16:45:49 RRSAgent has joined #webauthn 16:45:49 logging to http://www.w3.org/2016/03/04-webauthn-irc 16:45:55 trackbot has joined #webauthn 16:45:57 mirko has joined #webauthn 16:45:59 trackbot, prepare meeting 16:45:59 Sorry, but no Tracker is associated with this channel. 16:46:08 gmandyam has joined #webauthn 16:47:08 keiji has joined #webauthn 16:48:05 Meeting: Web Authentication WG 16:48:14 Date: March 4, 2016 16:48:14 Rolf has joined #webauthn 16:48:24 Chairs: Richard_Barnes, Tony_Nadalin 16:48:31 rrsagent, make logs public 16:48:35 rrsagent, draft minutes 16:48:35 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 16:51:04 alexei has joined #webauthn 16:53:10 jcj_moz has joined #webauthn 16:53:19 adamkcooper has joined #webauthn 16:53:24 jcj_moz: a/s/l? 16:53:25 :-P 16:53:45 cbrand has joined #webauthn 16:53:46 -1 / -1 / \0 :) 16:54:03 ...and i'm back in 1995 16:54:13 love it, though 16:54:27 Where's our DCC bot? 16:54:50 nickserv? i want to register my nick! 16:55:33 cbrand: hey, if you type in your pw, it will show as stars 16:55:49 i think i need to try it 16:55:56 iamasillybastard 16:56:01 it didn't work!! 16:56:08 did it show up as stars on your side? 
16:56:18 i'm sure it did 16:56:21 so i won't change it 16:57:35 Guest13 has joined #webauthn 17:00:26 felipe has joined #webauthn 17:04:15 dirkbalfanz has joined #webauthn 17:05:56 Hubert-LVG has joined #webauthn 17:07:17 selfissued has joined #webauthn 17:07:57 davidM has joined #Webauthn 17:08:06 agenda+ Intros around the table 17:08:13 zakim, clear agenda 17:08:13 agenda cleared 17:08:15 agenda+ Intros around the table 17:08:18 agenda+ Intro to W3C; Intro to FIDO 17:08:22 agenda+ Charter scope 17:08:26 agenda+ Technical overview of the specs 17:08:31 agenda+ WG Adoption of the Submission drafts 17:08:37 agenda+ Privacy and security considerations 17:08:43 agenda+ Liaisons (IETF, W3C, FIDO, and other groups) Other participants who should be here, globally 17:08:49 agenda+ Any initial issues? 17:08:55 agenda+ Further use cases/requirements? 17:09:03 Hubert-LVG has left #webauthn 17:09:06 Jerrod has joined #webauthn 17:09:06 Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Mar/0000.html 17:09:18 juanlang has joined #webauthn 17:09:19 wseltzer has changed the topic to: Agenda WebAuthn F2F: https://lists.w3.org/Archives/Public/public-webauthn/2016Mar/0000.html 17:09:27 JeffH has joined #webauthn 17:09:34 zakim, take up agendum 1 17:09:34 agendum 1. "Intros around the table" taken up [from wseltzer] 17:09:35 hubert-paypal has joined #webauthn 17:10:19 tonynad: Welcome 17:11:01 harry has joined #webauthn 17:11:07 tonynad: reviewing the agenda 17:11:20 weiler has joined #webauthn 17:11:25 -> https://lists.w3.org/Archives/Public/public-webauthn/2016Mar/0000.html Agenda 17:11:33 mirko_ has joined #webauthn 17:11:38 ... We'll call for adoption of the drafts that began as member submission 17:11:39 nicolagreco has joined #webauthn 17:11:48 derek has joined #webauthn 17:11:55 ... we'll look at editors, workmode, scheduling 17:11:58 vgb has joined #webauthn 17:12:37 present+ Felipe_Moreno 17:12:46 Felipe_Moreno: Bloomberg 17:13:12 ... 
work on the fingerprint authentication for the Bloomberg terminal 17:13:18 ... also using tokens for webapp login 17:13:32 present+ 17:13:35 present+ 17:13:40 present+ keiji 17:13:49 present+ 17:13:54 SamSrin has joined #webauthn 17:13:55 Mirko: Surepass ID, a FIDO authenticator 17:13:58 present+ adam_powers 17:14:09 salah has joined #webauthn 17:14:12 rbarnes has joined #webauthn 17:14:13 Keiji: W3C fellow from Keio University 17:14:16 present+ 17:14:20 present+ nicolagreco 17:14:32 Sam_@@: RSA 17:14:38 @@2: RSA 17:14:44 present+ Vijay Bharadwaj, Microsoft 17:14:54 Rob_Trace: Microsoft, networking and security, JS APIs 17:15:10 Debbi_Mac: FIDO 17:15:16 present+ 17:15:17 Alexei: Identity team at Google 17:15:27 Dirk_Balfanz: Google, active in FIDO 17:15:46 Sam_Srinivas: Security PM at Google 17:15:50 present+ Hubert A. Le Van Gong, PayPal 17:15:54 Christiaan_Brand: Google 17:15:59 JC_Jones: Mozilla 17:16:03 present+ 17:16:06 Hubert: PayPal 17:16:12 Rolf_Lindemann: Nok Nok 17:16:20 present+ Sam Srinivas Google 17:16:22 Juan_Lang: Google engineering manager 17:16:34 present+ gmandyam 17:16:39 Pier_Deganello: Federal Reserve 17:16:48 Mike_Jones: Identity at Microsoft 17:17:04 Axel_Nnenker: Deutsche Telekom 17:17:12 Jeff_Hodges: PayPal 17:17:18 Harry_Halpin: W3C/MIT 17:17:41 Jakob_Ehrensvard: Yubico 17:18:01 David_Martin: CESG 17:18:10 Morgan_Davis: Plantronics innovation team 17:18:15 Giri_Mandyam: Qualcomm 17:18:32 Adam_Powers: Technical Director, FIDO Alliance 17:18:42 Adam_Cooper: UK Cabinet office, identity assurance 17:19:08 John_Fontana: Yubico 17:19:13 present + 17:19:19 Derek_Hanson: Yubico 17:19:33 present+ 17:19:39 scribenick: harry 17:19:43 present+ 17:19:51 present+ 17:19:54 topic: Intro to W3C 17:19:56 Mike Jones 17:21:33 wseltzer: W3C is a global standards body for the Web 17:21:41 jfontana has joined #webauthn 17:21:41 ... directed by Tim Berners-Lee, hosted by 4 offices 17:21:48 ... 70 people on staff 17:21:56 ... 
