Re: [webauthn] Eliminate duplicate terminology (#1648)

FWIW, we have to be really careful about nuances and not footgunning ourselves (any more than we have already).  We can't simply wave a magic wand and auto-edit all those distinct terms to be a more generic term (as seemingly suggested above), it'll break all kinds of things.

For example, a [public key credential]( and a [public key credential source]( are in general different things, but it is quite context-dependent, as we attempt to clarify in the first paragraph of public key credential's definition:
> The term **public key credential** refers to one of: a **public key credential source**, the **possibly-attested credential public key** corresponding to a public key credential source, or an **authentication assertion**. Which one is generally determined by context.

A huge part of the problem (from my perspective) is that we are lazy in our discussions and instead of using fully-qualified terms in discussion (whether verbal or written), folks either drop the qualifications or just invent yet more terms, and then others latch onto that utterance and repeat it, and then >poof< we have yet another term.  We've documented some of the more common duplicitous terms but nowhere near all.

The underlying problem is that even though at a high abstract level, as @arshadnoor points out in his, the abstract WebAuthn/FIDO model is fairly simple, _under the hood_ it is decidedly _not simple_, regardless of what various folks might think. And the webauthn spec largely concerns specifying the various "under the hood" details such that this simple abstract model can be concretely manifested within complex existing systems.  This necessarily involves tons of nuances and we have a multitude of audiences (see [1.1. Specification Roadmap](
- Relying Party web application developers
- Web framework developers
- User agent developers
- OS platform developers
- Authenticator developers

IMV, hopefully, the WebAuthn adoption effort can, e.g., craft overview docs for each of those audiences and cherry-pick the necessary terminology from the main webauthn terminology (without necessarily inventing new terms).  Not inventing terms is a tough call as we found out in writing [How to FIDO]( where we ended up inventing yet more terms, from the RP developer perspective. Though, those terms are over there in that separate how2fido doc where they belong.

GitHub Notification of comment by equalsJeffH

Received on Tuesday, 13 July 2021 22:17:39 UTC