[webauthn] Closed Pull Request: WIP: Authenticator taxonomy from Emil Lundberg via GitHub on 2018-06-19 (public-webauthn@w3.org from June 2018)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Jun 2018 17:42:29 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.closed-175317240-1529430147-sysbot+gh@w3.org>

emlun has just closed emlun's pull request 842 for https://github.com/w3c/webauthn:

== WIP: Authenticator taxonomy ==
_This is a work in progress._

This aims to resolve #422.

This is what I've come up with so far. It will likely need some rather major surgery before it's ready to be merged, so I'd be happy for both detail-level corrections and high-level restructuring suggestions. Other editors are welcome to push commits directly into this PR, too.

Some issues I've identified while writing this:

- I think we've implicitly assumed throughout the spec that authenticators will always require user verification to create and use client-side-resident credential private keys, but this doesn't seem to be documented in the spec. CTAP2 also doesn't seem to specify this behaviour. The "username-less use case" I've written in here is probably not very useful and would be merged into the "single-step use case" given the above requirement, but without that requirement it remains a possible scenario.
  - [ ] Resolution:
- Is there someplace we can refer to for "authentication factor" and the related terms (known/possessed/biometric factor) instead of defining them in the spec? The Internet Security Glossary (RFC 4949) doesn't seem to have them.
  - [x] Resolution: Yes, [NIST SP800-63-3](https://pages.nist.gov/800-63-3/sp800-63-3.html#af).
- This text might not belong in the Authenticator Model section.
  - [ ] Resolution:


<!--
    This comment and the below content is programatically generated.
    You may add a comma-separated list of anchors you'd like a
    direct link to below (e.g. #idl-serializers, #idl-sequence):

    Don't remove this comment or modify anything below this line.
    If you don't want a preview generated for this pull request,
    just replace the whole of this comment's content by "no preview"
    and remove what's below.
-->
***
<a href="https://pr-preview.s3.amazonaws.com/emlun/webauthn/pull/842.html" title="Last updated on Jun 19, 2018, 5:20 PM GMT (fc385a0)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/842/4fd5dd5...emlun:fc385a0.html" title="Last updated on Jun 19, 2018, 5:20 PM GMT (fc385a0)">Diff</a>

See https://github.com/w3c/webauthn/pull/842

Received on Tuesday, 19 June 2018 17:42:33 UTC