W3C

- DRAFT -

Web Authentication Working Group Teleconference

15 Jun 2016

See also: IRC log

Attendees

Present
wseltzer, gmandyam, TonyNadalin, Hubert, JeffH, Ketan, alexei-goog, dirkbalfanz, weiler, Nitin, vgb, SamSrinivas, Rolf, apowers
Regrets
Chair
TonyNadalin
Scribe
SamSrinivas


Extensions

Vijay to lead through his drafts. Also Rolf's alternate. Giri specific proposal.

Vijay speaking: Fixed some contradictions in the text re: extensions. Every extension has to have a client argument seems to be there. Vijay fixed up all pre-defined extensions to fit this spirit.

Surprised how little text needed to be added.

<wseltzer> vgb's pull request

(vijay still speaking)

Made explicit that the client argument should be converted to authenticator argument, in many cases, it is a straight pass-thru.

All the pre-defined extensions fit this pass-thru model, except for authenticator selection, and that's pretty simple too.

Giri re: trusted location -- isn't some processing required? Vijay: processing = just converting to CBOR

That transform is possible for any extension, even opaque

<wseltzer> [reviewing https://github.com/w3c/webauthn/pull/130/files ]

Vijay walking through diffs.

Line 1410: Clarifying client takes client args, not 'authenticator args'. Latter term was not defined, is not defined better.

Line 1420: word smithing

Line 1435: extension has to specify how to convert client arg to authenticator arg -- majority of cases it is pass through.

tenet: The RP should know what happened with the extensions it requested.

Extensions should add to client data in some way to indicate to the RP that the extension was honored/respected/processed.

Shouldn't client be responsible to add to client data for every extension? Since it owns client data? (Sam and Hubert). Vijay says "ok either way". Decision, to change the text to make it client's responsibility

Added standard way of passing "true" in CBOR. Takes same amount of byte space as numeral.

Makes it easy for client to just transform "true" in API call to "true" over CBOR generically.

Your client can pass through unknown extensions after CBOR-izing.

Giri: Reconfirming: All extensions are prompted. Vijay: yes, actually was always in spec that the RP has to specify a client argument.

<JeffH> SamSrinivas: my understanding is that a bound authnr that is not being accessed via CTAP, can add to clientData -- this raises issue of whether CTAP is declared the only means to access authnrs or not....

Most extensions will be pass through but extensions can also specify fancy client processing in principle. Authenticator selection requires this for example.

(vijay said)

Sam says: any extension needing client processing is a high bar and I see it coming into the main spec rather than just being specified in registry

Giri: Authenticator selection maybe should not be extension?

It should be in main API?

Vijay summarizing all other changes near end of doc -- basically straightforward, kinds of things covered earlier (eg, specifying CBOR true etc)

<JeffH> ... i.e. see line 1474

<vgb> SamSrinivas: one issue with requiring pass-through of extensions - who will respect user's privacy if RP and authenticator maker have different view of the user's privacy than the user would have?

<vgb> Rolf: Would be great if pre-defined extensions at least would be honored

Jeff: Are there privacy concerns with predefined extensions? Shouldn't it be ok to implement?

(in reply to tony asking) Should client need to understand privacy implications?

<wseltzer> [group to continue on-list discussion of extensions]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/06/15 18:06:50 $
