IRC log of webauthn on 2016-03-04

Timestamps are in UTC.

16:45:49 [RRSAgent]
RRSAgent has joined #webauthn
16:45:49 [RRSAgent]
logging to
16:45:55 [trackbot]
trackbot has joined #webauthn
16:45:57 [mirko]
mirko has joined #webauthn
16:45:59 [wseltzer]
trackbot, prepare meeting
16:45:59 [trackbot]
Sorry, but no Tracker is associated with this channel.
16:46:08 [gmandyam]
gmandyam has joined #webauthn
16:47:08 [keiji]
keiji has joined #webauthn
16:48:05 [wseltzer]
Meeting: Web Authentication WG
16:48:14 [wseltzer]
Date: March 4, 2016
16:48:14 [Rolf]
Rolf has joined #webauthn
16:48:24 [wseltzer]
Chairs: Richard_Barnes, Tony_Nadalin
16:48:31 [wseltzer]
rrsagent, make logs public
16:48:35 [wseltzer]
rrsagent, draft minutes
16:48:35 [RRSAgent]
I have made the request to generate wseltzer
16:51:04 [alexei]
alexei has joined #webauthn
16:53:10 [jcj_moz]
jcj_moz has joined #webauthn
16:53:19 [adamkcooper]
adamkcooper has joined #webauthn
16:53:24 [alexei]
jcj_moz: a/s/l?
16:53:25 [alexei]
16:53:45 [cbrand]
cbrand has joined #webauthn
16:53:46 [jcj_moz]
-1 / -1 / \0 :)
16:54:03 [cbrand]
...and i'm back in 1995
16:54:13 [cbrand]
love it, though
16:54:27 [jcj_moz]
Where's our DCC bot?
16:54:50 [cbrand]
nickserv? i want to register my nick!
16:55:33 [alexei]
cbrand: hey, if you type in your pw, it will show as stars
16:55:49 [cbrand]
i think i need to try it
16:55:56 [cbrand]
16:56:01 [cbrand]
it didn't work!!
16:56:08 [cbrand]
did it show up as stars on your side?
16:56:18 [cbrand]
i'm sure it did
16:56:21 [cbrand]
so i won't change it
16:57:35 [Guest13]
Guest13 has joined #webauthn
17:00:26 [felipe]
felipe has joined #webauthn
17:04:15 [dirkbalfanz]
dirkbalfanz has joined #webauthn
17:05:56 [Hubert-LVG]
Hubert-LVG has joined #webauthn
17:07:17 [selfissued]
selfissued has joined #webauthn
17:07:57 [davidM]
davidM has joined #Webauthn
17:08:06 [wseltzer]
agenda+ Intros around the table
17:08:13 [wseltzer]
zakim, clear agenda
17:08:13 [Zakim]
agenda cleared
17:08:15 [wseltzer]
agenda+ Intros around the table
17:08:18 [wseltzer]
agenda+ Intro to W3C; Intro to FIDO
17:08:22 [wseltzer]
agenda+ Charter scope
17:08:26 [wseltzer]
agenda+ Technical overview of the specs
17:08:31 [wseltzer]
agenda+ WG Adoption of the Submission drafts
17:08:37 [wseltzer]
agenda+ Privacy and security considerations
17:08:43 [wseltzer]
agenda+ Liaisons (IETF, W3C, FIDO, and other groups) Other participants who should be here, globally
17:08:49 [wseltzer]
agenda+ Any initial issues?
17:08:55 [wseltzer]
agenda+ Further use cases/requirements?
17:09:03 [Hubert-LVG]
Hubert-LVG has left #webauthn
17:09:06 [Jerrod]
Jerrod has joined #webauthn
17:09:06 [wseltzer]
17:09:18 [juanlang]
juanlang has joined #webauthn
17:09:19 [wseltzer]
wseltzer has changed the topic to: Agenda WebAuthn F2F:
17:09:27 [JeffH]
JeffH has joined #webauthn
17:09:34 [wseltzer]
zakim, take up agendum 1
17:09:34 [Zakim]
agendum 1. "Intros around the table" taken up [from wseltzer]
17:09:35 [hubert-paypal]
hubert-paypal has joined #webauthn
17:10:19 [wseltzer]
tonynad: Welcome
17:11:01 [harry]
harry has joined #webauthn
17:11:07 [wseltzer]
tonynad: reviewing the agenda
17:11:20 [weiler]
weiler has joined #webauthn
17:11:25 [wseltzer]
-> Agenda
17:11:33 [mirko_]
mirko_ has joined #webauthn
17:11:38 [wseltzer]
... We'll call for adoption of the drafts that began as member submission
17:11:39 [nicolagreco]
nicolagreco has joined #webauthn
17:11:48 [derek]
derek has joined #webauthn
17:11:55 [wseltzer]
... we'll look at editors, workmode, scheduling
17:11:58 [vgb]
vgb has joined #webauthn
17:12:37 [wseltzer]
present+ Felipe_Moreno
17:12:46 [wseltzer]
Felipe_Moreno: Bloomberg
17:13:12 [wseltzer]
... work on the fingerprint authentication for the Bloomberg terminal
17:13:18 [wseltzer]
... also using tokens for webapp login
17:13:32 [harry]
17:13:35 [cbrand]
17:13:40 [keiji]
present+ keiji
17:13:49 [JeffH]
17:13:54 [SamSrin]
SamSrin has joined #webauthn
17:13:55 [wseltzer]
Mirko: Surepass ID, a FIDO authenticator
17:13:58 [adam_powers]
present+ adam_powers
17:14:09 [salah]
salah has joined #webauthn
17:14:12 [rbarnes]
rbarnes has joined #webauthn
17:14:13 [wseltzer]
Keiji: W3C fellow from Keio University
17:14:16 [rbarnes]
17:14:20 [nicolagreco]
present+ nicolagreco
17:14:32 [wseltzer]
Sam_@@: RSA
17:14:38 [wseltzer]
@@2: RSA
17:14:44 [vgb]
present+ Vijay Bharadwaj, Microsoft
17:14:54 [wseltzer]
Rob_Trace: Microsoft, networking and security, JS APIs
17:15:10 [wseltzer]
Debbi_Mac: FIDO
17:15:16 [alexei_goog]
17:15:17 [wseltzer]
Alexei: Identity team at Google
17:15:27 [wseltzer]
Dirk_Balfanz: Google, active in FIDO
17:15:46 [wseltzer]
Sam_Srinivas: Security PM at Google
17:15:50 [hubert-paypal]
present+ Hubert A. Le Van Gong, PayPal
17:15:54 [wseltzer]
Christiaan_Brand: Google
17:15:59 [wseltzer]
JC_Jones: Mozilla
17:16:03 [jcj_moz]
17:16:06 [wseltzer]
Hubert: PayPal
17:16:12 [wseltzer]
Rolf_Lindemann: Nok Nok
17:16:20 [SamSrin]
present+ Sam Srinivas Google
17:16:22 [wseltzer]
Juan_Lang: Google engineering manager
17:16:34 [gmandyam]
present+ gmandyam
17:16:39 [wseltzer]
Pier_Deganello: Federal Reserve
17:16:48 [wseltzer]
Mike_Jones: Identity at Microsoft
17:17:04 [wseltzer]
Axel_Nennker: Deutsche Telekom
17:17:12 [wseltzer]
Jeff_Hodges: PayPal
17:17:18 [wseltzer]
Harry_Halpin: W3C/MIT
17:17:41 [wseltzer]
Jakob_Ehrensvard: Yubico
17:18:01 [wseltzer]
David_Martin: CESG
17:18:10 [wseltzer]
Morgan_Davis: Plantronics innovation team
17:18:15 [wseltzer]
Giri_Mandyam: Qualcomm
17:18:32 [wseltzer]
Adam_Powers: Technical Director, FIDO Alliance
17:18:42 [wseltzer]
Adam_Cooper: UK Cabinet office, identity assurance
17:19:08 [wseltzer]
John_Fontana: Yubico
17:19:13 [derek]
present +
17:19:19 [wseltzer]
Derek_Hanson: Yubico
17:19:33 [dirkbalfanz]
17:19:39 [harry]
scribenick: harry
17:19:43 [Jerrod]
17:19:51 [selfissued]
17:19:54 [harry]
topic: Intro to W3C
17:19:56 [selfissued]
Mike Jones
17:21:33 [harry]
wseltzer: W3C is a global standards body for the Web
17:21:41 [jfontana]
jfontana has joined #webauthn
17:21:41 [harry]
... directed by Tim Berners-Lee, hosted by 4 offices
17:21:48 [harry]
... 70 people on staff
17:21:56 [harry]
... if you are a W3C member, get your AC member to join
17:22:03 [harry]
... if not a W3C meeting, do talk to myself or Harry
17:22:13 [harry]
... One important part of the W3C is the royalty-free patent policy
17:22:29 [harry]
... we need to assure all contributions are coming via member representatives
17:22:41 [harry]
... the chairs and Team can work together to make sure invited experts can come
17:22:46 [harry]
... if they can't be a W3C member
17:23:08 [harry]
... we run by consensus
17:23:13 [harry]
... we can't force anyone to do anything
17:23:21 [harry]
... we try to get implementable specs
17:23:25 [harry]
... that are interoperable
17:23:31 [harry]
... Working Group is governed by its charter
17:23:44 [harry]
... you and your advisory committee read the charter
17:24:09 [harry]
... approved scope and limitations
17:25:15 [harry]
... our goal is to get to Rec
17:25:20 [harry]
... within the time on the charter
17:25:45 [harry]
... chairs responsible for guiding consensus
17:25:50 [harry]
... and making sure things on track
17:25:54 [harry]
... Harry Halpin is Team Contact
17:25:57 [harry]
... we have WebEx for scheduling
17:26:02 [harry]
... usually teleconferences
17:26:03 [harry]
... IRC for minutes
17:26:10 [harry]
... all meeting minutes are published
17:26:22 [harry]
... we broadcast all our decisions and give people on mailing list opportunity to follow up
17:26:33 [harry]
... anything that happens in F2F and teleconference
17:26:37 [harry]
... or W3C Recommendation Track
17:26:42 [harry]
... is our process
17:26:51 [harry]
... for moving to a Recommendation
17:26:56 [harry]
... W3C is a Member Submission
17:27:03 [harry]
... it can then be adopted as a Working Draft
17:27:30 [adam_powers]
are these slides available online?
