W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2021

Re: [webauthn] Requesting properties of created credentials. (#1449)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Fri, 02 Jul 2021 23:16:02 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-873299194-1625267760-sysbot+gh@w3.org>
Given that the WebAuthn specification has already become sufficiently complex to make it challenging to follow (even for people who've been part of the FIDO Alliance for years), may I suggest a simplification?

The [TLS Cipher Suite](https://wiki.mozilla.org/Security/Cipher_Suites) defines very precise requirements through mnemonics/hex-codes on precisely what cipher suite (aka security policy) is desired in a TLS connection. Would it not make sense to define a sequence for FIDO credential policy requirements, mnemonics for those policies with equivalent hex-codes and just pass those mnemonics/hex-codes in a **_credentialPolicy_** to the authenticator?

This would allow for a simpler WebAuthn specification for defining policy, and allow for a table to list all the policies that RPs may define, that implementions might support and labs might test for certification. If new policy attributes arise, then by simply adding new mnemonics to existing policies with new hex-codes would extend credential policies without creating new versions of WebAuthn to deal with every policy change that comes along.

It would greatly simplify FIDO authenticator and server implementations for policy management.

GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1449#issuecomment-873299194 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 2 July 2021 23:16:03 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:44 UTC