IRC log of webauthn on 2016-03-23
Timestamps are in UTC.
- 17:00:45 [RRSAgent]
- RRSAgent has joined #webauthn
- 17:00:45 [RRSAgent]
- logging to http://www.w3.org/2016/03/23-webauthn-irc
- 17:01:01 [Guest13]
- Guest13 has joined #webauthn
- 17:01:41 [hhalpin]
- RRSagent, draft minutes
- 17:01:41 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html hhalpin
- 17:04:05 [rbarnes]
- zakim, agenda?
- 17:04:05 [Zakim]
- I see 4 items remaining on the agenda:
- 17:04:06 [Zakim]
- 2. bikeshed vs. respec.js decision [from wseltzer]
- 17:04:06 [Zakim]
- 3. Next F2F date [from wseltzer]
- 17:04:06 [Zakim]
- 4. Open Issues if time permits [from wseltzer]
- 17:04:07 [Zakim]
- 5. AOB [from wseltzer]
- 17:05:55 [hhalpin]
- chair: tony
- 17:06:23 [felipe_bbg]
- just dropped
- 17:06:24 [hhalpin]
- Zakim, pick a victim
- 17:06:24 [Zakim]
- Not knowing who is chairing or who scribed recently, I propose Adam
- 17:06:42 [hhalpin]
- Zakim, pick a victim
- 17:06:42 [Zakim]
- Not knowing who is chairing or who scribed recently, I propose nadalin
- 17:06:49 [wseltzer]
- zakim, clear agenda
- 17:06:49 [Zakim]
- agenda cleared
- 17:06:59 [acz-goog]
- acz-goog has joined #webauthn
- 17:06:59 [JeffH]
- JeffH has joined #webauthn
- 17:07:15 [acz-goog]
- present+
- 17:07:21 [hhalpin]
- scribe: apowers
- 17:07:28 [jcj_moz]
- present+
- 17:07:29 [vgb]
- vgb has joined #webauthn
- 17:07:30 [hhalpin]
- present+ hhalpin
- 17:07:33 [rbarnes]
- present+
- 17:07:34 [JeffH]
- present+
- 17:07:36 [vgb]
- present+ vgb
- 17:07:39 [apowers]
- present+ apowers
- 17:07:41 [wseltzer]
- agenda+ Roll Call
- 17:07:41 [wseltzer]
- agenda+ Agenda bashing
- 17:07:42 [wseltzer]
- agenda+ Document merge, status/update
- 17:07:43 [felipe_bbg]
- present+
- 17:07:46 [hhalpin]
- present+ antoine
- 17:07:51 [Hubert-PayPal]
- Hubert-PayPal has joined #webauthn
- 17:07:53 [RobTrace]
- RobTrace has joined #webauthn
- 17:07:54 [wseltzer]
- agenda+ Naming issues, update from JC
- 17:07:54 [wseltzer]
- agenda+ Walk the open issues list
- 17:07:55 [wseltzer]
- agenda+ A.O.B
- 17:08:07 [Hubert-PayPal]
- +Hubert (PayPal)
- 17:08:11 [hhalpin]
- present+ christian
- 17:08:15 [cbrand]
- cbrand has joined #webauthn
- 17:08:19 [cbrand]
- present+
- 17:08:30 [hhalpin]
- present+ RobTrace
- 17:08:34 [hhalpin]
- present+ PaulGrassi
- 17:08:47 [juanlang]
- juanlang has joined #webauthn
- 17:08:56 [hhalpin]
- present+ Janet from Fed Reserve in Minneapolis
- 17:09:29 [Hubert-PayPal]
- present+ Hubert (PayPal)
- 17:09:34 [hhalpin]
- topic: status of merge document
- 17:09:35 [apowers]
- tony: reviews agenda
- 17:09:43 [apowers]
- (like that?)
- 17:09:58 [adl]
- adl has joined #webauthn
- 17:10:21 [apowers]
- ... document merge, naming issues, open issues list
- 17:10:21 [hhalpin]
- yep, apowers - looks good
- 17:10:23 [apowers]
- ... AOB
- 17:10:34 [apowers]
- ... other topics? not heard
- 17:10:52 [apowers]
- ... status of merge?
