14:59:04 RRSAgent has joined #webauthn
14:59:04 logging to http://www.w3.org/2016/10/19-webauthn-irc
14:59:06 RRSAgent, make logs public
14:59:06 Zakim has joined #webauthn
14:59:08 Zakim, this will be
14:59:08 I don't understand 'this will be', trackbot
14:59:09 Meeting: Web Authentication Working Group Teleconference
14:59:09 Date: 19 October 2016
14:59:17 present=
14:59:47 agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Oct/0056.html
14:59:51 weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2016Oct/0056.html
15:02:41 teddink has joined #webauthn
15:26:30 weiler has joined #webauthn
16:00:09 Rolf has joined #webauthn
16:51:14 weiler has joined #webauthn
16:56:54 present+
16:57:03 zakim, who's here?
16:57:03 Present: weiler
16:57:05 On IRC I see weiler, teddink, Zakim, RRSAgent, hyojin, slightlyoff, mkwst, jcj_moz, rrware, adrianba, ted, sandro, aaronpk, schuki, trackbot, wseltzer
16:59:10 rbarnes has joined #webauthn
16:59:31 gmandyam has joined #webauthn
16:59:53 present+ gmandyam
17:01:04 Rolf has joined #webauthn
17:04:51 apowers has joined #webauthn
17:05:37 present+ rbarnes, nadalin, apowers
17:07:32 present+
17:07:35 vgb has joined #webauthn
17:08:42 angelo has joined #webauthn
17:09:32 present+ gmandyam
17:09:57 zakim, who's here?
17:09:57 Present: weiler, gmandyam, rbarnes, nadalin, apowers, Rolf
17:09:59 On IRC I see angelo, vgb, apowers, Rolf, gmandyam, rbarnes, weiler, teddink, Zakim, RRSAgent, hyojin, slightlyoff, mkwst, jcj_moz, rrware, adrianba, ted, sandro, aaronpk, schuki,
17:09:59 ... trackbot, wseltzer
17:10:08 present+ vgb
17:12:40 scribenick: vgb
17:12:45 chair: nadalin, rbarnes
17:13:32 nadalin: Could discuss open PRs. Jeff and Alexei not here yet, so maybe skip for now.
17:14:21 regrets+ wseltzer
17:14:37 ... did anyone review?
17:15:03 alexei-goog has joined #webauthn
17:15:07 present+
17:15:31 vgb: I did - look at Jeff's change removing publicKey from ScopedCredentialInfo if you can.
17:16:02 Rolf: is there supposed to be something in the vgb-u2f-attestation branch?
17:16:07 q+
17:16:15 vgb: i'm fighting my git client, will push something up.
17:16:43 present+ angelo
17:16:46 alexei_goog: few comments need to be addressed on the PRs
17:17:21 ... such as the question around what if rpId and U2F appId extension are inconsistently specified.
17:17:39 ... haven't looked at Jeff's PRs yet, will do right now.
17:18:24 nadalin: some PRs, 16 open issues on WD-03 milestone
17:18:51 gmandyam: question on PRs
17:19:46 ... comment on one of the PRs said attestation info wasn't present in getAssertion response
17:20:02 Ketan has joined #webauthn
17:22:15 ... so no way to include dynamic "attestation" info such as health state in assertions?
17:22:49 JeffH has joined #webauthn
17:24:52 nadalin has joined #webauthn
17:24:58 vgb: can do it as an extension similar to UVI or UVM
17:25:00 present+
17:25:21 present+ (on irc only)
17:25:41 ... attestation info itself is only generated at makeCredential time.
17:26:26 gmandyam: look at platform attestation such as SafetyNet. so if you wanted to get the API safety information again at getAssertion time, you'd want to define a SafetyNet extension. that's fine if that's what the spec says.
17:26:42 vgb: yes
17:27:52 alexei_goog: trying to understand where the public key will come from now that it is removed from ScopedCredentialInfo
17:28:10 Rolf: it was always the case that the attestation included it, because it has to be signed over.
17:28:42 there is an echo echo echo
17:29:58 alexei_goog: ScopedCredentialInfo has publicKey now, is the proposal for the pub key to come from authenticatorData?
17:30:01 gmandyam: yes
17:30:27 ... section 5.3.3
17:30:27 the credential public key is (and always has been) conveyed in authenticatorData."
17:30:36 attestation data"
17:30:49 see issue #94
17:30:56 alexei_goog: still not convinced
17:32:06 scopedCredInfo.publicKey is not utilized anywhere in the spec (in master branch)
17:32:11 q+ to tell Jfontana he's been muted.
17:32:34 vgb: 5.3.3 will be tweaked for u2f, but every format will have the public key in there
17:32:46 gmandyam: so this is a requirement on attestation formats now
17:33:25 vgb: yes, this will be in my u2f change
17:33:43 alexei_goog: and presumably the format of the key will be specified
17:34:09 vgb: yes, for each format
17:34:53 alexei_goog: about the AAGUID in there - one purpose of this is to look up metadata service
17:35:09 ... ideally should be a canonical way to go from AAID (UAF) to AAGUID
17:35:50 simply regard AAID as a byte string ?
17:35:55 vgb: could just generate random number and check against MDS if you really want to make sure?
17:36:43 alexei_goog: AAID also contained a vendor ID which worked well. can we have a mapping from there to AAGUID?