if you are a W3C member, get your AC member to join 17:22:03 ... if not a W3C meeting, do talk to myself or Harry 17:22:13 ... One important part of the W3C is the royalty-free patent policy 17:22:29 ... we need to assure all contributions are coming via member representatives 17:22:41 ... the chairs and Team can work together to make sure invited experts can come 17:22:46 ... if they can't be a W3C member 17:23:08 ... we run by consensus 17:23:13 ... we can't force anyone to do anything 17:23:21 ... we try to get implementable specs 17:23:25 ... that are interoperable 17:23:31 ... Working Group is governed by its charter 17:23:44 ... you and your advisory committee read the charter 17:24:09 ... approved scope and limitations 17:25:15 ... our goal is to get to Rec 17:25:20 ... within the time on the charter 17:25:45 ... chairs responsible for guiding consensus 17:25:50 ... and making sure things on track 17:25:54 ... Harry Halpin is Team Contact 17:25:57 ... we have WebEx for scheduling 17:26:02 ... usually teleconferenes 17:26:03 ... IRC for minutes 17:26:10 ... all meeting minutes are published 17:26:22 ... we broadcast all our decisions and give people on mailing list opportunity to follow up 17:26:33 ... anything that happens in F2F and teleconference 17:26:37 ... or W3C Recommendation Track 17:26:42 ... is our process 17:26:51 ... for moving to a Recommendation 17:26:56 ... W3C is a Member Submisison 17:27:03 ... it can then be adopted as a Working Draft 17:27:30 are these slides available online? 17:27:31 ... when we publish first working draft 17:27:51 thanks 17:28:02 ... then we have a Last Call where we make sure we get the document finalized 17:28:13 ... we try to get patent commitments early as possible 17:28:21 ... and if someone raises a patent, we have a Patent Advisory Group 17:28:33 ... that can work through patent-related claims 17:28:40 ... we encourage regular updates 17:28:43 ... as editors work through issues 17:28:45 ... 
and pull requests 17:28:50 ... using Github 17:29:01 derek has joined #webauthn 17:29:11 ... we go to Candidate Recommendation when we think the spec is technically sound 17:29:16 ... and has all the features we want in place 17:29:25 ... to get to Proposed Recommendation 17:29:33 ... at least two interoperable implementations 17:29:39 ... that have been tested 17:29:55 ... every feature must have two inter-operable implementations 17:29:57 ... then goes to PR 17:30:04 ... Proposed Recommendation 17:30:08 ... there's a Director Review 17:31:57 ... we hope to do this for a year 17:32:04 rbarnes: What matters is what is stable 17:32:10 ... usually around Last Call/CR things have settled down 17:33:12 wseltzer: ideally we'd like to do things like tests as we go on 17:33:26 rbarnes: We want things stable and settled down 6-9 months given we have a mature startin 17:34:33 present+ Greg_Huges 17:34:42 Pieralberto has joined #webauthn 17:35:13 Topic: Credential Management API 17:35:26 greg_hughes has joined #webauthn 17:36:29 -> https://www.w3.org/Webauthn/slides/intro.html Wendy's Slides 17:36:40 scribenick: wseltzer 17:36:45 rbarnes: WebAppSec Credential management API 17:37:15 ... ideas from that spec informed FIDO 2.0 17:37:41 -> https://w3c.github.io/webappsec-credential-management/ Credential Management 17:37:43 adamkcooper has joined #webauthn 17:37:56 * Has the slide deck been uploaded? 17:38:24 rbarnes: can we create a deterministic password manager interface 17:38:24 * Ignore - IRC was slow in updating 17:38:41 ... instead of the heuristics UAs have been applying 17:38:54 ... imperative interface from the page to the browser 17:39:24 ... behind this interface, managing the credential 17:39:56 ... We need a name for these credentials. Get your bikeshed paint out 17:40:17 ... Introduction to the concept, so we can see how it makes sense to integrate 17:41:00 ... 
Moving parts: password credential, object as opaque representation 17:41:32 * Sorry - original question still stands. Where is the slide deck on Credentials Mgmt. that Richard is currently discussing? I cannot find a link, and the slide deck is difficult to see on the projector given the font color and black background. 17:42:13 rbarnes: password manager never sees the credential itself, some XSS protection 17:42:24 ... credential objects, a store and get interface 17:42:29 ... types of credentials 17:43:29 R3C has joined #Webauthn 17:43:47 ... the spec has notion of federated credential, password credential 17:43:55 AxelNennker has joined #webauthn 17:44:05 ... does it make sense to have a FIDO credential, encapsulating the functionality we're talking about here 17:44:17 ... internal keyHandle, pubKey, sign() 17:44:30 ... what do we want the object to look like, how do you create, manage 17:44:31 felipe_bbg has joined #webauthn 17:44:54 Pier: thinking about how browsers handle PKI, does FIDO look like client cert? 17:45:07 rbarnes: sounds like a question for another WG 17:45:16 ... you'd want to handle differently because of origin separation 17:45:30 ... it's important here that each origin has a different keypair 17:45:42 Pier: so it's a different use case 17:46:30 AxelNennker: Crential management spec renamed local to site-bound credential 17:46:51 +1 StrongOriginBoundCredential 17:46:53 rbarnes: origin-bound is important 17:47:17 ... sketch of what a FIDO credential would look like 17:47:18 OriginBoundStrongCred 17:47:35 aka OBSCred 17:47:46 ... create, register, 17:47:51 ... we need registration to be async 17:47:53 q+ 17:48:01 ... but constructors can't be async 17:48:34 ... that would pass back some signature objects 17:48:49 i like OBSCred better than SOB Credential... 
17:48:53 ack hha 17:48:58 lol 17:49:00 ack gmandyam 17:49:13 Pieralberto has joined #webauthn 17:49:24 gmandyam: FIDO 2.0 uses credential management 17:49:49 rbarnes: do we want to align more closely? 17:50:13 ... we might just need to re-align 17:50:19 To re-state, do we want to align with Credentials API or expose via multiple levels (i.e. FIDO 2.0 is higher level now, Credentials API is a bit lower) 17:50:55 rbarnes: worth thinking about the benefits: determinism, a simpler data-store 17:51:08 ... than indexdb 17:51:52 ... FIDO-like credentials, you'd get simplicity of storage interface, reuse of design patterns 17:52:21 ... think about a site where you can log in with password or FIDO credential 17:52:28 ... makes the flow easier 17:52:49 q? 17:53:49 rbarnes has joined #webauthn 17:55:11 link to the Credentials slides https://docs.google.com/a/mozilla.com/presentation/d/1pMUuw2xiZt36Mn4GJG51917smsqHS0u77E5l5rd5kmY/edit?usp=sharing 17:55:12 rrsagent, draft inutes 17:55:12 I'm logging. I don't understand 'draft inutes', wseltzer. Try /msg RRSAgent help 17:55:18 rrsagent, draft minutes 17:55:18 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 17:55:30 Topic: FIDO 2.0 Current Status 17:55:33 cbran has joined #webauthn 17:55:43 btw, "/msg Zakim help" if you want to see the full list of commands or https://www.w3.org/2001/12/zakim-irc-bot 17:57:39 dirkbalfanz: I'll share some background, Adam on FIDO, Rolf, Alexei, Vijay on JS API 17:58:13 ... FIDO 2.0. FIDO released 1.0, then submitted 2.0 to W3C 17:58:47 Here is the link to the W3C WebAppSec's credentialmanagement draft: https://w3c.github.io/webappsec-credential-management/ 17:58:48 ... 1.0, UAF and U2F 17:59:02 ... UAF focused on mobile deployment 17:59:12 FIDO 1.0 = UAF + U2F 17:59:34 to the point raised by gmandyam earlier: today is going to have a lot of intro/background to get everyone on the same page 18:00:12 UAF is about replacing passwords. 