17:27:31 [harry]
... when we publish first working draft
17:27:51 [adam_powers]
17:28:02 [harry]
... then we have a Last Call where we make sure we get the document finalized
17:28:13 [harry]
... we try to get patent commitments as early as possible
17:28:21 [harry]
... and if someone raises a patent, we have a Patent Advisory Group
17:28:33 [harry]
... that can work through patent-related claims
17:28:40 [harry]
... we encourage regular updates
17:28:43 [harry]
... as editors work through issues
17:28:45 [harry]
... and pull requests
17:28:50 [harry]
... using Github
17:29:01 [derek]
derek has joined #webauthn
17:29:11 [harry]
... we go to Candidate Recommendation when we think the spec is technically sound
17:29:16 [harry]
... and has all the features we want in place
17:29:25 [harry]
... to get to Proposed Recommendation
17:29:33 [harry]
... at least two interoperable implementations
17:29:39 [harry]
... that have been tested
17:29:55 [harry]
... every feature must have two inter-operable implementations
17:29:57 [harry]
... then goes to PR
17:30:04 [harry]
... Proposed Recommendation
17:30:08 [harry]
... there's a Director Review
17:31:57 [harry]
... we hope to do this for a year
17:32:04 [harry]
rbarnes: What matters is what is stable
17:32:10 [harry]
... usually around Last Call/CR things have settled down
17:33:12 [harry]
wseltzer: ideally we'd like to do things like tests as we go on
17:33:26 [harry]
rbarnes: We want things stable and settled down 6-9 months given we have a mature startin
17:34:33 [wseltzer]
present+ Greg_Hughes
17:34:42 [Pieralberto]
Pieralberto has joined #webauthn
17:35:13 [wseltzer]
Topic: Credential Management API
17:35:26 [greg_hughes]
greg_hughes has joined #webauthn
17:36:29 [wseltzer]
-> Wendy's Slides
17:36:40 [harry]
scribenick: wseltzer
17:36:45 [wseltzer]
rbarnes: WebAppSec Credential management API
17:37:15 [wseltzer]
... ideas from that spec informed FIDO 2.0
17:37:41 [wseltzer]
-> Credential Management
17:37:43 [adamkcooper]
adamkcooper has joined #webauthn
17:37:56 [gmandyam]
* Has the slide deck been uploaded?
17:38:24 [wseltzer]
rbarnes: can we create a deterministic password manager interface
17:38:24 [gmandyam]
* Ignore - IRC was slow in updating
17:38:41 [wseltzer]
... instead of the heuristics UAs have been applying
17:38:54 [wseltzer]
... imperative interface from the page to the browser
17:39:24 [wseltzer]
... behind this interface, managing the credential
17:39:56 [wseltzer]
... We need a name for these credentials. Get your bikeshed paint out
17:40:17 [wseltzer]
... Introduction to the concept, so we can see how it makes sense to integrate
17:41:00 [wseltzer]
... Moving parts: password credential, object as opaque representation
17:41:32 [gmandyam]
* Sorry - original question still stands. Where is the slide deck on Credentials Mgmt. that Richard is currently discussing? I cannot find a link, and the slide deck is difficult to see on the projector given the font color and black background.
17:42:13 [wseltzer]
rbarnes: password manager never sees the credential itself, some XSS protection
17:42:24 [wseltzer]
... credential objects, a store and get interface
17:42:29 [wseltzer]
... types of credentials
17:43:29 [R3C]
R3C has joined #Webauthn
17:43:47 [wseltzer]
... the spec has notion of federated credential, password credential
17:43:55 [AxelNennker]
AxelNennker has joined #webauthn
17:44:05 [wseltzer]
... does it make sense to have a FIDO credential, encapsulating the functionality we're talking about here
17:44:17 [wseltzer]
... internal keyHandle, pubKey, sign()
17:44:30 [wseltzer]
... what do we want the object to look like, how do you create, manage
17:44:31 [felipe_bbg]
felipe_bbg has joined #webauthn
17:44:54 [wseltzer]
Pier: thinking about how browsers handle PKI, does FIDO look like client cert?
17:45:07 [wseltzer]
rbarnes: sounds like a question for another WG
17:45:16 [wseltzer]
... you'd want to handle differently because of origin separation
17:45:30 [wseltzer]
... it's important here that each origin has a different keypair
17:45:42 [wseltzer]
Pier: so it's a different use case
17:46:30 [wseltzer]
AxelNennker: Credential management spec renamed local to site-bound credential
17:46:51 [harry]
+1 StrongOriginBoundCredential
17:46:53 [wseltzer]
rbarnes: origin-bound is important
17:47:17 [wseltzer]
... sketch of what a FIDO credential would look like
17:47:18 [JeffH]
17:47:35 [JeffH]
aka OBSCred
17:47:46 [wseltzer]
... create, register,
17:47:51 [wseltzer]
... we need registration to be async
17:47:53 [gmandyam]
17:48:01 [wseltzer]
... but constructors can't be async
17:48:34 [wseltzer]
... that would pass back some signature objects
17:48:49 [vgb]
i like OBSCred better than SOB Credential...
17:48:53 [wseltzer]
ack hha
17:48:58 [JeffH]
17:49:00 [wseltzer]
ack gmandyam
17:49:13 [Pieralberto]
Pieralberto has joined #webauthn
17:49:24 [wseltzer]
gmandyam: FIDO 2.0 uses credential management
17:49:49 [wseltzer]
rbarnes: do we want to align more closely?
17:50:13 [wseltzer]
... we might just need to re-align
17:50:19 [harry]
To re-state, do we want to align with Credentials API or expose via multiple levels (i.e. FIDO 2.0 is higher level now, Credentials API is a bit lower)
17:50:55 [wseltzer]
rbarnes: worth thinking about the benefits: determinism, a simpler data-store
17:51:08 [wseltzer]
... than indexdb
17:51:52 [wseltzer]
... FIDO-like credentials, you'd get simplicity of storage interface, reuse of design patterns
17:52:21 [wseltzer]
... think about a site where you can log in with password or FIDO credential
17:52:28 [wseltzer]
... makes the flow easier
17:52:49 [wseltzer]
17:53:49 [rbarnes]
rbarnes has joined #webauthn
17:55:11 [rbarnes]
link to the Credentials slides
17:55:12 [wseltzer]
rrsagent, draft inutes
17:55:12 [RRSAgent]
I'm logging. I don't understand 'draft inutes', wseltzer. Try /msg RRSAgent help
17:55:18 [wseltzer]
rrsagent, draft minutes
17:55:18 [RRSAgent]
I have made the request to generate wseltzer
17:55:30 [wseltzer]
Topic: FIDO 2.0 Current Status
17:55:33 [cbran]
cbran has joined #webauthn
17:55:43 [adam_powers]
btw, "/msg Zakim help" if you want to see the full list of commands or
17:57:39 [wseltzer]
dirkbalfanz: I'll share some background, Adam on FIDO, Rolf, Alexei, Vijay on JS API
17:58:13 [wseltzer]
... FIDO 2.0. FIDO released 1.0, then submitted 2.0 to W3C
17:58:47 [AxelNennker]
Here is the link to the W3C WebAppSec's credentialmanagement draft:
17:58:48 [wseltzer]
... 1.0, UAF and U2F
17:59:02 [wseltzer]
... UAF focused on mobile deployment
17:59:12 [adam_powers]
FIDO 1.0 = UAF + U2F
17:59:34 [rbarnes]
to the point raised by gmandyam earlier: today is going to have a lot of intro/background to get everyone on the same page
18:00:12 [JeffH]
UAF is about replacing passwords. U2F is about making pswds non-phishable.
