14:11:06 RRSAgent has joined #webauthn
14:11:06 logging to http://www.w3.org/2016/06/08-webauthn-irc
14:11:35 zakim, clear agenda
14:11:35 agenda cleared
14:11:40 present=
14:13:01 trackbot, bye
14:13:01 trackbot has left #webauthn
14:13:04 trackbot has joined #webauthn
14:13:10 trackbot, prepare meeting
14:13:10 Sorry, but no Tracker is associated with this channel.
14:13:29 rrsagent, make logs public
14:13:41 Meeting: Web Authentication WG
16:25:37 Jean-Gui has joined #webauthn
16:26:09 trackbot, prepare meeting
16:26:09 Sorry, but no Tracker is associated with this channel.
16:27:44 trackbot, prepare meeting
16:27:46 RRSAgent, make logs public
16:27:48 Zakim, this will be
16:27:48 I don't understand 'this will be', trackbot
16:27:49 Meeting: Web Authentication Working Group Teleconference
16:27:49 Date: 08 June 2016
16:27:56 tackbot end meeting
16:28:07 trackbot end meeting
16:28:07 Zakim, list attendees
16:28:07 As of this point the attendees have been (no one)
16:28:15 RRSAgent, please draft minutes
16:28:15 I have made the request to generate http://www.w3.org/2016/06/08-webauthn-minutes.html trackbot
16:28:16 RRSAgent, bye
16:28:16 I see no action items
16:32:34 RRSAgent has joined #webauthn
16:32:34 logging to http://www.w3.org/2016/06/08-webauthn-irc
16:32:36 RRSAgent, make logs public
16:32:38 Zakim, this will be
16:32:38 I don't understand 'this will be', trackbot
16:32:39 Meeting: Web Authentication Working Group Teleconference
16:32:39 Date: 08 June 2016
16:34:25 wseltzer has changed the topic to: WebAuthn 8 June https://lists.w3.org/Archives/Public/public-webauthn/2016Jun/0076.html
16:34:37 agenda+ Roll Call
16:34:44 agenda+ Agenda bashing
16:34:52 agenda+ Extensions, extensions, and more
16:34:55 agenda+ AoB
16:56:50 jcj_moz has joined #webauthn
17:00:30 RobTrace has joined #webauthn
17:01:38 apowers has joined #webauthn
17:01:59 hi
17:04:01 Rolf has joined #webauthn
17:06:26 vgb has joined #webauthn
17:06:41 gmandyam has joined #webauthn
17:07:12 JeffH has joined #webauthn
17:07:14 present+
17:07:15 present+
17:07:16 present+
17:07:21 present+
17:07:30 regrets+ wseltzer
17:08:13 SamSrinivas has joined #Webauthn
17:08:20 present+
17:08:55 present+
17:09:22 Hubert-PayPal has joined #Webauthn
17:09:22 present+ alexei
17:09:46 agenda+ Discuss extensions
17:09:55 present+
17:11:32 Vijay: Big theme of recent discussion: unprompted extensions.
17:11:46 Should authenticator add them without prompting by RP?
17:12:02 Should user agents be in the position of gatekeeper -- this is a 2nd issue.
17:12:31 We had agreed so far to mandate that one way or the other -- clients could choose what they do.
17:13:24 The 2nd issue seems to be settled to everyone's satisfaction more or less, but the 1st issue (authenticator adding extensions)
17:13:32 is the one under active discussion.
17:13:42 (meta: Vijay speaking still)
17:14:45 q+
17:15:02 Proposal: RP would say "These are the extensions we would like".
17:15:15 q-
17:16:22 Jeff: I thought we had agreed that the backstop for authenticator-added extensions was certification testing (reputational recourse). Giri agrees.
17:16:31 q+
17:16:37 q?
17:17:20 Giri: We don't have consensus. Vijay: Yes, we are in the process of discussing.
17:18:06 Giri: There does not seem to be a way in the standard to preserve the packed attestation signature if the client starts stripping unprompted extensions. This is problematic.
17:18:30 Jeff mentioned reputational recourse via certification. Vijay says: Certification is not required, how do we handle that?
17:18:36 q+
17:18:38 q?
17:19:10 Vijay: What is the case for unprompted extensions if we were starting from scratch?
