webauthn
webauthn copied to clipboard
w3c
undefined terms and terms we really ought to define
The below terms are formally undefined and we should consider defining them (and linking their occurrences to their dfn. Be sure to see also issue #358 -- there is overlap between this issue and that one.
Add to, or remove from, this list by updating this original post (OP):
-
[ ] attesting authority (aka authenticator vendor (which could be a (client) platform vendor))
-
[ ] attestation trust model (presently we discuss "trust model" in terms of attestation types, but do not define the latter term)
-
[ ] AAGUID
-
[x] assertion
-
[ ] authenticator-related terms:
authenticator characteristics // are discussed in #sctn-authenticator-taxonomy
authenticator session
cloned authenticator
authenticator protection measures
-
[x] external authenticator (to be defined in conjunction with roaming authnr)
-
[ ] CREDENTIAL:
(a credential) bound to a authenticator
(a credential is) bound to an/this authenticator
managed by " "
controlled by " "
present on " "
stored on " "
owning authenticator
credential ID
credential object
Client-side-resident Public Key Credential Source // is presently defined
// synonymously with
// 'resident credential'
server-side resident credential // presently undefined
Note: residentKey is currently used in WebIDL (so we're likely stuck with it) and as a variable name in algorithms. It is synonymous with Client-side-resident Public Key Credential Source / resident credential.
- [ ] credential metadata -- everything in the Public Key Credential Source other than the credential private key.
CLIENT:
client-side // see also issue #80
-
[ ] cross-platform transport protocols
-
[ ] extension data
-
[ ] first-factor
- [x] as in "first-factor authenticator" aka one that is actually multi-factor because it is user verification-capable (1st factor, something you are), and wields the private key (2nd factor, a secret you possess).
- [ ] also may want to clarify/define/use terms such as "multi-factor authn", "first multi-factor", etc.
-
[x] identifier of the credential
supported by this implementation
-
[ ] LDH Labels (perhaps just make that single-occurrance term a link to https://tools.ietf.org/html/rfc5890#section-2.3.1)
-
[ ] local configuration knowledge
PLATFORM:
Android "N" or later platform
Android platforms
currently available on this platform
supported by this client "
user agent and/or "
as defined by the "
overridden by the "
the client's "
the client "
the client " components
user's platform device
the platform makes
The " is requested
Client platforms
platform-provided
-
[x] scope, as in:
- [x] - Public key credential's scope
- [x] - strong, attested, scoped, public key-based credentials
-
[ ] SCRIPT: see also issue #80
script
Relying Party script
-
[ ] signature
-
define as "digital signature" ?
-
[ ] signature counter
-
[ ] supported extensions
-
[ ] trust path
-
[ ] user/account
- [ ] user
- [ ] user account
- [ ] user's account
- [ ] user's account identifier
- [ ] user account entity
- [ ] user account's PublicKeyCredentialUserEntity.
- [ ] user identifier
- [ ] username
OS level user ID
- [x] user handle
- [ ] webauthn
- [ ] webauthn operations
- [x] Web Authentication
- [ ] Web Authentication protocol
added to OP yesterday:
AAGUID
authenticator session
extension data
identifier of the credential
supported extensions
user account
webauthn
webauthn operations
removed from list in the OP:
attestation statement -- we do have a dfn (d'oh!): https://w3c.github.io/webauthn/#attestation-statement
added to list in the OP:
(a credential) bound to an/this authenticator
managed by
stored on
local configuration knowledge
added to list in the OP:
platform-specific API
default
handle
procedure
transports
added to list in the OP:
cross-platform transport protocols
platform
Android "N" or later platform
Android platforms
the platform
the underlying platform
underlying OS platform
currently available on this platform
supported by this client "
user agent and/or "
as defined by the "
overridden by the "
the client's "
the client "
the client " components
user's platform device
the platform makes
The " is requested
Client platforms
platform-provided
added to list in the OP:
external authenticator (to be defined in conjunction with roaming authnr)
As discussed on the call, the issue wouldn't change API names. Taking out the renaming flag.
added to list in the OP:
assertion
cloned authenticator
authenticator protection measures
trust path
added to list in the OP:
user's account user's account identifier user account entity user account's PublicKeyCredentialUserEntity.
user handle
added to list in the OP:
client // note "webauthn client" is presently defined
// but "webauthn client device" or "webauthn client platform" are not,
// and are not presently used, but perhaps should be.
client device // used a few time
client platform // used much; see also entries for variations of "platform" below
WebAuthn client
added to list in the OP:
LDH Labels (perhaps just make that single-occurrance term a link to https://tools.ietf.org/html/rfc5890#section-2.3.1)
added to list in the OP:
client-side resident credential // presently undefined but should be as a short form for
// client-side resident credential private key, which is
// presently defined
resident credential // presently undefined, just a thought, tho dunno if we
// ought to promote its use
updated in the OP:
first-factor
- as in "first-factor authenticator" aka one that is actually multi-factor because it is user verification-capable (1st factor, something you are), and wields the private key (2nd factor, a secret you possess).
- also may want to clarify/define/use terms such as "multi-factor authn", "first multi-factor", etc.
added to list in the OP:
Device
- computing device
- user's computing device
- see also 'client device'
added to list in the OP:
scope, as in:
- Public key credential's scope
- strong, attested, scoped, public key-based credentials
Removed from OP:
- client
- client device
- client platform
Device
- computing device
- user's computing device
- see also 'client device'
platform-specific // i.e., the term itself
platform-specific API
default
handle
procedure
transports
platform
the platform
the underlying platform
underlying OS platform
Ticked items:
- external authenticator (to be defined in conjunction with roaming authnr)
- first factor - as in "first-factor authenticator" aka one that is actually multi-factor because it is user verification-capable (1st factor, something you are), and wields the private key (2nd factor, a secret you possess).
- scope, as in:
- Public key credential's scope
- strong, attested, scoped, public key-based credentials
added to OP: attestation trust model (presently we discuss "trust model" in terms of attestation types, but do not define the latter term)
updated the section on "Credential" to be:
- [ ] CREDENTIAL:
(a credential) bound to a authenticator
(a credential is) bound to an/this authenticator
managed by " "
controlled by " "
present on " "
stored on " "
owning authenticator
credential ID
credential object
Client-side-resident Public Key Credential Source // is presently defined
// synonymously with
// 'resident credential'
server-side resident credential // presently undefined
Note: residentKey is currently used in WebIDL (so we're likely stuck with it) and as a variable name in algorithms. It is synonymous with Client-side-resident Public Key Credential Source / resident credential.