undefined terms and terms we really ought to define

[equalsJeffH]

The below terms are formally undefined and we should consider defining them (and linking their occurrences to their dfn. Be sure to see also issue #358 -- there is overlap between this issue and that one.

Add to, or remove from, this list by updating this original post (OP):

• attesting authority (aka authenticator vendor (which could be a (client) platform vendor))

• attestation trust model (presently we discuss "trust model" in terms of attestation types, but do not define the latter term)

• AAGUID

• assertion

• authenticator-related terms:

          authenticator characteristics     // are discussed in #sctn-authenticator-taxonomy
          authenticator session
   cloned authenticator
          authenticator protection measures

• external authenticator (to be defined in conjunction with roaming authnr)

• CREDENTIAL:

(a credential)   bound to a authenticator
(a credential is)   bound to   an/this authenticator
                    managed by    "         "
                    controlled by    "         "
                    present on    "         "
                    stored on     "         "
                    owning             authenticator

                     credential ID
                     credential object 
Client-side-resident Public Key Credential Source  //  is presently defined 
                                                   // synonymously with 
                                                   // 'resident credential'
server-side resident credential       // presently undefined 

Note: residentKey is currently used in WebIDL (so we're likely stuck with it) and as a variable name in algorithms. It is synonymous with Client-side-resident Public Key Credential Source / resident credential.

• credential metadata -- everything in the Public Key Credential Source other than the credential private key.

CLIENT:

client-side   // see also issue #80

• cross-platform transport protocols

• extension data

• first-factor

  • as in "first-factor authenticator" aka one that is actually multi-factor because it is user verification-capable (1st factor, something you are), and wields the private key (2nd factor, a secret you possess).
  • also may want to clarify/define/use terms such as "multi-factor authn", "first multi-factor", etc.

• identifier of the credential

supported by this implementation

• LDH Labels (perhaps just make that single-occurrance term a link to https://tools.ietf.org/html/rfc5890#section-2.3.1)

• local configuration knowledge

PLATFORM:

       Android "N" or later platform
                    Android platforms

currently available on this platform
   supported by this client   "
          user agent and/or   "
          as defined by the   "
          overridden by the   "

               the client's   "
                 the client   "
                 the client   "       components

                     user's platform device

                        the platform  makes
                        The   "       is requested

                     Client platforms

                            platform-provided

• scope, as in:

  • - Public key credential's scope
  • - strong, attested, scoped, public key-based credentials

• SCRIPT:
  see also issue adopt consistent terms for RP server-side and client-side components #80

              script
Relying Party script

• signature

• define as "digital signature" ?

• signature counter

• supported extensions

• trust path

• user/account

  • user
  • user account
  • user's account
  • user's account identifier
  • user account entity
  • user account's PublicKeyCredentialUserEntity.
  • user identifier
  • username

OS level user ID

- [x] user handle

- [ ] webauthn

- [ ] webauthn operations

- [x] Web Authentication
- [ ] Web Authentication protocol

[equalsJeffH]

added to OP yesterday:

AAGUID

authenticator session

extension data

identifier of the credential

supported extensions

user account

webauthn

webauthn operations

[equalsJeffH]

see also #79 #80 #358

[equalsJeffH]

added to the list in the OP:

attestation statement

[equalsJeffH]

removed from list in the OP:

attestation statement -- we do have a dfn (d'oh!): https://w3c.github.io/webauthn/#attestation-statement

[equalsJeffH]

added to list in the OP:

(a credential)   bound to   an/this authenticator
                 managed by
                 stored on      

local configuration knowledge

[equalsJeffH]

added to list in the OP:

platform-specific API
                  default
                  handle
                  procedure
                  transports

[equalsJeffH]

added to list in the OP:

cross-platform transport protocols

                            platform
       Android "N" or later platform
                    Android platforms

                        the platform
             the underlying platform
              underlying OS platform

currently available on this platform
   supported by this client   "
          user agent and/or   "
          as defined by the   "
          overridden by the   "

               the client's   "
                 the client   "
                 the client   "       components

                     user's platform device

                        the platform  makes
                        The   "       is requested

                     Client platforms

                            platform-provided

[equalsJeffH]

added to list in the OP:

signature

[equalsJeffH]

added to list in the OP:

external authenticator (to be defined in conjunction with roaming authnr)

[AngeloKai]

As discussed on the call, the issue wouldn't change API names. Taking out the renaming flag.

[equalsJeffH]

added "first factor" to OP

[equalsJeffH]

added to list in the OP:

assertion

cloned authenticator

authenticator protection measures

trust path

[equalsJeffH]

added to list in the OP:

user's account
user's account identifier
user account entity
user account's PublicKeyCredentialUserEntity.

user handle

[equalsJeffH]

added to list in the OP:

owning authenticator

[equalsJeffH]

added to list in the OP:

blinding

[equalsJeffH]

added to list in the OP:

client-side

see also issue #833

[equalsJeffH]

added to list in the OP:

client            // note "webauthn client" is presently defined
                  // but "webauthn client device" or "webauthn client platform" are not,
                  // and are not presently used, but perhaps should be.

client device     // used a few time
client platform   // used much; see also entries for variations of "platform" below

WebAuthn client

[equalsJeffH]

added to list in the OP:

LDH Labels (perhaps just make that single-occurrance term a link to https://tools.ietf.org/html/rfc5890#section-2.3.1)

[equalsJeffH]

added to list in the OP:

              script
Relying Party script

[equalsJeffH]

added to OP:
authenticator characteristics

[emlun]

Ticked items:

• external authenticator (to be defined in conjunction with roaming authnr)
• first factor - as in "first-factor authenticator" aka one that is actually multi-factor because it is user verification-capable (1st factor, something you are), and wields the private key (2nd factor, a secret you possess).
• scope, as in:
  • Public key credential's scope
  • strong, attested, scoped, public key-based credentials

[equalsJeffH]

added to OP:
attestation trust model (presently we discuss "trust model" in terms of attestation types, but do not define the latter term)

[equalsJeffH]

Added to OP:

      U2F authenticator
CTAP1/U2F authenticator

[emlun]

Added to OP:

• user

See #1162

[equalsJeffH]

updated the section on "Credential" to be:

• CREDENTIAL:

(a credential)   bound to a authenticator
(a credential is)   bound to   an/this authenticator
                    managed by    "         "
                    controlled by    "         "
                    present on    "         "
                    stored on     "         "
                    owning             authenticator

                     credential ID
                     credential object 
Client-side-resident Public Key Credential Source  //  is presently defined 
                                                   // synonymously with 
                                                   // 'resident credential'
server-side resident credential       // presently undefined 

Note: residentKey is currently used in WebIDL (so we're likely stuck with it) and as a variable name in algorithms. It is synonymous with Client-side-resident Public Key Credential Source / resident credential.

[equalsJeffH]

added to OP:

• credential metadata -- everything in the Public Key Credential Source other than the credential private key.

[equalsJeffH]

Punting this onward to L2-WD-02....

[emlun]

Checked off:

• identifier of the credential
• assertion

[emlun]

Removed "blinding" from OP as the search term "blind" now produces 0 hits in the editor's draft.