16:13:32 RRSAgent has joined #webauthn
16:13:32 logging to http://www.w3.org/2016/08/31-webauthn-irc
16:13:34 RRSAgent, make logs public
16:13:36 Zakim, this will be
16:13:36 I don't understand 'this will be', trackbot
16:13:37 Meeting: Web Authentication Working Group Teleconference
16:13:37 Date: 31 August 2016
16:15:04 weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Aug/0151.html
16:15:13 agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Aug/0151.html
16:50:31 weiler has joined #webauthn
16:56:00 nadalin has joined #webauthn
16:57:38 rbarnes has joined #webauthn
17:01:25 present+
17:01:32 present+ rbarnes, ketan
17:03:01 Rahul_Ghosh has joined #webauthn
17:03:06 jcj_moz has joined #webauthn
17:03:14 selfissued has joined #webauthn
17:04:02 present+ JeffH, jcj_moz, Rahul_Ghosh
17:04:44 vgb has joined #webauthn
17:05:15 present+ vgb, selfissued
17:05:42 Thanks, Wendy'
17:06:03 present+ nadalin
17:06:10 gmandyam has joined #webauthn
17:06:10 zakim, who is here?
17:06:10 Present: weiler, wseltzer, rbarnes, ketan, JeffH, jcj_moz, Rahul_Ghosh, vgb, selfissued, nadalin
17:06:12 On IRC I see gmandyam, vgb, selfissued, jcj_moz, Rahul_Ghosh, rbarnes, nadalin, weiler, RRSAgent, mkwst, slightlyoff, adrianba, Zakim, trackbot, wseltzer
17:06:19 JeffH has joined #webauthn
17:06:24 present+
17:06:35 present+
17:06:39 present+ gmandyam
17:06:49 present+
17:07:07 present+ alexeigoog, dirkbalfanz
17:07:55 scribenick: vgb
17:08:21 alexei-goog has joined #webauthn
17:09:07 open pull requests
17:09:11 https://github.com/w3c/webauthn/pulls
17:09:22 nadalin: look at PRs
17:09:22 https://github.com/w3c/webauthn/pull/154
17:09:27 ... how about 154?
17:09:36 ... no objections, let's merge it
17:09:42 https://github.com/w3c/webauthn/pull/157
17:10:19 ... #157?
17:10:31 gmandyam: addressed feedback from JC
17:10:38 jcj_moz: okay with it now
17:10:57 alexei-goog: still going with strategy of putting things in main spec but still optional?
17:11:02 nadalin: yes
17:11:16 alexei-goog: Google likely won't implement it, just to set expectations
17:11:31 gmandyam: ok, Snapdragon web engine will likely implement
17:11:55 selfissued: clarifying that registry != specification of extension
17:12:50 nadalin: any objections to #157?
17:13:15 RobTrace has joined #webauthn
17:13:18 jcj_moz: Mozilla agrees with Google that likely won't implement at first, though this is specified okay
17:13:39 rbarnes: Reminding folks that we will need two independent implementations
17:13:46 JeffH: even of optional parts?
17:13:48 samsrinivas has joined #webauthn
17:14:10 https://github.com/w3c/webauthn/pull/162
17:14:11 rbarnes: Let's discuss more when we get there, but obviously more implementations is better
17:14:18 nadalin: #162?
17:15:03 ... not enough bake time on this yet?
17:15:17 selfissued: this one is concerning - more options hurts interop
17:15:24 rbarnes: this improves security though
17:15:51 jcj_moz: like this change from a web dev perspective
17:16:09 ... eTLD+1 matching does not feel normal
17:16:16 JeffH: normal for cookies though
17:16:19 ... default there
17:16:49 ... okay with allowing both though
17:17:23 rbarnes: why choose cookies and not other DOM storage things which are per-origin?
17:17:46 dirk: can we use domain lowering instead of Boolean?
17:18:32 ... allow caller to pass in domain of applicability, and check that it is permissible by domain lowering rules
17:19:55 nadalin: maybe we need more time to think about this one and discuss
17:20:04 ... #161?
17:21:48 vgb & rolf are having off-list discussion wrt PR#161, tho both have been on PTO, but expect to send update to the mailing list later this week...
