- From: Anthony Nadalin <tonynad@microsoft.com>
- Date: Wed, 23 Mar 2016 18:54:09 +0000
- To: Rolf Lindemann <rlindemann@noknok.com>, 'Adam Powers' <adam@fidoalliance.org>, "'J.C. Jones'" <jjones@mozilla.com>, "'W3C Web Authn WG'" <public-webauthn@w3.org>
- Message-ID: <BN3PR0301MB123486134DF1AE39DCAF7260A6810@BN3PR0301MB1234.namprd03.prod.outlook.>
At registration time I would hope you would be doing the risk assessment however the RP wants to do this, it does not have to be a metadata service at all From: Rolf Lindemann [mailto:rlindemann@noknok.com] Sent: Wednesday, March 23, 2016 11:52 AM To: Anthony Nadalin <tonynad@microsoft.com>; 'Adam Powers' <adam@fidoalliance.org>; 'J.C. Jones' <jjones@mozilla.com>; 'W3C Web Authn WG' <public-webauthn@w3.org> Subject: AW: 3/23/2016 W3C Web Authentication Agenda Hi, I don’t think the primary decision would be whether to accept or not accept an incoming registration, it is more about the estimated risk associated with it (i.e. to what extend they want to trust it). And here the authenticator model and attestation method play an important role. Kind regards, Rolf Von: Anthony Nadalin [mailto:tonynad@microsoft.com] Gesendet: Mittwoch, 23. März 2016 17:37 An: Adam Powers; J.C. Jones; W3C Web Authn WG Betreff: RE: 3/23/2016 W3C Web Authentication Agenda In the attestations from the authenticators for starters, for the most part I can’t imagine many RPs giving up general business because they did not use a specific authenticator, I see this as the more discrete case From: Adam Powers [mailto:adam@fidoalliance.org] Sent: Wednesday, March 23, 2016 9:34 AM To: J.C. Jones <jjones@mozilla.com<mailto:jjones@mozilla.com>>; W3C Web Authn WG <public-webauthn@w3.org<mailto:public-webauthn@w3.org>>; Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> Subject: RE: 3/23/2016 W3C Web Authentication Agenda The metadata is fairly important to relying parties for making decisions about which authenticators to trust. Is there an alternative for how they would get that information? On March 23, 2016 at 9:13:42 AM, Anthony Nadalin (tonynad@microsoft.com<mailto:tonynad@microsoft.com>) wrote: We should really drop any references to the FIDO metadata service , it’s not required and it is a FIDO run service From: J.C. Jones [mailto:jjones@mozilla.com] Sent: Tuesday, March 22, 2016 5:57 PM To: W3C Web Authn WG <public-webauthn@w3.org<mailto:public-webauthn@w3.org>> Subject: Re: 3/23/2016 W3C Web Authentication Agenda All, As promised, a PR for the more-generic naming is posted. It has some whitespace changes in it as well, so I recommend reviewing using this URL that sets w=1: https://github.com/w3c/webauthn/pull/48/files?w=1 Generally, the following substitutions were made: * Extensions were renamed from "fido." to "webauth." * CredentialType "FIDO" was renamed to "ScopedUserCredential" * "FIDO Authenticators" are now "WebAuth Authenticators" * "FIDO Credential" and similar are now "Scoped Credential" * "FIDO method" and similar are now "WebAuth method" * "FIDO Relying Party" and similar are now just "Relying Party" * The WebIDL DOM interface is now type "WebAuthentication" and named "webauth" I did not attempt to change the OIDs, references to the ECDAA specification, or the FIDO Metadata Service (see Issue #47<https://github.com/w3c/webauthn/issues/47>). Cheers, J.C. On Tue, Mar 22, 2016 at 3:05 PM, Alexei Czeskis <aczeskis@google.com<mailto:aczeskis@google.com>> wrote: I think I promised to start doing the things that were marked as "do it" after the merge. I'll try to get to some of those tonight. Thanks! -Alexei ________________ . Alexei Czeskis .:. Securineer .:. 317.698.4740<tel:317.698.4740> . On Tue, Mar 22, 2016 at 2:58 PM, Dirk Balfanz <balfanz@google.com<mailto:balfanz@google.com>> wrote: Hi there, I'm afraid I will have to miss certainly the beginning, if not all, of the call tomorrow. As for the document merge, Jeff pulled the merged doc into master (source is index.src.html, output is index.html). Next step is to delete the three subdirectories webauthn-* (since they contain the old, unmerged sources) in master. Dirk. On Tue, Mar 22, 2016 at 9:50 AM Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> wrote: 1. Roll Call 2. Agenda bashing 3. Document merge, status/update 4. Naming issues, update from JC 5. Walk the open issues list 7. A.O.B 8. Adjourn Please let Richard or I know if there are any other items you would like to see on the agenda.
Received on Wednesday, 23 March 2016 18:54:39 UTC