17:00:45 <RRSAgent> RRSAgent has joined #webauthn
17:00:45 <RRSAgent> logging to http://www.w3.org/2016/03/23-webauthn-irc
17:01:01 <Guest13> Guest13 has joined #webauthn
17:01:41 <hhalpin> RRSagent, draft minutes
17:01:41 <RRSAgent> I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html hhalpin
17:04:05 <rbarnes> zakim, agenda?
17:04:05 <Zakim> I see 4 items remaining on the agenda:
17:04:06 <Zakim> 2. bikeshed vs. respec.js decision [from wseltzer]
17:04:06 <Zakim> 3. Next F2F date [from wseltzer]
17:04:06 <Zakim> 4. Open Issues if time permits [from wseltzer]
17:04:07 <Zakim> 5. AOB [from wseltzer]
17:05:55 <hhalpin> chair: tony
17:06:23 <felipe_bbg> just dropped
17:06:24 <hhalpin> Zakim, pick a victim
17:06:24 <Zakim> Not knowing who is chairing or who scribed recently, I propose Adam
17:06:42 <hhalpin> Zakim, pick a victim
17:06:42 <Zakim> Not knowing who is chairing or who scribed recently, I propose nadalin
17:06:49 <wseltzer> zakim, clear agenda
17:06:49 <Zakim> agenda cleared
17:06:59 <acz-goog> acz-goog has joined #webauthn
17:06:59 <JeffH> JeffH has joined #webauthn
17:07:15 <acz-goog> present+
17:07:21 <hhalpin> scribe: apowers
17:07:28 <jcj_moz> present+
17:07:29 <vgb> vgb has joined #webauthn
17:07:30 <hhalpin> present+ hhalpin
17:07:33 <rbarnes> present+
17:07:34 <JeffH> present+
17:07:36 <vgb> present+ vgb
17:07:39 <apowers> present+ apowers
17:07:41 <wseltzer> agenda+  Roll Call
17:07:41 <wseltzer> agenda+  Agenda bashing
17:07:42 <wseltzer> agenda+ Document merge, status/update
17:07:43 <felipe_bbg> present+
17:07:46 <hhalpin> present+ antoine
17:07:51 <Hubert-PayPal> Hubert-PayPal has joined #webauthn
17:07:53 <RobTrace> RobTrace has joined #webauthn
17:07:54 <wseltzer> agenda+   Naming issues, update from JC
17:07:54 <wseltzer> agenda+   Walk the open issues list
17:07:55 <wseltzer> agenda+   A.O.B
17:08:07 <Hubert-PayPal> +Hubert (PayPal)
17:08:11 <hhalpin> present+ christian
17:08:15 <cbrand> cbrand has joined #webauthn
17:08:19 <cbrand> present+
17:08:30 <hhalpin> present+ RobTrace
17:08:34 <hhalpin> present+ PaulGrassi
17:08:47 <juanlang> juanlang has joined #webauthn
17:08:56 <hhalpin> present+ Janet from Fed Reserve in Minneapolis
17:09:29 <Hubert-PayPal> present+ Hubert (PayPal)
17:09:34 <hhalpin> topic: status of merge document
17:09:35 <apowers> tony: reviews agenda
17:09:43 <apowers> (like that?)
17:09:58 <adl> adl has joined #webauthn
17:10:21 <apowers> ... document merge, naming issues, open issues list
17:10:21 <hhalpin> yep, apowers - looks good
17:10:23 <apowers> ... AOB
17:10:34 <apowers> ... other topics? not heard
17:10:52 <apowers> ... status of merge?
17:10:54 <apowers> jeff: complete
17:11:18 <apowers> ... merged to master
17:11:19 <hhalpin> agenda?
17:11:41 <apowers> vijay: duplications in master branch, need to blow away old ones
17:11:43 <apowers> jeff: correct
17:12:05 <apowers> jc: I did a review and didn't see any merge issues
17:12:47 <apowers> tony: we can remove the subdirectories after we hear back from Mike
17:12:51 <rbarnes> zakim, move to agendum 3
17:12:51 <Zakim> agendum 3. "Document merge, status/update" taken up [from wseltzer]
17:13:05 <apowers> jeff: I did a cursory review of the merge and it looked fine
17:13:26 <apowers> ... and having Mike follow up sounds fine
17:13:45 <apowers> ... mike = mike j (not mike west)
17:13:56 <apowers> tony: we will do a review this week and be done with it next week
17:14:30 <apowers> tony: any more discussion on merge document?
