Re: 3/23/2016 W3C Web Authentication Agenda

+1 Tony

Attestations are a separable part of the system.  You could envision
building an RP that does no verification of attestations at all, and a
token that provides none.

On Wed, Mar 23, 2016 at 12:55 PM, Anthony Nadalin <tonynad@microsoft.com>
wrote:

> Verifying an attestation can happen many many many ways, it’s our job in
> the security considerations section to call out that the attestations
> should be verified but not the specific means as that is out of scope. The
> Metadata service is out of scope as you point out there can be many many
> many different ways to build a metadata service for attestation
> verification
>
>
>
> *From:* Adam Powers [mailto:adam@fidoalliance.org]
> *Sent:* Wednesday, March 23, 2016 9:49 AM
> *To:* Le Van Gong, Hubert <hlevangong@paypal.com>; Anthony Nadalin <
> tonynad@microsoft.com>
> *Cc:* W3C Web Authn WG <public-webauthn@w3.org>; J.C. Jones <
> jjones@mozilla.com>
> *Subject:* RE: 3/23/2016 W3C Web Authentication Agenda
>
>
>
> Doesn’t it apply to the relying parties that would be consuming the Web
> Authentication APIs, such as the algorithm outlined in Section 3.5:
> Verifying an Attestation Statement?
>
>
>
> I just realized that I should point out that the metadata service isn’t
> required to be run by FIDO — we have one instance, and others can set up
> their own (and I’ve heard rumors of that happening). I wouldn’t want this
> to be perceived as a FIDO-only service.
>
> On March 23, 2016 at 9:42:30 AM, Anthony Nadalin (tonynad@microsoft.com)
> wrote:
>
> It’s not a W3C thing or requirement, the specifications function w/o the
> metadata service. We can discuss if this is needed for “FIDO” over in FIDO
>
>
>
> *From:* Le Van Gong, Hubert [mailto:hlevangong@paypal.com]
> *Sent:* Wednesday, March 23, 2016 9:38 AM
> *To:* Anthony Nadalin <tonynad@microsoft.com>
> *Cc:* J.C. Jones <jjones@mozilla.com>; W3C Web Authn WG <
> public-webauthn@w3.org>
> *Subject:* Re: 3/23/2016 W3C Web Authentication Agenda
>
>
>
> Understood but then the question is whether we lose any functionality by
> dropping the MD service (required or optional)…?
>
>
>
> Thanks,
>
> Hubert
>
>
>
> ---
>
> Hubert A. Le Van Gong
>
> Product & Ecosystem Security
>
> PayPal
>
> +1 408 601-9622
>
> hlevangong@paypal.com
>
> On Mar 23, 2016, at 9:12 AM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
>
>
> We should really drop any references to the FIDO metadata service, it’s
> not required and it is a FIDO run service
>
>
>
> *From:* J.C. Jones [mailto:jjones@mozilla.com]
> *Sent:* Tuesday, March 22, 2016 5:57 PM
> *To:* W3C Web Authn WG <public-webauthn@w3.org>
> *Subject:* Re: 3/23/2016 W3C Web Authentication Agenda
>
>
>
> All,
>
> As promised, a PR for the more-generic naming is posted. It has some
> whitespace changes in it as well, so I recommend reviewing using this URL
> that sets w=1:
>
> https://github.com/w3c/webauthn/pull/48/files?w=1
>
> Generally, the following substitutions were made:
>
>    - Extensions were renamed from "fido." to "webauth."
>    - CredentialType "FIDO" was renamed to "ScopedUserCredential"
>    - "FIDO Authenticators" are now "WebAuth Authenticators"
>    - "FIDO Credential" and similar are now "Scoped Credential"
>    - "FIDO method" and similar are now "WebAuth method"
>    - "FIDO Relying Party" and similar are now just "Relying Party"
>    - The WebIDL DOM interface is now type "WebAuthentication" and named
>    "webauth"
>
> I did not attempt to change the OIDs, references to the ECDAA
> specification, or the FIDO Metadata Service (see Issue #47
> <https://github.com/w3c/webauthn/issues/47>).
>
> Cheers,
>
> J.C.
>
> On Tue, Mar 22, 2016 at 3:05 PM, Alexei Czeskis <aczeskis@google.com>
> wrote:
>
> I think I promised to start doing the things that were marked as "do it"
> after the merge.  I'll try to get to some of those tonight.
>
> Thanks!
>
> -Alexei
>
>
>
>  . Alexei Czeskis .:. Securineer .:. 317.698.4740 .
>
>
>
> On Tue, Mar 22, 2016 at 2:58 PM, Dirk Balfanz <balfanz@google.com> wrote:
>
> Hi there,
>
>
>
> I'm afraid I will have to miss certainly the beginning, if not all, of the
> call tomorrow.
>
>
>
> As for the document merge, Jeff pulled the merged doc into master (source
> is index.src.html, output is index.html). Next step is to delete the three
> subdirectories webauthn-* (since they contain the old, unmerged sources) in
> master.
>
>
>
> Dirk.
>
>
>
> On Tue, Mar 22, 2016 at 9:50 AM Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
> 1. Roll Call
> 2. Agenda bashing
> 3. Document merge, status/update
> 4. Naming issues, update from JC
> 5. Walk the open issues list
> 7. A.O.B
>
> 8. Adjourn
>
>
>
> Please let Richard or me know if there are any other items you would like
> to see on the agenda.
>

Received on Wednesday, 23 March 2016 16:59:30 UTC