Re: [webauthn] Strawman of an integration between WebAuthn and Credential Management.

As ought to be apparent, my review above was pretty much entirely syntactical and editorial, while Dirk's (@balfanz) [review](https://github.com/w3c/webauthn/pull/384#issuecomment-292658726) is addressing the higher-level functionality and semantics. Dirk makes very good points which I overall agree with, and I'm glad we did not simply merge this PR last Wed as some were wont to do.  Also, I've expressed concerns with getting "this" right in a near-term timeframe ([here](https://github.com/w3c/webauthn/pull/384#issuecomment-291912912) and [here](https://github.com/w3c/webauthn/pull/384#issuecomment-291915159), above). 

Properly aligning the overall "Credential" notion, such that we can appropriately craft both symmetric-key-based and public-key-based methods and thus flows, will obviously take further dedicated thought and effort it seems. See Dirk's detailed thoughts from yesterday for example: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0138.html

Some folks are expressing urgency to "get something" onto various browser release trains slated to leave their stations this coming summer.  Is it worth getting something poorly-designed into those browsers? 

[As Dirk noted in his preso](https://docs.google.com/presentation/d/1RyfQS3f-Dk7xU8S6pCSBzWl3jGGGrkF1zWkUypVUnik) during [our Feb-2017 F2F (minutes)](https://www.w3.org/2017/02/13-webauthn-minutes.html#item03), we have some options to consider:

A. Just Rename (slides 8, 9)
(as noted in the F2F minutes, this is to just "'rename' scopedCredential" such that webauthn (WA) does not use the term 'credential' in its API)

B. Join credman class hierarchy, keep webauthn methods  (slides 10..14)

C. Join credman (CM) class hierarchy, use CM methods (slides 15..18)

Plus there is also the status-quo:

D.  Leave [credman](https://w3c.github.io/webappsec-credential-management/) and [webauthn](https://w3c.github.io/webauthn/) entirely separate for their "level 1" (ie initial version) incarnations (leaves door open to address some sort of merger in level 2 incarnations).

See also Dirk's summary slide.  It seems that this PR #384 is essentially option B with CM.get() and WA.getAssertion() merged (which makes it essentially option C per the latter slide) -- though, there are various unaddressed subtle-but-important aspects to this as Dirk has noted in: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0138.html

There are various costs and risks associated with each of the above alternatives that we need to sort out.



-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/384#issuecomment-292734633 using your GitHub account

Received on Saturday, 8 April 2017 17:54:27 UTC