18:00:12 [wseltzer]
... U2F, hardware tokens that help with authn
18:00:44 [wseltzer]
... we want to get to a spec that covers all use cases, is implemented on all platforms
18:01:08 [wseltzer]
... "platform"=think I write an application atop
18:01:30 [wseltzer]
18:02:09 [wseltzer]
... use cases: authenticator
18:02:33 [wseltzer]
... authenticate local user, auth to server
18:03:00 [wseltzer]
... 1/ built-in authenticator
18:03:38 [wseltzer]
... 2/ special-purpose devices, e.g. USB tokens, 2d factor device with key material
18:04:14 [wseltzer]
... renders password non-phishable
18:04:38 [JeffH]
a top-level goal of OBSCreds is non-phishability
18:04:55 [wseltzer]
... 3/ smartphone, has key material and can authenticate user
18:06:18 [wseltzer]
... What do we need to standardize to create ecosystem
18:07:15 [wseltzer]
... RP App to Client
18:07:31 [wseltzer]
... Web Platform, we need agreement among those in this room
18:08:07 [wseltzer]
... also RP App to RP server
18:08:50 [wseltzer]
... e.g. verifying signature, what the signature should look like
18:08:58 [wseltzer]
... when you create a new keypair
18:09:41 [wseltzer]
... also system to authenticator, if the authenticator isn't built-in
18:10:18 [wseltzer]
... CTAP, happening elsewhere
18:10:42 [Pieralberto]
Pieralberto has joined #Webauthn
18:10:47 [JeffH]
CTAP == Client To Authenticator Protocol (was: External Authnr Protocol)
18:10:58 [wseltzer]
... FIDO 2.0 API, 2 calls
18:11:07 [wseltzer]
... makeCredential, getAssertion
18:11:21 [wseltzer]
... makeCredential, asymmetric crypto, generate a new keypair
18:11:30 [wseltzer]
... with attestation
18:11:44 [wseltzer]
... telling you what generated the keypair
18:12:09 [wseltzer]
... makeCredential, get back the public key, attestation
18:12:21 [wseltzer]
... getAssertion asks for signature
18:12:35 [wseltzer]
... get a challenge from the server, call getAssertion to sign challenge
18:13:24 [wseltzer]
... sign the challenge+some platform information: origin
18:14:10 [wseltzer]
... unphishable, MITM-resistant authentication
18:15:07 [nicolagreco]
18:15:11 [wseltzer]
... typeless authentication
18:16:13 [wseltzer]
Pieralberto: can this do server authentication to client?
18:16:25 [wseltzer]
dirkbalfanz: we've focused on client authentication to server
18:16:42 [wseltzer]
rbarnes: we're not talking about a network protocol
18:16:54 [wseltzer]
... interaction within the browser so web content can talk to token
18:18:27 [wseltzer]
felipe_bbg: looking at the other side of the authentication, server
18:18:36 [wseltzer]
Rolf: FIDO uses TLS
18:19:26 [wseltzer]
... if the client is compromised, all you can do client-side is transaction authentication
18:19:41 [wseltzer]
... man-in-the-browser can misuse the authenticated channel
18:20:20 [wseltzer]
... implementation can use other security mechanisms, TEE, trusted UI, etc.
18:21:12 [wseltzer]
... attested signing
18:21:51 [wseltzer]
SamSrin: we want easy authentication for the user, 2d factor
18:22:41 [derek]
derek has joined #webauthn
18:22:51 [wseltzer]
vijay: if the user isn't sure the right person is asking, signature shouldn't be generated. vs in our case, signature will be generated but it won't be usable
18:22:56 [juanlang]
juanlang has joined #webauthn
18:23:01 [wseltzer]
... because origin is in the signature, so it can't be repurposed
18:23:17 [greg_hughes_]
greg_hughes_ has joined #webauthn
18:23:31 [wseltzer]
felipe_bbg: question was based on who initiates
18:23:45 [rbarnes]
18:23:59 [wseltzer]
rrsagent, this meeting spans midnight
18:24:22 [wseltzer]
dirkbalfanz: we rely on the browser to represent which origin is requesting authentication
18:24:31 [JeffH]
wrt the threat model, please see analysis here:
18:24:39 [wseltzer]
rbarnes: with any web API, you can't get away from some degree of trust in the browser
18:24:53 [rbarnes]
18:24:54 [JeffH]
18:24:57 [wseltzer]
... this group should have clear documentation of which parties are trusted to do what, and the bounds of that trust
18:24:58 [rbarnes]
ack rbarnes
18:25:27 [wseltzer]
dirkbalfanz: if browser is no longer acting on user's behalf...
18:25:32 [wseltzer]
ack JeffH
18:25:45 [wseltzer]
JeffH: I included a link to the security document, threat analysis
18:25:49 [wseltzer]
rbarnes: I welcome your pull request
18:25:54 [Pieralberto]
Pieralberto has joined #webauthn
18:26:59 [wseltzer]
dirkbalfanz: use case, bound authenticator
18:29:33 [wseltzer]
... user gesture authorizes binding of the keypair
18:30:04 [vgb]
vgb has joined #webauthn
18:30:05 [wseltzer]
... registration, then authentication
18:30:48 [wseltzer]
... RP gets credential ID (server side, or left in cookie, local storage)
18:31:21 [wseltzer]
... challenge, credential id
18:31:35 [wseltzer]
... user gesture authorizes use of private key
18:31:51 [wseltzer]
... return signature on nonce, origin, token binding,
18:32:31 [wseltzer]
dirkbalfanz: authentication without a username
18:32:43 [wseltzer]
... getAssertion without credential ID
18:33:13 [wseltzer]
... platform talks to authenticator, asks user to select account,
18:33:33 [wseltzer]
... then same flow
18:33:41 [wseltzer]
felipe_bbg: is it assumed there's only one authenticator?
18:33:47 [wseltzer]
dirkbalfanz: no, it should work with multiple
18:34:15 [wseltzer]
dirkbalfanz: use case, 2fa token, registration
18:34:41 [wseltzer]
... token has no storage, just returns wrapped key
18:34:59 [wseltzer]
... registration: RP app calls makeCredential
18:35:14 [wseltzer]
... inputs, nonce + account info
18:35:32 [wseltzer]
... returns public key, credential id, attestation info
18:35:50 [wseltzer]
... device could choose to wrap the private key it just generated, call that a credential
18:36:18 [wseltzer]
... authentication. these devices probably won't be sole authenticator
18:36:36 [wseltzer]
... but on a device that already knows who the user is
18:37:05 [wseltzer]
... simple user gesture, such as touching a button, protects against automated attack
18:37:54 [wseltzer]
nicolagreco: where does the user gesture come from?
18:38:08 [wseltzer]
dirkbalfanz: need something unforgeable, e.g. touching a button
18:38:10 [greg_hughes]
greg_hughes has joined #webauthn
18:38:28 [morgandavis]
morgandavis has joined #webauthn
18:38:41 [wseltzer]
dirkbalfanz: last use case, login with smartphone
18:39:33 [wseltzer]
... registration, switch from username password to phone; generate credential on phone, forward request
18:39:50 [wseltzer]
... phone makes sure the user is there, generates keypair
18:40:13 [wseltzer]
... again, platform returns pubkey, credential id, attestation
18:40:48 [wseltzer]
... authentication. assume there's no latent ID, I just carry my phone up to a kiosk
18:41:03 [wseltzer]
... RP can call getAssertion without knowing user's credential id
18:41:54 [wseltzer]
dirkbalfanz: User Experience
18:42:04 [wseltzer]
... what does it look like to a user
18:42:46 [wseltzer]
... account chooser
18:44:48 [wseltzer]
... UA can know what kind of authenticator the account uses
18:45:47 [wseltzer]
... RP can draw UI that tells user what to do next, e.g. insert security key
18:48:14 [wseltzer]
pier: does the RP need to remember how the user logged in?
