leverage "credential source" term from credential management spec #430

Closed
equalsJeffH opened this issue Apr 27, 2017 · 4 comments

Comments

@equalsJeffH
Contributor

when we say something like:

If there is any credential |X| present on this |authenticator| that:

"credential" here is actually what is presently termed a "credential source" in the credential management spec.

presently, this is a wide-ranging conflation in the webauthn spec and should be addressed. This may involve aligning the webauthn and credman specs' notions of "credential".

h/t @jyasskin

@jyasskin
Member

To be clear, the "credential source" term in Credential Management is new and could change if y'all have a better suggestion. The important bit is to distinguish the credential, which is actually presented to the RP, from the thing that can generate credentials, which is locked inside a secure element.

There may be a third concept—the identifier, handle, or descriptor for a credential source—but that's not formally described yet.

@equalsJeffH
Contributor Author

@jyasskin wrote:

The important bit is to distinguish the credential, which is actually presented to the RP, from the thing that can generate credentials, which is locked inside a secure element.

Agreed. Note that scoped credential's definition aligns with that, although the term used in RFC4949 for what credman is (presently) terming "credential source" is "authentication information" (see the "tutorial" portion of the latter reference).

"credential source" is offhand fine by me, but perhaps credman could reference RFC4949's definition and term as a footnote/sidebar/whatever.

though, a credential source (aka authn info) may or may not be "locked inside a secure element". whether it is or not is yet another facet of all of this...

@AngeloKai
Contributor

Given that there's no API renaming proposal in this issue, I am taking out the renaming label.

@nadalin modified the milestones: CR, PR Sep 14, 2017
@equalsJeffH
Contributor Author

@jyasskin fixed this with PR #620 which is merged. closing.
