W3C

- DRAFT -

Web Authentication WG

13 Apr 2016

See also: IRC log

Attendees

Present
wseltzer, jcj_moz, felipe_bbg, vgb, alexei-goog, JeffH, Rolf, Hubert-PayPal, hhalpin, todd_albers, adamkcooper (IRC only), Sam
Regrets
rbarnes
Chair
TonyNad, RBarnes
Scribe
selfissued

<wseltzer> trackbot, start teleconf

<trackbot> Sorry, but no Tracker is associated with this channel.

Mike Jones here

<wseltzer> todd_albers: Federal Reserve

agenda bashing

<hhalpin> or Mike Jones?

You're welcome

<wseltzer> scribenick: selfissued

<hhalpin> chair: Nadalin

Wendy: We were discussing whether all the work belongs in one document or even whether it all belongs in one working group
... We were chartered to do the three pieces of work - members approved this work package
... The submitters thought that the pieces were logically related

<JeffH> could who is typing loud mute mic ?

Wendy: My preference is to keep working on all of them here

Alexei: Giving background - All started when I and Vijay looked at the spec
... Asked whether stuff that hardware vendors would be implementing belongs in a W3C spec
... Asking whether the current structure makes sense. Has struck a chord with some people. I'm fine with it as is.

Sampath: Some of attestation text doesn't belong in this document - such as Android-specific text

Vijay: Will send out a PR this week to move the attestation into an appendix
... Then we can talk about whether the appendix should remain in the document or not

Wendy: That treatment makes sense to me

<hhalpin> Or we could just do separate docs, but an appendix is fine w/ me.

Fine with several others

Rolf: What should stay in the original document then?

<wseltzer> selfissued: I believe what we'd be moving to appendix is still necessary for interop

<wseltzer> ... ok moving it, but it's still normative

Mike: The attestation format is necessary for interop

<JeffH> selfissued: the attestation stuff is necessary for interop....

Vijay: The preamble is about a conforming user agent
... Stuff about authenticators can then be in an appendix

Sergei: A conforming user agent doesn't need to understand the signature format either

Wendy: It might not all fit under the same preamble but W3C specs can talk about things other than just user agents

<wseltzer> selfissued: I'd rather change the preamble than deprecate some normative text

<JeffH> selfissued == mike jones :)

Sampath: There will only be a handful of attestation types

Vijay: I want to move things that matter to the UA and parts that matter to the authenticator and put them in different sections
... I want to keep the signature format in

Jeff: I'm fine with Vijay's suggestion

<wseltzer> JeffH: keep it in one document while we're normalizing the terminology

<wseltzer> selfissued: I agree that editorially, things for different audiences should be in different sections

<wseltzer> ... disagree with putting some things into an appendix, since the parts for authenticators are also normative

<Hubert-PayPal> Agree with selfissued

<wseltzer> ... none of the audiences (authenticators, servers, user agents) is less important than the others

<wseltzer> ... so shouldn't be put in appendix

<JeffH> i nominally agree with mike/selfissued tho am fine to entertain reviewing proposals such as Vijay's

<hhalpin> the appendix is a short-term measure for terminological consistency, i.e. when we have non-FIDO folks try to implement, then we can see how folks who are on authenticator-facing teams and server-facing teams prefer the docs laid out and if they can actually implement.

<hhalpin> Or if they need more docs etc.

<hhalpin> and how to best structure those docs.

Are you seeing me now?

<vgb> yes, mike

<JeffH> yes

<wseltzer> alexei-goog: I agree with both Vijay and Mike. Happy to put it into an "Authenticator" section

Mike: I'm good with content for different audiences being in different sections, but it's all essential normative text

Tony: I agree with Mike
... We can actually refer to the attestations we want people to use with external references or inline
... We have a charter to follow which includes attestations

<JeffH> i tend to agree with Mike, tho am fine with entertaining proposals -- we don't merge to master until we have consensus....

Rolf: Sometimes it's not sufficient to refer to an external standard
... You need to say *how* you're using the external spec
... Such as how to use the TPM spec

Tony: There are things that need to stay in the WebAuthn doc - including how to use attestations

<JeffH> +1 to Rolf

Rolf: The W3C doc needs to say, for instance, how we're using the TPM spec

+1 to Rolf

Mike: Can we confirm that nothing is being moved into an appendix?

<Rolf> +1

Vijay: I will send out a PR that will be reviewed

<wseltzer> JeffH: No pull request will be merged to master without group consensus

Tony: Let's see what the PR says

<wseltzer> selfissued: If it includes "section," I'll propose changing it to a section

Open Issue status for FPWD

Tony: We've had action lately in the repository
... JC did his terminology section

Vijay: We have 5 open issues - 1 terminology
... JC has created follow-on issues

<wseltzer> https://github.com/w3c/webauthn/issues

Vijay: None of this should block FPWD
... Vijay is looking at feedback from the TAG
... Feedback on images at multiple resolutions
... Not clear to Vijay that this is widely implemented or used
... There was a question about whether we should move to the arrayBuffer types
... There was one about whether we should converge with Credential ID
... A Credential ID is a USVString
... These two things are in conflict
... Vijay will start an email thread about this
... Finally, the TAG asked about eTLD+1
... We need to get back to the TAG on eTLD+1
... Do people feel that if we address these things, we'll be ready for FPWD in Berlin?

