- From: John Kemp <stable.pseudonym@gmail.com>
- Date: Thu, 10 Mar 2016 09:39:17 -0500
- To: Richard Barnes <rbarnes@mozilla.com>
- Cc: Vijay Bharadwaj <vijaybh@microsoft.com>, Anthony Nadalin <tonynad@microsoft.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C WebAuthn WG <public-webauthn@w3.org>
> On Mar 10, 2016, at 9:15 AM, Richard Barnes <rbarnes@mozilla.com> wrote:
>
> On Wed, Mar 9, 2016 at 6:40 PM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:
> Tony beat me to this one.
>
> This seems to add unnecessary cognitive overhead for web developers. They have to just know that if they want to support those flashy dongles with the FIDO logo, they need to use “ScopedSignature” (having a CredentialType enum value include Credential in its name seems like a redundant bit of redundancy) in their code. Moreover, using “FIDO” as an enum value in no way prevents the existence of other possible enum values. The API names and namespaces remain generic after all.
>
> That's a very myopic view. Look, I'm sure that calling WebRTC the Hangouts API would have appeared to reduce developer overhead in the early days of that spec, when Hangouts was the only thing using it. But as Felipe says, not all that many developers have heard about FIDO today, and to be honest, I hope this spec outlives FIDO. I mean no ill will toward the FIDO Alliance, but honestly in this space, device standards come and go; the Web abides.

Having tried to follow this thread and understand the context a bit better, I would summarize this discussion as revealing the tension between a term that accurately describes the protocols/APIs (roughly speaking):

i) User PII stored locally (and securely), and user consent to the linkage in ii) below
ii) PoP of link to user credentials at RP
iii) PoP credential scoped to RP

… and a term that is more product/market-friendly, and has a meaning that is intentionally less specific -> the equivalent of “FIDO”.

If I think of some current/recent Web/W3C specification examples:

“HTML5”
WebAppSec “Powerful Features”
“WebRTC”

And, I go look at what “Fast Identity Online” was intended to capture:

http://searchsecurity.techtarget.com/definition/FIDO-Fast-Identity-Online

I would personally agree that the overarching term should be rather less specific than ScopedSignatureCredentials (even though this is very technically descriptive), but perhaps that can be achieved with an acronym (see below!)

Some suggestions that attempt to capture some middle ground between these goals:

Web Strong/Scoped Authentication Framework (WebSAF)?
Web Proof of Possession Framework (WebPoP(F))?
Web Scoped Credentials Framework (WebSCF)?
Web Scoped Signature Credentials (WebSSC)?

“API” could work instead of “framework” too, IMO.

- johnk

>
> --Richard
>
> From: Anthony Nadalin [mailto:tonynad@microsoft.com]
> Sent: Wednesday, March 09, 2016 3:06 PM
> To: Richard Barnes <rbarnes@mozilla.com>; Hodges, Jeff <jeff.hodges@paypal.com>
> Cc: W3C WebAuthn WG <public-webauthn@w3.org>
> Subject: RE: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?
>
> I’m getting a little worried that we are now in meaningless territory, as “FIDO” had a specific meaning; the “ScopedSignatureCredentials” can mean anything. The use of FIDO is just like the use of RSA here.
>
> From: Richard Barnes [mailto:rbarnes@mozilla.com]
> Sent: Wednesday, March 9, 2016 1:30 PM
> To: Hodges, Jeff <jeff.hodges@paypal.com>
> Cc: W3C WebAuthn WG <public-webauthn@w3.org>
> Subject: Re: wrt all those "FIDO" terms, e.g. "FIDO Credentials" - new names?
>
> On Wed, Mar 9, 2016 at 4:28 PM, Hodges, Jeff <jeff.hodges@paypal.com> wrote:
>
> On 3/9/16, 1:20 PM, "Richard Barnes" <rbarnes@mozilla.com> wrote:
>
> """
> API Features in scope are: (1) Requesting generation of an asymmetric key pair within a specific scope (e.g., an origin); (2) Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair. In other words, authentication should obey the same origin policy.
> """
>
> So this is a credential that provides authentication based on proof of possession of a signing key (i.e., a signature), where that signature is limited to some scope via the signing protocol we will define.
>
> Could people live with "ScopedSignatureCredential"?
>
> so you are suggesting..
>
> enum CredentialType {
>     "ScopedSignatureCredential"
> };
>
> .. yes?
>
> Precisely.
>
> sure, I can live with that.
>
> =JeffH
Received on Thursday, 10 March 2016 14:39:47 UTC