Re: [webauthn] Eliminate duplicate terminology (#1648)

Hi Emil (@emlun),

I understand why the specification has the terms it does. But, my point is: when the industry had 30+ years of history, terminology and literature that documented those concepts/processes extremely well, to have thrown it all out for this specification was not only a disservice to the people who labored to write papers, articles and books explaining these complex topics, but it also denies current and future generations of technical people a basis for recognizing that these are the same concepts. This was a missed opportunity to have made the specification simpler.

A _digital signature_ has no lifetime - other than what the RP chooses to assign to it. It can be temporal - as you define - or it can be long-lived. But, it does not change what it is.

The reason SAML uses the term "assertion" is because SAML is not an authentication protocol, but a federation one. It cannot claim to authenticate someone using the SAML protocol, but merely assert that the user is who it claims to have authenticated using some other authentication protocol. RPs have to trust the assertion; and if they do, they carry on as if they authenticated the user themselves. Consequently, SAML and all the other federation protocols are third-parties to the authentication process.

FIDO, on the other hand, authenticates the user _directly_. With a digital signature! When the FIDO server responds to the web-application with a "Yea" or a "Nay", it is not _asserting_ as a third-party that it authenticated the user - but is absolute in claiming (as a first party) that it authenticated the user (or not).

In any case, I've probably said too much about this, because it's unlikely the specification is going to change very much. Thanks for your effort to try to reduce the overloading and confusion.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1648#issuecomment-882917560 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 19 July 2021 23:05:20 UTC