18:48:33 [wseltzer]
dirkbalfanz: it's useful
18:50:40 [KayvanA]
KayvanA has joined #webauthn
18:50:59 [adamkcooper]
adamkcooper has joined #Webauthn
18:51:12 [keiji]
keiji has joined #webauthn
18:51:18 [wseltzer]
rbarnes: lots of keypairs, it's up to the RP to keep track
18:51:35 [wseltzer]
dirkbalfanz: option for the RP to make getAssertion call without credential ID
18:52:00 [wseltzer]
... let the platform, authenticator figure out who the user is, how they want to login
18:52:24 [johnk]
johnk has joined #webauthn
18:53:51 [wseltzer]
... platform can combine multiple sources of account info, RP gets it only after the user chooses one
18:55:10 [wseltzer]
SamSrin: app should be able to ask for authentication, from platform (OS, web browser)
18:55:38 [wseltzer]
... the browser can package lots of the detail for the user
18:56:09 [wseltzer]
New participants
18:56:14 [wseltzer]
Alex_Russel: Google, TAG
18:56:30 [wseltzer]
Garret_Robinson: Freedom of the Press Foundation
18:56:34 [wseltzer]
18:56:38 [wseltzer]
rrsagent, make minutes
18:56:38 [RRSAgent]
I have made the request to generate wseltzer
18:57:10 [davidM]
davidM has joined #Webauthn
19:02:57 [pier]
pier has joined #webauthn
19:05:36 [pier]
pier has joined #webauthn
19:16:13 [nicolagreco]
nicolagreco has joined #webauthn
19:16:49 [jfontana]
jfontana has joined #webauthN
19:17:34 [mirko]
mirko has joined #webauthn
19:17:53 [mirko]
mirko has joined #webauthn
19:18:01 [jcj_moz]
jcj_moz has joined #webauthn
19:18:37 [pier]
pier has joined #webauthn
19:18:52 [wseltzer]
scribenick: jcj_moz
19:18:52 [jcj_moz]
Starting again with Part 2 of FIDO background, dirkbalfanz presenting
19:19:14 [adamkcooper]
adamkcooper has joined #webauthn
19:20:19 [jcj_moz]
dirkbalfanz: showing the system-level of what needs standardization at w3c; 3 of the documents uploaded are the parts relevant to the web
19:20:42 [wseltzer]
i/Intros around/scribenick: wseltzer
19:21:46 [davidM]
davidM has joined #Webauthn
19:22:24 [jcj_moz]
... we must agree on the key & signature formats, the web API,
19:22:47 [morgandavis]
morgandavis has joined #webauthn
19:22:53 [jcj_moz]
... Now going to let Vijay go through the web API
19:23:15 [greg_hughes]
greg_hughes has joined #webauthn
19:23:22 [jcj_moz]
Vijay: Authenticator is hardware that gathers user consent
19:23:36 [jcj_moz]
... May be simple or not, but does crypto when users tell it to
19:24:03 [jcj_moz]
... Could have a management interface, permitting credential removal, etc., but may not
19:24:40 [jcj_moz]
... Identifies the kind of authenticator, but does not identify the individual device
19:24:58 [jcj_moz]
... Credentials are keypairs that live on the Authenticator
19:25:36 [jcj_moz]
... WebIDL for makeCredential: Takes in account information,
19:26:02 [jcj_moz]
... which has display names, image URL, identifiers
19:26:34 [jcj_moz]
... Does not get read back out; the RP doesn't ever get to see what Account info the Authenticator has
19:27:23 [jcj_moz]
... Second param: Crypto parameters. Wide variety of crypto algorithms, authenticator-agnostic way of specifying what's acceptable
19:27:50 [jcj_moz]
rbarnes: Purpose of the algorithm is to ensure the RP can verify what comes out of the Authenticator
19:28:32 [jcj_moz]
Vijay: Yes, you pass in a sequence of crypto params, if the call succeeds, the results will be one of these crypto params
19:29:27 [jcj_moz]
... The attestation is used in the challenge. The timeout is UI sugar.
19:29:29 [JeffH]
"UI Sugar" -- a technical term :)
19:30:12 [jcj_moz]
... The blacklist (seq of credential) is interesting. The use case is: If you are a RP, you are creating credentials on a smartphone, you don't want to create duplicate credentials for the same account
19:30:26 [jcj_moz]
... These are the credentials I already have for this user, so if you recognize one, don't respond to this query
19:31:44 [jcj_moz]
... "If you know any one of these, I'm not interested in talking to you."
19:32:16 [jcj_moz]
... Extensions are the extra things... selecting authenticators - e.g., Bank may only want to use the authenticators they hand out
19:32:26 [jcj_moz]
... There are a set of such extensions
19:32:49 [jcj_moz]
... All extensions are optional. When you get back a response from API, it will tell you which it processed
19:33:55 [jcj_moz]
... FIDO Credential Info object will give you a credential ID, the algorithm ID used for the credential, a pubkey,
19:34:08 [jcj_moz]
rbarnes: The pubkey is a serialized....
19:34:20 [jcj_moz]
Vijay: It's a JWK object
19:34:59 [jcj_moz]
Vijay clarifies it's a JS Object from WebCrypto
19:36:00 [JeffH]
The publicKey attribute contains the public key associated with the credential, represented as a JsonWebKey structure as defined in [WebCryptoAPI].
19:36:02 [jcj_moz]
Vijay: Attestation statement is a proof about the authenticator
19:36:12 [JeffH]
19:36:36 [jcj_moz]
... The consent serves 2 purposes: 1) You're consenting to the creation of the credential, and 2) you're selecting between multiple authenticators
19:36:59 [jcj_moz]
(During implementation of makeCredential)
19:37:42 [jcj_moz]
question: (?) "Is this an NFC case?"
19:38:03 [jcj_moz]
Vijay: If you want to use something like an NFC reader, you would have to tap the NFC device on the reader, that we know it's there. It's more challenging
19:38:07 [rbarnes]
19:38:14 [jcj_moz]
... Contactless smart card similar
19:38:29 [jcj_moz]
... You can always know the reader is there, and use heuristics to tell if a user has used it in the past
19:39:08 [jcj_moz]
alexei_goog: We have gone through this with U2F in FIDO, we have a demo
19:39:19 [jcj_moz]
... of the platform drawing how the user interacts with u2f, we can show that
19:39:54 [jcj_moz]
Vijay: If the credential cannot be created - one of two things - if it's async, the Promise never comes back...
19:40:19 [jcj_moz]
... If there's a timeout... Well, the challenge is that this is very platform-specific
19:40:56 [jcj_moz]
... Think about multiple authenticators. The RP doesn't know there are 4 authenticators, the platform does.
19:41:12 [jcj_moz]
... If 4 authenticators, and 1 fails, do you wait for the other 3?
19:41:58 [JeffH]
19:42:00 [jcj_moz]
... This is the slow operation, makeCredential, it is not getAssertion
19:42:18 [jcj_moz]
Vijay: GetAssertion - fewer parameters, basically all are optional
19:42:26 [alexei_goog]
weiler: :-P
19:42:40 [jcj_moz]
... Credential object is from makeCredential prior call
19:42:53 [slightlyoff]
slightlyoff has joined #webauthn
19:42:55 [jcj_moz]
... Could have an extension with a transaction confirmation string
19:43:38 [jcj_moz]
question: Is "Credential" the same as the WebAppSec credential interface?
19:43:50 [jcj_moz]
Vijay: It started there
19:44:25 [jcj_moz]
... client platform figures out the authenticators and includes origin, RP, and constructs the To-Be-Signed thing to the authenticator
19:44:30 [jcj_moz]
... Authenticator prompts consent
19:44:38 [AxelNennker]
Align with
19:45:06 [jcj_moz]
... The specific authenticator on which you consent responds, and can include more stuff as extensions
19:45:17 [jcj_moz]
... example: current geolocation
19:45:22 [jcj_moz]
... Also of course the signature
19:45:36 [jcj_moz]
Question: This response only happens if the signature was produced?
19:45:58 [jcj_moz]
Vijay: Platform gives an error, how it is presented to the client is tricky
19:46:19 [jcj_moz]
... Authenticator knows, for each credential, the RP ID it's associated with
19:46:37 [jcj_moz]
... When asked to sign something, Authenticator has to check if it matches, the credential to the RP ID
19:46:56 [jcj_moz]
... The Authenticator gets the RP ID from the credential, and from the platform, and compares the two
19:47:15 [jcj_moz]
... So that's getAssertion. At end of process you get a signature. If you request extensions they may or may not be present.
19:47:26 [jcj_moz]
... Only guarantee is that it's a signature from one of the Authenticators
19:48:12 [jcj_moz]
... You get out 3 things: One is the challenge, one is extensions the RP provided, and one is extensions that the Authenticator added
19:48:25 [jcj_moz]
rbarnes: Can the authenticator add extensions that the RP doesn't ask for?
19:48:40 [jcj_moz]
Vijay: There's nothing that prevents authenticators from adding all the extensions it wants to
19:49:00 [jcj_moz]
... No such thing as critical extensions. If you don't recognize, skip
19:49:15 [jcj_moz]
alexei_goog: If a platform sees an extension it doesn't like, it may drop the request
19:49:32 [jcj_moz]
Vijay: Platform could say 'this is a privacy-stealing extension' and throw it away
19:49:57 [jcj_moz]
rbarnes: There's an affordance as to what's possible
19:49:58 [davidM]
davidM has joined #Webauthn
19:50:10 [jcj_moz]
Vijay: Yes; this is a discussion we've had for a very very long time
19:50:54 [jcj_moz]
... critical extensions: If you have them, can make for difficult user experience. Inconsistent
19:50:59 [K1]
K1 has joined #Webauthn
19:51:19 [jcj_moz]
... If an RP gets an assertion that it thinks is weak, it could prompt another factor of auth like a text message
19:51:30 [jcj_moz]
... Give the RP the tools to quantify the risk, you do what you want
19:52:01 [jcj_moz]
comment (?) : Could be part of the work of this WG, re: spectrum of errors
19:52:35 [wseltzer]
19:53:38 [jcj_moz]
question: How much do you need to protect the credential going to the wrong authenticator?
19:54:07 [jcj_moz]
Vijay: The assertion is a fairly robust thing, it's signing random nonce, not reusable, assertion won't be useful tomorrow
19:54:51 [MiSc]
MiSc has joined #webauthn
19:55:05 [hubert-paypal]
hubert-paypal has joined #webauthn
19:55:14 [jcj_moz]
Vijay: While credential ID is a key, it's a wrapped private key. It's an attack surface, you can leak the credential ID but it requires a user to consent to attack
19:55:32 [johnk]
johnk has joined #webauthn
19:55:53 [jcj_moz]
... Signatures include RP ID, origin, in the response and the server can verify if the sig was not meant for you
19:56:16 [jcj_moz]
rbarnes: AxelNennker brought up privacy concerns
19:56:39 [jcj_moz]
rbarnes: We should be clear that the only notion of what the RP is to an Authenticator is what the platform says
19:57:06 [jcj_moz]
Vijay referred to only available over HTTPS...
