16:21:03 RRSAgent has joined #webauthn 16:21:04 logging to http://www.w3.org/2016/09/14-webauthn-irc 16:21:05 RRSAgent, make logs public 16:21:08 Zakim, this will be 16:21:08 I don't understand 'this will be', trackbot 16:21:09 Meeting: Web Authentication Working Group Teleconference 16:21:09 Date: 14 September 2016 16:21:44 Agenda: trackbot-ng, start telcon 16:57:47 weiler has joined #webauthn 16:59:41 present+ wseltzer 16:59:47 zakim, who is here? 16:59:47 Present: wseltzer 16:59:49 On IRC I see weiler, RRSAgent, slightlyoff, adrianba, mkwst, Zakim, trackbot, wseltzer 17:00:17 present+ 17:00:21 nadalin has joined #webauthn 17:02:33 JeffH has joined #webauthn 17:02:38 rbarnes has joined #webauthn 17:02:39 present+ 17:03:15 present+ nadalin, Rolf 17:03:53 Rolf has joined #webauthn 17:04:15 RobTrace has joined #webauthn 17:04:20 present+ 17:04:59 vgb has joined #webauthn 17:05:13 present+ 17:05:38 present+ 17:05:59 present+ 17:06:05 for the record: JC will not be able to make it today 17:06:33 regrets+ JCJ_moz 17:07:11 present+ apowers 17:07:58 scribenick jeffh 17:08:15 s/scribenick jeffh/scribenick: jeffh/ 17:08:46 Topic: Open Pull Requests 17:09:22 alexei-goog has joined #webauthn 17:10:50 vgb: rolf and he are converging on PR # 161, down to naming issue 17:11:17 ...question is what to name some of the things in the AttestationStatement dict 17:11:57 ...thinks rolf's proposed names are not evocative enough, has proposed revised names in thread... 17:12:18 Rolf: am not fundamtly apposd to those names 17:13:11 vgb: 17:13:22 present+ 17:13:47 rolf: acks gmandyam's assessment of safetynet attstn being platform attstn rather than authnr attestn 17:14:02 present+ Ketan 17:14:04 ...notes that goog android N attstn is similar to how UAF does it 17:14:17 Alexei -- will review 17:15:17 wrt #162 and #198 (PRs) 17:15:29 vgb: we can choose either of those PRs, needs review 17:16:26 ...in #198: removed eTLD+1, relies on the "relaxing same origin restriction" in HTML51 17:16:51 nadalin has joined #webauthn 17:20:41 jeffh notes that "eTLD+1" should at least appear in foot notes 17:21:09 vgb in anser to rbarnes: likes #198 a bit more, there's one cost to it wrt RP ID 17:22:02 ...rp id hash from makecred time needs to match one at getassn time, and so if folks change deployemnt domain names after user did makecred, subsqnt getassns calls may not work... 17:22:46 rbarnes: not sure that'd affect things... but yeah, seems like a richer variety of failure cases -- not sure whether #198s richness is necessary 17:23:16 vgb: am thinking similartly -- yes you get complexity, but only if you don't want strict origin policy 17:26:14 rbarnes: ok, we will finialize #162 / #198 on Tue next week in Lisbon TPAC 17:27:44 apowers has joined #webauthn 17:27:49 scribenick: wseltzer 17:28:03 JeffH: On processing rules and exclude list 17:28:15 ... teasing it apart a bit 17:28:25 ... client will use exclude list re dummy challenges 17:28:40 ... = dummy sign requests 17:29:03 issue #6 17:29:08 ... that's implementation guidance that should be in the spec to say why it's in the exclude list 17:29:21 ... since it might not be intuitively obvious 17:29:32 https://github.com/w3c/webauthn/issues/6 17:29:39 alexei-goog: background 17:29:49 ... There are authenticators that have no storage 17:29:59 ... use a key handle, in webauthn, credential ID 17:30:06 ... as a way to offload storage 17:30:10 ... gen pub-priv keypair 17:30:15 thx wseltzer 17:30:15 ... encrypt with key on authenticator 17:30:29 ... take encrypted blob, give to server in credential id 17:30:43 ... server sends cred ID to client, client sends to authenticator 17:31:02 ... auth'r decrypts blob, extracts, validates, for RPID, executes 17:31:24 ... reason for exclude list: in registration phase, don't want duplicate reg from auth'r you already have 17:31:36 ... so "here are all the credentials I have" 17:31:50 ... reject authenticators that have one of these credentials, for this operation 17:32:16 ... client takes the exclude list, cred ID, and sends to the authenticators 17:32:38 ... if get non-error reply, then auth'r could have generated assertion -- ie., owns that credential 17:32:47 ... don't accept registration replies from that authenticator 17:32:58 ... so that's why exclude list. 17:34:34 rbarnes: what if RP says "I only want to talk to USB credentials". That shouldn't be what we're doing here 17:34:41 alexei-goog: I don't think we're enabling that practice 17:34:52 rbarnes: we might want to add to authenticator model to specify the probing 17:35:07 alexei-goog: I was writing a tool without necessarily specifying all the priors 17:35:14 ... I need to figure out where to put it in the spec 17:35:29 ... Should I do in same PR or different? 