W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2018

Re: Status report re: WebAuth extension interop reporting

From: Samuel Weiler <weiler@w3.org>
Date: Tue, 27 Nov 2018 16:25:37 -0500
To: Ackermann Yuriy <ackermann.yuriy@gmail.com>
Cc: Brett McDowell <brett@fidoalliance.org>, public-webauthn@w3.org, swick@w3.org, "Hayward, Rae" <rae@fidoalliance.org>
Message-ID: <f21b64ac-0f3f-3a05-0eee-e3a039499f77@w3.org>
Thank you, Yuriy.

I'm not trivially seeing in these documents the answers to the specific 
questions I asked on 7 November.

I think it would be helpful to go through the specific questions I asked 
on 7 November, address them directly, and (ideally) point us at the 
portions of documents (similar to these test plans) that support those 
answers.

I also see that this v1.1 test plan is dated 8 November 2018.  I would 
expect to see artifacts from when the relevant interop testing happened, 
acknowledging that might not match what is happening now.

-- Sam

On 11/20/18 5:39 PM, Ackermann Yuriy wrote:
> Current certification process made of three stages:
> 
> - Conformance testing, done through our automated conformance tests 
> tools. Conformance tools ensure that:
>   * Server returns valid requests and accepts valid responses(Positive 
> tests)
>   * Server throws error when bad response is received(Negative tests)
>   * Authenticator successfully process valid requests, and it responses 
> are compliant to the specs(Positive tests)
>   * Authenticator returns an error if bad request was sent(Negative tests)
> 
> - Interoperability event, short Interop, is an event where server, and 
> authenticator vendors meet and test their implementations against each 
> other. Every authenticator is tested against every server. If issue 
> found, investigation is done by the authenticator and server vendor 
> under supervision of the FIDO engineer. If changes are made to any code, 
> server or/and authenticator vendor will re-run conformance tools, and 
> repeat their testing.
> 
> - Security questionary: authenticator vendor will sit with FIDO security 
> secretariat representative and will assert their claims to their 
> security level.
> 
> The conformance testing is governed by the testplan, that is approved by 
> the TWG. Here is UAF1.1 test plan and FIDO2 testplan for the extension 
> testing(sorry my bikeshed is broken and I am in the middle of flying)
> 
> Please let me know if there is any other information you are required
> 
> Yuriy Ackermann
> FIDO, Identity, Standards
> skype: ackermann.yuriy
> github: @herrjemand <https://github.com/herrjemand>
> twitter: @herrjemand <https://twitter.com/herrjemand>
> medium: @herrjemand <https://medium.com/@herrjemand>
> 
> 
> ср, 21 нояб. 2018 г. в 08:56, Brett McDowell <brett@fidoalliance.org 
> <mailto:brett@fidoalliance.org>>:
> 
>     Thanks Sam.  Jumping to the question you didn't think we answered yet...
> 
>     On Tue, Nov 20, 2018 at 2:37 PM Samuel Weiler <weiler@w3.org
>     <mailto:weiler@w3.org>> wrote:
> 
>         Rather than try to reformat the data FIDO has, I encourage you
>         to focus
>         first on the specific question I asked on November 7th.  That
>         question,
>         which I managed to phrase as a yes/no, boils down to "would you
>         please
>         clarify the minimum requirements for certification, so we can
>         see if
>         certification necessarily would prove extension interop?".
> 
> 
>     In a word -- YES -- and I thought Yuriy had actually answered that
>     in detail by passing along the certification criteria and test plan.
> 
>     Yuriy,
>     Since you are already on the list can you package up all the details
>     you previously sent to W3C separately and include them all here in
>     one reply to the public list?
> 
Received on Tuesday, 27 November 2018 21:25:17 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:35 UTC