U2F is about making pswds non-phishable. 18:00:12 ... U2F, hardware tokens that help with authn 18:00:44 ... we want to get to a spec that covers all use cases, is implemented on all platforms 18:01:08 ... "platform"=think I write an application atop 18:01:30 s/think/thing/ 18:02:09 ... use cases: authenticator 18:02:33 ... authenticate local user, auth to server 18:03:00 ... 1/ built-in authenticator 18:03:38 ... 2/ special-purpose devices, e.g. USB tokens, 2d factor device with key material 18:04:14 ... renders password non-phishable 18:04:38 a top-level goal of OBSCreds is non-phishability 18:04:55 ... 3/ smartphone, has key material and can authenticate user 18:06:18 ... What do we need to standardize to create ecosystem 18:07:15 ... RP App to Client 18:07:31 ... Web Platform, we need agreement among those in this room 18:08:07 ... also RP App to RP server 18:08:50 ... e.g. verifying signature, what the signature should look like 18:08:58 ... when you create a new keypair 18:09:41 ... also system to authenticator, if the authenticator isn't built-in 18:10:18 ... CTAP, happening elsewhere 18:10:42 Pieralberto has joined #Webauthn 18:10:47 CTAP == Client To Authenticator Protocol (was: External Authnr Protocol) 18:10:58 ... FIDO 2.0 API, 2 calls 18:11:07 ... makeCredential, getAssertion 18:11:21 ... makeCredential, asymmetric crypto, generate a new keypair 18:11:30 ... with attestation 18:11:44 ... telling you what generated the keypair 18:12:09 ... makeCredential, get back the public key, attestation 18:12:21 ... getAssertion asks for signature 18:12:35 ... get a challenge from the server, call getAssertion to sign challenge 18:13:24 ... sign the challenge+some platform information: origin 18:14:10 ... unphishable, MITM-resistant authentication 18:15:07 " 18:15:11 ... typeless authentication 18:16:13 Pieralberto: can this do server authentication to client? 
18:16:25 dirkbalfanz: we've focused on client authentication to server 18:16:42 rbarnes: we're not talking about a network protocol 18:16:54 ... interaction within the browser so web content can talk to token 18:18:27 felipe_bbg: looking at the other side of the authentication, server 18:18:36 Rolf: FIDO uses TLS 18:19:26 ... if the client is compromised, all you can do client-side is transaction authentication 18:19:41 ... man-in-the-browser can misuse the authenticated channel 18:20:20 ... implementation can use other security mechanisms, TEE, trusted UI, etc. 18:21:12 ... attested signing 18:21:51 SamSrin: we want easy authentication for the user, 2d factor 18:22:41 derek has joined #webauthn 18:22:51 vijay: if the user isn't sure the right person is asking, signature shouldn't be generated. vs in our case, signature will be generated but it won't be usable 18:22:56 juanlang has joined #webauthn 18:23:01 ... because origin is in the signature, so it can't be repurposed 18:23:17 greg_hughes_ has joined #webauthn 18:23:31 felipe_bbg: question was based on who initiates 18:23:45 q+ 18:23:59 rrsagent, this meeting spans midnight 18:24:22 dirkbalfanz: we rely on the browser to represent which origin is requesting authentication 18:24:31 wrt the threat model, please see analysis here: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html 18:24:39 rbarnes: with any web API, you can't get away from some degree of trust in the browser 18:24:53 ack 18:24:54 q+ 18:24:57 ... this group should have clear documentation of which parties are trusted to do what, and the bounds of that trust 18:24:58 ack rbarnes 18:25:27 dirkbalfanz: if browser is no longer acting on user's behalf... 18:25:32 ack JeffH 18:25:45 JeffH: I included a link to the security document, threat analysis 18:25:49 rbarnes: I welcome your pull request 18:25:54 Pieralberto has joined #webauthn 18:26:59 dirkbalfanz: use case, bound authenticator 18:29:33 ... 
user gesture authorizes binding of the keypair 18:30:04 vgb has joined #webauthn 18:30:05 ... registration, then authentication 18:30:48 ... RP gets credential ID (server side, or left in cookie, local storage) 18:31:21 ... challenge, credential id 18:31:35 ... user gesture authorizes use of private key 18:31:51 ... return signature on nonce, origin, token binding, 18:32:31 dirkbalfanz: authentication without a username 18:32:43 ... getAssertion without credential ID 18:33:13 ... platform talks to authenticator, asks user to select account, 18:33:33 ... then same flow 18:33:41 felipe_bbg: is it assumed there's only one authenticator? 18:33:47 dirkbalfanz: no, it should work with multiple 18:34:15 dirkbalfanz: use case, 2fa token, registration 18:34:41 ... token has no storage, just returns wrapped key 18:34:59 ... registration: RP app calls makeCredential 18:35:14 ... inputs, nonce + account info 18:35:32 ... returns public key, credential id, attestation info 18:35:50 ... device could choose to wrap the private key it just generated, call that a credential 18:36:18 ... authentication. these devices probably won't be sole authenticator 18:36:36 ... but on a device that already knows who the user is 18:37:05 ... simple user gesture, such as touching a button, protects against automated attack 18:37:54 nicolagreco: where does the user gesture come from? 18:38:08 dirkbalfanz: need something unforgeable, e.g. touching a button 18:38:10 greg_hughes has joined #webauthn 18:38:28 morgandavis has joined #webauthn 18:38:41 dirkbalfanz: last use case, login with smartphone 18:39:33 ... registration, switch from username password to phone; generate credential on phone, forward request 18:39:50 ... phone makes sure the user is there, generates keypair 18:40:13 ... again, platform returns pubkey, credential id, attestation 18:40:48 ... authentication. assume there's no latent ID, I just carry my phone up to a kiosk 18:41:03 ... 
RP can call getAssertion without knowing user's credential id 18:41:54 dirkbalfanz: User Experience 18:42:04 ... what does it look like to a user 18:42:46 ... account chooser 18:44:48 ... UA can know what kind of authenticator the account uses 18:45:47 ... RP can draw UI that tells user what to do next, e.g. insert security key 18:48:14 pier: does the RP need to remember how the user logged in? 18:48:33 dirkbalfanz: it's useful 18:50:40 KayvanA has joined #webauthn 18:50:59 adamkcooper has joined #Webauthn 18:51:12 keiji has joined #webauthn 18:51:18 rbarnes: lots of keypairs, it's up to the RP to keep track 18:51:35 dirkbalfanz: option for the RP to make getAssertion call without credential ID 18:52:00 ... let the platform, authenticator figure out who the user is, how they want to login 18:52:24 johnk has joined #webauthn 18:53:51 ... platform can combine multiple sources of account info, RP gets it only after the user chooses one 18:55:10 SamSrin: app should be able to ask for authentication, from platform (OS, web browser) 18:55:38 ... 