17:14:40 <apowers> jeff: is talking about nomenclature a subtopic
17:14:42 <apowers> tony: sure
17:14:56 <apowers> jeff: JC did a good start
17:15:19 <apowers> ... made some suggestions on some minor polish for nomenclature
17:16:21 <apowers> ... be aware that if you are using gmail, emails from PayPal (Jeff and Hubert) may end up in your spam folder
17:16:26 <jcj_moz> JeffH's comments: https://github.com/w3c/webauthn/pull/48
17:16:48 <apowers> vijay: thanks for doing this, I'm reviewing the pull request, let me know if that's the right way to do it
17:16:56 <apowers> jeff: up to the group
17:17:18 <apowers> jc: prefer GitHub
17:17:19 <hhalpin> I think Github is generally preferable for things that require actual references to the spec
17:17:26 <apowers> vijay: prefer GitHub
17:17:29 <hhalpin> If it's some overarching issue, then you do the lsit
17:17:50 <apowers> jeff: GitHub doesn't notify the list
17:18:04 <apowers> hhalpin: that's being changed right now
17:18:19 <apowers> richard: the PR relates to many points
17:18:44 <apowers> jeff: from my experience, you explicitly have to watch the repo
17:18:52 <apowers> hhalpin: yes
17:18:58 <apowers> jeff: let's talk offline
17:19:08 <acz-goog> q+
17:19:19 <apowers> jeff: it would be good to let the list know when someone submits a bunch of comments
17:19:31 <rbarnes> zakim, who is speaking?
17:19:31 <Zakim> I am sorry, rbarnes; I don't have the necessary resources to track talkers right now
17:19:32 <apowers> (who is speaking?)
17:19:49 <apowers> alexei?
17:20:29 <apowers> alexei: if we have the same name everywhere and we do this global renaming, can we just create variables that get renamed?
17:20:59 <apowers> ... does such a mechanism exist in bikeshed?
17:21:09 <apowers> hhalpin: I will look into it, it might be possible
17:21:43 <apowers> jeff: mkwst has experience with bikeshed and may know
17:21:58 <felipe_bbg> q+
17:22:11 <hhalpin> Here's all the bikshed docs
17:22:12 <hhalpin> https://github.com/tabatkins/bikeshed
17:22:31 <apowers> tony: if we are done with nomenclature the next item is ...
17:22:49 <apowers> agenda?
17:22:58 <rbarnes> zakim, go to agendum 4
17:22:58 <Zakim> I don't understand 'go to agendum 4', rbarnes
17:23:10 <wseltzer> zakim, take up agendum 4
17:23:11 <Zakim> agendum 4. "Naming issues, update from JC" taken up [from wseltzer]
17:23:18 <apowers> jc: not sure what to do about IANA numbers
17:23:56 <apowers> jeff: what was registered?
17:24:00 <apowers> apowers: crypto formats?
17:24:06 <apowers> jeff: not registered yet
17:24:15 <apowers> jc: OID number
17:24:34 <apowers> ... open a ticket to choose a different number or keep them
17:24:42 <apowers> jeff: maybe talk about it on the mailing list
17:24:56 <apowers> ... up to that organization to choose and manage the subtree
17:25:05 <apowers> rbarnes: what are the OIDs?
17:25:23 <apowers> jc: some of the extensions have OIDs, standard form based on org tree
17:25:32 <apowers> ... some are registered to FIDO Alliance
17:25:36 <apowers> jeff: open an issue
17:26:14 <apowers> jc: I did change the strings, I think it would make sense to change the strings or OIDs or neither, but not the intermediate state
17:26:45 <apowers> rbarnes: if they are extensions and they are optional, then it may not make a difference
17:27:12 <apowers> ... probably want to pull all the OIDs into a non FIDO-org
17:27:26 <apowers> jc: I'm not familiar with how common these extensions are
17:27:43 <apowers> ... maybe we discuss on the list whether we want to keep them or rename them
17:27:49 <adrianba> adrianba has joined #webauthn
17:27:50 <acz-goog> ... phone rings
17:28:15 <apowers> ... reference to ECDAA specification
17:28:20 <apowers> ... maybe another topic for the list
17:28:27 <apowers> jeff: leave it alone for now
17:28:31 <apowers> ... spec is forthcoming
17:28:43 <apowers> ... will be buttoned up by other SDO, perfectly fine to reference
17:28:53 <apowers> jc: metadata service we have another thread going on on the list
17:29:01 <apowers> ... not sure if we want to discuss that today, assume not
17:29:14 <apowers> jc: state of naming
17:29:27 <apowers> ... seems like from the PR we can genericize things
17:29:31 <apowers> ... open to suggestions
17:29:36 <apowers> jeff: looks good, thank you
17:29:47 <apowers> tony: jeff, do you want to review the relying party issue?
