Re: [webauthn] Define Public Key Credential Source and Credential ID.

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Oct 2017 22:31:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335967544-1507761044-sysbot+gh@w3.org>

@rlin1 You've got a bunch of comments on #623 that are actually about this change.

The basic issue is about what to call the 3 things involved with using a credential:
1. The secret or capability that the client possesses.
2. The proof that the client has the secret/capability.
3. The thing that lets the RP verify the proof.

We have a couple different kinds of credentials, and I want the terms to be consistent across them. I think I'm fine with your suggestion of:

1. Credential
2. Assertion (We'd probably have to call this a "Credential Assertion" in general, but we could use the shorthand within this spec.)
3. No suggestion, but I'd say maybe "Credential Verifier"?

I *think* those work for passwords (the password is all three) and for SMS auth (1: SIM card; 2&3: OTP).

One difficulty is that `credentials.get()` returns a `Credential` rather than a `CredentialAssertion`, but we could just live with that inconsistency.

@mikewest, how do you feel about these names if I were to send a patch to Credential Manager?

GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/620#issuecomment-335967544 using your GitHub account
Received on Wednesday, 11 October 2017 22:30:48 UTC