the browser can package lots of the detail for the user 18:56:09 New participants 18:56:14 Alex_Russel: Google, TAG 18:56:30 Garret_Robinson: Freedom of the Press Foundation 18:56:34 [break] 18:56:38 rrsagent, make minutes 18:56:38 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 18:57:10 davidM has joined #Webauthn 19:02:57 pier has joined #webauthn 19:05:36 pier has joined #webauthn 19:16:13 nicolagreco has joined #webauthn 19:16:49 jfontana has joined #webauthN 19:17:34 mirko has joined #webauthn 19:17:53 mirko has joined #webauthn 19:18:01 jcj_moz has joined #webauthn 19:18:37 pier has joined #webauthn 19:18:52 scribenick: jcj_moz 19:18:52 Starting again with Part 2 of FIDO background, dirkbalfanz presenting 19:19:14 adamkcooper has joined #webauthn 19:20:19 dirkbalfanz: showing the system-level of what needs standardization at w3c; 3 of the documents uploaded are the parts relevant to the web 19:20:42 i/Intros around/scribenick: wseltzer 19:21:46 davidM has joined #Webauthn 19:22:24 ... we must agree on the key & signature formats, the web API, 19:22:47 morgandavis has joined #webauthn 19:22:53 ... Now going to let Vijay go through the web API 19:23:15 greg_hughes has joined #webauthn 19:23:22 Vijay: Authenticator is hardware that gathers user consent 19:23:36 ... May be simple or not, but does crypto when users tell it to 19:24:03 ... Could have a management interface, permitting credential removal, etc., but may not 19:24:40 ... Identifies the kind of authenticator, but not identify the individual device 19:24:58 ... Credentials are keypairs that live on the Authenticator 19:25:36 ... WebIDL for makeCredential: Takes in account information, 19:26:02 ... which has display names, image URL, identifiers 19:26:34 ... Does not get read back out; the RP doesn't ever get to see what Account info the Authenticator has 19:27:23 ... Second param: Crypto parameters. 
Wide variety of crypto algorithms, authenticator-agnostic way of specifying what's acceptable 19:27:50 rbarnes: Purpose of the algorithm is to ensure the RP can verify what comes out of the Authenticator 19:28:32 Vijay: Yes, you pass in a sequence of crypto params, if the call succeeds, the results will be one of these crypto params 19:29:27 ... The attestation is used in the challenge. The timeout is UI sugar. 19:29:29 "UI Sugar" -- a technical term :) 19:30:12 ... The blacklist (seq of credential) is interesting. The use case is: If you are a RP, you are creating credentials on a smartphone, you don't want to create duplicate credentials for the same account 19:30:26 ... These are the credentials I already have for this user, so if you recognize one, don't respond to this query 19:31:44 ... "If you know any one of these, I'm not interested in talking to you." 19:32:16 ... Extensions are the extra things... selecting authenticators - e.g., Bank may only want to use the authenticators they hand out 19:32:26 ... There are a set of such extensions 19:32:49 ... All extensions are all optional. When you get back a response from API, it will tell you which it processed 19:33:55 ... FIDO Credential Info object will give you a credential ID, the algorithm ID used for the credential, a pubkey, 19:34:08 rbarnes : The pubkey is a serialized.... 19:34:20 Vijay: It's a JWK object 19:34:59 Vijay clarifies it's a JS Object from WebCrypto 19:36:00 The publicKey attribute contains the public key associated with the credential, represented as a JsonWebKey structure as defined in [WebCryptoAPI]. 19:36:02 Vijay: Attestation statement is a proof about the authenticator 19:36:12 https://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/ 19:36:36 ... The consent serves 2 purposes: 1) You're consenting to the creation of the credential, and 2) you're selecting between multiple authenticators 19:36:59 (During implementation of makeCredential) 19:37:42 question: (?) 
"Is this an NFC case?" 19:38:03 Vijay: If you want to use something like an NFC reader, you would have to tap the NFC device on the reader, that we know it's there. It's more challenging 19:38:07 s/(?)/AxelNennker/ 19:38:14 ... Contactless smart card similar 19:38:29 ... You can always know the reader is there, and use heuristics to tell if a user has used it in the past 19:39:08 alexei_goog: We have gone through this with U2F in FIDO, we have a demo 19:39:19 ... of the platform drawing how the user interacts with u2f, we can show that 19:39:54 Vijay: If the credential cannot be created - one of twos things - if it's async, the Promise never comes back... 19:40:19 ... If there's a timeout... Well, the challenge is that this is very platform-specific 19:40:56 ... Think about multiple authenticators. The RP doesn't know there are 4 authenticators, the platform does. 19:41:12 ... If 4 authenticators, and 1 fails, do you wait for the other 3? 19:41:58 heh 19:42:00 ... This is the slow operation, makeCredential, it is not getAssertion 19:42:18 Vijay: GetAssertion - fewer parameters, basically all are optional 19:42:26 weiler: :-P 19:42:40 ... Credential object is from makeCredential prior call 19:42:53 slightlyoff has joined #webauthn 19:42:55 ... Could have an extension with a transaction confirmation string 19:43:38 question: Is "Credential" the same as the WebAppSec credential interface? 19:43:50 Vijay: It started there 19:44:25 ... client platform figures out the authenticators and includes origin, RP, and constructs the To-Be-Signed thing to the authenticator 19:44:30 ... Authenticator prompts consent 19:44:38 Align with https://w3c.github.io/webappsec-credential-management/#interfaces-credential-types-credential 19:45:06 ... The specific authenticator on which you consent responds, and can include more stuff as extensions 19:45:17 ... example: current geolocation 19:45:22 ... 
Also of course the signature 19:45:36 Question: This response only happens if the signature was produced? 19:45:58 Vijay: Platform gives an error, how it is presented to the client is tricky 19:46:19 ... Authenticator knows, for each credential, the RP ID it's associated with 19:46:37 ... When asked to sign something, Authenticator has to check if it matches, the credential to the RP ID 19:46:56 ... The Authenticator gets the RP ID from the credential, and from the platform, and compares the two 19:47:15 ... So that's getAssertion. At end of process you get a signature. If you request extensions they may or may not be present. 19:47:26 ... Only guarantee is that it's a signature from one of the Authenticators 19:48:12 ...You get out 3 things: One is the challenge, one is extensions the RP provided, and one is extensions what the Authenticator added 19:48:25 rbarnes: Can the authenticator add extensions that the RP doesn't ask for? 19:48:40 Vijay: There's nothing that prevents authenticators from adding all the extensions it wants to 19:49:00 ... No such thing as critical extensions. If you don't recognize, skip 19:49:15 alexei_goog: If a platform sees an extension it doesn't like, it may drop the request 19:49:32 Vijay: Platform could say 'this is a privacy-stealing extension' and throw it away 19:49:57 rbarnes: There's an affordance as to what's possible 19:49:58 davidM has joined #Webauthn 19:50:10 Vijay: Yes; this is a discussion we've had for a very very long time 19:50:54 ... critical extensions: If you have them, can make for difficult user experience. Inconsistent 19:50:59 K1 has joined #Webauthn 19:51:19 ... If an RP gets an assertion that it thinks is weak, it could prompt another factor of auth like a text message 19:51:30 ... Give the RP the tools to quantify the risk, you do what you want 19:52:01 comment (?) 