17:30:24 <apowers> jeff: what I was trying to bring up was changing "FIDO Relying Party" to just "Relying Party" may cause issues
17:30:28 <apowers> ... it is context dependent
17:30:59 <apowers> ... has to do with the hand off to the identity provider
17:31:14 <apowers> ... we should use the term WebAuthn Relying Party consistently
17:31:38 <apowers> ... when the context is not clear it leads to impedance mismatches
17:31:51 <apowers> vijay: should we drop the term Relying Party altogether?
17:31:58 <apowers> ... it's ambigious
17:32:14 <apowers> jeff: we went through that exercise in UAF and it went nowhere
17:32:21 <apowers> ... couldn't come up with a decent term
17:32:31 <apowers> ... could imagine adding some text to the spec
17:32:38 <apowers> ... terminology section
17:32:46 <apowers> ... relying party is not a federated relying party
17:33:05 <apowers> rbarnes: having terminology would be a good place to do that
17:33:23 <apowers> jeff: it would be good to be able to point to a more qualified term
17:33:52 <apowers> ... floated this idea last year, people seemed fine with it
17:34:11 <apowers> rbarnes: would anyone like to create a terminology section?
17:34:15 <apowers> jc: I don't mind taking it on
17:34:30 <apowers> ... if anyone has feelings on the subject, please let me know or let the list know
17:34:37 <apowers> ... what would work for the term Relying Party
17:35:10 <apowers> rbarnes: since FIDO has already had that conversation, maybe those "confusables" [terms] could be mentioned
17:35:37 <apowers> jeff: maybe we should be assigning issues in GitHub to track the work
17:35:48 <apowers> ... if you start working on something assign it to yourself
17:35:58 <apowers> ... and if the issue doesn't exist, create one and assign it to yourself
17:36:09 <hhalpin> +1
17:36:30 <Hubert-PayPal> Agreed - it'll make participation easier
17:36:32 <apowers> rbarnes: I remember that alexei was going to work through the open issues
17:36:40 <apowers> alexei: yep, that's on me
17:36:43 <jcj_moz> Terminology Section is Issue #50: https://github.com/w3c/webauthn/issues/50
17:36:55 <apowers> jeff: can you assign issues to yourself
17:37:02 <apowers> alexei: yes, fine with me
17:37:16 <apowers> jeff: separate branches and pull requests (PRs)?
17:37:32 <apowers> alexei: maybe some trivial things direct to master (adding a comma)
17:37:34 <hhalpin> For trivial editorial work I suggest editor's discretion
17:37:43 <apowers> ... more complex create a PR
17:37:55 <apowers> jc: I prefer everything go through PRs
17:38:06 <jcj_moz> ^^ that's actually rbarnes
17:38:11 <apowers> sorry, can I change that?
17:38:34 <wseltzer> s/jc/rbarnes/
17:38:38 <apowers> thx
17:38:42 <apowers> s/jc/sbarnes
17:38:44 <apowers> s/jc/sbarnes/
17:38:49 <apowers> blah
17:38:59 <apowers> jeff: either fork to own repo or create a branch
17:39:05 <hhalpin> q+
17:39:08 <apowers> rbarnes: everything through PR
17:39:11 <apowers> jeff: works for me
17:39:19 <felipe_bbg> I was wondering about the term Relaying Party, in the context web and leaving federated identity out of scope, wouldn't it be essentially "web application"?
17:39:33 <felipe_bbg> q-
17:39:44 <acz-goog> q-
17:39:45 <apowers> vijay: use commit nomenclature for marking issues as fixed
17:39:47 <hhalpin> rbarnes, can you handle looking at IRC queue as soon as this conversation raws to a close
17:40:25 <apowers> ... if we just use that then there won't be confusion about what the status of the issues is, especially if the changes aren't on master
17:40:34 <apowers> ... and it closes the issue when merged to master
17:41:03 <apowers> hhalpin: W3C does use GItHub for permissions, and then we have a different permissions layer above that for IPR checks
17:41:17 <apowers> ... if you don't have permissions and you want them, contact Wendy or myslef
17:41:19 <JeffH> how does one tell if they don't have "permissions" ?
17:41:50 <apowers> rbarnes: I'm disappointed that you didn't mention that was called oshgnas (sp?)
