W3C

- DRAFT -

Web Authentication WG

03 May 2017

Agenda

See also: IRC log

Attendees

Present
alexei-goog, apowers, gmandyam, jcj_moz, jeffh, jyasskin, kpaulh, nadalin, selfissued, wseltzer, rolf, jfontana
Regrets
Chair
Nadalin
Scribe
wseltzer

Contents

present=

nadalin: trying to get to an implementation draft
... 8 PRs, review the priority: implementation ones
... then any others people feel must absolutely be in implementation draft
... not waiting until it's perfect for implementation draft, since we want feedback from implementers and developers

jeffh: 5 PRs now open
... others closed or marked for CR

https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AWD-05

nadalin: start with 379

<gmandyam> Where is implementation draft defined in current W3C process? - see https://www.w3.org/2017/Process-20170301/#Reports

angelo: we don't need that urgently

nadalin: other implementers?

jcj_moz: fine slipping from this release

alexei: ok to push to next WD

JeffH: fine by me

<angelo> We are talking about 379. Alexei, J.C., Angelo, and Jeff are ok with waiting until next WD

nadalin: 427

https://github.com/w3c/webauthn/pull/427

jeffh: jeffrey and I were talking about a few changes

jyasskin: some details about how transport is dealt with
... fine to merge parts
... not critical to get by implementation draft

giri: there's no "implmentation draft" in Process

<angelo> Implementation draft is not part of W3C. We are going to snap something in between.

nadalin: we're trying to get that as an in-between snap-to stage
... can still change before CR
... but it will be harder to justify breaking changes later

jcj_moz: Mozilla is ok with that process
... re 427, it's not material for WD-05, as we won't have multiple transports

angelo: ok for us

alexei: getting implmentation will help us figure out what should happen

nadalin: move this one to WD-06
... 429

https://github.com/w3c/webauthn/pull/429

angelo: people seem on-board with the idea
... can we get consent on the call to merge?

nadalin: alexei and jeffH requested changes

angelo: look like editorial
... I think I can address them

jyasskin: substance looks right

nadalin: can we get agreement to do the merge if angelo makes changes today?

gmandyam: can we propose changes re selection criteria?

@@: this PR adds one specific selection criteria

gmandyam: add dictionary

@@: this PR only adds one, as a side effect, cleans up the API by making it a dictionary

scribe: if you have issues with the creation of dictionary, put them in this PR

gmandyam: Qualcomm objects if we can't consider other criteria
... e.g. adding criteria for RP to select authenticator enclave

@@: I'm ok adding more things, just as a separate PR for the next WD

gmandyam: then move the attachment out, and just create the dictionary

@@: the attachment is already there, this just moves it

gmandyam: make it an empty dictionary, then address parameters separately

@@: this one was already in the spec, we just didn't know where

gmandyam: please record Qualcomm's objection

selfissued: we've been talking about this feature for weeks
... we should discuss each individual feature independently.

nadalin: I didn't hear an objection to the approach; but that it didn't contain everything you want
... we've generalized the approach to make it extensible

gmandyam: but we'll be arguing as each one is added

@@: don't you want each element discussed on its merits?

scribe: I think that's what we're doing, but the two criteria under discussion were already in the API

gmandyam: I'm not blocking the merge
... I think we shouldn't be debating each criterion in a separate PR
... so can I propose more in this PR?

selfissued: we already had those two; nothing stops you from proposing another

nadalin: Agreement that once angelo updates 429, he can merge it

JeffH: 426, fix the figure

nadalin: 432

https://github.com/w3c/webauthn/pull/432

JeffH: Mike West pushed us, if we're going to rename, do so sooner rather than later

rolf: looked like straightforward search-and-replace

jcj_moz: I like calling it public key, because it is

JeffH: should we punt to WD-06 and query the TAG?

@@: aligned with Credential Management

angelo: my worry, we change everything, then the WG decides there's a better name, and then we have to change again

jcj_moz: I'm not going to propose further rename; when I have to explain "scoped credential", I always explain it as public key

alexei: I just want to merge

nadalin: Any objection to merge?

<Rolf> no objection to merge

nadalin: , and please, never change it again

<apowers> do it! do it! ;)

nadalin: hearing no objections, merge it

<apowers> is it time to write tests now?

nadalin: that gets us through the open WD-05 PRs
... any other priority: implementation that have to be in WD-05?
... for this week or early next

JeffH: I have some
... dealing with origin and RPID
... do we need them for WD-05, implementers?
... 255, 259, 260
... where we talk about origin; right now the spec is inconsistent

angelo: tuple vs hostname not a problem for edge

jeffh: if I were implementing, I'd want to clear up that ambiguity

@@: same-orgin code serializes the origin, not just the host

jcj_moz: specify serializing the origing, rather than leaving undefined?

jeffh: do we want the relaxing the host option?
... Do we want to polish it for WD-05 or -06?

@@: 06. We haven't yet worked on the relaxing part

jcj_moz: I'll have more thoughts further in

nadalin: we'll mark this as WD-06

jeffh: I'll work on that

nadalin: 259 and 260 too?

jeffh: yes
... moving all of those to -06

nadalin: any other priority implemntation issues that people feel need to be covered?

gmandyam: question on attestation verification
... do we need normative procedures from RP perspective?

@@: should be written down somewhere

gmandyam: could be non-normative guidance to RPs
... normative could raise conflicts

@@: section 6 should call out to other specs. Don't think it's critical to fix for WD-05

nadalin: issue 412?

alexei-goog: we have 2 fields, RawID and ID, confusing

jyasskin: wait on sorting this out

nadalin: ok
... Can we delcare WD-05 and get this published?
... any objections?

<jeffh> so we are going to punt #412 to WD-06?

nadalin: we'll publish it and point people to it
... reminder, no call next week

[adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/05/03 17:58:40 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/alexei/jyasskin/
Default Present: wseltzer, nadalin, selfissued, gmandyam, jyasskin, jcj_moz, battre, apowers, kpaulh, jeffh, alexei-goog, rolf, jfontana
Present: alexei-goog apowers gmandyam jcj_moz jeffh jyasskin kpaulh nadalin selfissued wseltzer rolf jfontana
No ScribeNick specified.  Guessing ScribeNick: wseltzer
Inferring Scribes: wseltzer

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017May/0035.html
Got date from IRC log name: 03 May 2017
Guessing minutes URL: http://www.w3.org/2017/05/03-webauthn-minutes.html
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report
[End of scribe.perl diagnostic output]