[webauthn] Pull Request: WIP: Authenticator taxonomy (replaces #842) from Emil Lundberg via GitHub on 2018-06-19 (public-webauthn@w3.org from June 2018)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Jun 2018 17:41:47 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.opened-195905936-1529430105-sysbot+gh@w3.org>

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== WIP: Authenticator taxonomy (replaces #842) ==
This replaces PR #842. PR #842 was from a branch in https://github.com/emlun/, which means that PRs into #842 end up in https://github.com/emlun/ and don't get previews and diffs rendered. This PR is from a branch in this repository, so the bots can do those things. Sorry for the noise...

Original post from #842 below.

---

_This is a work in progress._

This aims to resolve #422.

This is what I've come up with so far. It will likely need some rather major surgery before it's ready to be merged, so I'd be happy for both detail-level corrections and high-level restructuring suggestions. Other editors are welcome to push commits directly into this PR, too.

Some issues I've identified while writing this:

- I think we've implicitly assumed throughout the spec that authenticators will always require user verification to create and use client-side-resident credential private keys, but this doesn't seem to be documented in the spec. CTAP2 also doesn't seem to specify this behaviour. The "username-less use case" I've written in here is probably not very useful and would be merged into the "single-step use case" given the above requirement, but without that requirement it remains a possible scenario.
  - [ ] Resolution:
- Is there someplace we can refer to for "authentication factor" and the related terms (known/possessed/biometric factor) instead of defining them in the spec? The Internet Security Glossary (RFC 4949) doesn't seem to have them.
  - [x] Resolution: Yes, [NIST SP800-63-3](https://pages.nist.gov/800-63-3/sp800-63-3.html#af).
- This text might not belong in the Authenticator Model section.
  - [ ] Resolution:


<!--
    This comment and the below content is programatically generated.
    You may add a comma-separated list of anchors you'd like a
    direct link to below (e.g. #idl-serializers, #idl-sequence):

    Don't remove this comment or modify anything below this line.
    If you don't want a preview generated for this pull request,
    just replace the whole of this comment's content by "no preview"
    and remove what's below.
-->
***
<a href="https://pr-preview.s3.amazonaws.com/emlun/webauthn/pull/842.html" title="Last updated on Jun 14, 2018, 8:15 PM GMT (4fcb566)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/842/4fd5dd5...emlun:4fcb566.html" title="Last updated on Jun 14, 2018, 8:15 PM GMT (4fcb566)">Diff</a>

See https://github.com/w3c/webauthn/pull/956

Received on Tuesday, 19 June 2018 17:41:49 UTC