17:41:58 <rbarnes> s/rbarnes/jcj/
17:42:12 <apowers> apparently all of Mozilla sounds the same to me ;)
17:42:25 <apowers> apologies
17:42:39 <jcj_moz> s/oshgnas/ash nazg/
17:42:42 <hhalpin> https://github.com/w3c/?utf8=%E2%9C%93&query=ash-na
17:43:05 <apowers> rbarnes: how are we feeling about Tony's proposal to remove the metadata service from the spec
17:43:12 <apowers> Vijay: optional add-on that's best left out
17:43:15 <hhalpin> https://github.com/w3c/ash-nazg
17:43:26 <apowers> jeff: sure, although we could reference as an informative reference
17:43:27 <hhalpin> "One interface to find all group contributors and in IPR bind them https://labs.w3.org/hatchery/ash-nazg/ — "
17:43:29 <acz-goog> q+
17:43:35 <hhalpin> q- hhalpin
17:43:48 <apowers> hubert: sure, informative for more information about the attestations and how to validate them
17:43:51 <wseltzer> regrets+ wseltzer
17:43:51 <felipe_bbg> q+
17:44:17 <apowers> alexei: I think we had decided during the last meeting to make attestation more of a blob rather than spec'ing it out
17:44:28 <felipe_bbg> q-
17:44:31 <apowers> jeff: sure, that's another way to do it
17:44:46 <apowers> rbarnes: alexei: make the changes?
17:44:49 <acz-goog> q-
17:44:57 <apowers> alexei: sure after my other issues I'm working on
17:45:03 <apowers> jeff: see #47
17:45:45 <apowers> filipe: I posed a question, leaving federated identity outside the scope, would relying party be the web application?
17:46:05 <apowers> vijay: no, the web application would be the javascript, relying party is the backend
17:46:35 <apowers> ... goes back to whomever is going to grant security
17:46:59 <apowers> filipe: there are references to the "script" and it wasn't clear what that is
17:47:07 <apowers> jeff: client-side portion of web application
17:47:28 <apowers> rbarnes: relying party will get information from the script
17:47:48 <apowers> filipe: what confuses me is that this is all pinned to an origin
17:47:55 <apowers> ... I have to think a bit more about this
17:48:07 <apowers> vijay: this is why we also pulled the web origin into the signature
17:48:24 <apowers> ... telling the authenticator who the relying party (RP) si
17:48:52 <apowers> hubert: useful addition to the spec
17:49:01 <apowers> ... do we have a security considerations section anywhere?
17:49:08 <apowers> jeff: we could open an issue for that
17:49:20 <apowers> rbarnes: we need that to describe the overall security model
17:49:42 <apowers> rbarnes: hubert: could you do that?
17:49:49 <apowers> hubert: sure
17:50:06 <apowers> rbarnes: it sounds like we are in pretty good agreement on the attestation / metadata service question
17:50:13 <apowers> tony: 10 minutes left
17:50:23 <apowers> ... look at open issues, or wait until merge is closed?
17:50:34 <apowers> *tumbleweed*
17:50:42 <rbarnes> zakim, agenda?
17:50:42 <Zakim> I see 6 items remaining on the agenda:
17:50:43 <Zakim> 1. Roll Call [from wseltzer]
17:50:43 <Zakim> 2. Agenda bashing [from wseltzer]
17:50:43 <Zakim> 3. Document merge, status/update [from wseltzer]
17:50:43 <Zakim> 4. Naming issues, update from JC [from wseltzer]
17:50:43 <Zakim> 5. Walk the open issues list [from wseltzer]
17:50:44 <Zakim> 6. A.O.B [from wseltzer]
17:50:57 <apowers> alexei: I can get more work done when I'm not on a call
17:51:03 <apowers> rbarnes: good progress for the day
17:51:06 <apowers> tony: AOB?
17:51:10 <apowers> ... or 10 minutes back
17:51:15 <apowers> ... meet again next Wednesday
17:51:26 <apowers> ... adjourn
17:51:32 <hhalpin> RRSAgent, draft minutes
17:51:32 <RRSAgent> I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html hhalpin
17:52:01 <apowers> ironically, my account doesn't have sufficient permissions to view the draft minutes :)
17:55:05 <wseltzer> rrsagent, make logs publi
17:55:07 <wseltzer> rrsagent, make logs public
17:55:16 <wseltzer> rrsagent, make minutes
17:55:16 <RRSAgent> I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html wseltzer
18:57:58 <Guest13> Guest13 has joined #webauthn