See also: IRC log
<wseltzer> present=
<yaronf> @wseltzer: are you joining WebEX?
<yaronf> Thx!
<yaronf> You are on WebEX but there's no audio.
<rbarnes> https://public.etherpad-mozilla.org/p/webauthn-tpac-2016
<yaronf> I can hear you, but quality is real bad.
<rbarnes> sam agreed to scribe, but i don't see him here
Introductions by all.
<weiler> scribenick: SamSrinivas
Richard asks Vijay to give overview of status
<JeffH> SamS or SamW scribe?
<rbarnes> SamS
<JeffH> oh SamS
Vijay giving big view: We are focusing on looking through end to end scenarios.
<rbarnes> relevant repo for those following along: https://github.com/w3c/webauthn
One set of PRs is focuses on that. Two large issues in current list: (Issue 1) Attestation -- Rolf and Vijay discussing extensively (Issue 2) Origins --- what that means. Jeff has PR which does a lot of that.
(SamW, glad for you to take over -- let me know -- either way)
Vijay says: i18n folks asked us how we are doing -- some places where we need to pay attention -- prompt messages, internaationalized origin names (domian names).
We have not had objections to the security model etc for a while -- meaning not fundamental structural issues. Vijay would like to get to implementations rolling.
Agenda bash. Afternoon Google people wants to talk about compatibility with u2f, later afternoon accessibility issues discussion.
sorry "google wants to talk about compatiblity with u2f".
Tony: We have to decide whether we want to WD-03 before we go with CR.
Vijay: We should get to more frequent working drafts, perhaps every other week as we work through the existing issues after current pull requests -- there are 60 issues.
Tony: Problem is that other groups watching us will complain about having to watch through frequent change. We should have milestones which 'external' people can invest in for review -- we should mark those in some way.
Vijay: Pull request convergence has become slow -- wiating times one month. We should have quicker cadence and frequent WD will force that.
Tony: Let us now discuss open pull requests.
<rbarnes> https://github.com/w3c/webauthn/pull/161
We have outstanding attestation PR #161 -- vijay and rolf?
Rolf: Am happy in general with current status. Wouild like to get feedback on readability.
Vijay: Downside of having it in
PR means it is not in WD and so very limited set of peole
reviewing it. We should merge it in and there may be issues
like incompletenees of TPM structure. But those are minor can
can be fixed.
... (Okes the pull request in real time)
<rbarnes> https://github.com/w3c/webauthn/pull/194
Tony: #194 Transport Hints
Alexei: is a narrative of what exactly client does with transport hints.
Tony: Can you fix markup issues and merge it in?
Alexei: I think that is what we should do.
Jeff: The enum does not include plain Bluetooth
Alexei: The reason is we didn't need it in U2F coz nobody wanted to implement it.
Rolf: What are people using then?
Alexei: Bluetooth Low Energy (as against classic Bluetooth)
Tony: Alexei, you'll fix and create new issue?
Alexei: Yes
<rbarnes> https://github.com/w3c/webauthn/pull/196
Tony: #196: Few outstanding technical issues Vijay opened this morning
Vijay: Need to be explicit about what errors are thrown in what situation. Havent' gotten a lot of feed back.
Tony: Didn't Yaron ask about this?
Vijay: No, he was talking about whether we have privacy leaks thrygh errors rather than what the error details are. That's my recollection.
Jeff: Question: Why do you call it scoped credential description and use the term 'descriptor'?
Vijay: We will make it consistent
to 'descriptor'
... any other opinions?
Room: Silence
Tony: So will you close that out?
Vijay: Will do it during the day today.
<rbarnes> https://github.com/w3c/webauthn/pull/198
Richard: What we are doing here is transitioning from the client computing the origin to it being speciied by the caller. Isn't that material change?
Vijay: We are saying that the client will check what is specified and make sure it is permitted.
<SamSrinivas_> Mike: I'll review 201 right now.
<SamSrinivas_> Jeff: will resolve 202.
<SamSrinivas_> Tony: We have 203
<SamSrinivas_> Jeff: This is simple, adds secure context qualifier to all interfaces in the API.
<rbarnes> https://github.com/w3c/webauthn/issues/6
<rbarnes> https://github.com/w3c/webauthn/issues/8
Brad: Security Context went to CR last week.
Tony: We need to create a milestone (in response to Jeff). Next we have #53, error codes.
VIjay: This will merge along with error code changes.
Tony: We have #160
Jeff: That is fixed.
JC: Has reviewed, is ok.
Dirk: What algorithm are using to jump between issues?
Tony: All issues tagged with
WD-02. We are trying to close those today.
... #173
Jeff: Fixed in a pull request
Tony: #174?
Giri: I couldn't find it in the standard. It meant something else.
