16:54:49 <RRSAgent> RRSAgent has joined #webauthn
16:54:49 <RRSAgent> logging to http://www.w3.org/2016/09/28-webauthn-irc
16:54:51 <trackbot> RRSAgent, make logs public
16:54:53 <trackbot> Zakim, this will be
16:54:53 <Zakim> I don't understand 'this will be', trackbot
16:54:54 <trackbot> Meeting: Web Authentication Working Group Teleconference
16:54:54 <trackbot> Date: 28 September 2016
16:55:40 <weiler> agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Sep/0536.html
16:55:41 <jcj_moz> present+
16:55:47 <weiler> weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Sep/0536.html
16:57:59 <weiler> present+
16:59:39 <weiler> present+ nadalin
17:00:07 <gmandyam> gmandyam has joined #webauthn
17:00:50 <gmandyam> present+
17:05:30 <vgb> vgb has joined #webauthn
17:05:47 <vgb> present+
17:07:54 <apowers> apowers has joined #webauthn
17:08:00 <RobTrace> RobTrace has joined #webauthn
17:08:10 <weiler> present+ powers RobTrace
17:08:14 <apowers> present+
17:08:19 <weiler> present- powers
17:08:20 <JeffH> JeffH has joined #webauthn
17:08:28 <JeffH> present+ JeffH
17:08:53 <JeffH> craft beer in hong kong: http://gohongkong.about.com/od/hongkongbarsandclubs/ss/Best-craft-beer-bars-and-ale-pubs-in-Hong-Kong.htm
17:09:12 <weiler> scribenick: gmandyam
17:09:12 <weiler> chair: nadalin
17:10:09 <Ketan> Ketan has joined #webauthn
17:10:42 <gmandyam> nadalin:  Thanks to all who helped in publication of RD 02
17:10:43 <deiu> deiu has left #webauthn
17:12:13 <alexei-goog> alexei-goog has joined #webauthn
17:12:21 <alexei-goog> present+
17:09:12 <weiler> scribenick: JeffH
17:18:05 <JeffH> gmandyam: thinks that attstn formats that are vendor-proprietary and do not have "complete" specifications need to have their attstn format identifier prefixed with a vendor-specific ID
17:18:47 <JeffH> ... asserts that safetynet is an example of this -- there's opaque fields that are not documented -- is just a vendorspecific attstn
17:21:28 <JeffH> ... when they (RP) read the spec, they can verify the packed attstn by just reading the attstn spec -- for safetynet that's not the case -- the RP needs to contact the vendor in order to figure out how to validate the attstn
17:24:26 <JeffH> alexei: this sounds like you are arguing against safetynet specifically  -- you don't know about lots of items under the hood wrt attestn, such as who's code is performing the hashes/sigs....
17:25:25 <JeffH> gmandyam: notes that goog does supply a online svc to validate safetynet but it is a single point of failure...
17:26:17 <JeffH> alexei: so it seems you are arguing to designate the attstn format as sort of a 2nd class citizen...
17:28:30 <JeffH> gmandyam: thinks we should have two levels of review of attestation formats -- one is for interoperable indep impls ones -- other for vendor-specific single-source ones
17:28:58 <JeffH> ...thinks for packed / tpm=based there will be more than one impl
17:09:12 <weiler> scribenick: weiler
17:36:05 <weiler> gmandyam: thinks there are different vision re: registry doc.  proposes a separate registry doc, as an issue.
17:36:59 <weiler> ... rather than have it buried in a pull request.
17:37:12 <JeffH> https://github.com/w3c/webauthn/issues/221
17:38:57 <weiler> alexei: not sure 221 has merit.
17:38:58 <weiler> vgb: richard thinks acct into is not or the UA.  want to discuss further with him.  vgb thinks this is good future-proofing
17:39:31 <weiler> alexei: for a large class of authenticators, it will get discarded by the UA.  could be useless work by RP for a large class of authenticators.
17:39:49 <weiler> vgb: for this class of authenticators, allows smart things in UA
17:40:33 <weiler> ... on machine where you create credential, store identifier....
17:40:44 <weiler> ... doesn't really hurt.
17:41:09 <weiler> gmandyam: we don't want current state, where this is mandatory.
17:41:22 <weiler> ... is it safe to say that this should not be mandatory in makecred?
17:41:41 <weiler> vgb: no.  I think it should be mandatory.  even those some don't use it.
