W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
> names?
>
> I’m getting a little worried that we are now in meaningless territory as
> “FIDO” had a specific meaning the “ScopedSignatureCredentials” can mean
> anything. The use of FIDO is just like the use of RSA here.
>
> *From:* Richard Barnes [mailto:rbarnes@mozilla.com <rbarnes@mozilla.com>]
> *Sent:* Wednesday, March 9, 2016 1:30 PM
> *To:* Hodges, Jeff <jeff.hodges@paypal.com>
> *Cc:* W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
> names?
>
> On Wed, Mar 9, 2016 at 4:28 PM, Hodges, Jeff <jeff.hodges@paypal.com>
> wrote:
>
> On 3/9/16, 1:20 PM, "Richard Barnes" <rbarnes@mozilla.com> wrote:
>
> """
> API Features in scope are: (1) Requesting generation of an asymmetric key
> pair within a specific scope (e.g., an origin); (2) Proving that the
> browser has possession of a specific private key, where the proof can only
> be done within the scope of the key pair. In other words, authentication
> should obey the same origin policy.
> """
>
> So this is a credential that provides authentication based on proof of
> possession of a signing key (i.e., a signature), where that signature is
> limited to some scope via the signing protocol we will define.
>
> Could people live with "ScopedSignatureCredential"?
>
> so you are suggesting..
>
> enum CredentialType {
>     "ScopedSignatureCredential"
> };
>
> .. yes?
>
> Precisely.
>
> sure, I can live with that.
>
> =JeffH

Received on Thursday, 10 March 2016 00:39:20 UTC