- From: balfanz via GitHub <sysbot+gh@w3.org>
- Date: Fri, 17 Nov 2017 06:28:14 +0000
- To: public-webauthn@w3.org
Not sure where I'm supposed to comment, so I'll just add to the thread here:
- re/ "these are not attestation types": I think they are. The point of this parameter here is to help the client decide which of the attestation types defined in Section 6.3.3. ("Attestation Types") should be returned to the RP. If the RP insists on verifiable attestation coming directly from the Authenticator (i.e., Basic attestation or DAA), then they can say that here (using "direct"), and the client's job is to make sure the user understands what's going on, and then pass the Authenticator's attestation on to the RP. If the RP is ok with non-verifiable attestation (like self attestation), they can say that (using "none"), and the client knows that they can take certain shortcuts: not call the Privacy CA, not prompt the user, etc., and deliver *that* type of attestation to the RP. I don't understand what an "AttestationPresentationPreference" is - a preference on how the attestation is presented? Presented to whom? To the user? We don't seem to explain in the spec how the attestation is presented to the user anywhere. I'm a bit confused about this naming choice.
- re/ "verifiable" vs. "indirect": I don't think that this value always means that a Privacy CA will be involved. The point of the original names was not to be prescriptive (i.e., prescribe to the client what they're supposed to do) but descriptive (describe what types of attestations the RP is willing to accept), and give the client more freedom to figure out what to do in each case.
Having said that, I don't want to waste time bikeshedding names this late in the game. Even though I liked the original names better, I'm ok with the PR as is.
--
GitHub Notification of comment by balfanz
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-345156947 using your GitHub account
Received on Friday, 17 November 2017 06:28:16 UTC