17:22:30 ...trying to figure out a "meet in the middle" approach... eg have a single attstn format, and the RP can get details from the metadata service (MDS)
17:23:01 thanks for scribing that JeffH
17:23:59 giri: wrt attstn registry, if u propose a new attstn fmt, then you just spec the rawData, and then it all works; and one'd have a ptr in the registry to the spec
17:24:03 gmandyam: can just point to external specs for attestation rawdata formats?
17:24:20 alexei-goog: maybe strive for progress not perfection - just define 1-2 formats?
17:24:39 JeffH: we have that already, this is orthogonal
17:25:08 vgb: this is more about normalizing the claims attstn formats can make
17:25:48 ...make it so that each attstn format can claim the same things, but the 'trustworthiness' might be different, eg whether it was done in hardware or software...
17:26:03 gmandyam: can we do this later as part of reviewing new formats
17:26:15 giri: hm, maybe we can't really make decisions wrt "trustworthiness"
17:27:07 vgb: the currently defined tpm attstn format is broken. we're not taking on responsibility for "trustworthiness", we can't express presently the characteristics of say a TPM-based authnr
17:28:00 gmandyam: what else is important other than key storage?
17:28:05 vgb: user verification.
17:28:23 ... will update this week on progress with Rolf
17:28:32 nadalin: #164?
17:28:50 selfissued: Andrei put into the spec that TB apps should treat the ID as opaque
17:29:07 jcj_moz: Is DOMString right?
17:30:04 vgb: Remember this has to be serialized to make clientDataHash
17:30:22 dirk: had promised to think about this, forgot. let me sync up with Andrei
17:30:41 ... Feel that apps treating this as a pub key is better.
17:31:08 JeffH: will also bring it up on unbearable list to ask why it is a key anyways instead of an ID
17:31:43 selfissued: Expect that more or different things may go into ID as TB evolves, don't want to break apps when that happens
17:32:00 alexei-goog: Does that mean you need a canonical serialization format?
17:32:13 selfissued, JeffH: that's already true
17:32:49 I have to step away for a few minutes because a repairman has arrived at my house. Jeff can speak to my PR #187, which is strictly editorial cleanups.
17:33:31 alexei-goog: Agree with Dirk, but maybe it's okay for WebAuthn to treat this as opaque
17:33:47 samsrinivas: How final is TB decision on this?
17:33:51 JeffH: Fairly so
17:34:04 present+ jfontana, samsrinivas
17:34:05 dirk: Believe the same
17:34:53 nadalin: wait for Dirk to confirm before merging
17:35:22 .... #169? Rolf is not on call.
17:35:36 Rahul_Ghosh: This is independent from UVI now.
17:35:49 ... As Rolf had wanted.
17:36:07 ... this has been discussed and seems to be agreeable to everyone.
17:36:15 nadalin: Any objections to merging?
17:36:20 JeffH: Go for it.
17:37:32 alexei-goog: for transparency, Google likely wouldn't implement this either
17:37:38 ... in the first implementation
17:37:45 https://github.com/w3c/webauthn/pull/169
17:37:58 nadalin: #185?
17:37:58 https://github.com/w3c/webauthn/pull/185
17:38:29 JeffH: low-hanging editorial fruit
17:38:37 ... fits just fine with #187
17:39:12 vgb: will go through #185-187 later and merge them as I go if that's okay
17:39:23 Sounds good
17:39:40 JeffH: #186 - this is change from Respec style to Bikeshed style
17:39:52 ... Bikeshed already produces a consolidated IDL at the end.
17:40:26 https://github.com/w3c/webauthn/pull/186
17:41:21 nadalin: that concludes review of PRs
17:41:39 vgb: will do 185-187 late today/early tomorrow
17:41:56 nadalin: that leaves eTLD+1 and attestation
17:42:17 dirk: left a comment on the eTLD+1 request
17:42:50 nadalin: trying to get to a point where we can update the public WD
17:43:05 JeffH: believes no additional process to do that
17:43:10 q+
17:43:15 ... so why not publish early and often?
17:43:36 nadalin: prefer to be in more solid state
17:44:04 JeffH: this is separate from whether we can rev the WD
17:44:34 wseltzer: Yes and it's a good idea to do so whenever we have a cohesive doc
17:44:52 JeffH: propose we merge these PRs and rev the WD
17:45:27 ... "these" meaning even just the editorial ones, and can do another for the contentious ones
17:45:37 nadalin: Objections?
