
Re: [webauthn] Eliminate duplicate terminology (#1648)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 16 Jul 2021 12:58:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-881428142-1626440294-sysbot+gh@w3.org>
I wasn't around when these terms were chosen, but anyway: Some context here is that WebAuthn is, formally speaking, an extension to the [Credential Management](https://w3c.github.io/webappsec-credential-management/) spec. That's where the first two terms come from:

> From a developer’s perspective, a **credential** is an object which allows a developer to make an authentication decision for a particular action. [...]
> Single-use credentials are generated by a **credential source**, which could be a private key, [...], or something else. [...] To unify the model, we consider a password to be a credential source on its own, which is simply copied to create password credentials.

**Public key credential** and **public key credential source** are simply a specialization of those abstract parent terms. The term gets overloaded because of the many spec audiences. From an RP point of view, the "credential" is the thing that proves the user's identity: the authentication assertion, in combination with its registered public key. But from a user point of view, the "credential" is the thing you use to authenticate: the private key in the authenticator, which CredMan calls a "credential source".

"Attested public key" does not appear as a term in the spec; the original of your quote references two separate terms "attested (attestation)" and "credential public key". There is the term **attested credential data**, which is the name of a specific new data structure.

As for "authentication assertion", I don't really know, but if I may speculate... To me, the term "digital signature" carries the sense of applying a "seal of approval" to an independently useful payload, and that the signature will be useful for a long time after it was created. By contrast, an **authentication assertion** as defined here is a response to a real-time authentication challenge and is typically only useful for the duration of the authentication ceremony. The term also appears in the context of Security Assertion Markup Language (SAML), but I don't know if that's related.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1648#issuecomment-881428142 using your GitHub account
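As an added example (not code from this thread or from the WebAuthn spec), here is a minimal Go model of the three terms discussed above: the credential source (the private key on the user side), the registered credential public key (the RP side), and the authentication assertion, which only verifies against the challenge of the ceremony it was produced for. The type names, the rpID/origin values and the reduced authenticatorData/clientDataJSON layouts are assumptions of this example; only the fields needed for the RP checks are modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

type (
	CredentialSource     struct{ priv *ecdsa.PrivateKey } // user-side "credential": the key never leaves the authenticator
	RegisteredCredential struct{ pub *ecdsa.PublicKey }   // RP-side view: only the credential public key is stored
	Assertion            struct{ AuthData, ClientDataJSON, Signature []byte }
)
func h(b []byte) []byte { s := sha256.Sum256(b); return s[:] } // SHA-256 as a slice

// NewCredential models registration: a key pair is created and the RP receives only the public half.
func NewCredential() (*CredentialSource, *RegisteredCredential) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CredentialSource{priv}, &RegisteredCredential{&priv.PublicKey}
}

// GetAssertion signs authenticatorData || SHA-256(clientDataJSON) over a minimal authenticatorData
// (rpIdHash || flags || signCount). Client and authenticator roles are merged here for brevity.
func (cs *CredentialSource) GetAssertion(rpID, origin string, challenge []byte) Assertion {
	authData := append(h([]byte(rpID)), 0x01, 0, 0, 0, 1) // flags = UP (user present); signCount = 1
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	sig, err := ecdsa.SignASN1(rand.Reader, cs.priv, h(append(append([]byte{}, authData...), h(cd)...)))
	if err != nil {
		panic(err)
	}
	return Assertion{authData, cd, sig}
}

// Verify runs the RP-side checks that tie an assertion to this ceremony: the challenge and origin
// inside clientDataJSON, the rpIdHash in authenticatorData, and finally the signature itself.
func (rc *RegisteredCredential) Verify(a Assertion, rpID, origin string, challenge []byte) bool {
	var cd struct{ Type, Origin, Challenge string }
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin ||
		cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) ||
		len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(h([]byte(rpID))) {
		return false // not this ceremony's challenge or origin, or not this RP
	}
	return ecdsa.VerifyASN1(rc.pub, h(append(append([]byte{}, a.AuthData...), h(a.ClientDataJSON)...)), a.Signature)
}
```

The same assertion replayed against a freshly issued challenge, or presented to a different RP or origin, fails Verify, which is the concrete sense in which an assertion is only useful for the duration of one ceremony.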


Received on Friday, 16 July 2021 12:58:17 UTC