17:19:17 Jeff: UVI extension.
17:20:32 Jeff: Such extensions are in UAF.
17:20:48 Jeff: Was used by a server and authenticator both being from the same vendor.
17:21:58 Jeff: They don't need to update the front end on the server -- hence we should have unprompted -- since the RP will not need to query for it.
17:23:43 Rolf: Unprompted extensions make sense since the authenticator can put them in without expecting the browser to understand them.
17:24:12 Rolf: I share the privacy concerns, but need to understand the threat model.
17:24:51 Rolf: No way to get authenticator to be any particular way.
17:25:15 q?
17:25:18 Rolf: We should only allow privacy preserving.
17:29:14 Sam: External authenticator may not know the privacy constraint and in good faith violate it.
17:29:53 This is not theoretical -- there are vendors in this discussion who may not be understanding this distinction.
17:30:29 q+
17:30:52 Vijay: Someone has to police authenticators which are privacy violating -- how will we do that?
17:31:43 q- Rolf
17:32:09 Jeff: Things would work as they do now. There will be certification programs.
17:32:45 Jeff: It is not 100% effective but nothing really is. We are trying to foster low friction innovation.
17:33:37 Vijay: Who will police these?
17:34:25 q+
17:36:53 Giri: Things are problematic but dealing with them through the API is the way to go.
17:38:41 q?
17:39:05 The browser can provide user prompts (Giri).
17:40:08 Giri: Providing visibility into granted permissions on an authenticator level is a current accepted best practice on the web. Plenty of W3C standards can be used for privacy violations (e.g. Geoloc, EME).
17:40:39 (speaker to be noted) If we do a reputational thing then user agents have to run whitelists and blacklists. Browsers are expected to try and protect users from poorly behaving equipment.
17:40:47 q?
17:40:49 Speaker was JC
17:40:52 Giri: The solution for most browsers is to provide the necessary prompts and request permissions on a per-domain basis.
17:41:59 Vijay: Building on what Giri and JC said, if the browser has to understand the extension and do sensible prompts, it has to have whitelists and blacklists. This would be high friction.
17:42:40 q+
17:42:47 We should be able to allow a user to just "say no" to any privacy 'violating' stuff and just use the basic authenticator. This will not be possible with unprompted extensions.
17:44:15 What if instead of unprompted extensions we baked them into the spec?
17:44:22 (speaker = ...)
17:44:44 Speaker JC
17:48:51 Rolf: AAGUID can be part of attestation and give device ID.
17:49:03 q+
17:49:27 But having the browser as police of extensions is impractical because all the various user agents have to agree on which extensions work.
17:50:02 Tony: It's like being in the certificate root list for a browser -- a mechanism to get into all browsers.
17:51:35 q+
17:53:56 Jeff: User agent etc. will implement whitelists.
17:54:44 Hubert-PayPal has joined #webauthn
17:55:55 Jeff: UVI use case -- authenticator should be able to say what kind of biometric was used.
17:56:56 q+
17:58:12 q+
18:00:05 Sam: How can browsers even understand how to whitelist or blacklist? What is the information source?
18:00:26 Rolf: Well, authenticator may add unprompted extensions anyway.
18:00:41 Sam: Wouldn't the browser then drop the entire transaction?
18:01:13 Vijay: Whitelisting is very hard to do for browser vendors.
18:02:54 Tony: We are not converging.
18:03:19 Vijay proposal: Will try a draft making all unprompted extensions into prompted extensions.
18:03:31 +1 for Vijay's proposal
18:04:12 Giri: Already has a proposal for location; Vijay to take into consideration.
18:59:39 zakim, list attendees
18:59:39 As of this point the attendees have been gmandyam, vgb, JeffH, jcj_moz, SamSrinivas, Rolf, alexei, Hubert-PayPal
18:59:46 zakim, bye
18:59:46 leaving. As of this point the attendees have been gmandyam, vgb, JeffH, jcj_moz, SamSrinivas, Rolf, alexei, Hubert-PayPal
18:59:46 Zakim has left #webauthn
18:59:50 rrsagent, make minutes
18:59:50 I have made the request to generate http://www.w3.org/2016/06/08-webauthn-minutes.html wseltzer