19:57:36 [jcj_moz]
Vijay: RP Choices you get to make. You can use Authenticator as a first factor vs second factor
19:58:08 [jcj_moz]
... You get to decide, as a RP, maybe only rely on authenticators you handed out to people
19:58:58 [jcj_moz]
... makeCredential is kind of sensitive. Intent is to take the credential ID and associate it with the user, so that providing proof of possession later ties this to a user. So you must believe this with some level of assurance. Not specified in spec
19:59:26 [jcj_moz]
... RP may want to do significant due diligence out of band to confirm the registration
19:59:58 [jcj_moz]
... UI for getAssertion can be driven 2 ways: Driven by RP javascript and leverage localStorage...
20:00:03 [jcj_moz]
... Or it could fall back on the platform entirely
20:00:27 [jcj_moz]
... which is a lot simpler
20:00:34 [keiji]
20:00:42 [jcj_moz]
... There are affordances for fancy UI
20:00:47 [wseltzer]
ack keiji
20:01:50 [jcj_moz]
keiji: Is there risk making a phishing UI?
20:02:14 [jcj_moz]
(keiji actually said fake UI, not phishing)
20:02:45 [jcj_moz]
Vijay: A lot of the security of these schemes is that authenticator is its unique thing. You can hack RP, hack the platform...
20:03:20 [jcj_moz]
... The Authenticator truthfully records what it sees, and server can evaluate what it gets from the Authenticator
20:03:30 [wseltzer]
[lunch 30 min break]
20:03:33 [wseltzer]
rrsagent, draft minutes
20:03:33 [RRSAgent]
I have made the request to generate wseltzer
20:29:08 [MiSc]
MiSc has joined #webauthn
20:35:15 [davidM]
davidM has joined #Webauthn
20:36:20 [keiji]
keiji has joined #webauthn
20:39:01 [johnk_]
johnk_ has joined #webauthn
20:41:41 [pier]
pier has joined #webauthn
20:41:48 [morgandavis]
morgandavis has joined #webauthn
20:42:04 [wseltzer]
Topic: FIDO->W3C
20:42:12 [jcj_moz]
rbarnes: Just had some technical discussion, want to bring back up to higher level
20:42:26 [wseltzer]
20:42:39 [jcj_moz]
... Got some info from dirk on the FIDO specs and WebAppSec and interconnection this morning
20:43:12 [jcj_moz]
... What we're doing in WebAuth is to take the top layers of FIDO 2.0, from FIDO, and standardize them
20:43:20 [mirko_]
mirko_ has joined #webauthn
20:43:30 [jcj_moz]
... WebAuth says, when you're in JavaScript, when you're in a Browser, here's how you ask for stuff: credentials, signatures
20:44:06 [jcj_moz]
... The Browser has to figure out how to fulfill that. The details of how the Browser does that can be FIDO. You can use some other system that fulfills these requirements
20:44:13 [jcj_moz]
... Could be provided by the OS, hardware, etc.
20:44:30 [jcj_moz]
.... W3C is providing the general API and there are multiple ways to satisfy
20:45:14 [jcj_moz]
rbarnes is showing a "T-shape" where the down-line is a Cryptographic protocol that transits from the Web API down to hardware
20:45:18 [adamkcooper]
adamkcooper has joined #Webauthn
20:45:31 [jcj_moz]
rbarnes: Any questions? Wanted to level-set in how this group relates to FIDO
20:45:32 [wseltzer]
20:45:41 [harry]
20:46:18 [dirkbalfanz]
dirkbalfanz has joined #webauthn
20:46:19 [jcj_moz]
rbarnes: There could be other implementations that could use this API. Could speak to some other trusted environment.
20:46:30 [jcj_moz]
... FIDO is important, got the whole thing started, but could imagine others
20:46:32 [nicolagreco]
nicolagreco has joined #webauthn
20:47:00 [jcj_moz]
harry: Token requirements, certifications are not done by W3C. W3C has success at the narrow focus.
20:47:02 [johnk_]
how is that "trusted environment" different from an authenticator?
20:47:19 [keiji]
20:47:25 [jcj_moz]
Anthony: Testing will not be for FIDO Conformance, but W3C API
20:47:42 [jcj_moz]
rbarnes: When we get to browser testing, browsers under test will be tested for compliance to the API only
20:47:53 [pier]
pier has joined #webauthn
20:48:08 [harry]
FIDO will continue FIDO certification and testing on parts of the eco-system outside of the Web (authenticator/OS-level)
20:48:22 [jcj_moz]
keiji: Who works on standard protocols between the RP Server and the RP Javascript?
20:48:30 [greg_hughes]
greg_hughes has joined #webauthn
20:48:35 [harry]
We'll stay in touch to make sure it all works, and the level of abstraction should be open (i.e. no lock-in)
20:48:58 [jcj_moz]
rbarnes: Probably will define the message patterns between the servers, but not the wire protocol. Not concretely how the JS talks to the RP Server
20:49:11 [harry]
however, browser test-suites are an entire different animal than authenticator certification
20:49:39 [jcj_moz]
rbarnes: We will start from the one that's in the baseline, consider hiding things or too-fido specific things, and maybe define extensions
20:49:58 [jcj_moz]
Anthony: We'll call for adoption of the docs later today
20:51:06 [jcj_moz]
hubert-paypal: question regarding ...issues with implementations, deleting from the client side?
20:51:59 [jcj_moz]
hubert-paypal: Can you delete credentials in WebAppSec?
20:52:14 [jcj_moz]
rbarnes: I don't think deleting credentials exists right now
20:52:22 [jcj_moz]
Anthony: Want to do a demo of what's working today
20:53:16 [jcj_moz]
SamSrin: There are existing implementations in the wild.
20:53:34 [jcj_moz]
alexei_goog: Goal: convince you all this isn't completely crazy; some of the problems have been solved before in similar context
20:53:43 [jcj_moz]
rbarnes: Show what kinds of things we want to enable with this API
20:54:31 [jcj_moz]
[cbran & alexei_goog presenting now]
20:55:03 [jcj_moz]
alexei_goog: Show logging into Google using U2F. 2 different form factors: Both made by Yubico, same thing with different form factors
20:55:17 [jcj_moz]
alexei_goog: One has NFC, and both have capacitive touch sensor
20:55:42 [jcj_moz]
cbran: Credentials are on one token, but will plug both in so can demonstrate what happens when there are two
20:55:56 [jcj_moz]
alexei_goog: Creds aren't ON the token, they are associated WITH a token
20:56:22 [jcj_moz]
alexei_goog: Logs into Google, is prompted for a "Security Key"
20:56:55 [jcj_moz]
alexei_goog logged in by touching the associated authenticator. Now logging out again
20:57:32 [jcj_moz]
alexei_goog: Academics are planning to do usability studies on these devices across different demographics
20:57:46 [jcj_moz]
cbran: One is registered, one is not, and touch the wrong one and see what happens
20:57:58 [jcj_moz]
... When you touch the wrong one, you get an error
20:58:07 [jcj_moz]
... alexei_goog will now perform a musical number
20:58:12 [rbarnes]
rbarnes has joined #webauthn
20:58:20 [jcj_moz]
note: [difficult to translate to IRC]
20:58:57 [gmandyam]
*alexei_goog: can you share the reference to the paper you recently presented on FIDO?
20:59:06 [mkwst]
mkwst has joined #webauthn
21:00:14 [jcj_moz]
cbran shows re-sign in again, then demonstrates that Google lets you register multiple tokens
21:00:27 [jcj_moz]
... second token was registered using his mobile phone
21:00:42 [jcj_moz]
... and then he signs back out
21:01:06 [jcj_moz]
Then cbran shows an Android device on the projector
21:01:33 [jcj_moz]
Using his Android phone he goes to log in to Google with that same account
21:01:47 [jcj_moz]
... and then cbran shows us all his password
21:02:12 [jcj_moz]
cbran: This is not the final UI.
21:02:42 [jcj_moz]
alexei_goog: This login page is being rendered by an Android application, but this would be the Platform
21:03:02 [jcj_moz]
cbran shows using NFC to authenticate using the yubikey
21:03:14 [jcj_moz]
... and then moves to BLE, which alexei_goog notes is even _less_ final and also flakey
21:03:35 [jcj_moz]
cbran shows this doing BLE.
21:05:20 [pier]
pier has joined #webauthn
21:05:24 [jcj_moz]
Rolf is now presenting on Attestation Statements
21:05:36 [jcj_moz]
Rolf: Now we've come to the fun stuff - Less UX, more crypto
21:06:25 [jcj_moz]
... Someone may want to implement authenticator on top of a TPM, embedded secure element, hardware... Also user gestures could be fingerprint, or face recognition, things we can't come up with now but will in the future
21:06:42 [jcj_moz]
... For the RP the security depends on these choices: what kind of authenticator was used?
21:06:57 [jcj_moz]
... Sometimes we might want a bit more strength to it sometimes, this is a distinction
21:07:03 [mirko_]
SurePassID has a demo similar to Google's if anyone is interested in seeing it. Just find me, Mirko. I'm in the shirt with the FIDO logo on it.