17:37:06 q+ to announce the PAG, before the top of the hour
17:37:12 AAID is in the format VVVV#DDDD
17:37:15 simply regard AAID as a byte string ?
17:37:19 vgb: could we just say AAGUID = SHA256(AAID) for such authenticators?
17:37:34 where VVVV is the hex encoding of the Vendor ID and DDDD is four hex bytes for the Device ID
17:37:34 could do that too
17:37:50 so technically AAID is 4 bytes
17:38:09 alexei_goog: could do that, but since AAID is so small maybe more potential for collisions?
17:38:21 they are backed by a registry
17:39:24 ack me
17:39:24 weiler, you wanted to tell Jfontana he's been muted. and to announce the PAG, before the top of the hour
17:39:31 q+ to announce the PAG, before the top of the hour
17:39:38 vgb: it follows the same model as other CE standards -- assigning a namespace to a vendor and then letting them figure out how to assign the numbers in their name space
17:39:52 ... still seems icky to me, but meh
17:40:09 ... seems like no strong opinions?
17:40:41 apowers: nice thing about AAID is that it includes a vendor ID so you can ban a vendor completely
17:41:01 alexei_goog: but you could do the same by looking up vendor in MDS based on AAGUID?
17:41:07 apowers: maybe, not sure.
17:41:47 jfontana has joined #webauthn
17:41:47 alexei_goog: but MDS may want to maintain one index not three, so may be good to have a deterministic AAID -> AAGUID mapping
17:41:54 i would do most simply conversion of aaid to aaguid and add text to aaguid that implementors should only generate aaguids that are some fixed length >> 9 bytes
17:42:35 ... reason for asking: when a BT device shows up we want to give user instructions on how to pair, so we'd like to look that up (maybe in MDS) based on PNPID
17:43:31 ... will make a PR containing some arbitrary-but-logical proposal
17:43:57 vgb: sounds good
17:44:51 Rolf: would like to think through the implications - potential collisions between PNPIDs and USB IDs, and so on
17:45:18 yeah -- so perhaps send such an analysis to the list?
17:46:07 nadalin: putting alexei_goog on the spot about issue #88 :)
17:46:31 alexei_goog: this was mostly a note to self, haven't done anything more
17:46:32 present+ jfontana
17:46:45 present+ Ketan
17:46:47 nadalin: #102?
17:46:51 zakim, who's here?
17:46:51 Present: weiler, gmandyam, rbarnes, nadalin, apowers, Rolf, vgb, alexei-goog, angelo, (on, irc, only), jfontana, Ketan
17:46:54 On IRC I see jfontana, nadalin, JeffH, Ketan, alexei-goog, vgb, apowers, Rolf, gmandyam, rbarnes, weiler, teddink, Zakim, RRSAgent, hyojin, slightlyoff, mkwst, jcj_moz, rrware,
17:46:54 ... adrianba, ted, sandro, aaronpk, schuki, trackbot, wseltzer
17:47:09 vgb: have been meaning to do that one
17:47:52 nadalin: #123, not sure if we came to a resolution?
17:48:44 i will work on #123 today/tomorrow
17:48:48 ... WebCrypto or JWS?
17:49:01 it is assigned to me
17:49:09 vgb: why not JWS? WebCrypto is only advantageous if you allow the full dictionary so it can be more expressive.
17:49:42 Rolf: haven't had cycles to work on it
17:50:20 JeffH: (on IRC) will work today / tomorrow
17:50:53 vgb: thx
17:50:55 gmandyam: would prefer to follow W3C precedent by using WebCrypto (which is W3C) instead of JWS (which is IETF)
17:52:46 we need to figure out whether the data obj in question are JWS or are WebCrypto and then use the correct term.
17:52:55 nadalin: let's try and get these closed as soon as we can so we can do a WD-03 and later a CR
17:53:22 pls review current PRs
17:54:19 ... try and make some progress
17:54:27 vgb: has more time after 21st
17:54:33 Rolf: has more time after 28th
17:54:46 jeffh: has time this week & next
17:54:48 nadalin: people still believe that 27th is doable for WD-03?
17:54:55 Rolf: maybe need 2 weeks more
17:55:12 nadalin: will push it out another week, and CR correspondingly
17:55:43 ... AOB?
17:55:56 ack me
17:55:56 weiler, you wanted to announce the PAG, before the top of the hour
17:56:07 ... a PAG has been formed. some of you may be contacted. that is all.
17:56:31 ... see you next week
17:56:54 Zakim, list participants
17:56:54 As of this point the attendees have been weiler, gmandyam, rbarnes, nadalin, apowers, Rolf, vgb, alexei-goog, angelo, (on, irc, only), jfontana, Ketan
17:57:01 RRSAgent, generate minutes
17:57:01 I have made the request to generate http://www.w3.org/2016/10/19-webauthn-minutes.html weiler
17:57:09 jfontana has left #webauthn
17:57:35 RRSAgent, make log public
17:58:15 RRSAgent, generate minutes
17:58:15 I have made the request to generate http://www.w3.org/2016/10/19-webauthn-minutes.html weiler
17:58:33 zakim, bye
17:58:33 leaving. As of this point the attendees have been weiler, gmandyam, rbarnes, nadalin, apowers, Rolf, vgb, alexei-goog, angelo, (on, irc, only), jfontana, Ketan
17:58:33 Zakim has left #webauthn
17:58:39 rrsagent, bye
17:58:39 I see no action items