[webauthn] Merged Pull Request: Authenticator taxonomy: Attachment modality (replaces #842)

emlun has just merged emlun's pull request 956 for https://github.com/w3c/webauthn:

== Authenticator taxonomy: Attachment modality (replaces #842) ==
This replaces PR #842. PR #842 was from a branch in https://github.com/emlun/webauthn, which means that PRs into #842 end up in https://github.com/emlun/webauthn and don't get previews and diffs rendered. This PR is from a branch in this repository, so the bots can do those things. Sorry for the noise...

Original post from #842 below.

See also #334 -- for use case expositions

---

_This is a work in progress._

This aims to resolve #422.

This is what I've come up with so far. It will likely need some rather major surgery before it's ready to be merged, so I'd be happy for both detail-level corrections and high-level restructuring suggestions. Other editors are welcome to push commits directly into this PR, too.

Some issues I've identified while writing this:

- I think we've implicitly assumed throughout the spec that authenticators will always require user verification to create and use client-side-resident credential private keys, but this doesn't seem to be documented in the spec. CTAP2 also doesn't seem to specify this behaviour. The "username-less use case" I've written in here is probably not very useful and would be merged into the "single-step use case" given the above requirement, but without that requirement it remains a possible scenario.
  - [ ] Resolution:
- Is there someplace we can refer to for "authentication factor" and the related terms (known/possessed/biometric factor) instead of defining them in the spec? The Internet Security Glossary (RFC 4949) doesn't seem to have them.
  - [x] Resolution: Yes, [NIST SP800-63-3](https://pages.nist.gov/800-63-3/sp800-63-3.html#af).
- This text might not belong in the Authenticator Model section.
  - [ ] Resolution:


***
<a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/956.html" title="Last updated on Jul 11, 2018, 3:35 PM GMT (d959184)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/956/a96110e...d959184.html" title="Last updated on Jul 11, 2018, 3:35 PM GMT (d959184)">Diff</a>

See https://github.com/w3c/webauthn/pull/956

Received on Wednesday, 11 July 2018 17:27:20 UTC