21:07:49 [jcj_moz]
... Attestation lets the Server look up metadata and see what the information is about the given authenticator, or other known authenticators
21:08:12 [jcj_moz]
... Want to know things about the model of the authenticator. Strong signals (cryptographic proof) without violating privacy
21:08:23 [jcj_moz]
... 3 models for this:
21:08:56 [jcj_moz]
... 1) Basic attestation: Set of authenticators that share one key+certificate injected at manufacturing, can't tell which auth it is, but can tell the model, so can't ID the individual
21:09:44 [jcj_moz]
... Some information you can get, based on what the model is, but don't let the RP ID the authenticator correlates between otherwise-different users
21:10:08 [jcj_moz]
... 2) Privacy CA, as defined by TCG, implemented in TPM.
21:10:40 [jcj_moz]
... 3) DAA, ECDAA, Direct Anonymous Attestation,
21:11:32 [jcj_moz]
... Back to Basic Attestation: Simple model, no need for runtime infra. Better privacy if the cert is shared over a large set, but conflict: better security if the cert is shared across a small set of authenticators
21:12:02 [jcj_moz]
... Privacy CA requires runtime infra: the CA itself has to be in the middle
21:12:12 [jcj_moz]
... 'What is the business model for those CAs?'
21:12:34 [jcj_moz]
... Maybe a company may run a privacy CA for its employees
21:12:52 [jcj_moz]
... Better security because keys aren't shared
21:13:16 [jcj_moz]
... Privacy CA itself though knows all the correlations between Authenticators and Certs
21:14:08 [jcj_moz]
... Direct Anonymous Attestation is a middle ground- doesn't need runtime infrastructure. DAA privkey is unique to an Authenticator, but the privkey is blinded / unlinkable
21:14:31 [jcj_moz]
... It's an interesting model, more complicated cryptography
21:14:49 [jcj_moz]
... TCG adopted ECDAA and are doing some tweaks
21:15:13 [jcj_moz]
... Originally slow. ECDAA much faster, based on EC
21:15:45 [jcj_moz]
... Attestation Types: The authenticator must control what gets signed as part of the Attestation Statement.
21:16:03 [jcj_moz]
... We have to support things already in the market so already support "packed", "tpm" and "android"
21:16:42 [jcj_moz]
Rolf shows the WebIDL for AttestationStatement and AttestationHeader
21:17:21 [jcj_moz]
... and AttestationCore, Client Data
21:17:50 [jcj_moz]
Rolf: ClientData is provided by the Platform, not the Authenticator
21:18:52 [jcj_moz]
.... ClientData is in the Signature Format doc
21:19:21 [jcj_moz]
Q: "Can the authenticator provide feedback to the browser re: its ability to comply, such as getting a request it cannot do."
21:19:22 [wseltzer]
-> Lang et al., Security Keys: Practical Cryptographic Second Factors for the Modern Web (the paper alexei_goog referenced)
21:20:20 [jcj_moz]
Rolf: RP server has to understand and recompute the hash of the client data, but the Client Data's hashAlg is chosen by the platform/authenticator.
21:20:56 [jcj_moz]
Vijay: Another take on your question is is part of the extension definition
21:21:33 [jcj_moz]
... It's possible to define an extension and tries to do something, and the authenticator sends back an extension with whether it was successful or not
21:21:41 [gmandyam]
* Thanks for the link, wseltzer
21:22:04 [jcj_moz]
... but no one has defined one. Not clear that there is such a use case. Keep spec as simple as possible; if there's not a clearly defined use case, we don't do it
21:22:04 [alexei_goog]
for the record, the Security Keys paper, referenced above by wseltzer, is academic and omits some spec details. Careful readers will notice a difference.
21:22:15 [jcj_moz]
alexei_goog presenting Signature Format (returned by getAssertion)
21:22:57 [jcj_moz]
alexei_goog: Goal of standardizing sig format, regardless of what Authenticator produces a signature, all RPs know how to parse it
21:23:23 [jcj_moz]
... Goal of sig is to bind together info put in by RP, put in by Client / Platform, and info put in by Authenticator
21:23:43 [jcj_moz]
alexei_goog shows the WebIDL for FIDOAssertion & ClientData
21:24:44 [jcj_moz]
alexei_goog: The Authenticator only sees the hash of the ClientData struct
21:25:08 [jcj_moz]
Q: Does this expose the Channel ID from tokenbinding?
21:25:15 [jcj_moz]
alexei_goog: Exposes it to the RP
21:26:22 [jcj_moz]
Vijay: The Authenticator gets to freeze the Channel ID
21:26:35 [johnk]
johnk has joined #webauthn
21:26:37 [jcj_moz]
alexei_goog shows AuthenticatorData
21:26:57 [jcj_moz]
alexei_goog: AuthenticatorData is a bit field because want to support very limited Authenticators
21:27:38 [jcj_moz]
Q: Why is this a DOMString as opposed to an ArrayBuffer?
21:27:52 [jcj_moz]
Vijay: No good reason; partly because we ported over pre-existing stuff
21:28:12 [jcj_moz]
... In fact, we've been talking about the CredentialID could benefit from being ArrayBuffer
21:28:28 [wseltzer]
21:28:47 [jcj_moz]
slightlyoff: The bitpacking would be error-prone to consumers
21:29:01 [jcj_moz]
alexei_goog: We came into this with typing that wasn't the best
21:29:17 [cbrand]
cbrand has joined #webauthn
21:30:14 [keiji]
21:30:26 [wseltzer]
ack keiji
21:30:48 [jcj_moz]
keiji: This API is not only for authentication? It cannot be used for generic signature, on email messages?
21:31:00 [jcj_moz]
alexei_goog: No. Meant for authentication, period
21:31:19 [jcj_moz]
keiji: Any future plan to use FIDO device to sign email?
21:32:12 [jcj_moz]
Rolf: Signature counter included - make sure only authenticator controls this structure
21:32:44 [jcj_moz]
alexei_goog: Counter.... Variable length extensions as CBOR
21:32:55 [jcj_moz]
... There will be a registry of extensions w/ several examples
21:33:24 [jcj_moz]
... How do you generate the signature? Authenticator takes Client Data Hash,...
21:33:32 [jcj_moz]
rbarnes: Client here is browser/platform
21:34:04 [jcj_moz]
alexei_goog: Authenticator Data concatenated with Client Data Hash and then signed using privkey
21:34:22 [jcj_moz]
rbarnes: RP provides some challenge, which reflected in Client Data?
21:34:33 [jcj_moz]
alexei_goog: Yes, in the ClientData. And remainder is contributed by client.
21:40:34 [davidM]
davidM has joined #Webauthn
21:42:14 [wseltzer]
-> FIDO 2.0 slides from Dirk, Alexei, Vijay, and Rolf
21:42:43 [wseltzer]
rrsagent, draft minutes
21:42:43 [RRSAgent]
I have made the request to generate wseltzer
21:48:43 [mirko]
mirko has joined #webauthn
21:56:29 [adamkcooper]
adamkcooper has joined #Webauthn
22:01:58 [wseltzer]
Topic: Charter scope and deliverables
22:02:26 [wseltzer]
-> Webauthn Charter
22:02:27 [nicolagreco]
nicolagreco has joined #webauthn
22:02:41 [pier]
pier has joined #webauthn
22:02:53 [garrettr]
garrettr has joined #webauthn
22:03:09 [Jerrod]
Jerrod has joined #webauthn
22:03:19 [rbarnes]
rbarnes has joined #webauthn
22:03:33 [K1]
K1 has joined #Webauthn
22:04:25 [wseltzer]
tonynad: Charter has been adopted, so no changes now
22:04:33 [wseltzer]
... charter gives us some deliverables
22:04:45 [wseltzer]
... notes the contributions as proposed starting point
22:05:06 [wseltzer]
[many people show hands to having read the documents]
22:05:08 [JeffH]
JeffH has joined #webauthn
22:05:36 [Mb]
Mb has joined #Webauthn
22:05:45 [cbrand]
22:05:49 [jcj_moz]
wseltzer asks for any objections to the 3 submitted documents
22:05:59 [harry]
PROPOSAL: Start WG with Working Drafts based on Member Submissions
22:06:01 [greg_hughes_]
greg_hughes_ has joined #webauthn
22:06:01 [derek]
derek has joined #webauthn
22:06:05 [JeffH]
no objections
22:06:07 [hubert-paypal]
22:06:07 [rbarnes]
22:06:07 [cbrand]
22:06:07 [harry]
22:06:11 [slightlyoff]
22:06:13 [wseltzer]
PROPOSED that we adopt the Member Submission as working drafts for the group
22:06:20 [JeffH]
22:06:21 [Rolf]
22:06:22 [vgb]
vgb has joined #webauthn
22:06:22 [alexei_goog]
22:06:25 [vgb]
22:06:31 [pier]
pier has joined #webauthn
22:06:31 [derek]
22:06:34 [alexei_goog]
22:06:34 [harry]
RESOLVED: Start WG with Working Drafts based on Member Submissions (from FIDO)
22:06:39 [jfontana]
jfontana has joined #webauthN
22:06:39 [rbarnes]
22:07:03 [wseltzer]
22:07:59 [harry]
question: Should we merge this all into one big draft?
22:08:21 [dirkbalfanz]
dirkbalfanz has joined #webauthn
22:09:38 [JeffH]
link to slides ?
