Re: Status report re: WebAuth extension interop reporting from Samuel Weiler on 2018-11-28 (public-webauthn@w3.org from November 2018)

From: Samuel Weiler <weiler@w3.org>
Date: Wed, 28 Nov 2018 16:31:18 -0500
To: Yuriy Ackermann <ackermann.yuriy@gmail.com>
Cc: public-webauthn@w3.org
Message-ID: <22ac5e04-60ac-1a3f-93ac-630af73a5711@w3.org>
Yuriy,

Thank you for getting up early this morning and calling me before the WG 
meeting.

As you might have seen in the minutes of the WG meeting, several WG 
participants advocated for publishing the WebAuthn spec with most (all 
but appid) extensions marked as non-normative.  The chairs didn't call 
consensus during that WG call, and there is a chance the WG won't reach 
consensus on that path, so I'm not going to tell you to stop working on 
the mapping, as we discussed, but I will warn you that it might (soon) 
not be blocking publication.

-- Sam


On 11/27/18 5:05 PM, Samuel Weiler wrote:
> On 11/27/18 4:59 PM, Brett McDowell wrote:
>> At the risk of transparency, and based on my assessment that we are 
>> talking past each other and duplicating effort, may I suggest Sam jump 
>> on a call with Yuriy, open up some form of screen sharing, and get to 
>> the bottom of what needs answering once and for all?  Heck, it could 
>> be a bridge we advertise so others could join as well (for 
>> transparency). But the emails are just keeping us in a loop of "I 
>> answered your question, I don't think you answered my question..."
> 
> That might well be useful - thank you for suggesting it.  I'll email Yuriy.
> 
>>
>> Brett McDowell | Sent from mobile
>>
>> On Wed, Nov 28, 2018, 5:25 AM Samuel Weiler <weiler@w3.org 
>> <mailto:weiler@w3.org> wrote:
>>
>>     Thank you, Yuriy.
>>
>>     I'm not trivially seeing in these documents the answers to the 
>> specific
>>     questions I asked on 7 November.
>>
>>     I think it would be helpful to go through the specific questions I
>>     asked
>>     on 7 November, address them directly, and (ideally) point us at the
>>     portions of documents (similar to these test plans) that support 
>> those
>>     answers.
>>
>>     I also see that this v1.1 test plan is dated 8 November 2018.  I 
>> would
>>     expect to see artifacts from when the relevant interop testing
>>     happened,
>>     acknowledging that might not match what is happening now.
>>
>>     -- Sam
>>
>>     On 11/20/18 5:39 PM, Ackermann Yuriy wrote:
>>      > Current certification process made of three stages:
>>      >
>>      > - Conformance testing, done through our automated conformance 
>> tests
>>      > tools. Conformance tools ensure that:
>>      >   * Server returns valid requests and accepts valid
>>     responses(Positive
>>      > tests)
>>      >   * Server throws error when bad response is received(Negative 
>> tests)
>>      >   * Authenticator successfully process valid requests, and it
>>     responses
>>      > are compliant to the specs(Positive tests)
>>      >   * Authenticator returns an error if bad request was
>>     sent(Negative tests)
>>      >
>>      > - Interoperability event, short Interop, is an event where
>>     server, and
>>      > authenticator vendors meet and test their implementations against
>>     each
>>      > other. Every authenticator is tested against every server. If 
>> issue
>>      > found, investigation is done by the authenticator and server 
>> vendor
>>      > under supervision of the FIDO engineer. If changes are made to
>>     any code,
>>      > server or/and authenticator vendor will re-run conformance tools,
>>     and
>>      > repeat their testing.
>>      >
>>      > - Security questionary: authenticator vendor will sit with FIDO
>>     security
>>      > secretariat representative and will assert their claims to their
>>      > security level.
>>      >
>>      > The conformance testing is governed by the testplan, that is
>>     approved by
>>      > the TWG. Here is UAF1.1 test plan and FIDO2 testplan for the
>>     extension
>>      > testing(sorry my bikeshed is broken and I am in the middle of 
>> flying)
>>      >
>>      > Please let me know if there is any other information you are 
>> required
>>      >
>>      > Yuriy Ackermann
>>      > FIDO, Identity, Standards
>>      > skype: ackermann.yuriy
>>      > github: @herrjemand <https://github.com/herrjemand>
>>      > twitter: @herrjemand <https://twitter.com/herrjemand>
>>      > medium: @herrjemand <https://medium.com/@herrjemand>
>>      >
>>      >
>>      > ср, 21 нояб. 2018 г. в 08:56, Brett McDowell
>>     <brett@fidoalliance.org <mailto:brett@fidoalliance.org>
>>      > <mailto:brett@fidoalliance.org <mailto:brett@fidoalliance.org>>>:
>>      >
>>      >     Thanks Sam.  Jumping to the question you didn't think we
>>     answered yet...
>>      >
>>      >     On Tue, Nov 20, 2018 at 2:37 PM Samuel Weiler <weiler@w3.org
>>     <mailto:weiler@w3.org>
>>      >     <mailto:weiler@w3.org <mailto:weiler@w3.org>>> wrote:
>>      >
>>      >         Rather than try to reformat the data FIDO has, I
>>     encourage you
>>      >         to focus
>>      >         first on the specific question I asked on November 
>> 7th.  That
>>      >         question,
>>      >         which I managed to phrase as a yes/no, boils down to
>>     "would you
>>      >         please
>>      >         clarify the minimum requirements for certification, so 
>> we can
>>      >         see if
>>      >         certification necessarily would prove extension interop?".
>>      >
>>      >
>>      >     In a word -- YES -- and I thought Yuriy had actually answered
>>     that
>>      >     in detail by passing along the certification criteria and
>>     test plan.
>>      >
>>      >     Yuriy,
>>      >     Since you are already on the list can you package up all the
>>     details
>>      >     you previously sent to W3C separately and include them all
>>     here in
>>      >     one reply to the public list?
>>      >
>>
>
Received on Wednesday, 28 November 2018 21:31:20 UTC