- 17:10:54 [apowers]
- jeff: complete
- 17:11:18 [apowers]
- ... merged to master
- 17:11:19 [hhalpin]
- agenda?
- 17:11:41 [apowers]
- vijay: duplications in master branch, need to blow away old ones
- 17:11:43 [apowers]
- jeff: correct
- 17:12:05 [apowers]
- jc: I did a review and didn't see any merge issues
- 17:12:47 [apowers]
- tony: we can remove the subdirectories after we hear back from Mike
- 17:12:51 [rbarnes]
- zakim, move to agendum 3
- 17:12:51 [Zakim]
- agendum 3. "Document merge, status/update" taken up [from wseltzer]
- 17:13:05 [apowers]
- jeff: I did a cursory review of the merge and it looked fine
- 17:13:26 [apowers]
- ... and having Mike follow up sounds fine
- 17:13:45 [apowers]
- ... mike = mike j (not mike west)
- 17:13:56 [apowers]
- tony: we will do a review this week and be done with it next week
- 17:14:30 [apowers]
- tony: any more discussion on merge document?
- 17:14:40 [apowers]
- jeff: is talking about nomenclature a subtopic
- 17:14:42 [apowers]
- tony: sure
- 17:14:56 [apowers]
- jeff: JC did a good start
- 17:15:19 [apowers]
- ... made some suggestions on some minor polish for nomenclature
- 17:16:21 [apowers]
- ... be aware that if you are using gmail, emails from PayPal (Jeff and Hubert) may end up in your spam folder
- 17:16:26 [jcj_moz]
- JeffH's comments: https://github.com/w3c/webauthn/pull/48
- 17:16:48 [apowers]
- vijay: thanks for doing this, I'm reviewing the pull request, let me know if that's the right way to do it
- 17:16:56 [apowers]
- jeff: up to the group
- 17:17:18 [apowers]
- jc: prefer GitHub
- 17:17:19 [hhalpin]
- I think Github is generally preferable for things that require actual references to the spec
- 17:17:26 [apowers]
- vijay: prefer GitHub
- 17:17:29 [hhalpin]
- If it's some overarching issue, then you do the lsit
- 17:17:50 [apowers]
- jeff: GitHub doesn't notify the list
- 17:18:04 [apowers]
- hhalpin: that's being changed right now
- 17:18:19 [apowers]
- richard: the PR relates to many points
- 17:18:44 [apowers]
- jeff: from my experience, you explicitly have to watch the repo
- 17:18:52 [apowers]
- hhalpin: yes
- 17:18:58 [apowers]
- jeff: let's talk offline
- 17:19:08 [acz-goog]
- q+
- 17:19:19 [apowers]
- jeff: it would be good to let the list know when someone submits a bunch of comments
- 17:19:31 [rbarnes]
- zakim, who is speaking?
- 17:19:31 [Zakim]
- I am sorry, rbarnes; I don't have the necessary resources to track talkers right now
- 17:19:32 [apowers]
- (who is speaking?)
- 17:19:49 [apowers]
- alexei?
- 17:20:29 [apowers]
- alexei: if we have the same name everywhere and we do this global renaming, can we just create variables that get renamed?
- 17:20:59 [apowers]
- ... does such a mechanism exist in bikeshed?
- 17:21:09 [apowers]
- hhalpin: I will look into it, it might be possible
- 17:21:43 [apowers]
- jeff: mkwst has experience with bikeshed and may know
- 17:21:58 [felipe_bbg]
- q+
- 17:22:11 [hhalpin]
- Here's all the bikshed docs
- 17:22:12 [hhalpin]
- https://github.com/tabatkins/bikeshed
- 17:22:31 [apowers]
- tony: if we are done with nomenclature the next item is ...
- 17:22:49 [apowers]
- agenda?
- 17:22:58 [rbarnes]
- zakim, go to agendum 4
- 17:22:58 [Zakim]
- I don't understand 'go to agendum 4', rbarnes
- 17:23:10 [wseltzer]
- zakim, take up agendum 4
- 17:23:11 [Zakim]
- agendum 4. "Naming issues, update from JC" taken up [from wseltzer]
- 17:23:18 [apowers]
- jc: not sure what to do about IANA numbers
- 17:23:56 [apowers]
- jeff: what was registered?