22:11:09 [harry]
wseltzer: We'll do everything via github pull requests
22:11:16 [pier]
pier has joined #webauthn
22:11:17 [harry]
... minor changes can just be done via editors
22:11:38 [harry]
... so any issue, no matter how small, should be a github pull request
22:11:46 [harry]
... we do a formal transition request (working group consensus)
22:11:56 [harry]
... for publishing the documents at
22:12:04 [Guest13]
Guest13 has joined #webauthn
22:12:32 [harry]
... the WG does not have to reflect that the group thinks is done
22:12:41 [harry]
... but that it wants more public review
22:12:50 [harry]
... we can use automated publication tools
22:13:22 [harry]
question: Do editors have to all agree on changes?
22:13:52 [harry]
wseltzer: It's for each WG to figure out, editors should figure out level of questions
22:13:57 [harry]
... and how controversial it is
22:14:04 [harry]
... in which case, bring it up on the conference call.
22:14:34 [harry]
... decisions made on meeting should be confirmed on mailing list
22:15:46 [harry]
... adding features after CR requires going back through
22:15:59 [harry]
22:16:29 [wseltzer]
ack harry
22:16:55 [weiler]
call dropped.
22:17:06 [harry]
We like testing done like this
22:17:07 [harry]
22:17:13 [harry]
it's the format used by HTML5 test-suite
22:17:52 [harry]
if we add it
22:18:02 [harry]
it will then get added
22:18:08 [harry]
to the same test-suite that runs rest of W3C tests
22:18:41 [harry]
nadalin: let's make sure github notifications work for the mailing list
22:18:55 [harry]
... we prefer some discussion before opening a new issue for the WG
22:19:21 [harry]
wseltzer: Start on mailing list if the question is not clearly an issue for the spec
22:19:30 [harry]
... so we can make it concrete enough for the WG to work through
22:19:41 [harry]
topic: Editors
22:19:50 [harry]
nadalin: Let's get editors assigned
22:20:30 [harry]
... we should first see if we can keep editors and the same ones want to stay
22:20:42 [harry]
rbarnes: Attestation Rolf and Mike?
22:20:46 [harry]
rolf: Happy to stay in
22:21:12 [harry]
rbarnes: Signatures, Aranar, Mike, Rolf, and Alexei
22:21:19 [harry]
Rolf: Yep, let's keep it
22:21:30 [harry]
rbarnes: API - shall we continue
22:21:36 [harry]
... vgb, want to stay?
22:21:39 [harry]
vgb: Yes
22:22:12 [harry]
... keep the same editors and add J.C. from Mozilla.
22:22:25 [Rob]
Rob has joined #Webauthn
22:22:32 [greg_hughes]
greg_hughes has joined #webauthn
22:22:55 [harry]
nadalin: Anyone else want to play editor
22:23:02 [harry]
Juan: I would like to be added
22:23:16 [harry]
rbarnes: Anyone can submit patch, but editors are committers
22:24:23 [Rolf]
Rolf is rlin1 on
22:25:19 [harry]
wseltzer: we'll set up a single group
22:25:24 [harry]
... union of all editors
22:25:38 [harry]
jeffH: Let's move all the docs to a single document
22:25:45 [harry]
... but first just move Member Submissions in as single docs
22:25:48 [hubert-paypal]
Hubert is levangongPayPal on Github
22:25:52 [harry]
... and then do a conversion to bikeshed
22:26:02 [harry]
nadalin: Meeting plans?
22:26:22 [harry]
nadalin: Weekly meetings
22:26:28 [JeffH]
if there is a pointer to guidelines for the github<-->W3C tooling, please post to ?
22:26:32 [harry]
... what is day or time everyone is available
22:26:37 [harry]
... anyone from Asia? We have some Europeans
22:26:57 [harry]
nadalin: FIDO calls are on Friday
22:27:20 [harry]
22:27:30 [harry]
nadalin: We'd start next week
22:27:35 [rbarnes]
ack harry
22:29:41 [harry]
ok, will send a Doodle out re Monday/Tuesday/Wednesdays
22:30:52 [harry]
early pacific/late Europe
22:31:00 [harry]
Maybe will add a few Thursday/Friday options
22:31:07 [harry]
nadalin: For our next f2f
22:31:11 [harry]
... we are thinking May Berlin
22:31:15 [harry]
... next to FIDO F2F
22:31:32 [harry]
... Monday May 9th
22:31:39 [harry]
... will propose that to the list
22:31:57 [wseltzer]
22:32:07 [harry]
... the next meeting would likely be Lisbon in Sept.
22:32:12 [weiler]
weiler has joined #webauthn
22:32:42 [harry]
selfissued: I'd prefer Friday, I have a speaking commitment on Munich
22:33:17 [harry]
nadalin: Will send to list
22:33:36 [harry]
... the next F2F is likely 3rd week of Sept. in Lisbon
22:33:40 [harry]
... (Portugal)
22:34:42 [harry]
22:35:04 [harry]
topic: scope
22:35:16 [harry]
nadalin: Here's a set of use-cases
22:35:20 [harry]
... not normative, but guiding
22:35:25 [harry]
... will lead us into what we are doing
22:36:31 [harry]
... what's out of scope
22:36:47 [harry]
... multi-origin, federated identity, crypto-operations on keys
22:38:15 [JeffH]
FIDO and Federation:
22:38:17 [harry]
harry: note that you should be able to use FIDO with federated identity
22:38:26 [harry]
... just using authorization (i.e. OAuth)
22:38:30 [harry]
... and the IETF is already thinking of this
22:38:51 [harry]
wseltzer: We will keep this group focussed
22:39:06 [harry]
rbarnes: Note that client cert exposed to multi-origins is explicitly out of scope
22:39:19 [harry]
... some of the stuff keiji brought up, including signing other kinds of things
22:39:24 [harry]
... is out of scope
22:39:30 [harry]
... standard won't define UX
22:40:14 [adamkcooper]
adamkcooper has joined #webauthn
22:41:21 [harry]
nadalin: we'll also have a test-suite
22:41:46 [harry]
... and any informative reference
22:41:59 [harry]
adam_powers: I'm happy to write tests
22:42:01 [pier]
pier has joined #webauthn
22:42:06 [harry]
... just give me implementations
22:43:30 [harry]
we will discuss making sure people that make tests like Adam
22:43:34 [harry]
can get IE status
22:43:42 [harry]
dependent on employer s
22:44:03 [harry]
nadalin: There's been continued discussion on specs
22:44:43 [harry]
... and so we need
22:44:56 [harry]
... to move stuff from private github
22:45:45 [harry]
ACTION: Move issues from FIDO Github to W3C Github via proper channel
22:45:45 [trackbot]
Sorry, but no Tracker is associated with this channel.
22:46:06 [harry]
trackbot, this is the future
22:46:06 [trackbot]
Sorry, harry, I don't understand 'trackbot, this is the future'. Please refer to <> for help.
22:46:41 [harry]
alexei: There are 50 issues
22:47:11 [harry]
... typing between relying party and authenticators
22:47:48 [harry]
... then we can close them in FIDO
22:52:52 [harry]
wseltzer: we can use labels to classify them
22:56:44 [wseltzer]
rrsagent, draft minutes
22:56:44 [RRSAgent]
I have made the request to generate wseltzer
22:56:48 [wseltzer]
[short break]
22:58:04 [mirko]
mirko has joined #webauthn
22:58:34 [davidM]
davidM has joined #Webauthn
23:00:28 [nicolagreco]
nicolagreco has joined #webauthn
23:06:27 [wseltzer]
Topic: Workflows in github
23:07:00 [wseltzer]
alexei: In FIDO, we've used OKtoDo, Discuss status
23:09:28 [wseltzer]
alexei: 176 discuss
23:10:26 [wseltzer]
... 175, not for W3C
23:10:52 [wseltzer]
... 173
23:11:01 [wseltzer]
Rolf: for me it's OKtoDo
23:11:41 [wseltzer]
alexei: I don't fully grok this
23:11:47 [wseltzer]
... let's mark it as Discuss
23:12:10 [wseltzer]
alexei: 172
23:12:27 [wseltzer]
s/in github/in github, and reviewing issues in FIDO repository/
23:12:35 [wseltzer]
... discuss
23:12:54 [wseltzer]
... 171
23:12:58 [wseltzer]
Rolf: Just do it
23:13:19 [wseltzer]
alexei: 169, OK
23:13:33 [wseltzer]
... 168 just do it
23:13:54 [wseltzer]
... 167, discuss
23:14:24 [wseltzer]
... 166, just do it
23:14:48 [wseltzer]
... 165, discuss
23:16:09 [jcj_moz]
gmandyam: 165: Not worded as a proper W3C issue?
23:16:39 [jcj_moz]
alexei: Feel that having W3C talk about android seems wrong
23:17:23 [jcj_moz]
harry: If it is indeed android specific, the general purpose rule should be that FIDO 2 stuff that goes to W3C, should make sure there are no dependencies that pulls Android into the W3C spec
23:17:43 [jcj_moz]
alexei: Define a better abstraction for attestation
23:18:16 [jcj_moz]
rbarnes: Spec suite for this WG needs to be largely complete; go through the whole process without relying on an external spec (unless it's normative -Mike)
23:18:30 [jcj_moz]
Rolf: Have to somehow reference other specs like TPM
23:18:49 [jcj_moz]
rbarnes: Good general discussion we could have regarding what the general interoperable profile should be
23:19:08 [jcj_moz]
juanlang: Since we're having technical discussion, this is a point we should discuss
23:19:21 [rbarnes]
23:19:39 [jcj_moz]
SamSrin: Intent of attestation proposal is to slot multiple forms into a generic proposal. Permit large islands to do their own thing.