17:42:33 <weiler> alexei: confusion induced by not providing it is worse than extra work on RPs in cases where it is not used.  and I buy that argument.
17:42:50 <weiler> gmandyam: increasing testing burden on UA vendor.
17:43:05 <weiler> vgb: I think it reduces the testing burden.  one code path.
17:43:34 <weiler> gmandyam: if UA doesn't want to pass info, it has that option, right?
17:44:03 <weiler> vgb: yes, but it violates the spec.
17:44:35 <weiler> gmandyam: authenticator won't use this, so why would it pass it on?
17:45:02 <weiler> vgb: from the developers perspective, if you call API in legal way, don't want surprising results.
17:45:26 <weiler> ... if we do this, developer has know that @@
17:45:43 <weiler> ... allow list must contain only one credential from that authenticator
17:45:51 <weiler> ... this is very balanced and nuanced.
17:46:02 <weiler> ... easier to say "slap the user's name in there"
17:46:30 <weiler> gmandyam: ... could choose not to make any of these available.  developer won't now about this in advance.  could be legit reasons for this.
17:46:53 <weiler> ... if those authenticators don't accept info, developer won't benefit, since not known in advance.
17:47:13 <weiler> vgb: but at least developer knows the best thing to do.
17:47:25 <weiler> ... want to avoid situation where developer doesn't know best thing to do.
17:47:48 <weiler> ... i can't summarize to developer, if we make acct info optional, what the right thing to do is.
17:48:40 <weiler> ... if have creds made w/o act info  @@... this makes my head hurt
17:48:53 <weiler> alexei: agree w/ vgb
17:49:01 <weiler> ... undue burden on RPs
17:49:38 <weiler> vgb: need t convince rbarnes, who isn't here
17:50:10 <weiler> jcj: I can help with that.  can't speak for rbarnes, but 2nd point re: tunnel scenario makes sense to me and should make sense to him.
17:50:26 <weiler> ... we had misunderstanding re: how this field will be used.
17:50:58 <weiler> ... should point out in non-normative that even if this isn't USED, it's USEFUL.  and it's future-proofing.
17:51:24 <weiler> ... I'll talk to rbarnes.
17:51:42 <weiler> jeffh: jcj has also responded in issue 219.
17:51:48 <weiler> ... and alexei.
17:51:52 <weiler> s/219/221/
17:52:30 <weiler> alexei: may I abandon 220?
17:52:38 <weiler> jc: yes, but don't close 219 yet.
17:52:48 <weiler> ... close 221.
17:52:56 <weiler> jeffh: talk to rbarnes first?
17:53:52 <weiler> nadalin: concurs with path.
17:54:12 <weiler> topic: u2f assestation format
17:54:44 <weiler> vgb: rolf and girl pointed out different ways to do this.  rolf: 3-level to 2level.  girl: keep 3 level and...
17:55:05 <weiler> ... later this week, I'll send out a couple of PRs on this.
17:55:12 <weiler> nadalin: sounds good
17:55:20 <weiler> topic: issue 216
17:55:47 <weiler> nadalin: have people looked at 216 (alexei's proposal)
17:56:00 <weiler> alexei: I should make a PR.  that will be easier to discuss.
17:56:21 <weiler> vgb: had, in principle, agreement in room.  just need to implement.
17:57:06 <weiler> giri: this is the only hangup I had on mapping u2f...  use of apped v. RPid.  if we can compromise on that, ....
17:57:17 <weiler> alexei: glad to hear you're on board.
17:58:39 <weiler> nadalin: cxl next week because of fido plenary.
17:59:27 <weiler> weiler: do we need a blog post for new WD?  I'm assuming not
17:59:37 <weiler> ... [silence]  ok, done.
18:00:44 <weiler> Zakim, list participants
18:00:44 <Zakim> As of this point the attendees have been jcj_moz, weiler, nadalin, gmandyam, vgb, powers, RobTrace, apowers, JeffH, KetanMehta, alexei-goog
18:01:00 <weiler> RRSAgent, make log public
18:01:17 <weiler> RRSAgent, generate minutes
18:01:17 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/28-webauthn-minutes.html weiler
18:33:02 <naomi> naomi has joined #webauthn
19:19:20 <weiler> weiler has joined #webauthn
20:05:13 <rrware> rrware has joined #webauthn