FIDO2

[abergs]

1.   General Information

Project Name: fido2-net-lib

License: MIT

Contributor (Company, Organization or individual name(s)): Anders Åberg, Alex Seigler

Existing OSS Project? (Yes/No): Yes

Source Code URL: https://github.com/abergs/fido2-net-lib

Project Transfer Signatories:

• Anders Åberg (anders@andersaberg.com)
• Alex Seigler (alexseigler@hotmail.com)

2.   Description

Please provide a brief statement about your project in terms that are understandable to the target consumer of the library or project, i.e. an elevator pitch for the project:

Enable passwordless sign in for all .net apps (asp, core, native). To provide a developer friendly and well tested .NET FIDO2 Server / WebAuthn relying party library for the easy validation of registration (attestation) and authentication (assertion) of FIDO2 / WebAuthn credentials, in order to increase the adoption of the technology, ultimately defeating phishing attacks.

Please provide a 1 sentence (<140 character) summary of your project to help users when searching the .NET Foundation projects

.net library for passwordless sign in powered by fido2 and webauthn

3.   Project Governance

Please complete this section about who will be maintaining the open source project and how it will run. Project Lead:

Name: Anders Åberg Email: anders@andersaberg.com GitHub Profile URL: https://github.com/abergs

Committers:

• Anders Åberg https://github.com/abergs
• Alex Seigler https://github.com/aseigler

Governance Model:

Please describe how new code changes are proposed to the project, how those changes are reviewed and how a decision is made to accept proposed changes. Also describe the process for identifying and appointing new committers.

Contributions are done via Pull Requests. They are only merged after CI/CD pipelines with unit tests and coverage are verified. Review is done by one of the Committers. All changes are categorized and automatically made part of release notes. We welcome PRs from anyone. Appointing new commiters (with write permission) to the repo requires OK from majority of existing committers.

CLA

Currently no CLA is enforced.

CLA Notification Alias cla@passwordless.dev

Assignment Model. Under the .NET Foundation assignment model, project ownership and other intellectual property is assigned to the .NET Foundation and the .NET Foundation agrees to grantback a license to the contributor(s).

Contribution Model. Under the .NET Foundation contribution model, a project retains ownership of the project, but grants the .NET Foundation a broad license to the project’s code and other intellectual property. The project also confirms that the project’s submissions to .NET Foundation are its own original work (there are also instructions for any third party materials that might be included).

4.   Repository Layout

The .NET Foundation host guidance for new projects and details on recommended structure here: https://github.com/dotnet/home/tree/master/guidance

Note that the open source repository should be the master where changes are made by the core development team using the same PR process that is used for non-committer contributions.

Please define below any changes you would want to make to your repositories as part of the process of joining the .NET Foundation

Moving it to passwordless GH organization Assigning copyright to .net foundation in license file. Evaluate if notice.md is required for dependencies. Enable code-signing with cert

5. Eligibility Criteria

Please complete the following for your project

• The project is built on the .NET platform and/or creates value within the .NET ecosystem.
• [x] Yes
• [ ] No
• The project produces source code for distribution to the public at no charge.
• [x] Yes
• [ ] No
• The project's code is easily discoverable and publicly accessible (preferably on GitHub).
• [x] Yes
• [ ] No
• The project contains a build script that can produce deployable artifacts that are identical to the official deployable artifacts, with the exception of code signing (Exception may be granted for strong name keys, though strongly encouraged to be committed. Exception relies on OSS signing being in the build script for public builds).
• [x] Yes
• [ ] No
• When applicable, project must use reproducible build settings in its toolchain.
• [x] Yes
• [ ] No
• The project uses Source Link.
• [x] Yes
• [ ] No
• The project uses either embedded PDBs or publish symbol packages to NuGet (if applicable).
• [x] Yes
• [ ] No
• The project code signs their artifacts as appropriate.
• [ ] Yes
• [x] No
• The project organization has 2FA enabled. Requiring 2FA must be done as part of onboarding if not already enabled.
• [ ] Yes
• [x] No
• Libraries that are mandatory dependencies of the project are offered under a standard, permissive open source license which has been approved by the .NET Foundation (exceptions include a dependency that is required by the target platform where no alternative open source dependency is available such as the .NET Framework or a hardware specific library).
• [x] Yes
• [ ] No
• Committers are bound by a Contributor License Agreement (CLA) and/or are willing to embrace the .NET Foundation's CLA when the project becomes a Member.
• [x] Yes
• [ ] No
• The copyright ownership of everything that the project produces is clearly defined and documented.
• [x] Yes
• [ ] No
• The project has a public issue tracker where the status of any defect can be easily obtained.
• [x] Yes
• [ ] No
• The project has a published Security Policy.
• [ ] Yes
• [x] No
• The project has a home page which provides high level information about its status and purpose.
• [x] Yes
• [ ] No
• The project has a public communication channel where community members can engage with maintainers.
• [x] Yes
• [ ] No
• The project has a publicly available location where members can review and contribute to documentation.
• [x] Yes
• [ ] No

6.   PR Plan

The story is "Community driven effort to eliminate phising attacks against applications in the .net ecosystem, backed by .net foundation". The foundation helps establishing trust, which is an important factor.

7.   Infrastructure Requirements

CI/CD is already powered by Azure Pipelines. Webhosting is powered by Anders Åbreg. I believe we need a code signing cert to correctly sign nuget package.

8.   Additional Notes

We're excited to join the .net foundation in order for more members of the .net ecosystem to discover and be comfortable adopting this new and secure technology, ultimately defating phising attacks against consumers.

[ChrisSfanos]

Hello everyone - I'll be working on the steps to onboard the project - we will be following this checklist

CLA

• [x] Project Agreement Signing via DocuSign
• [x] CLA Onboarding via GitHub

Project Onboarding

• [x] Public Announcement via the .NET Foundation site/etc
• [x] Joining the Project leader mailing list
• [x] Joining the Project leader Slack channel
• [x] Updating license/copyright in the repo + updating file headers
• [x] Reviewing the .NET Foundation Code of Conduct
• [x] Add Project to the .NET Foundation project list
• [x] Project layout cleanup (as appropriate)
• [x] README Guidance updates
• [x] Project website updates (outside of GitHub)
• [x] Enable two-factor authentication (2FA) for GitHub

[ChrisSfanos]

Project Agreement is out for signing - thanks!

[ChrisSfanos]

Agreement is signed. CLA bot instructions are coming out next

[abergs]

@dnfadmin has been invited to the organization.

[ChrisSfanos]

CLA bot is now configured - post onboarding steps email coming out shortly

[ChrisSfanos]

All on-boarding work is complete, outside of me adding the newsletter announcement

[ChrisSfanos]

Added to the next newsletter - this is the final item, so closing out this onboarding work item!