23:19:55 [jcj_moz]
... Don't want to get into Android / iOS, but give a generic spec
23:20:26 [jcj_moz]
rbarnes: I'm realizing I confused attestations with assertions.
23:20:31 [jcj_moz]
... Attestations not critical path
23:20:44 [jcj_moz]
... Assertions are more important to be interoperable
23:21:42 [jcj_moz]
[Harry is creating the issue]
23:22:11 [jcj_moz]
alexei: 164, skipping since it's related to last issue
23:22:48 [jcj_moz]
...163, this needs another issue
23:22:58 [jcj_moz]
... figure out the correct interface between CTAP and WebAPI
23:23:16 [jcj_moz]
Vijay: Seems like a 'just do it'
23:23:23 [jcj_moz]
alexei: OK to-do.
23:24:31 [jcj_moz]
... 162, okay to do
23:24:41 [jcj_moz]
^-- that was rbarnes
23:26:12 [jcj_moz]
alexei: 161, clear the milestone
23:26:27 [jcj_moz]
... 160, attestation, skip
23:27:06 [jcj_moz]
... 159, close
23:27:32 [jcj_moz]
... 158, discuss
23:27:42 [jcj_moz]
156, remove milestone
23:28:17 [jcj_moz]
... 155, account deletion, discuss
23:28:34 [jcj_moz]
anthony: Or just remove milestone and not discuss
23:29:33 [jcj_moz]
alexei: 154, discuss (it has a lot of text)
23:30:11 [jcj_moz]
... 151, dangling references. Closed
23:30:51 [jcj_moz]
... 150, a bunch of tags...
23:30:59 [jcj_moz]
JeffH: 150, i would say okay to do.
23:31:07 [jcj_moz]
rbarnes agrees and suggests adding to the WebAPI
23:31:18 [jcj_moz]
alexei: 150: okay to do
23:31:58 [jcj_moz]
... 148, okay to do
23:32:56 [jcj_moz]
... 142, this is tied to deletion
23:33:16 [jcj_moz]
JeffH: We can reference this together with the deletion
23:33:21 [jcj_moz]
alexei: 142 mark as discuss
23:34:49 [jcj_moz]
... 140, Rolf asks for discussion.
23:35:01 [jcj_moz]
Rolf: This must be unique globally
23:35:05 [jcj_moz]
alexei: 140 we must discuss it
23:35:24 [jcj_moz]
... 139, just do it
23:36:45 [jcj_moz]
... 137, CTAP layer... there is no cancel in the WebAPI
23:37:02 [jcj_moz]
JeffH: This is more about the effect on the Authenticator. Pull this milestone and reclassify
23:37:23 [jcj_moz]
alexei: Should it be in the algorithm?
23:37:32 [jcj_moz]
JeffH: we should open another issue.
23:38:43 [jcj_moz]
alexei: 137 then discuss
23:39:11 [jcj_moz]
...136, discuss
23:40:04 [jcj_moz]
... 135, mark as discuss
23:40:20 [jcj_moz]
... 134, discuss b/c block of text
23:41:01 [jcj_moz]
... 133, non-normative, just do it
23:41:54 [jcj_moz]
... 132, recommend closing because we can't predict the future?
23:42:02 [jcj_moz]
rbarnes: Closing this seems fine to me
23:42:07 [jcj_moz]
JeffH: Clear the milestone
23:42:50 [jcj_moz]
alexei: 131
23:43:02 [jcj_moz]
Vijay: Provide a use case that doesn't rely on passwords
23:44:00 [jcj_moz]
alexei: 131, OK to do, clarify it
23:45:22 [jcj_moz]
130, remove milestone
23:45:51 [jcj_moz]
alexei: ... 114: okay to do
23:46:26 [jcj_moz]
... 108, Vijay says reference cleanup which is fixed if merging them all. Okay to do
23:46:32 [jcj_moz]
... 108, remove the milestone
23:47:12 [jcj_moz]
... 105, Duplicate of account deletion in 155
23:47:48 [jcj_moz]
... 92, discuss
23:48:08 [jcj_moz]
... 91, already done
23:48:38 [jcj_moz]
... 87, okay to just do it.
23:49:11 [jcj_moz]
... 74, discuss
23:49:28 [jcj_moz]
... 71,
23:49:36 [jcj_moz]
rbarnes: Already been closed twice!
23:49:55 [jcj_moz]
JeffH : I'm taking care of it. I'll make it go away.
23:50:04 [jcj_moz]
alexei: 39, going to get merged
23:51:16 [jcj_moz]
rbarnes: is there any objection to merging the 3 documents?
23:51:17 [harry]
Note I just added the three FIDO 2.0 to github
23:51:32 [harry]
Hey, fill out the Doodle for our telecon:
23:51:35 [jcj_moz]
wseltzer: Is there any chance of them moving forward out of sync?
23:52:14 [jcj_moz]
mike: Request: the editor that does it, flag the text so it's reviewable, so that nothing gets lost and that which gets added is in sync
23:52:21 [jcj_moz]
... with that caveat, I'm OK doing it
23:52:27 [jcj_moz]
JeffH: issue 39 closed
23:52:54 [jcj_moz]
alexei: Going to open another issue to merge all the documents
23:53:17 [jcj_moz]
... issue 4!
23:54:23 [hubert-paypal]
hubert-paypal has joined #webauthn
23:56:17 [wseltzer]
wseltzer: thanks to our host, chairs, and all participants!
23:56:20 [wseltzer]
23:56:23 [wseltzer]
rrsagent, make minutes
23:56:23 [RRSAgent]
I have made the request to generate wseltzer
23:56:28 [nicolagreco]
nicolagreco has joined #webauthn
23:59:02 [wseltzer]
i/question: Should we merge this all into one big draft?/scribenick: harry
23:59:17 [wseltzer]
rrsagent, make minutes
23:59:17 [RRSAgent]
I have made the request to generate wseltzer
00:01:45 [mirko]
mirko has joined #webauthn
00:02:05 [wseltzer]
i|gmandyam: 165: Not worded as a proper W3C issue?|scribenick: jcj_moz
00:02:08 [wseltzer]
rrsagent, make minutes
00:02:08 [RRSAgent]
I have made the request to generate wseltzer
00:14:24 [davidM]
davidM has joined #Webauthn
00:22:39 [yubicoderek]
yubicoderek has joined #webauthn
00:43:00 [mirko]
mirko has joined #webauthn
00:50:27 [mirko]
mirko has joined #webauthn
00:58:21 [mirko]
mirko has joined #webauthn
01:17:56 [davidM]
davidM has joined #Webauthn
01:26:35 [mirko]
mirko has joined #webauthn
02:02:42 [weiler]
weiler has joined #webauthn
02:05:13 [weiler]
weiler has left #webauthn
03:11:49 [keiji]
keiji has joined #webauthn
03:30:48 [mirko]
mirko has joined #webauthn
05:58:14 [mirko]
mirko has joined #webauthn
06:36:42 [mirko]
mirko has joined #webauthn
07:17:01 [mirko]
mirko has joined #webauthn
08:09:32 [nicolagreco]
nicolagreco has joined #webauthn
14:24:03 [davidM]
davidM has joined #Webauthn
14:29:58 [keiji]
keiji has joined #webauthn
14:41:46 [keiji]
keiji has joined #webauthn
15:26:11 [davidM]
davidM has joined #Webauthn
16:03:15 [davidM]
davidM has joined #Webauthn
16:22:30 [davidM]
davidM has joined #Webauthn
16:35:35 [nicolagreco]
nicolagreco has joined #webauthn
17:01:19 [davidM]
davidM has joined #Webauthn
18:06:22 [keiji]
keiji has joined #webauthn
18:13:33 [mirko]
mirko has joined #webauthn
18:28:41 [davidM]
davidM has joined #Webauthn
21:44:09 [nicolagreco]
nicolagreco has joined #webauthn
21:52:52 [keiji]
keiji has joined #webauthn
22:47:08 [nicolagreco_]
nicolagreco_ has joined #webauthn
22:53:48 [davidM]
davidM has joined #Webauthn
23:13:01 [davidM]
davidM has joined #Webauthn
00:23:40 [nicolagreco]
nicolagreco has joined #webauthn
03:58:02 [nicolagreco]
nicolagreco has joined #webauthn
05:48:48 [Guest13]
Guest13 has joined #webauthn
06:13:19 [slightlyoff]
slightlyoff has joined #webauthn
06:36:50 [slightlyoff]
slightlyoff has joined #webauthn
06:38:10 [mkwst]
mkwst has joined #webauthn
08:05:37 [nicolagreco]
nicolagreco has joined #webauthn
08:32:30 [nicolagreco]
nicolagreco has joined #webauthn
00:07:04 [nicolagreco]
nicolagreco has joined #webauthn
00:12:11 [nicolagreco_]
nicolagreco_ has joined #webauthn
00:13:19 [nicolagreco__]
nicolagreco__ has joined #webauthn
02:20:11 [jcj_moz]
jcj_moz has joined #webauthn
03:59:12 [jcj_moz]
jcj_moz has joined #webauthn