Re: Status report re: WebAuth extension interop reporting

At the risk of transparency, and based on my assessment that we are talking
past each other and duplicating effort, may I suggest Sam jump on a call
with Yuriy, open up some form of screen sharing, and get to the bottom of
what needs answering once and for all?  Heck, it could be a bridge we
advertise so others could join as well (for transparency). But the emails
are just keeping us in a loop of "I answered your question, I don't think
you answered my question..."



Brett McDowell | Sent from mobile

On Wed, Nov 28, 2018, 5:25 AM Samuel Weiler <weiler@w3.org wrote:

> Thank you, Yuriy.
>
> I'm not trivially seeing in these documents the answers to the specific
> questions I asked on 7 November.
>
> I think it would be helpful to go through the specific questions I asked
> on 7 November, address them directly, and (ideally) point us at the
> portions of documents (similar to these test plans) that support those
> answers.
>
> I also see that this v1.1 test plan is dated 8 November 2018.  I would
> expect to see artifacts from when the relevant interop testing happened,
> acknowledging that might not match what is happening now.
>
> -- Sam
>
> On 11/20/18 5:39 PM, Ackermann Yuriy wrote:
> > Current certification process made of three stages:
> >
> > - Conformance testing, done through our automated conformance tests
> > tools. Conformance tools ensure that:
> >   * Server returns valid requests and accepts valid responses(Positive
> > tests)
> >   * Server throws error when bad response is received(Negative tests)
> >   * Authenticator successfully process valid requests, and it responses
> > are compliant to the specs(Positive tests)
> >   * Authenticator returns an error if bad request was sent(Negative
> tests)
> >
> > - Interoperability event, short Interop, is an event where server, and
> > authenticator vendors meet and test their implementations against each
> > other. Every authenticator is tested against every server. If issue
> > found, investigation is done by the authenticator and server vendor
> > under supervision of the FIDO engineer. If changes are made to any code,
> > server or/and authenticator vendor will re-run conformance tools, and
> > repeat their testing.
> >
> > - Security questionary: authenticator vendor will sit with FIDO security
> > secretariat representative and will assert their claims to their
> > security level.
> >
> > The conformance testing is governed by the testplan, that is approved by
> > the TWG. Here is UAF1.1 test plan and FIDO2 testplan for the extension
> > testing(sorry my bikeshed is broken and I am in the middle of flying)
> >
> > Please let me know if there is any other information you are required
> >
> > Yuriy Ackermann
> > FIDO, Identity, Standards
> > skype: ackermann.yuriy
> > github: @herrjemand <https://github.com/herrjemand>
> > twitter: @herrjemand <https://twitter.com/herrjemand>
> > medium: @herrjemand <https://medium.com/@herrjemand>
> >
> >
> > ср, 21 нояб. 2018 г. в 08:56, Brett McDowell <brett@fidoalliance.org
> > <mailto:brett@fidoalliance.org>>:
> >
> >     Thanks Sam.  Jumping to the question you didn't think we answered
> yet...
> >
> >     On Tue, Nov 20, 2018 at 2:37 PM Samuel Weiler <weiler@w3.org
> >     <mailto:weiler@w3.org>> wrote:
> >
> >         Rather than try to reformat the data FIDO has, I encourage you
> >         to focus
> >         first on the specific question I asked on November 7th.  That
> >         question,
> >         which I managed to phrase as a yes/no, boils down to "would you
> >         please
> >         clarify the minimum requirements for certification, so we can
> >         see if
> >         certification necessarily would prove extension interop?".
> >
> >
> >     In a word -- YES -- and I thought Yuriy had actually answered that
> >     in detail by passing along the certification criteria and test plan.
> >
> >     Yuriy,
> >     Since you are already on the list can you package up all the details
> >     you previously sent to W3C separately and include them all here in
> >     one reply to the public list?
> >
>