- 17:24:00 [apowers]
- apowers: crypto formats?
- 17:24:06 [apowers]
- jeff: not registered yet
- 17:24:15 [apowers]
- jc: OID number
- 17:24:34 [apowers]
- ... open a ticket to choose a different number or keep them
- 17:24:42 [apowers]
- jeff: maybe talk about it on the mailing list
- 17:24:56 [apowers]
- ... up to that organization to choose and manage the subtree
- 17:25:05 [apowers]
- rbarnes: what are the OIDs?
- 17:25:23 [apowers]
- jc: some of the extensions have OIDs, standard form based on org tree
- 17:25:32 [apowers]
- ... some are registered to FIDO Alliance
- 17:25:36 [apowers]
- jeff: open an issue
- 17:26:14 [apowers]
- jc: I did change the strings, I think it would make sense to change the strings or OIDs or neither, but not the intermediate state
- 17:26:45 [apowers]
- rbarnes: if they are extensions and they are optional, then it may not make a difference
- 17:27:12 [apowers]
- ... probably want to pull all the OIDs into a non FIDO-org
- 17:27:26 [apowers]
- jc: I'm not familiar with how common these extensions are
- 17:27:43 [apowers]
- ... maybe we discuss on the list whether we want to keep them or rename them
- 17:27:49 [adrianba]
- adrianba has joined #webauthn
- 17:27:50 [acz-goog]
- ... phone rings
- 17:28:15 [apowers]
- ... reference to ECDAA specification
- 17:28:20 [apowers]
- ... maybe another topic for the list
- 17:28:27 [apowers]
- jeff: leave it alone for now
- 17:28:31 [apowers]
- ... spec is forthcoming
- 17:28:43 [apowers]
- ... will be buttoned up by other SDO, perfectly fine to reference
- 17:28:53 [apowers]
- jc: metadata service we have another thread going on on the list
- 17:29:01 [apowers]
- ... not sure if we want to discuss that today, assume not
- 17:29:14 [apowers]
- jc: state of naming
- 17:29:27 [apowers]
- ... seems like from the PR we can genericize things
- 17:29:31 [apowers]
- ... open to suggestions
- 17:29:36 [apowers]
- jeff: looks good, thank you
- 17:29:47 [apowers]
- tony: jeff, do you want to review the relying party issue?
- 17:30:24 [apowers]
- jeff: what I was trying to bring up was changing "FIDO Relying Party" to just "Relying Party" may cause issues
- 17:30:28 [apowers]
- ... it is context dependent
- 17:30:59 [apowers]
- ... has to do with the hand off to the identity provider
- 17:31:14 [apowers]
- ... we should use the term WebAuthn Relying Party consistently
- 17:31:38 [apowers]
- ... when the context is not clear it leads to impedance mismatches
- 17:31:51 [apowers]
- vijay: should we drop the term Relying Party altogether?
- 17:31:58 [apowers]
- ... it's ambigious
- 17:32:14 [apowers]
- jeff: we went through that exercise in UAF and it went nowhere
- 17:32:21 [apowers]
- ... couldn't come up with a decent term
- 17:32:31 [apowers]
- ... could imagine adding some text to the spec
- 17:32:38 [apowers]
- ... terminology section
- 17:32:46 [apowers]
- ... relying party is not a federated relying party
- 17:33:05 [apowers]
- rbarnes: having terminology would be a good place to do that
- 17:33:23 [apowers]
- jeff: it would be good to be able to point to a more qualified term
- 17:33:52 [apowers]
- ... floated this idea last year, people seemed fine with it
- 17:34:11 [apowers]
- rbarnes: would anyone like to create a terminology section?