: Could be part of the work of this WG, re: spectrum of errors 19:52:35 s/(?)/gmandyam/ 19:53:38 question: How much do you need to protect the credential going to the wrong authenticator? 19:54:07 Vijay: The assertion is a fairly robust thing, it's signing random nonce, not reusable, assertion won't be useful tomorrow 19:54:51 MiSc has joined #webauthn 19:55:05 hubert-paypal has joined #webauthn 19:55:14 Vijay: While credential ID is a key, it's a wrapped private key. It's an attack surface, you can leak the credential ID but it requires a user to consent to attack 19:55:32 johnk has joined #webauthn 19:55:53 ... Signatures include RP ID, origin, in the response and the server can verify if the sig was not meant for you 19:56:16 rbarnes: AxelNennker brought up privacy concerns 19:56:39 rbarnes: We should be clear that the only notion of what the RP is to an Authenticator is what the platform says 19:57:06 Vijay referred to only available over HTTPS... 19:57:36 Vijay: RP Choices you get to make. You can use Authenticator as a first factor vs second factor 19:58:08 ... You get to decide, as a RP, maybe only rely on authenticators you handed out to people 19:58:58 ... makeCredential is kind of sensitive. Intent is to take the credential ID and associate it with the user, so that providing proof of possession later ties this to a user. So you must believe this with some level of assurance. Not specified in spec 19:59:26 ... RP may want to do significant due diligence out of band to confirm the registration 19:59:58 ... UI for getAssertion can be driven 2 ways: Driven by RP javascript and leverage localStorage... 20:00:03 ... Or it could fall back on the platform entirely 20:00:27 ... which is a lot simpler 20:00:34 q+ 20:00:42 ... There is affordances for fancy UI 20:00:47 ack keiji 20:01:50 keiji: Is there risk making a phishing UI? 
20:02:14 (keiji actually said fake UI, not phishing) 20:02:45 Vijay: A lot of the security of these schemes is that authenticator is its unique thing. You can hack RP, hack the platform... 20:03:20 ... The Authenticator truthfully records what it sees, and server can evaluate what it gets from the Authenticator 20:03:30 [lunch 30 min break] 20:03:33 rrsagent, draft minutes 20:03:33 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 20:29:08 MiSc has joined #webauthn 20:35:15 davidM has joined #Webauthn 20:36:20 keiji has joined #webauthn 20:39:01 johnk_ has joined #webauthn 20:41:41 pier has joined #webauthn 20:41:48 morgandavis has joined #webauthn 20:42:04 Topic: FID->W3C 20:42:12 rbarnes: Just had some technical discussion, want to bring back up to higher level 20:42:26 s/FID/FIDO/ 20:42:39 ... Got some info from dirk on the FIDO specs and WebAppSec and interconnection this morning 20:43:12 ... What we're doing in WebAuth is to take the top layers of FIDO 2.0, from FIDO, and standardize them 20:43:20 mirko_ has joined #webauthn 20:43:30 ... WebAuth says, when you're in JavaScript, when you're in a Browser, here's how you ask for stuff: credentials, signatures 20:44:06 ... The Browser has to figure out how to fulfill that. The details of how the Browser does that can be FIDO. You can use some other system that fulfills these requirements 20:44:13 ... Could be provided by the OS, hardware, etc. 20:44:30 .... W3C is providing the general API and there are multiple ways to satisfy 20:45:14 rbarnes is showing a "T-shape" where the down-line is a Cryptographic protocol that transits from the Web API down to hardware 20:45:18 adamkcooper has joined #Webauthn 20:45:31 rbarnes: Any questions? Wanted to level-set in how this group relates to FIDO 20:45:32 q? 20:45:41 q+ 20:46:18 dirkbalfanz has joined #webauthn 20:46:19 rbarnes: There could be other implementations that could use this API. 
Could speak to some other trusted environment. 20:46:30 ... FIDO is important, got the whole thing started, but could imagine others 20:46:32 nicolagreco has joined #webauthn 20:47:00 harry: Token requirements, certifications are not done by W3C. W3C has success at the narrow focus. 20:47:02 how is that "trusted environment" different from an authenticator? 20:47:19 q+ 20:47:25 Anthony: Testing will not be for FIDO Conformance, but W3C API 20:47:42 rbarnes: When we get to browser testing, browsers under test will be tested for compliance to the API only 20:47:53 pier has joined #webauthn 20:48:08 FIDO will continue FIDO certification and testing on parts of the eco-system outside of the Web (authenticator/OS-level) 20:48:22 keiji: Who works on standard protocols between the RP Server and the RP Javascript? 20:48:30 greg_hughes has joined #webauthn 20:48:35 We'll stay in touch to make sure it all works, and the level of abstraction should be open (i.e. no lock-in) 20:48:58 rbarnes: Probably will define the message patterns between the servers, but not the wire protocol. Not concretely how the JS talks to the RP Server 20:49:11 however, browser test-suites are an entire different animal than authenticator certification 20:49:39 rbarnes: We will start from the one that's in the baseline, consider hiding things or too-fido specific things, and maybe define extensions 20:49:58 Anthony: We'll call for adoption of the docs later today 20:51:06 hubert-paypal: question regarding ...issues with implementations, deleting from the client side? 20:51:59 hubert-paypal: Can you delete credentials in WebAppSec? 20:52:14 rbarnes: I don't think deleting credentials exists right now 20:52:22 Anthony: Want to do a demo of what's working today 20:53:16 SamSrin: There are existing implementations in the wild. 
20:53:34 alexei_goog: Goal: convince you all this isn't completely crazy; some of the problems have been solved before in similar context 20:53:43 rbarnes: Show what kinds of things we want to enable with this API 20:54:31 [cbran & alexei_goog presenting now] 20:55:03 alexei_goog: Show logging into Google using U2F. 2 different form factors: Both made by Yubico, same thing with different form factors 20:55:17 alexei_goog: One has NFC, and both have capacitive touch sensor 20:55:42 cbran: Credentials are on one token, but will plug both in so can demonstrate what happens when there are two 20:55:56 alexei_goog: Creds aren't ON the token, they are associated WITH a token 20:56:22 alexei_goog: Logs into Google, is prompted for a "Security Key" 20:56:55 alexei_goog logged in by touching the associated authenticator. Now logging out again 20:57:32 alexei_goog: Academics are planning to do usability studies on these devices across different demographics 20:57:46 cbran: One is registered, one is not, and touch the wrong one and see what happens 20:57:58 ... When you touch the wrong one, you get an error 20:58:07 ... alexei_goog will now perform a musical number 20:58:12 rbarnes has joined #webauthn 20:58:20 note: [difficult to translate to IRC] 20:58:57 *alexei_goog: can you share the reference to the paper you recently presented on FIDO? 20:59:06 mkwst has joined #webauthn 21:00:14 cbran shows re-sign in again, then demonstrates that Google lets you register multiple tokens 21:00:27 ... second token was registered using his mobile phone 21:00:42 ... and then he signs back out 21:01:06 Then cbran shows an Android device on the projector 21:01:33 Using his Android phone he goes to log in to Google with that same account 21:01:47 ... and then cbran shows us all his password 21:02:12 cbran: This is not the final UI. 
