Re: [webauthn] Define Public Key Credential Source and Credential ID.

@rlin1 You've got a bunch of comments on #623 that are actually about this change.

The basic issue is about what to call the 3 things involved with using a credential:
1. The secret or capability that the client possesses.
2. The proof that the client has the secret/capability.
3. The thing that lets the RP verify the proof.

We have a couple different kinds of credentials, and I want the terms to be consistent across them. I think I'm fine with your suggestion of:

1. Credential
2. Assertion (We'd probably have to call this a "Credential Assertion" in general, but we could use the shorthand within this spec.)
3. No suggestion, but I'd say maybe "Credential Verifier"?

I *think* those work for passwords (the password is all three) and for SMS auth (1: SIM card; 2&3: OTP).

One difficulty is that credentials.get() returns a `Credential` rather than a `CredentialAssertion`, but we could just live with that inconsistency.

@mikewest, how do you feel about these names if I were to send a patch to Credential Manager?

GitHub Notification of comment by jyasskin
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 11 October 2017 22:30:48 UTC