IRC log of webauthn on 2016-03-23

Timestamps are in UTC.

17:00:45 [RRSAgent]
RRSAgent has joined #webauthn
17:00:45 [RRSAgent]
logging to http://www.w3.org/2016/03/23-webauthn-irc
17:01:01 [Guest13]
Guest13 has joined #webauthn
17:01:41 [hhalpin]
RRSagent, draft minutes
17:01:41 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html hhalpin
17:04:05 [rbarnes]
zakim, agenda?
17:04:05 [Zakim]
I see 4 items remaining on the agenda:
17:04:06 [Zakim]
2. bikeshed vs. respec.js decision [from wseltzer]
17:04:06 [Zakim]
3. Next F2F date [from wseltzer]
17:04:06 [Zakim]
4. Open Issues if time permits [from wseltzer]
17:04:07 [Zakim]
5. AOB [from wseltzer]
17:05:55 [hhalpin]
chair: tony
17:06:23 [felipe_bbg]
just dropped
17:06:24 [hhalpin]
Zakim, pick a victim
17:06:24 [Zakim]
Not knowing who is chairing or who scribed recently, I propose Adam
17:06:42 [hhalpin]
Zakim, pick a victim
17:06:42 [Zakim]
Not knowing who is chairing or who scribed recently, I propose nadalin
17:06:49 [wseltzer]
zakim, clear agenda
17:06:49 [Zakim]
agenda cleared
17:06:59 [acz-goog]
acz-goog has joined #webauthn
17:06:59 [JeffH]
JeffH has joined #webauthn
17:07:15 [acz-goog]
present+
17:07:21 [hhalpin]
scribe: apowers
17:07:28 [jcj_moz]
present+
17:07:29 [vgb]
vgb has joined #webauthn
17:07:30 [hhalpin]
present+ hhalpin
17:07:33 [rbarnes]
present+
17:07:34 [JeffH]
present+
17:07:36 [vgb]
present+ vgb
17:07:39 [apowers]
present+ apowers
17:07:41 [wseltzer]
agenda+ Roll Call
17:07:41 [wseltzer]
agenda+ Agenda bashing
17:07:42 [wseltzer]
agenda+ Document merge, status/update
17:07:43 [felipe_bbg]
present+
17:07:46 [hhalpin]
present+ antoine
17:07:51 [Hubert-PayPal]
Hubert-PayPal has joined #webauthn
17:07:53 [RobTrace]
RobTrace has joined #webauthn
17:07:54 [wseltzer]
agenda+ Naming issues, update from JC
17:07:54 [wseltzer]
agenda+ Walk the open issues list
17:07:55 [wseltzer]
agenda+ A.O.B
17:08:07 [Hubert-PayPal]
+Hubert (PayPal)
17:08:11 [hhalpin]
present+ christian
17:08:15 [cbrand]
cbrand has joined #webauthn
17:08:19 [cbrand]
present+
17:08:30 [hhalpin]
present+ RobTrace
17:08:34 [hhalpin]
present+ PaulGrassi
17:08:47 [juanlang]
juanlang has joined #webauthn
17:08:56 [hhalpin]
present+ Janet from Fed Reserve in Minneapolis
17:09:29 [Hubert-PayPal]
present+ Hubert (PayPal)
17:09:34 [hhalpin]
topic: status of merge document
17:09:35 [apowers]
tony: reviews agenda
17:09:43 [apowers]
(like that?)
17:09:58 [adl]
adl has joined #webauthn
17:10:21 [apowers]
... document merge, naming issues, open issues list
17:10:21 [hhalpin]
yep, apowers - looks good
17:10:23 [apowers]
... AOB
17:10:34 [apowers]
... other topics? not heard
17:10:52 [apowers]
... status of merge?
17:10:54 [apowers]
jeff: complete
17:11:18 [apowers]
... merged to master
17:11:19 [hhalpin]
agenda?
17:11:41 [apowers]
vijay: duplications in master branch, need to blow away old ones
17:11:43 [apowers]
jeff: correct
17:12:05 [apowers]
jc: I did a review and didn't see any merge issues
17:12:47 [apowers]
tony: we can remove the subdirectories after we hear back from Mike
17:12:51 [rbarnes]
zakim, move to agendum 3
17:12:51 [Zakim]
agendum 3. "Document merge, status/update" taken up [from wseltzer]
17:13:05 [apowers]
jeff: I did a cursory review of the merge and it looked fine
17:13:26 [apowers]
... and having Mike follow up sounds fine
17:13:45 [apowers]
... mike = mike j (not mike west)
17:13:56 [apowers]
tony: we will do a review this week and be done with it next week
17:14:30 [apowers]
tony: any more discussion on merge document?