17:36:03 JeffH: Internal authenticators 17:36:28 ... it wasn't clear what you meant by "local authenticator" 17:37:16 ... authenticator in smartphone might be used for apps on smartphone or on laptop 17:37:27 ... is it "internal" or not? 17:37:58 alexei-goog: transport attribute is a sequence, e.g. both internal and bluetooth 17:39:16 JeffH: if sequence only has "internal", then don't contact "external" devices 17:39:50 alexei-goog: if it can't contact internally, then should reach out, because it knows not made on that device 17:40:21 vgb: it's a should not a must 17:41:55 JeffH: let's do everything in that PR 17:42:01 alexei-goog: sure, and I'll fix the build 17:42:40 https://github.com/w3c/webauthn/pull/196 17:42:47 vgb: I went through errors 17:43:07 ... please take a look 17:43:32 ... when every authenticator errors out, we return immediately. creates a bit of a side channel 17:43:58 ... as RP, I can tell whether a bluetooth authenticator is in range 17:44:16 ... but we're getting improved user experience, maybe ok 17:44:31 ... then I changed credential to scoped credential to avoid name collision 17:44:40 alexei-goog: I can review the PR 17:44:44 JeffH: I will review 17:45:21 vgb: per conversation in Berlin, need to assure that 2 creds for same account ID, RP can't assume 2 continue to exist 17:45:25 ... train in a tunnel 17:46:00 ... we said things would be easier if 2d makeCredential replaces the first for same account ID 17:46:16 JeffH: Are all these PRs for WD02? 17:46:32 nadalin: only 2 currently marked that way 17:46:55 vgb: the issues and pr markings don't match 17:48:18 Topic: Registry 17:48:20 https://github.com/w3c/webauthn/pull/193 17:48:28 JeffH: Giri updated his PR 17:48:47 ... I rendered and diff 17:48:53 ... had one question 17:49:20 ... registry doesn't have to track WDs of the API 17:49:27 ... we should discuss in Lisbon 17:50:03 ... expect to see Giri there 17:51:05 ... I'll try to send the diff to the list 17:51:23 JeffH: on WD02 issues, I added all the ones that mentioned Origin 17:52:01 ... will send a PR in the next day or so 17:52:08 ... have been reading the HTML spec 17:52:28 ... we may need Anne to help identify the object 17:52:58 vgb: the newer HTML5 drafts have cleaned this up 17:53:02 ... settings object 17:53:25 q+ 17:54:00 q- 17:54:03 q- Rahul 17:54:27 wseltzer: We'll be discussing normative references and HTML5 at TPAC 17:54:37 JeffH: I'll join that conversation 17:54:42 ... and an IETF facet too 17:55:27 ... I can update to point to HTML5.1 17:55:57 nadalin: Some other open issues 17:56:33 JeffH: vgb has addressed a bunch of these in his PRs 17:56:44 ... and I'll send PRs for those assigned to me 17:57:19 JeffH: Rolf, can you review issue 99? 17:57:36 Rolf: I'll put it on the list 17:58:06 JeffH: Anne raised the question of service workers 17:58:24 ... I submitted an issue on that 17:58:45 ... use cases involving not asking user consent in situations of re-authentication 17:59:17 vgb: can we punt to v2? 17:59:23 ... along with the origin issues 17:59:37 ... i.e., opaque origin 17:59:48 ... I'd rather say, we don 18:00:02 ... don't have webauthn in non-interactive context 18:00:13 ... for now, we have site wants to know user consented 18:00:31 JeffH: We could create a level 2 milestone and assign the issue there 18:00:57 vgb: yes. does anyone object to putting it aside for now? 18:01:05 JeffH: suggest you put that into an issue reply 18:01:27 ... then we can also make statement there needs to be an active browsing context 18:02:06 nadalin: we had some issues come in as people start to read the updated draft 18:02:10 ... posted to the list 18:02:15 ... e.g. from Yaron 18:02:24 vgb: I was going to reply soon 18:02:41 JeffH: thanks 18:03:05 nadalin: we won't be meeting by phone next Wednesday 18:03:10 ... F2F Tuesday 18:03:25 ... I've asked to cancel FIDO meeting next week that overlaps with our W3C meeting 18:04:15 nadalin: at the end of next Tuesday, we'd like to have most of our WD-02 issues closed 18:04:24 ... so we can do an update, get feedback, and head to CR 18:04:38 ... important to leave TPAC with a plan for closing all the open issues 18:05:04 JeffH: I wouldn't be surprised if we have a WD-03 before CR 18:05:27 vgb: If we address all WD-02 issues, does anyone object to publishing a new WD 18:05:30 nadalin: that's our goal 18:05:55 ... at our meeting, we can decide whether the next WD is -03 or CR? 18:06:11 vgb: if we close issues by email, can I push a new WD before Lisbon? 18:06:16 nadalin: any objections? 18:06:26 ... hearing none. 18:07:02 JeffH: some of those PRs we wanted to talk about in Lisbon 18:07:13 nadalin: if it happens by email, it can be updated 18:08:12 rrsagent, make logs public 18:08:14 rrsagent, make minutes 18:08:14 I have made the request to generate http://www.w3.org/2016/09/14-webauthn-minutes.html wseltzer