[webauthn] Pull Request: WIP: Authenticator taxonomy

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 15 Mar 2018 17:02:21 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.opened-175317240-1521133340-sysbot+gh@w3.org>

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== WIP: Authenticator taxonomy ==
_This is a work in progress._

This aims to resolve #422.

This is what I've come up with so far. It will likely need some rather major surgery before it's ready to be merged, so I'd be happy for both detail-level corrections and high-level restructuring suggestions. Other editors are welcome to push commits directly into this PR, too.

Some issues I've identified while writing this:

- I think we've implicitly assumed throughout the spec that authenticators will always require user verification to create and use client-side-resident credential private keys, but this doesn't seem to be documented in the spec. CTAP2 also doesn't seem to specify this behaviour. The "username-less use case" I've written in here is probably not very useful and would be merged into the "single-step use case" given the above requirement, but without that requirement it remains a possible scenario.
  - [ ] Resolution:
- Is there someplace we can refer to for "authentication factor" and the related terms (known/possessed/biometric factor) instead of defining them in the spec? The Internet Security Glossary (RFC 4949) doesn't seem to have them.
  - [ ] Resolution:
- This text might not belong in the Authenticator Model section.
  - [ ] Resolution:

See https://github.com/w3c/webauthn/pull/842
Received on Thursday, 15 March 2018 17:02:26 UTC