17:14:40 [apowers]
jeff: is talking about nomenclature a subtopic
17:14:42 [apowers]
tony: sure
17:14:56 [apowers]
jeff: JC did a good start
17:15:19 [apowers]
... made some suggestions on some minor polish for nomenclature
17:16:21 [apowers]
... be aware that if you are using gmail, emails from PayPal (Jeff and Hubert) may end up in your spam folder
17:16:26 [jcj_moz]
JeffH's comments: https://github.com/w3c/webauthn/pull/48
17:16:48 [apowers]
vijay: thanks for doing this, I'm reviewing the pull request, let me know if that's the right way to do it
17:16:56 [apowers]
jeff: up to the group
17:17:18 [apowers]
jc: prefer GitHub
17:17:19 [hhalpin]
I think Github is generally preferable for things that require actual references to the spec
17:17:26 [apowers]
vijay: prefer GitHub
17:17:29 [hhalpin]
If it's some overarching issue, then you do the lsit
17:17:50 [apowers]
jeff: GitHub doesn't notify the list
17:18:04 [apowers]
hhalpin: that's being changed right now
17:18:19 [apowers]
richard: the PR relates to many points
17:18:44 [apowers]
jeff: from my experience, you explicitly have to watch the repo
17:18:52 [apowers]
hhalpin: yes
17:18:58 [apowers]
jeff: let's talk offline
17:19:08 [acz-goog]
q+
17:19:19 [apowers]
jeff: it would be good to let the list know when someone submits a bunch of comments
17:19:31 [rbarnes]
zakim, who is speaking?
17:19:31 [Zakim]
I am sorry, rbarnes; I don't have the necessary resources to track talkers right now
17:19:32 [apowers]
(who is speaking?)
17:19:49 [apowers]
alexei?
17:20:29 [apowers]
alexei: if we have the same name everywhere and we do this global renaming, can we just create variables that get renamed?
17:20:59 [apowers]
... does such a mechanism exist in bikeshed?
17:21:09 [apowers]
hhalpin: I will look into it, it might be possible
17:21:43 [apowers]
jeff: mkwst has experience with bikeshed and may know
17:21:58 [felipe_bbg]
q+
17:22:11 [hhalpin]
Here's all the bikshed docs
17:22:12 [hhalpin]
https://github.com/tabatkins/bikeshed
17:22:31 [apowers]
tony: if we are done with nomenclature the next item is ...
17:22:49 [apowers]
agenda?
17:22:58 [rbarnes]
zakim, go to agendum 4
17:22:58 [Zakim]
I don't understand 'go to agendum 4', rbarnes
17:23:10 [wseltzer]
zakim, take up agendum 4
17:23:11 [Zakim]
agendum 4. "Naming issues, update from JC" taken up [from wseltzer]
17:23:18 [apowers]
jc: not sure what to do about IANA numbers
17:23:56 [apowers]
jeff: what was registered?
17:24:00 [apowers]
apowers: crypto formats?
17:24:06 [apowers]
jeff: not registered yet
17:24:15 [apowers]
jc: OID number
17:24:34 [apowers]
... open a ticket to choose a different number or keep them
17:24:42 [apowers]
jeff: maybe talk about it on the mailing list
17:24:56 [apowers]
... up to that organization to choose and manage the subtree
17:25:05 [apowers]
rbarnes: what are the OIDs?
17:25:23 [apowers]
jc: some of the extensions have OIDs, standard form based on org tree
17:25:32 [apowers]
... some are registered to FIDO Alliance
17:25:36 [apowers]
jeff: open an issue
17:26:14 [apowers]
jc: I did change the strings, I think it would make sense to change the strings or OIDs or neither, but not the intermediate state
17:26:45 [apowers]
rbarnes: if they are extensions and they are optional, then it may not make a difference
17:27:12 [apowers]
... probably want to pull all the OIDs into a non FIDO-org
17:27:26 [apowers]
jc: I'm not familiar with how common these extensions are
17:27:43 [apowers]
... maybe we discuss on the list whether we want to keep them or rename them
17:27:49 [adrianba]
adrianba has joined #webauthn
17:27:50 [acz-goog]
... phone rings
17:28:15 [apowers]
... reference to ECDAA specification
17:28:20 [apowers]
... maybe another topic for the list
17:28:27 [apowers]
jeff: leave it alone for now
17:28:31 [apowers]
... spec is forthcoming
17:28:43 [apowers]
... will be buttoned up by other SDO, perfectly fine to reference
17:28:53 [apowers]
jc: metadata service we have another thread going on on the list
17:29:01 [apowers]
... not sure if we want to discuss that today, assume not
17:29:14 [apowers]
jc: state of naming
17:29:27 [apowers]
... seems like from the PR we can genericize things
17:29:31 [apowers]
... open to suggestions
17:29:36 [apowers]
jeff: looks good, thank you
17:29:47 [apowers]
tony: jeff, do you want to review the relying party issue?
