16:57:47 RRSAgent has joined #webauthn 16:57:47 logging to http://www.w3.org/2016/08/10-webauthn-irc 16:57:49 RRSAgent, make logs public 16:57:51 Zakim, this will be 16:57:51 I don't understand 'this will be', trackbot 16:57:52 Meeting: Web Authentication Working Group Teleconference 16:57:52 Date: 10 August 2016 16:59:02 Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Aug/0053.html 16:59:48 nadalin has joined #webauthn 17:00:04 RobTrace has joined #Webauthn 17:00:32 present= 17:01:41 present+ 17:01:45 Rolf has joined #webauthn 17:01:55 present+ 17:02:04 vgb has joined #webauthn 17:02:11 present+ 17:03:30 present+ 17:03:41 present+ 17:05:45 rbarnes has joined #webauthn 17:06:10 present+ 17:06:54 JeffH has joined #webauthn 17:07:01 present+ 17:09:02 scribenick: JeffH 17:10:02 apowers has joined #webauthn 17:10:12 eTLD+1 discussion: 17:10:23 dirkbalfanz has joined #webauthn 17:11:52 rbarnes: not totally sure how to bring to closure. default shud be web origin, all web apis are per origin other than cookies, can someone pls recap....? 17:12:16 dirk: it is overall same origiin (see dirk's msg on the list) 17:12:44 ...we are constructing per-origin, the part that's not same-origin is the "scoping of the key pair" 17:13:35 audio - down for everyone or just me? 17:13:58 it works for me 17:14:08 thx, reconnecting 17:14:41 oh did we just drop off the call? 17:14:50 Rahul has joined #webauthn 17:15:39 rbarnes: notes that client data does not seem to contain the full origin, rather has just RP ID? if actual origin is folded in per Dirk then that should be clarified in the spec 17:16:22 vijay(vj): notes that clientdata does contain full origin.... 17:16:45 ...renames facet to origin to be more clear, is queued in PR 17:17:00 dirk, looks like you dropped off too 17:17:33 ok I'm back 17:17:53 rbarnes: ...still wondering about use cases for the eTLD scoping of key pairs... 17:18:26 vj: there were expressed use cases [ relates some of them... ] 17:20:30 JeffH: wanted to make sure there is no more cross-origin sharing than with cookies. don't want to tread into federation territory 17:20:43 ...from practical perspective, it does not increase tracability beyond what exists now and meshes with current practice 17:21:01 s/.../vj (prior to above).../ 17:22:09 rbarnes: proposes ... ? 17:23:21 notes that vgb == vj 17:23:27 Boolean in options dictionary that tells the client to compute rpId = origin, or rpId = eTLD+1 17:23:29 ... == vijay 17:23:43 proposal: add an option that an RP can use to switch between (RPID == origin) and (RPID == eTLD+1) 17:24:04 dirk: thinks this might "work", but am curious as to what the problem is that you are trying to solve here... 17:25:15 rbarnes: notes that even though is useful to scope to etld+1, would be useful if it is possible to scope more tightly if the deployer desires 17:25:38 ...would be the same reason you'd use the domain-scoped cookie 17:25:50 ... ok we're good on this for now.... 17:26:15 topic: Set timeline for review and agree on a approach for handling the Credential object 17:26:57 vgb: wrt cred object 17:27:14 ...for whitelist caller would have to create cred objects 17:27:23 ...the idl is a bit incorrect 17:27:43 ...PR#159 addresses just this, cleans up the technicalities for how the IDL is written... 