17:00:39 RRSAgent has joined #webauthn
17:00:39 logging to http://www.w3.org/2016/07/06-webauthn-irc
17:00:41 RRSAgent, make logs public
17:00:41 Zakim has joined #webauthn
17:00:43 Zakim, this will be
17:00:43 I don't understand 'this will be', trackbot
17:00:44 Meeting: Web Authentication Working Group Teleconference
17:00:44 Date: 06 July 2016
17:01:39 present=
17:01:41 apowers has joined #webauthn
17:01:58 present+ wseltzer, tonynad, jeffh, selfissued, vgb
17:02:08 present+ apowers
17:02:10 rbarnes has joined #webauthn
17:02:39 heh, i was about to make the same request
17:02:45 anyone know why w3.org is down?
17:02:52 present+ ketan
17:02:54 https://mit.webex.com/mit/j.php?MTID=m5efd2927c573e7748740d42055207a28
17:03:03 JeffH has joined #webauthn
17:03:10 present+
17:03:36 vgb has joined #webauthn
17:03:51 RobTrace has joined #webauthn
17:04:03 present+
17:04:15 present+ christiaan
17:04:24 present+
17:04:29 zakim, who is here?
17:04:29 Present: wseltzer, tonynad, jeffh, selfissued, vgb, apowers, ketan, weiler, christiaan
17:04:32 On IRC I see RobTrace, vgb, JeffH, rbarnes, apowers, Zakim, RRSAgent, weiler, selfissued, adrianba, trackbot, slightlyoff, mkwst, wseltzer
17:04:36 present+ rbarnes
17:05:15 wseltzer has changed the topic to: webauthn July 6 https://mit.webex.com/mit/j.php?MTID=m5efd2927c573e7748740d42055207a28
17:06:39 present+ RobTrace
17:06:51 agenda+ Roll call
17:06:58 agenda+ Call for scribe
17:07:06 agenda+ Issues in flight this week, JC, Vijay, Jeff
17:07:20 agenda+ IETF Discussion
17:07:22 agenda+ AOB
17:08:15 agenda?
17:08:30 zakim, who is here?
17:08:30 Present: wseltzer, tonynad, jeffh, selfissued, vgb, apowers, ketan, weiler, christiaan, rbarnes, RobTrace
17:08:33 On IRC I see RobTrace, vgb, JeffH, rbarnes, apowers, Zakim, RRSAgent, weiler, selfissued, adrianba, trackbot, slightlyoff, mkwst, wseltzer
17:08:35 Rolf has joined #webauthn
17:08:44 nadalin has joined #webauthn
17:08:46 present+
17:09:28 scribenick: selfissued
17:09:47 zakim, take up agendum 3
17:09:47 agendum 3. "Issues in flight this week, JC, Vijay, Jeff" taken up [from wseltzer]
17:10:14 There has been activity with JC and Jeff and Vijay tweaking some aspects of the spec
17:10:44 We are talking about departing from the WebAppSec credential interface
17:11:09 Vijay: We no longer think that alignment makes sense
17:12:18 Jeff: I haven't reviewed this yet
17:12:42 ... Mike West told Jeff that they should talk
17:14:55 Mike West is based in Munich
17:15:11 He might be able to come talk to us during IETF in Berlin in 2 weeks
17:15:26 There's a bunch of stuff in the HTTP working group on cookies
17:16:07 These are subtle issues. Tony would rather not close this without input from him.
17:16:52 Vijay wants to not pollute the global namespace
17:17:05 Jeff: Is there a document to reference for namespace usage guidance?
17:17:48 Richard: Other things that provide device access, such as geolocation, are in the navigator namespace
17:18:02 Jeff: We should get this written down. We have a wide audience for this spec.
17:19:14 Vijay: It would be good to not have two interfaces that talk about credentials that do different things
17:19:45 ... We had a debate a while ago about what the credential type does
17:20:00 ... It's essentially a signature format
17:20:06 Jeff will propose a new name
17:20:54 s/Jeff/JeffH/ :)
17:22:01 https://github.com/w3c/webauthn/issues/107
17:22:01 Talking about issue #107 - signature format doesn't cover both contexts
17:22:29 Issue #86
17:23:12 Do we want it to be possible for authenticators to not do attestation?
17:24:05 Rolf: Brought up "nullable attestation"
17:24:20 ... surrogate attestation is a self-signed object
17:24:37 surrogate attstn: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html#surrogate-basic-attestation
17:24:40 Rolf advocates supporting surrogate attestation
17:25:54 Jeff: You use the private key to sign
17:26:59 one tangential point: note that the clientDataHash is stored in the attestation statement, so if you have null attestation the clientDataHash isn't signed / returned to the RP either
17:27:39 Rolf: A trust decision needs to be made about the authenticator
17:31:06 Discussions about what keys are used for what...
17:33:36 Vijay: You want to establish proof of possession of the private key.
17:33:47 ... What's the alternative proposal?
17:34:04 Rolf: Sign with a JSON key - not a certificate
17:34:44 There will be a proposal made over e-mail
17:35:03 Vijay: Want to look at issue 84
17:35:22 Create an options dictionary rather than having lots of options at the end
17:35:33 No objections
17:36:44 Vijay: Those things are Vijay's first tier
17:36:52 Richard: Vijay should ping JC
17:37:00 ...on-list :)
17:38:49 The scoped credential thing is on Jeff's list
17:39:00 Jeff is travelling for the week before IETF
17:39:18 Tony: Jeff had produced an IANA draft
17:39:27 ... We need to start putting that through the IETF process
17:39:33 Jeff: I need to revise it
17:39:39 ... I will try to do this by Friday
17:41:08 We will meet next week but will skip the week of IETF
17:41:37 End of call
17:42:20 rrsagent, make minutes
17:42:20 I have made the request to generate http://www.w3.org/2016/07/06-webauthn-minutes.html wseltzer