17:30:24 [apowers]
jeff: what I was trying to bring up was changing "FIDO Relying Party" to just "Relying Party" may cause issues
17:30:28 [apowers]
... it is context dependent
17:30:59 [apowers]
... has to do with the hand off to the identity provider
17:31:14 [apowers]
... we should use the term WebAuthn Relying Party consistently
17:31:38 [apowers]
... when the context is not clear it leads to impedance mismatches
17:31:51 [apowers]
vijay: should we drop the term Relying Party altogether?
17:31:58 [apowers]
... it's ambigious
17:32:14 [apowers]
jeff: we went through that exercise in UAF and it went nowhere
17:32:21 [apowers]
... couldn't come up with a decent term
17:32:31 [apowers]
... could imagine adding some text to the spec
17:32:38 [apowers]
... terminology section
17:32:46 [apowers]
... relying party is not a federated relying party
17:33:05 [apowers]
rbarnes: having terminology would be a good place to do that
17:33:23 [apowers]
jeff: it would be good to be able to point to a more qualified term
17:33:52 [apowers]
... floated this idea last year, people seemed fine with it
17:34:11 [apowers]
rbarnes: would anyone like to create a terminology section?
17:34:15 [apowers]
jc: I don't mind taking it on
17:34:30 [apowers]
... if anyone has feelings on the subject, please let me know or let the list know
17:34:37 [apowers]
... what would work for the term Relying Party
17:35:10 [apowers]
rbarnes: since FIDO has already had that conversation, maybe those "confusables" [terms] could be mentioned
17:35:37 [apowers]
jeff: maybe we should be assigning issues in GitHub to track the work
17:35:48 [apowers]
... if you start working on something assign it to yourself
17:35:58 [apowers]
... and if the issue doesn't exist, create one and assign it to yourself
17:36:09 [hhalpin]
+1
17:36:30 [Hubert-PayPal]
Agreed - it'll make participation easier
17:36:32 [apowers]
rbarnes: I remember that alexei was going to work through the open issues
17:36:40 [apowers]
alexei: yep, that's on me
17:36:43 [jcj_moz]
Terminology Section is Issue #50: https://github.com/w3c/webauthn/issues/50
17:36:55 [apowers]
jeff: can you assign issues to yourself
17:37:02 [apowers]
alexei: yes, fine with me
17:37:16 [apowers]
jeff: separate branches and pull requests (PRs)?
17:37:32 [apowers]
alexei: maybe some trivial things direct to master (adding a comma)
17:37:34 [hhalpin]
For trivial editorial work I suggest editor's discretion
17:37:43 [apowers]
... more complex create a PR
17:37:55 [apowers]
jc: I prefer everything go through PRs
17:38:06 [jcj_moz]
^^ that's actually rbarnes
17:38:11 [apowers]
sorry, can I change that?
17:38:34 [wseltzer]
s/jc/rbarnes/
17:38:38 [apowers]
thx
17:38:42 [apowers]
s/jc/sbarnes
17:38:44 [apowers]
s/jc/sbarnes/
17:38:49 [apowers]
blah
17:38:59 [apowers]
jeff: either fork to own repo or create a branch
17:39:05 [hhalpin]
q+
17:39:08 [apowers]
rbarnes: everything through PR
17:39:11 [apowers]
jeff: works for me
17:39:19 [felipe_bbg]
I was wondering about the term Relaying Party, in the context web and leaving federated identity out of scope, wouldn't it be essentially "web application"?
17:39:33 [felipe_bbg]
q-
17:39:44 [acz-goog]
q-
17:39:45 [apowers]
vijay: use commit nomenclature for marking issues as fixed
17:39:47 [hhalpin]
rbarnes, can you handle looking at IRC queue as soon as this conversation raws to a close
17:40:25 [apowers]
... if we just use that then there won't be confusion about what the status of the issues is, especially if the changes aren't on master
17:40:34 [apowers]
... and it closes the issue when merged to master
17:41:03 [apowers]
hhalpin: W3C does use GItHub for permissions, and then we have a different permissions layer above that for IPR checks
17:41:17 [apowers]
... if you don't have permissions and you want them, contact Wendy or myslef
17:41:19 [JeffH]
how does one tell if they don't have "permissions" ?
17:41:50 [apowers]
rbarnes: I'm disappointed that you didn't mention that was called oshgnas (sp?)
