Re: [webauthn] Eliminate duplicate terminology (#1648)

Jeff (@equalsJeffH),

If we are worried about shooting ourselves in the foot with definitions, I don't think we need worry. I can't imagine doing any worse damage than this referenced text in the specification:

> The term **public key credential** refers to one of: a **public key credential source**, the **possibly-attested credential public key** corresponding to a public key credential source, or an **authentication assertion**. Which one is generally determined by context.

With all due respect to the people behind this specification, this is what happens when we throw out established conventions/terms and invent new ones simply because it is a new specification, created by new people for a new environment.

As someone who was first introduced to public-key cryptography in 1992 (PGP), and built at least a dozen PKIs for some of the world's largest companies (including central banks) since then, I am appalled that future generations of technologists are going to have to live with these terms instead of what they are:

**Public Key Credential**: Traditionally known as **Public Key**
**Public Key Credential Source**: Traditionally known as **Keystore**
**Attested Public Key**: Traditionally known as **Digital Certificate** (within a PKI)
**Authenticator Assertion**: Traditionally known as **Digital Signature**

Do **all** the objects referenced by their conventional names contain a Public Key? You bet! But, no one in their right mind would call them all "Public Key" regardless of the context. How on earth did this specification end up naming 4 different objects with the same name just because of the context?

I realize the FIDO ecosystem is not PKI - and I'm not trying to make it look like one. But, with the exception of the use of "Digital Certificate" (I might have named an attested public key as "FIDO Key") what was wrong in calling the other objects by what they are traditionally known?

GitHub Notification of comment by arshadnoor

Received on Wednesday, 14 July 2021 20:54:16 UTC