21:02:42 alexei_goog: This login page is being rendered by an Android application, but this would be the Platform 21:03:02 cbran shows using NFC to authenticate using the yubikey 21:03:14 ... and then moves to BLE, which alexei_goog notes is even _less_ final and also flakey 21:03:35 cbran shows this doing BLE. 21:05:20 pier has joined #webauthn 21:05:24 Rolf is now presenting on Attestation Statements 21:05:36 Rolf: Now we've come to the fun stuff - Less UX, more crypto 21:06:25 ... Someone may want to implement authenticator on top of a TPM, embedded secure element, hardware... Also user gestures could be fingerprint, or face recognition, things we can't come up with now but will in the future 21:06:42 ... For the RP the security depends on these choices: what kind of authenticator was used? 21:06:57 ... Sometimes we might want a bit more strength to it sometimes, this is a distinction 21:07:03 SurePassID has a demo similar to Google's if anyone is interested in seeing it. Just find me, Mirko. I'm in the shirt with the FIDO logo on it. 21:07:49 ... Attestation lets the Server look up metadata and see what the information is about the given authenticator, or other known authenticators 21:08:12 ... Want to know things about the model of the authenticator. Strong signals (cryptographic proof) without violating privacy 21:08:23 ... 3 models for this: 21:08:56 ... 1) Basic attestation: Set of authenticators that share one key+certificate injected at manufacturing, can't tell which auth it is, but can tell the model, so can't ID the individual 21:09:44 ... Some information you can get, based on what the model is, but don't let the RP ID the authenticator correlates between otherwise-different users 21:10:08 ... 2) Privacy CA, as defined by TCG, implemented in TPM. 21:10:40 ... 3) DAA, ECDAA, Direct Anonymous Attestation, 21:11:32 ... Back to Basic Attestation: Simple model, no need for runtime infra.
Better privacy if the cert is shared over a large set, but conflict: better security if the cert is shared across a small set of authenticators 21:12:02 ... Privacy CA requires runtime infra: the CA itself has to be in the middle 21:12:12 ... 'What is the business model for those CAs?' 21:12:34 ... Maybe a company may run a privacy CA for its employees 21:12:52 ... Better security because keys aren't shared 21:13:16 ... Privacy CA itself though knows all the correlations between Authenticators and Certs 21:14:08 ... Direct Anonymous Attestation is a middle ground - doesn't need runtime infrastructure. DAA privkey is unique to an Authenticator, but the privkey is blinded / unlinkable 21:14:31 ... It's an interesting model, more complicated cryptography 21:14:49 ... TCG adopted ECDAA and are doing some tweaks 21:15:13 ... Originally slow. ECDAA much faster, based on EC 21:15:45 ... Attestation Types: The authenticator must control what gets signed as part of the Attestation Statement. 21:16:03 ... We have to support things already in the market so already support "packed", "tpm" and "android" 21:16:42 Rolf shows the WebIDL for AttestationStatement and AttestationHeader 21:17:21 ... and AttestationCore, Client Data 21:17:50 Rolf: ClientData is provided by the Platform, not the Authenticator 21:18:52 .... ClientData is in the Signature Format doc 21:19:21 Q: "Can the authenticator provide feedback to the browser re: its ability to comply, such as getting a request it cannot do." 21:19:22 -> http://fc16.ifca.ai/preproceedings/25_Lang.pdf Lang et al., Security Keys: Practical Cryptographic Second Factors for the Modern Web (the paper alexei_goog referenced) 21:20:20 Rolf: RP server has to understand and recompute the hash of the client data, but the Client Data's hashAlg is chosen by the platform/authenticator. 21:20:56 Vijay: Another take on your question is part of the extension definition 21:21:33 ...
It's possible to define an extension that tries to do something, and the authenticator sends back an extension with whether it was successful or not 21:21:41 * Thanks for the link, wseltzer 21:22:04 ... but no one has defined one. Not clear that there is such a use case. Keep spec as simple as possible; if there's not a clearly defined use case, we don't do it 21:22:04 for the record, the Security Keys paper, referenced above by wseltzer, is academic and omits some spec details. Careful readers will notice a difference. 21:22:15 alexei_goog presenting Signature Format (returned by getAssertion) 21:22:57 alexei_goog: Goal of standardizing sig format, regardless of what Authenticator produces a signature, all RPs know how to parse it 21:23:23 ... Goal of sig is to bind together info put in by RP, put in by Client / Platform, and info put in by Authenticator 21:23:43 alexei_goog shows the WebIDL for FIDOAssertion & ClientData 21:24:44 alexei_goog: The Authenticator only sees the hash of the ClientData struct 21:25:08 Q: Does this expose the Channel ID from tokenbinding? 21:25:15 alexei_goog: Exposes it to the RP 21:26:22 Vijay: The Authenticator gets to freeze the Channel ID 21:26:35 johnk has joined #webauthn 21:26:37 alexei_goog shows AuthenticatorData 21:26:57 alexei_goog: AuthenticatorData is a bit field because want to support very limited Authenticators 21:27:38 Q: Why is this a DOMString as opposed to an ArrayBuffer? 21:27:52 Vijay: No good reason; partly because we ported over pre-existing stuff 21:28:12 ... In fact, we've been talking about the CredentialID could benefit from being ArrayBuffer 21:28:28 s/Q:/slightlyoff:/ 21:28:47 slightlyoff: The bitpacking would be error-prone to consumers 21:29:01 alexei_goog: We came into this with typing that wasn't the best 21:29:17 cbrand has joined #webauthn 21:30:14 q+ 21:30:26 ack keiji 21:30:48 keiji: This API is not only for authentication? It cannot be used for generic signature, on email messages?
21:31:00 alexei_goog: No. Meant for authentication, period 21:31:19 keiji: Any future plan to use FIDO device to sign email? 21:32:12 Rolf: Signature counter included - make sure only authenticator controls this structure 21:32:44 alexei_goog: Counter.... Variable length extensions as CBOR 21:32:55 ... There will be a registry of extensions w/ several examples 21:33:24 ... How do you generate the signature? Authenticator takes Client Data Hash,... 21:33:32 rbarnes: Client here is browser/platform 21:34:04 alexei_goog: Authenticator Data concatenated with Client Data Hash and then signed using privkey 21:34:22 rbarnes: RP provides some challenge, which is reflected in Client Data? 21:34:33 alexei_goog: Yes, in the ClientData. And remainder is contributed by client. 21:40:34 davidM has joined #Webauthn 21:42:14 -> https://www.w3.org/Webauthn/slides/FIDO2.0-IntroforW3C.pdf FIDO 2.0 slides from Dirk, Alexei, Vijay, and Rolf 21:42:43 rrsagent, draft minutes 21:42:43 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 21:48:43 mirko has joined #webauthn 21:56:29 adamkcooper has joined #Webauthn 22:01:58 Topic: Charter scope and deliverables 22:02:26 -> https://www.w3.org/Webauthn/charter/ Webauthn Charter 22:02:27 nicolagreco has joined #webauthn 22:02:41 pier has joined #webauthn 22:02:53 garrettr has joined #webauthn 22:03:09 Jerrod has joined #webauthn 22:03:19 rbarnes has joined #webauthn 22:03:33 K1 has joined #Webauthn 22:04:25 tonynad: Charter has been adopted, so no changes now 22:04:33 ... charter gives us some deliverables 22:04:45 ...