17:41:58 [rbarnes]
s/rbarnes/jcj/
17:42:12 [apowers]
apparently all of Mozilla sounds the same to me ;)
17:42:25 [apowers]
apologies
17:42:39 [jcj_moz]
s/oshgnas/ash nazg/
17:42:42 [hhalpin]
https://github.com/w3c/?utf8=%E2%9C%93&query=ash-na
17:43:05 [apowers]
rbarnes: how are we feeling about Tony's proposal to remove the metadata service from the spec
17:43:12 [apowers]
Vijay: optional add-on that's best left out
17:43:15 [hhalpin]
https://github.com/w3c/ash-nazg
17:43:26 [apowers]
jeff: sure, although we could reference as an informative reference
17:43:27 [hhalpin]
"One interface to find all group contributors and in IPR bind them https://labs.w3.org/hatchery/ash-nazg/ — "
17:43:29 [acz-goog]
q+
17:43:35 [hhalpin]
q- hhalpin
17:43:48 [apowers]
hubert: sure, informative for more information about the attestations and how to validate them
17:43:51 [wseltzer]
regrets+ wseltzer
17:43:51 [felipe_bbg]
q+
17:44:17 [apowers]
alexei: I think we had decided during the last meeting to make attestation more of a blob rather than spec'ing it out
17:44:28 [felipe_bbg]
q-
17:44:31 [apowers]
jeff: sure, that's another way to do it
17:44:46 [apowers]
rbarnes: alexei: make the changes?
17:44:49 [acz-goog]
q-
17:44:57 [apowers]
alexei: sure after my other issues I'm working on
17:45:03 [apowers]
jeff: see #47
17:45:45 [apowers]
filipe: I posed a question, leaving federated identity outside the scope, would relying party be the web application?
17:46:05 [apowers]
vijay: no, the web application would be the javascript, relying party is the backend
17:46:35 [apowers]
... goes back to whomever is going to grant security
17:46:59 [apowers]
filipe: there are references to the "script" and it wasn't clear what that is
17:47:07 [apowers]
jeff: client-side portion of web application
17:47:28 [apowers]
rbarnes: relying party will get information from the script
17:47:48 [apowers]
filipe: what confuses me is that this is all pinned to an origin
17:47:55 [apowers]
... I have to think a bit more about this
17:48:07 [apowers]
vijay: this is why we also pulled the web origin into the signature
17:48:24 [apowers]
... telling the authenticator who the relying party (RP) si
17:48:52 [apowers]
hubert: useful addition to the spec
17:49:01 [apowers]
... do we have a security considerations section anywhere?
17:49:08 [apowers]
jeff: we could open an issue for that
17:49:20 [apowers]
rbarnes: we need that to describe the overall security model
17:49:42 [apowers]
rbarnes: hubert: could you do that?
17:49:49 [apowers]
hubert: sure
17:50:06 [apowers]
rbarnes: it sounds like we are in pretty good agreement on the attestation / metadata service question
17:50:13 [apowers]
tony: 10 minutes left
17:50:23 [apowers]
... look at open issues, or wait until merge is closed?
17:50:34 [apowers]
*tumbleweed*
17:50:42 [rbarnes]
zakim, agenda?
17:50:42 [Zakim]
I see 6 items remaining on the agenda:
17:50:43 [Zakim]
1. Roll Call [from wseltzer]
17:50:43 [Zakim]
2. Agenda bashing [from wseltzer]
17:50:43 [Zakim]
3. Document merge, status/update [from wseltzer]
17:50:43 [Zakim]
4. Naming issues, update from JC [from wseltzer]
17:50:43 [Zakim]
5. Walk the open issues list [from wseltzer]
17:50:44 [Zakim]
6. A.O.B [from wseltzer]
17:50:57 [apowers]
alexei: I can get more work done when I'm not on a call
17:51:03 [apowers]
rbarnes: good progress for the day
17:51:06 [apowers]
tony: AOB?
17:51:10 [apowers]
... or 10 minutes back
17:51:15 [apowers]
... meet again next Wednesday
17:51:26 [apowers]
... adjourn
17:51:32 [hhalpin]
RRSAgent, draft minutes
17:51:32 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html hhalpin
17:52:01 [apowers]
ironically, my account doesn't have sufficient permissions to view the draft minutes :)
17:55:05 [wseltzer]
rrsagent, make logs publi
17:55:07 [wseltzer]
rrsagent, make logs public
17:55:16 [wseltzer]
rrsagent, make minutes
17:55:16 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/03/23-webauthn-minutes.html wseltzer
18:57:58 [Guest13]
Guest13 has joined #webauthn