Jeff: Yes

JC: I also agree

<jcj_moz> ack

Tony: I'd like to close that one
... Issue 50
... According to Vijay we're still in good shape for FPWD in Berlin

We're down to 4 open issues after closing the terminology issue

scribe: We definitely need to get the structure of the document settled before we put it out

Tony: I have to depart - Wendy will take over

Glossary/Terms Discussion

Wendy: Let's take up the glossary and terms discussion

<hhalpin> I think that *depends* on the amount of terminology

Mike: It's normal to put terminology up front before you use the terms

<wseltzer> https://w3c.github.io/webauthn/#terminology

JC: The terms are hyperlinked

<hhalpin> So far it's quite small

Wendy: Is there additional terminology to define?

Felipe: I added a comment with a longer list of terms
... I tried to include everything unusual that people would need to know as a prerequisite

Hubert: There is a reference to account creation - this likely is not correct
... This probably should be "registration"

Jeff: Yes

<wseltzer> https://github.com/w3c/webauthn/issues/50#issuecomment-206624812

The above is Felipe's comment

<hhalpin> Index

<hhalpin> JSON Web Keys -> WebCrypto

Harry: The terminology section needs a review, including the index

<hhalpin> I've done a random sample but not the whole thing

<hhalpin> i.e. the index is more important really than the 'terminology' section re implementers

Alexei: There are inconsistencies in the terminology usage

<wseltzer> Felipe's issue re: consistency

<hhalpin> IDL type is only defined in WebCrypto

Vijay: The JWK reference is intentional

<hhalpin> i.e. just an inline note on what part of WebCrypto we are referring to (i.e. the IDL) given the whole spec is rather larger

Vijay: Find the issue and send a PR
... That's the best thing to do

Wendy: Yes, please!
... GitHub makes sure that others take a look

<wseltzer> https://github.com/w3c/webauthn/issues?q=is%3Aissue+is%3Aopen+label%3Apriority%3Ahigh

<wseltzer> JeffH: We already reviewed the FPWD milestones

Jeff: Are there issues that Tony labelled SPWD that people think should be FPWD?

Vijay: There are 4 SPWD issues with priority high

Issue 25: Server challenge timeout

Walk open issues list

<wseltzer> https://github.com/w3c/webauthn/issues/25

Vijay: The problem is that the authenticator manages to create the key but doesn't manage to respond in time for the registration to happen
... Then there is an orphaned structure
... Deal with orphaned keys
... I think this is a second-level thing we don't have to get right for FPWD

Jeff: That's fine with me

<wseltzer> https://github.com/w3c/webauthn/issues/26

Vijay: I don't see this as being a FPWD problem

<wseltzer> JeffH: put 26 on the Berlin agenda

Jeff: Agree, but we should have it on the agenda for Berlin

<wseltzer> https://github.com/w3c/webauthn/issues/37

Vijay: Rolf has text that could be added to the attestation description
... Feels like something that isn't essential for FPWD
... The goal of FPWD is "Do we have the right things in here" - not whether they're perfectly described

Jeff: Status OKToDo - If easy, someone could just do it

Rolf: These changes will not create any merge conflicts

<hhalpin> Should be fine either way really

Vijay: I'll just merge this in

<wseltzer> https://github.com/w3c/webauthn/issues/38

Vijay: Final is #38 about Credential.RPCurrency assumed to be RP unique
... Assumes that Credential ID is unique across authenticators
... It's worth having the discussion and trying to close it before Berlin

This is architectural - not editorial

Mike: This needs to be FPWD - not second

Alexei: Most people agree that the credential ID needs to be unique

Rolf: Nothing wrong with that assumption - but it must be explicit - not implicit

Mike: +1

Vijay: Agree that Credential ID can be unique
... Will send a PR saying that it's unique

<JeffH> jeffh: +1

Vijay: If people agree, we can merge it and be done

Thanks, Vijay!

Wendy: Would it be useful to have a label to indicate that something is ready for WG discussion?

Vijay: Instead, just send e-mail about it

I'd rather have e-mail than tags

<JeffH> +1 vijay

<jcj_moz> +2

+1

Vijay: Both end up creating a persistent record in the future

<wseltzer> see, e.g. https://lists.w3.org/Archives/Public/public-webauthn/2016Apr/

<hhalpin> https://lists.w3.org/Archives/Public/public-webauthn/2016Apr/0045.html

Wendy: No other business

<hhalpin> Meeting adjourned

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/04/13 18:00:28 $
