Attestation format identifiers lack formal definition and matching rules #127
Comments
Saying the identifiers are allocated implies, to me, a registry. Current language is that identifiers should aim to be globally unique. It seems to me we could give your formal definition and matching rules, drop the note about allocation, and instead have something like:
Agree, with the modification that perhaps we should move away from recommending dot notation for things that are not hierarchies.
Fair; I was working from e22cd4a prior to seeing your suggestion of camelCasing. I'll propose an alternate shortly.
How about: (Modifying the first paragraph of Extension identifiers)
Noticed you omitted JeffH's suggested text that said people SHOULD register extensions in [I-D.hodges-webauthn-registries]. Was that accidental or intentional? Jeff's suggested text is in https://lists.w3.org/Archives/Public/public-webauthn/2016Jul/0070.html
Accidental! Accidental! I seem to have missed that message. I like @equalsJeffH's suggested text. 👍
- Standardize the authenticator data so all formats have equal support for AAGUID, extensions, etc. This also removes a lot of duplication across structures.
- Add structure to the definition of attestation formats. Fixes #126. Fixes #127.
- Simplify the naming of the attestation types to make it easier to understand
- Clean up mentions of GUID. Fixes #148, fixes #149, fixes #150.
- Clarifies how to use self attestation. Fixes #115.
- More detailed pointers on how to generate a TPM attestation.
- Simplify Android attestation to remove fields that were not really attested by authenticator and were therefore creating a false sense of assurance.
updating terminology from "attestation type" to "attestation format"
see also #155, adding this issue to MS WD-02.
@vijaybh wrote:
the suggested text and rationale from the email msg cited above is below (with updated terminology and pointer to current registries I-D)... On 7/11/16, 2:59 PM, "J.C.Jones via GitHub" sysbot+gh@w3.org wrote:
apologies, I didn't fully explain my rationale in this issue. yes, I think we do wish to have an IANA registry for attestation types,
..because it will be a useful tool for the ecosystem, e.g., by gathering That said, we should also provide guidance for those who do not wish to so I propose we make use of the registry a SHOULD, and un-registered thus:
* Replace facet with origin
  Facet was a holdover from the old FIDO specs and origin is the term used everywhere in this spec (as well as in recent FIDO specs)
* Clean up explanation of computing clientDataHash and passing to authenticator
  Fixes #153
* Remove text from authnsel extension to avoid chicken-and-egg problem
  Fixes #152
* Clean up attestation
  - Standardize the authenticator data so all formats have equal support for AAGUID, extensions, etc. This also removes a lot of duplication across structures.
  - Add structure to the definition of attestation formats. Fixes #126. Fixes #127.
  - Simplify the naming of the attestation types to make it easier to understand
  - Clean up mentions of GUID. Fixes #148, fixes #149, fixes #150.
  - Clarifies how to use self attestation. Fixes #115.
  - More detailed pointers on how to generate a TPM attestation.
  - Simplify Android attestation to remove fields that were not really attested by authenticator and were therefore creating a false sense of assurance.
* Fix typo (thanks Travis!)
* Incorporated feedback from @rlin1
  Also cleaned up wording and naming for consistency. Added Android N attestation format. Fixes #103. Changed name for SafetyNet attestation format. Fixes #128.
* Clarify that attestation is not optional
  Fixes #86
  Also clarify that at least self attestation must be used. Fixes #115
Attestation format identifiers lack formal definition and matching rules.
suggested approach to add to spec: