Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?

On Wed, Mar 9, 2016 at 8:17 PM, Sampath Srinivas <samsrinivas@google.com>
wrote:

> I also share the worry that 'scoped signature credential' can mean
> anything.
>
> This was supposed to be about user authentication right?
>
> In other words, we don't expect this API to either mint a key or sign a
> challenge without a human being giving explicit permission (pressing a
> button, clicking yes, showing a fingerprint etc), right?
>
> It would seem like a total Pandora's box without that stipulation.
>
> It is very important that we capture that flavor in whatever name. If FIDO
> is unacceptable then maybe something like "StrongUserAuth"
>

It sounds like there's some lack of clarity about exactly what properties
this API is supposed to provide.  That's unfortunate; I would have hoped
that was captured in the charter.

Nonetheless, if we want to take some time to hash that out, I would prefer
we swap "FIDO" out for something neutral in the meantime (say "WebAuth"),
with the idea that once we have the functional characteristics nailed down,
we will rename to something more descriptive.

--Richard



>
> Sam
>
>
> On Wed, Mar 9, 2016 at 3:05 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
>> I’m getting a little worried that we are now in meaningless territory as
>> “FIDO” had a specific meaning, while “ScopedSignatureCredential” can mean
>> anything. The use of FIDO is just like the use of RSA here.
>>
>>
>>
>> *From:* Richard Barnes [mailto:rbarnes@mozilla.com]
>> *Sent:* Wednesday, March 9, 2016 1:30 PM
>> *To:* Hodges, Jeff <jeff.hodges@paypal.com>
>> *Cc:* W3C WebAuthn WG <public-webauthn@w3.org>
>> *Subject:* Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new
>> names?
>>
>> On Wed, Mar 9, 2016 at 4:28 PM, Hodges, Jeff <jeff.hodges@paypal.com>
>> wrote:
>>
>> On 3/9/16, 1:20 PM, "Richard Barnes" <rbarnes@mozilla.com> wrote:
>>
>>
>>
>> """
>> API Features in scope are: (1) Requesting generation of an asymmetric key
>> pair within a specific scope (e.g., an origin); (2) Proving that the
>> browser has possession of a specific private key, where the proof can only
>> be done within the scope of the key pair. In other words, authentication
>> should obey the same origin policy.
>> """
>>
>> So this is a credential that provides authentication based on proof of
>> possession of a signing key (i.e., a signature), where that signature is
>> limited to some scope via the signing protocol we will define.
>>
>> Could people live with "ScopedSignatureCredential"?
>>
>>
>>
>> so you are suggesting..
>>
>>
>>
>> enum CredentialType {
>>     "ScopedSignatureCredential"
>> };
>>
>> .. yes?
>>
>> Precisely.
>>
>> sure, I can live with that.
>>
>>
>>
>> =JeffH
>>
>
>

Received on Thursday, 10 March 2016 14:11:12 UTC