notes the contributions as proposed starting point 22:05:06 [many people show hands to having read the documents] 22:05:08 JeffH has joined #webauthn 22:05:36 Mb has joined #Webauthn 22:05:45 +1 22:05:49 wseltzer asks for any objections to the 3 submitted documents 22:05:59 PROPOSAL: Start WG with Working Drafts based on Member Submissions 22:06:01 greg_hughes_ has joined #webauthn 22:06:01 derek has joined #webauthn 22:06:05 no objections 22:06:07 +1 22:06:07 +1 22:06:07 +1 22:06:07 +1 22:06:11 +1 22:06:13 PROPOSED that we adopt the Member Submission as working drafts for the group 22:06:20 +1 22:06:21 +1 22:06:22 vgb has joined #webauthn 22:06:22 +2 22:06:25 +1 22:06:31 pier has joined #webauthn 22:06:31 +1 22:06:34 +1 22:06:34 RESOLVED: Start WG with Working Drafts based on Member Submissions (from FIDO) 22:06:39 jfontana has joined #webauthN 22:06:39 SO SAY WE ALL 22:07:03 https://github.com/w3c/webauthn 22:07:59 question: Should we merge this all into one big draft? 22:08:21 dirkbalfanz has joined #webauthn 22:09:38 link to slides ? 22:11:09 wseltzer: We'll do everything via github pull requests 22:11:16 pier has joined #webauthn 22:11:17 ... minor changes can just be done via editors 22:11:38 ... so any issue, no matter how small, should be a github pull request 22:11:46 ... we do a formal transition request (working group consensus) 22:11:56 ... for publishing the documents at w3.org/TR/ 22:12:04 Guest13 has joined #webauthn 22:12:32 ... the WG does not have to reflect that the group thinks it is done 22:12:41 ... but that it wants more public review 22:12:50 ... we can use automated publication tools 22:13:22 question: Do editors have to all agree on changes? 22:13:52 wseltzer: It's for each WG to figure out, editors should figure out level of questions 22:13:57 ... and how controversial it is 22:14:04 ... in which case, bring it up on the conference call. 22:14:34 ... decisions made on meeting should be confirmed on mailing list 22:15:46 ...
adding features after CR requires going back through 22:15:59 q+ 22:16:29 ack harry 22:16:55 call dropped. 22:17:06 We like testing done like this 22:17:07 http://testthewebforward.org/docs/ 22:17:13 it's the format used by HTML5 test-suite 22:17:52 if we add it 22:18:02 it will then get added 22:18:08 to the same test-suite that runs rest of W3C tests 22:18:41 nadalin: let's make sure github notifications work for the mailing list 22:18:55 ... we prefer some discussion before opening a new issue for the WG 22:19:21 wseltzer: Start on mailing list if the question is not clearly an issue for the spec 22:19:30 ... so we can make it concrete enough for the WG to work through 22:19:41 topic: Editors 22:19:50 nadalin: Let's get editors assigned 22:20:30 ... we should first see if we can keep editors and the same ones want to stay 22:20:42 rbarnes: Attestation Rolf and Mike? 22:20:46 rolf: Happy to stay in 22:21:12 rbarnes: Signatures, Aranar, Mike, Rolf, and Alexei 22:21:19 Rolf: Yep, let's keep it 22:21:30 rbarnes: API - shall we continue 22:21:36 ... vgb, want to stay? 22:21:39 vgb: Yes 22:22:12 ... keep the same editors and add J.C. from Mozilla. 22:22:25 Rob has joined #Webauthn 22:22:32 greg_hughes has joined #webauthn 22:22:55 nadalin: Anyone else want to play editor 22:23:02 Juan: I would like to be added 22:23:16 rbarnes: Anyone can submit patch, but editors are committers 22:24:23 Rolf is rlin1 on github.com 22:25:19 wseltzer: we'll set up a single group 22:25:24 ... union of all editors 22:25:38 jeffH: Let's move all the docs to a single document 22:25:45 ... but first just move Member Submissions in as single docs 22:25:48 Hubert is levangongPayPal on Github 22:25:52 ... and then do a conversion to bikeshed 22:26:02 nadalin: Meeting plans? 22:26:22 nadalin: Weekly meetings 22:26:28 if there is a pointer to guidelines for the github<-->W3C tooling, please post to public-webauthn@w3.org ? 22:26:32 ... what is day or time everyone is available 22:26:37 ...
anyone from Asia? We have some Europeans 22:26:57 nadalin: FIDO calls are on Friday 22:27:20 q+ 22:27:30 nadalin: We'd start next week 22:27:35 ack harry 22:29:41 ok, will send a Doodle out re Monday/Tuesday/Wednesdays 22:30:52 early pacific/late Europe 22:31:00 Maybe will add a few Thursday/Friday options 22:31:07 nadalin: For our next f2f 22:31:11 ... we are thinking May Berlin 22:31:15 ... next to FIDO F2F 22:31:32 ... Monday May 9th 22:31:39 ... will propose that to the list 22:31:57 agenda? 22:32:07 ... the next meeting would likely be Lisbon in Sept. 22:32:12 weiler has joined #webauthn 22:32:42 selfissued: I'd prefer Friday, I have a speaking commitment in Munich 22:33:17 nadalin: Will send to list 22:33:36 ... the next F2F is likely 3rd week of Sept. in Lisbon 22:33:40 ... (Portugal) 22:34:42 agenda? 22:35:04 topic: scope 22:35:16 nadalin: Here's a set of use-cases 22:35:20 ... not normative, but guiding 22:35:25 ... will lead us into what we are doing 22:36:31 ... what's out of scope 22:36:47 ... multi-origin, federated identity, crypto-operations on keys 22:38:15 FIDO and Federation: https://docs.google.com/presentation/d/1_j6EYJZT_iT0LyLe_ErUS-Zxo6W93fmkqq1lhvnNqMM 22:38:17 harry: note that you should be able to use FIDO with federated identity 22:38:26 ... just using authorization (i.e. OAuth) 22:38:30 ... and the IETF is already thinking of this 22:38:51 wseltzer: We will keep this group focussed 22:39:06 rbarnes: Note that client cert exposed to multi-origins is explicitly out of scope 22:39:19 ... some of the stuff keiji brought up, including signing other kinds of things 22:39:24 ... is out of scope 22:39:30 ... standard won't define UX 22:40:14 adamkcooper has joined #webauthn 22:41:21 nadalin: we'll also have a test-suite 22:41:46 ... and any informative reference 22:41:59 adam_powers: I'm happy to write tests 22:42:01 pier has joined #webauthn 22:42:06 ...