17:28:04 ...another question that has come up is "what if we removed credential type?" 17:28:14 ...pr#158 answers that 17:28:38 ...have sketched out a couple ways/options for how to do this 17:31:54 JeffH: wants to adopt one of the 2 branches 17:32:55 no. pr#159 i think is likely OK. pr#158 and the other cred experiment branch require more discussion imho 17:34:26 vgb: can just merge in pr#159 cuz is just a bugfix 17:34:30 jeffH; ok 17:34:40 jcj: ok, fine with merging this 17:35:47 ...where "this" is pr#159 17:36:22 vgg: pr#154 -- processing rules exposition 17:37:34 ...cleans up stuff in the authnr model section eg clientDataHash is what is sent to authnr 17:44:24 JeffH; review 154 by next Wed 17:45:38 vgb & jeffh: discussed pr#154 -- it raises issue of the authnr model being just a model and whether the spec ought to define a hard&fast authnr API -- ie what if an underlying authnr transport prot emerges a la implied by U2F BLE & NFC transports 17:45:39 ? 17:45:57 vgb: wrt PR#151 -- attestation cleanup proposal 17:46:32 ...no matter what the attstn format is, it produces an AAGUID 17:46:41 ...cleaned up some wording and such 17:47:09 ...this also cleans up prior issue - we had not rigorously defined what an attstn format consists of 17:47:10 q+ 17:47:16 ...this does so 17:48:14 ....also streamlines how attstn verification works 17:48:26 ... please review and raise discussion on list 17:49:55 ...this is the next-to-last technical issues -- would be good to resolve them and then get a WD-01 out door 17:50:20 vjb: merge in 159 as it is 17:50:34 JC will have 151 reviewed by next call 17:50:38 s/pr#151/pr#161/ 17:51:11 q ack 17:52:45 rolf: if tpm does attstn, it produces struct which is diff than what we spec 17:53:05 ...so addtnl goal of attstn is to have ability to plug in diff to-be-signed formats 17:54:09 ...we created packed attstn as the thing we prefer... 17:54:34 vgb: in trying to create actual authnr, we found that there's a boundry for authnr, and boundry of crypto mod 17:55:20 ...authnr is a box that contains various things.... the prior structures had no way to feed into tpm things that were in boundary of authnr but not crypto mod 17:55:52 ....so tried to address this in the pr#161 17:56:02 ...it is 400 lines 17:56:39 rolf's 1st comment was: attestationStatement was a JSON structure producing a unified view on attestation objects 17:57:30 vgb: so this refactor allows the TPM to sign the packed rawData 17:58:05 rolf: if you look at android N as an example, which would fit in the prior attstn, how would you use this refactored spec to handle it? 17:58:32 vgb: android N takes in a nonce input, and produces PoPossession, yes? 17:59:52 ...my authnr consists of android N crypto subsystem and logic above, it would take the inputs, hash them together to produce nonce, give to crypto layer to sign, RP gets the same overall result, there might be addtional validation steps.... 18:01:41 rolf: there is sever risk in this model -- app provides nonce, is impt to not look like unified system because it is not 18:01:54 ....RPs may not do adequate verification 18:02:21 Sorry have to drop off 18:07:20 yes 18:07:42 scribenick: nadalin 18:08:15 vjb will talk to Rolf and post back to list 18:10:24 No one on call to UVM Rahul is missing to discuss 18:19:29 nadalin has joined #webauthn 18:20:10 vgb: should we separate extensions form core? 18:22:09 vgb: is the set of extensions we have now enough ? 18:23:36 rolf: challenge to get support for extentions if they are not in core 18:24:16 can we agree on the 2 extensions we have now ? 18:27:05 lets get the current ext (UVM/UVI/Location) PRs created and pulled into core 18:27:16 As of this point the attendees have been jcj_moz, Rolf, vgb, weiler, nadalin, rbarnes, JeffH, apowers, dirkbalfanz, JohnFontana, KetanMehta, RahulGhosh 18:28:28 RRSAgent, generate minutes 18:28:28 I have made the request to generate http://www.w3.org/2016/08/10-webauthn-minutes.html weiler 18:29:23 Chair: nadalin 18:29:24 RRSAgent, generate minutes 18:29:24 I have made the request to generate http://www.w3.org/2016/08/10-webauthn-minutes.html weiler 21:51:47 weiler has joined #webauthn