- 17:34:15 [apowers]
- jc: I don't mind taking it on
- 17:34:30 [apowers]
- ... if anyone has feelings on the subject, please let me know or let the list know
- 17:34:37 [apowers]
- ... what would work for the term Relying Party
- 17:35:10 [apowers]
- rbarnes: since FIDO has already had that conversation, maybe those "confusables" [terms] could be mentioned
- 17:35:37 [apowers]
- jeff: maybe we should be assigning issues in GitHub to track the work
- 17:35:48 [apowers]
- ... if you start working on something assign it to yourself
- 17:35:58 [apowers]
- ... and if the issue doesn't exist, create one and assign it to yourself
- 17:36:09 [hhalpin]
- +1
- 17:36:30 [Hubert-PayPal]
- Agreed - it'll make participation easier
- 17:36:32 [apowers]
- rbarnes: I remember that alexei was going to work through the open issues
- 17:36:40 [apowers]
- alexei: yep, that's on me
- 17:36:43 [jcj_moz]
- Terminology Section is Issue #50: https://github.com/w3c/webauthn/issues/50
- 17:36:55 [apowers]
- jeff: can you assign issues to yourself
- 17:37:02 [apowers]
- alexei: yes, fine with me
- 17:37:16 [apowers]
- jeff: separate branches and pull requests (PRs)?
- 17:37:32 [apowers]
- alexei: maybe some trivial things direct to master (adding a comma)
- 17:37:34 [hhalpin]
- For trivial editorial work I suggest editor's discretion
- 17:37:43 [apowers]
- ... more complex create a PR
- 17:37:55 [apowers]
- jc: I prefer everything go through PRs
- 17:38:06 [jcj_moz]
- ^^ that's actually rbarnes
- 17:38:11 [apowers]
- sorry, can I change that?
- 17:38:34 [wseltzer]
- s/jc/rbarnes/
- 17:38:38 [apowers]
- thx
- 17:38:42 [apowers]
- s/jc/sbarnes
- 17:38:44 [apowers]
- s/jc/sbarnes/
- 17:38:49 [apowers]
- blah
- 17:38:59 [apowers]
- jeff: either fork to own repo or create a branch
- 17:39:05 [hhalpin]
- q+
- 17:39:08 [apowers]
- rbarnes: everything through PR
- 17:39:11 [apowers]
- jeff: works for me
- 17:39:19 [felipe_bbg]
- I was wondering about the term Relaying Party, in the context web and leaving federated identity out of scope, wouldn't it be essentially "web application"?
- 17:39:33 [felipe_bbg]
- q-
- 17:39:44 [acz-goog]
- q-
- 17:39:45 [apowers]
- vijay: use commit nomenclature for marking issues as fixed
- 17:39:47 [hhalpin]
- rbarnes, can you handle looking at IRC queue as soon as this conversation raws to a close
- 17:40:25 [apowers]
- ... if we just use that then there won't be confusion about what the status of the issues is, especially if the changes aren't on master
- 17:40:34 [apowers]
- ... and it closes the issue when merged to master
- 17:41:03 [apowers]
- hhalpin: W3C does use GItHub for permissions, and then we have a different permissions layer above that for IPR checks
- 17:41:17 [apowers]
- ... if you don't have permissions and you want them, contact Wendy or myslef
- 17:41:19 [JeffH]
- how does one tell if they don't have "permissions" ?
- 17:41:50 [apowers]
- rbarnes: I'm disappointed that you didn't mention that was called oshgnas (sp?)
- 17:41:58 [rbarnes]
- s/rbarnes/jcj/
- 17:42:12 [apowers]
- apparently all of Mozilla sounds the same to me ;)
- 17:42:25 [apowers]
- apologies
- 17:42:39 [jcj_moz]
- s/oshgnas/ash nazg/
- 17:42:42 [hhalpin]
- https://github.com/w3c/?utf8=%E2%9C%93&query=ash-na
- 17:43:05 [apowers]
- rbarnes: how are we feeling about Tony's proposal to remove the metadata service from the spec
- 17:43:12 [apowers]
- Vijay: optional add-on that's best left out
- 17:43:15 [hhalpin]
- https://github.com/w3c/ash-nazg
- 17:43:26 [apowers]
- jeff: sure, although we could reference as an informative reference
- 17:43:27 [hhalpin]
- "One interface to find all group contributors and in IPR bind them https://labs.w3.org/hatchery/ash-nazg/ — "
- 17:43:29 [acz-goog]
- q+
- 17:43:35 [hhalpin]
- q- hhalpin
- 17:43:48 [apowers]
- hubert: sure, informative for more information about the attestations and how to validate them
- 17:43:51 [wseltzer]
- regrets+ wseltzer
- 17:43:51 [felipe_bbg]
- q+
- 17:44:17 [apowers]
- alexei: I think we had decided during the last meeting to make attestation more of a blob rather than spec'ing it out
- 17:44:28 [felipe_bbg]
- q-
- 17:44:31 [apowers]
- jeff: sure, that's another way to do it
- 17:44:46 [apowers]
- rbarnes: alexei: make the changes?