just give me implementations 22:43:30 we will discuss making sure people that make tests like Adam 22:43:34 can get IE status 22:43:42 dependent on employers 22:44:03 nadalin: There's been continued discussion on specs 22:44:43 ... and so we need 22:44:56 ... to move stuff from private github 22:45:45 ACTION: Move issues from FIDO Github to W3C Github via proper channel 22:45:45 Sorry, but no Tracker is associated with this channel. 22:46:06 trackbot, this is the future 22:46:06 Sorry, harry, I don't understand 'trackbot, this is the future'. Please refer to for help. 22:46:41 alexei: There are 50 issues 22:47:11 ... typing between relying party and authenticators 22:47:48 ... then we can close them in FIDO 22:52:52 wseltzer: we can use labels to classify them 22:56:44 rrsagent, draft minutes 22:56:44 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 22:56:48 [short break] 22:58:04 mirko has joined #webauthn 22:58:34 davidM has joined #Webauthn 23:00:28 nicolagreco has joined #webauthn 23:06:27 Topic: Workflows in github 23:07:00 alexei: In FIDO, we've used OKtoDo, Discuss status 23:09:28 alexei: 176 discuss 23:10:26 ... 175, not for W3C 23:10:52 ... 173 23:11:01 Rolf: for me it's OKtoDo 23:11:41 alexei: I don't fully grok this 23:11:47 ... let's mark it as Discuss 23:12:10 alexei: 172 23:12:27 s/in github/in github, and reviewing issues in FIDO repository/ 23:12:35 ... discuss 23:12:54 ... 171 23:12:58 Rolf: Just do it 23:13:19 alexei: 169, OK 23:13:33 ... 168 just do it 23:13:54 ... 167, discuss 23:14:24 ... 166, just do it 23:14:48 ... 165, discuss 23:16:09 gmandyam: 165: Not worded as a proper W3C issue?
23:16:39 alexei: Feel that having W3C talk about android seems wrong 23:17:23 harry: If it is indeed android specific, the general purpose rule should be that FIDO 2 stuff that goes to W3C, should make sure there are no dependencies that pulls Android into the W3C spec 23:17:43 alexei: Define a better abstraction for attestation 23:18:16 rbarnes: Spec suite for this WG needs to be largely complete; go through the whole process without relying on an external spec (unless it's normative -Mike) 23:18:30 Rolf: Have to somehow reference other specs like TPM 23:18:49 rbarnes: Good general discussion we could have regarding what the general interoperable profile should be 23:19:08 juanlang: Since we're having technical discussion, this is a point we should discuss 23:19:21 q? 23:19:39 SamSrin: Intent of attestation proposal is to slot multiple forms into a generic proposal. Permit large islands to do their own thing. 23:19:55 ... Don't want to get into Android / iOS, but give a generic spec 23:20:26 rbarnes: I'm realizing I confused attestations with assertions. 23:20:31 ... Attestations not critical path 23:20:44 ... Assertions are more important to be interoperable 23:21:42 [Harry is creating the issue] 23:22:11 alexei: 164, skipping since it's related to last issue 23:22:48 ... 163, this needs another issue 23:22:58 ... figure out the correct interface between CTAP and WebAPI 23:23:16 Vijay: Seems like a 'just do it' 23:23:23 alexei: OK to-do. 23:24:31 ... 162, okay to do 23:24:41 ^-- that was rbarnes 23:26:12 alexei: 161, clear the milestone 23:26:27 ... 160, attestation, skip 23:27:06 ... 159, close 23:27:32 ... 158, discuss 23:27:42 156, remove milestone 23:28:17 ... 155, account deletion, discuss 23:28:34 anthony: Or just remove milestone and not discuss 23:29:33 alexei: 154, discuss (it has a lot of text) 23:30:11 ... 151, dangling references. Closed 23:30:51 ... 150, a bunch of tags... 23:30:59 JeffH: 150, i would say okay to do.
23:31:07 rbarnes agrees and suggests adding to the WebAPI 23:31:18 alexei: 150: okay to do 23:31:58 ... 148, okay to do 23:32:56 ... 142, this is tied to deletion 23:33:16 JeffH: We can reference this together with the deletion 23:33:21 alexei: 142 mark as discuss 23:34:49 ... 140, Rolf asks for discussion. 23:35:01 Rolf: This must be unique globally 23:35:05 alexei: 140 we must discuss it 23:35:24 ... 139, just do it 23:36:45 ... 137, CTAP layer... there is no cancel in the WebAPI 23:37:02 JeffH: This is more about the effect on the Authenticator. Pull this milestone and reclassify 23:37:23 alexei: Should it be in the algorithm? 23:37:32 JeffH: we should open another issue. 23:38:43 alexei: 137 then discuss 23:39:11 ... 136, discuss 23:40:04 ... 135, mark as discuss 23:40:20 ... 134, discuss b/c block of text 23:41:01 ... 133, non-normative, just do it 23:41:54 ... 132, recommend closing because we can't predict the future? 23:42:02 rbarnes: Closing this seems fine to me 23:42:07 JeffH: Clear the milestone 23:42:50 alexei: 131 23:43:02 Vijay: Provide a use case that doesn't rely on passwords 23:44:00 alexei: 131, OK to do, clarify it 23:45:22 130, remove milestone 23:45:51 alexei: ... 114: okay to do 23:46:26 ... 108, Vijay says reference cleanup which is fixed if merging them all. Okay to do 23:46:32 ... 108, remove the milestone 23:47:12 ... 105, Duplicate of account deletion in 155 23:47:48 ... 92, discuss 23:48:08 ... 91, already done 23:48:38 ... 87, okay to just do it. 23:49:11 ... 74, discuss 23:49:28 ... 71, 23:49:36 rbarnes: Already been closed twice! 23:49:55 JeffH: I'm taking care of it. I'll make it go away. 23:50:04 alexei: 39, going to get merged 23:51:16 rbarnes: is there any objection to merging the 3 documents? 23:51:17 Note I just added the three FIDO 2.0 to github 23:51:32 Hey, fill out the Doodle for our telecon: http://doodle.com/poll/srrmafhft29cudav 23:51:35 wseltzer: Is there any chance of them moving forward out of sync?
23:52:14 mike: Request: the editor that does it, flag the text so it's reviewable, so that nothing gets lost and that which gets added is in sync 23:52:21 ... with that caveat, I'm OK doing it 23:52:27 JeffH: issue 39 closed 23:52:54 alexei: Going to open another issue to merge all the documents 23:53:17 ... issue 4! 23:54:23 hubert-paypal has joined #webauthn 23:56:17 wseltzer: thanks to our host, chairs, and all participants! 23:56:20 [adjourned] 23:56:23 rrsagent, make minutes 23:56:23 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 23:59:02 i/question: Should we merge this all into one big draft?/scribenick: harry 23:59:17 rrsagent, make minutes 23:59:17 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer 00:02:05 i|gmandyam: 165: Not worded as a proper W3C issue?|scribenick: jcj_moz 00:02:08 rrsagent, make minutes 00:02:08 I have made the request to generate http://www.w3.org/2016/03/04-webauthn-minutes.html wseltzer