Vijay: It has been renamed to 'origin'.
Dirk: I'll close.
Vijay: Don't close -- there is an outstanding PR.. Jeff's changes
Dirk: which giant PR?
Vijay: #202
Tony: #178
Jeff: Will close
Tony: #179? Utf8 string?
Jeff: I
will fix this. But its not fixed rightnow.
Tony: That takes through open WD-02 issues.
Giri: #200?
JC: It just got closed 5 minutes before.
Tony: Will you do a republish?
Vijay: Yes
Richard: Is WD-02 closed for issues?
Tony: Yes, issues will go against WD-03.
Richard: 3 weeks between WD drafts. Anyone object?
Vijay: Seems ok --- aligned with
calls.
... Hoping to get to last call within next few WDs.
Richard: We have a CR milestone for Oct 31. Reminder.
Alexei: Hiint; Get on a VPN and network issues go away.
Tony: Short break until network problems resolve.
Vijay, Jeff: #12 -- assign to WD-03
Vijay: #13 --may have addressed this already.
Jeff: Vijay will reference this in a PR which will be merged
Vijay: #22 -- we can put this beyond CR and do it in V2 of spec
Sam, Alexei, Tony: Use case discussion: Authenticaiton required at remote machine. Authenticator present on local machine.
Richard: Different point. Can there be a situaton where the test of user presence = 0.
Giri: Example, presence of a TPM,
Richard: We should have tesst of user presence = 0 as an option
Vijay: We can just say "Set the
bit to 1" in the spec and not handle it in v1 of spec.
... Spec already says so.
Jeff: We should put this in Level 2 (= v2).
Vijay: Level is w3c terms which usually means 'version' elsewhere.
Tony: Issue #24 hasn't had updates for a while
Jeff: There are diagrams which need review
Vijay: Will review
Issue #25 Server challenge time out
Vijay: That was addressed in one of my PRs, and when I check it in it should close.
Tony: WIll be WD-02
... There is a youtube video of paint drying.
<rbarnes> https://www.youtube.com/watch?v=nGA-GCq7JWM
<rbarnes> https://github.com/w3c/webauthn/issues/66
<schuki> https://github.com/w3c/webauthn
Mike: Which issue are we not discussing?
Tony: Jeff on issue #66
<nadalin> https://github.com/w3c/webauthn/issues/66
Jeff: If someone agrees with my resolution close it.
TOny: #79 has had not activity for a quite a whi.e
Alexei: Leave it at CR
Tony: #85?
Vijay: non-normative -- can be in security considerations, is not affecting spec.
not affecting normatively, that is.
Tony: #87
Vijay: wonder whether this is
relevant any more
... Will change text to adjust to this
Tony: #91 could be a blocker for CR?
JC: Would people vote no?
... It is not normative.
Vijay: This is about "how to write a server" and this is strange to have here.
Dirk: I found the example this points to and that doc says "this explainer doc is out of sync with spec - read the spec instead"!
Tony: Put in comments "Will address this post-CR"
Richard: Well, this group is not
chartered to do this, actually. Lets close this.
... Has been closed
Vijay: #95will close.
... #102 will be done by Vijay
Alexei: #116 leave it open
Jeff: leave #125 open for CR
RIchard: #131 is simple editorial word fix
#133 and #208 resolved togetehr with clarifying text. Giri to do it.
<weiler> breaking for one hour , 'til 1pm local. U2F at 1pm, followed by implementation.
<wseltzer> [closed the Webex]
<weiler> does anyone need or want WebEx?
<weiler> (WebEx is up and running, just in case.)
<harry> re extensions as long as there's no MUST/SHOULD normative text and it's clearly marked as extensions, should be fine
<harry> I think testing IdP/RP support is something W3C is not optimized for, but would be worth a discussion and I'm sure somehting reasonable is possible.
<rbarnes> though i'm not really enthusiastic about having things specified that aren't implemented
<harry> agreed.
<harry> I think you'd have to argue for it.
This is scribe.perl Revision: 1.144 of Date: 2015/11/17 08:39:34 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/with issues/with u2f/ Found ScribeNick: SamSrinivas Inferring Scribes: SamSrinivas Present: JeffH alexei-goog gmandyam jcj_moz nadalin rbarnes weiler wseltzer yaronf(remote) Ketan Rolf selfissued SamSrinivas Axel RobTrace vgb dirkbalfanz Agenda: https://public.etherpad-mozilla.org/p/webauthn-tpac-2016 WARNING: No meeting chair found! You should specify the meeting chair like this: <dbooth> Chair: dbooth Found Date: 20 Sep 2016 Guessing minutes URL: http://www.w3.org/2016/09/20-webauthn-minutes.html People with action items: WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option.[End of scribe.perl diagnostic output]