- 17:44:49 [acz-goog]
- q-
- 17:44:57 [apowers]
- alexei: sure after my other issues I'm working on
- 17:45:03 [apowers]
- jeff: see #47
- 17:45:45 [apowers]
- filipe: I posed a question, leaving federated identity outside the scope, would relying party be the web application?
- 17:46:05 [apowers]
- vijay: no, the web application would be the javascript, relying party is the backend
- 17:46:35 [apowers]
- ... goes back to whomever is going to grant security
- 17:46:59 [apowers]
- filipe: there are references to the "script" and it wasn't clear what that is
- 17:47:07 [apowers]
- jeff: client-side portion of web application
- 17:47:28 [apowers]
- rbarnes: relying party will get information from the script
- 17:47:48 [apowers]
- filipe: what confuses me is that this is all pinned to an origin
- 17:47:55 [apowers]
- ... I have to think a bit more about this
- 17:48:07 [apowers]
- vijay: this is why we also pulled the web origin into the signature
- 17:48:24 [apowers]
- ... telling the authenticator who the relying party (RP) si
- 17:48:52 [apowers]
- hubert: useful addition to the spec
- 17:49:01 [apowers]
- ... do we have a security considerations section anywhere?
- 17:49:08 [apowers]
- jeff: we could open an issue for that
- 17:49:20 [apowers]
- rbarnes: we need that to describe the overall security model
- 17:49:42 [apowers]
- rbarnes: hubert: could you do that?
- 17:49:49 [apowers]
- hubert: sure
- 17:50:06 [apowers]
- rbarnes: it sounds like we are in pretty good agreement on the attestation / metadata service question
- 17:50:13 [apowers]
- tony: 10 minutes left
- 17:50:23 [apowers]
- ... look at open issues, or wait until merge is closed?
- 17:50:34 [apowers]
- *tumbleweed*
- 17:50:42 [rbarnes]
- zakim, agenda?
- 17:50:42 [Zakim]
- I see 6 items remaining on the agenda:
- 17:50:43 [Zakim]
- 1. Roll Call [from wseltzer]
- 17:50:43 [Zakim]
- 2. Agenda bashing [from wseltzer]
- 17:50:43 [Zakim]
- 3. Document merge, status/update [from wseltzer]
- 17:50:43 [Zakim]
- 4. Naming issues, update from JC [from wseltzer]
- 17:50:43 [Zakim]
- 5. Walk the open issues list [from wseltzer]
- 17:50:44 [Zakim]
- 6. A.O.B [from wseltzer]
- 17:50:57 [apowers]
- alexei: I can get more work done when I'm not on a call
- 17:51:03 [apowers]
- rbarnes: good progress for the day
- 17:51:06 [apowers]
- tony: AOB?
- 17:51:10 [apowers]
- ... or 10 minutes back
- 17:51:15 [apowers]
- ... meet again next Wednesday
- 17:51:26 [apowers]
- ... adjourn
- 17:51:32 [hhalpin]
- RRSAgent, draft minutes
- 17:51:32 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html hhalpin
- 17:52:01 [apowers]
- ironically, my account doesn't have sufficient permissions to view the draft minutes :)
- 17:55:05 [wseltzer]
- rrsagent, make logs publi
- 17:55:07 [wseltzer]
- rrsagent, make logs public
- 17:55:16 [wseltzer]
- rrsagent, make minutes
- 17:55:16 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html wseltzer
- 18:57:58 [Guest13]
- Guest13 has joined #webauthn