17:46:00 alexei-goog: agree we should do another WD soon
17:46:27 gmandyam: Thinks we should wait for the attestation change
17:46:57 ... but also okay with doing a new WD now and another after that change
17:47:12 JeffH: won't kill anybody if we do another WD in a week
17:47:22 nadalin: consensus? objections?
17:47:38 ... no objections, so let's do a new WD after #185-187 are merged
17:48:02 wseltzer: will work with weiler and vgb to do that
17:48:35 nadalin: so likely no CR at TPAC, but hopefully soon after
17:50:17 vgb: Bunch of issues around treatment of RP ID string (type, casing, etc.)
17:50:38 JeffH: this should be done with pointers into HTML spec
17:50:49 ... as Anne suggests in #178
17:51:35 ... learned about this this week as part of reviewing other specs
17:52:00 vgb: okay, will look at that this week, please paste in pointers to the issues if you have any
17:52:25 JeffH: was reviewing issues this week, and added milestones to them (defaulted to CR)
17:52:46 ... could also go through and review ones tagged as WD-01
17:53:02 ... and maybe create a WD-02 and so on
17:53:41 nadalin: there are 16 WD-01, should we go through those?
17:53:54 https://github.com/w3c/webauthn/milestone/4
17:54:31 vgb: Giri, are you okay closing #98?
17:55:10 gmandyam: yes, though do think we have issue with UVI which feels opaque
17:55:20 ... should talk to Rolf
17:55:55 ... but will put in this comment and close the issue
17:56:15 rrsagent, pointer?
17:56:15 See http://www.w3.org/2016/08/31-webauthn-irc#T17-56-15
17:56:44 nadalin: let's review WD-01 issues. #6?
17:57:09 alexei-goog: can we put that in ScopedCredentialInfo?
17:57:41 vgb: is this instead a job for metadata service?
17:57:49 .. there is now an AAGUID everywhere
17:57:58 alexei-goog: will think
17:58:33 JeffH: how about we move things to WD-02 unless we have a compelling reason to keep in WD-01?
18:00:08 nadalin: #60?
18:00:27 alexei-goog: thinks we decided to not align because of the difference in cloning behavior
18:00:39 JeffH: so this is about cleaning up names now mostly
18:01:23 ... also we should punt to CR (the backstop milestone) if we don't think we will do something imminently in a WD
18:01:32 ... #86?
18:01:57 ... might want to do this as part of attestation
18:06:03 gmandyam: thinks that #103 does not belong in the spec
18:06:22 ... proprietary formats don't belong in the spec
18:06:42 nadalin: can we close #108?
18:09:02 ... done with no objections
18:09:19 .... new WD by next meeting then, if no new problems emerge
18:09:51 JeffH: will add WD-01 tag to the PRs we're targeting
18:10:53 gmandyam: want to talk about attestation registry
18:11:08 ... thinks we need to put JeffH's doc in Github
18:11:17 ... happy to help if needed
18:12:22 ... we need to be clear about what can be done to clientData for example
18:13:30 vgb: agree, something like this is in my PR
18:13:36 vgb: tends to agree w/gmandyam
18:14:08 ....authnr extensions should not modify clientData -- rather should put addtn'l data in authnrData
18:14:26 gmandyam: feel that SafetyNet is problematic and should be marked proprietary, to be treated differently than say TPM which is developed by a standards body
18:14:49 JeffH: would you please write that down so I can process?
18:15:08 gmandyam: already did, proposed prefixing the name
18:16:20 ... feel that the format is underspecified, and no way to fix the Google site which is the only spec
18:17:17 ... will file an issue about this asking to remove SafetyNet format
18:18:45 nadalin: AOB?
18:19:00 *Thanks to the scribe!
18:19:22 https://www.w3.org/2016/09/TPAC/
18:19:22 ... Hearing none. Remember to register for TPAC!
18:20:04 wseltzer: Come to TPAC! It's great fun! Lisbon!
18:25:32 Zakim, list participants
18:25:32 As of this point the attendees have been weiler, wseltzer, rbarnes, ketan, JeffH, jcj_moz, Rahul_Ghosh, vgb, selfissued, nadalin, gmandyam, alexeigoog, dirkbalfanz, jfontana,
18:25:35 ... samsrinivas
18:25:42 RRSAgent, generate minutes
18:25:42 I have made the request to generate http://www.w3.org/2016/08/31-webauthn-minutes.html weiler