16:54:42 RRSAgent has joined #webauthn 16:54:42 logging to http://www.w3.org/2016/06/15-webauthn-irc 16:54:44 RRSAgent, make logs public 16:54:44 Zakim has joined #webauthn 16:54:46 Zakim, this will be 16:54:46 I don't understand 'this will be', trackbot 16:54:47 Meeting: Web Authentication Working Group Teleconference 16:54:47 Date: 15 June 2016 16:56:04 present= 16:56:07 zakim, clear agenda 16:56:07 agenda cleared 16:59:03 present+ 16:59:16 gmandyam has joined #webauthn 16:59:26 present+ gmandyam 17:00:29 weiler has joined #webauthn 17:01:41 present+ TonyNadalin 17:02:14 present+ Hubert 17:02:49 present+ JeffH 17:02:56 alexei-goog has joined #webauthn 17:02:57 apowers has joined #webauthn 17:03:08 present+ Ketan 17:03:26 present+ alexei-goog, dirkbalfanz 17:03:33 present+ 17:03:50 present+ Nitin 17:03:59 dirkbalfanz has joined #webauthn 17:04:07 prese nt 17:04:12 present+ 17:04:13 vgb has joined #webauthn 17:04:15 present+ 17:04:23 present+ 17:04:57 zakim, who is here? 17:04:57 Present: wseltzer, gmandyam, TonyNadalin, Hubert, JeffH, Ketan, alexei-goog, dirkbalfanz, weiler, Nitin, vgb 17:04:59 On IRC I see vgb, dirkbalfanz, apowers, alexei-goog, weiler, gmandyam, Zakim, RRSAgent, adrianba, trackbot, slightlyoff, mkwst, wseltzer 17:05:42 present+ SamSrinivas 17:05:44 Rolf has joined #webauthn 17:05:59 SamSrinivas has joined #webauthn 17:06:01 present+ Rolf 17:06:04 present+ 17:06:06 present+ apowers 17:06:27 RobTrace has joined #Webauthn 17:06:38 JeffH has joined #webauthn 17:06:48 present+ 17:08:32 Topic: Extensions 17:08:36 Hubert has joined #webauthn 17:09:25 present+ 17:09:26 Vijay to lead through his drafts. Also Rolf's alternate. Giri specific proposal. 17:10:22 Vijay speaking: Fixed some contradictions in the text re: extensions. Every extension has to have a client argument seems to be there. Vijay fixed up all pre-defined extensions to fit this spirit. S 17:10:33 Surprisied how little text needed to be added. 17:10:42 -> https://github.com/w3c/webauthn/pull/130/files vgb's pull request 17:10:48 (vijay still speaking) 17:11:19 Made explicit tht the client argument should be convered to authenticator argument, in many cases, it is a straight pass-thru. 17:11:57 All the pre-defined extensions fit this pass-thru model, except for authenticator selection, and that's prety simple too. 17:14:44 Giri re: trusted location -- isn't some processing required. Vijay: processing = just converting to CBOR 17:15:11 That transform is possible for any extension, even opaque 17:15:57 i/Topic: Extensions/scribenick: SamSrinivas 17:16:23 [reviewing https://github.com/w3c/webauthn/pull/130/files ] 17:16:53 Vijay walking through diffs. 17:17:29 Line 1410: Clarifuing client takes client args, not 'authenticator args'. Latter term was not defined, is not defined better. 17:17:57 Line 1420: word smithing 17:18:44 Line 1435: extension has to specify how to convert client arg to authetnicator arg -- majority of cases it is pass thorugh. 17:20:28 tenet: The RP should know what happened with the extensons it requested. 17:22:40 Extensions should add to client data in some way to indicate to the RP that the extension was honored/respected/processed. 17:25:09 Shouldn't client be responsible to add to client data for every extension? Since it owns client data? (Sam and Hubert). Vijay says "ok either way". Decision, to change the text to make it client's responsibiliuty 17:25:38 Hubert has joined #webauthn 17:28:22 Added standard way of passing "true" in CBOR. Takes same amount of byte space as numeral. 17:29:08 Makes it easy for client to just transform "true" in API call to "true" over CBOR generically. 17:30:14 Your client can pass through unknown extensions after CBOR-izing. 17:30:53 Giri: Reconfirming: All extensions are prompted. Vijay: yes, actually was always in spec that the RP has to specify a client argument. 17:30:57 SamSrinivas: my understanding is that a bound authnr that is not being accessed via CTAP, can add to clientData -- this raises issue of whether CTAP is declared the only means to access authnrs or not.... 17:34:48 q? 17:35:13 Most extensions will be pass through but extensions can also specify fancy client processing in principle. Authentucator selection requirest his for example. 17:35:21 (vijay said) 17:35:27 s/his/this/ 17:36:03 Sam says: any extension needing client processing si a high bar and I see it coming into the main spec rather than just being specified in registry 17:36:21 Giri: Authenticator selection maybe should not be extension? 17:36:31 It should be in main API? 17:38:23 Vijay summarizing all other changes near end of doc -- basically straightforward, kinds of things covered earlier (eg, specifying CBOR true etc) 17:41:27 ... i.e. see line 1474 17:47:46 q? 17:48:42 SamSrinivas: one issue with requiring pass-through of extensions - who will respect user's privacy if RP and authenticator maker have different view of the user's privacy than the user would have? 17:49:41 Rolf: Would be great if pre-defined extensions at least would be honored 17:50:51 Jeeff: Are there privacy concenrs with predefined extensions? Shouldnt it be ok to implement? 17:51:16 (in reply to tony asking) Should client need to understand privacy implicatons? 17:58:31 q+ 18:06:00 [group to continue on-list discussion of extensions] 18:06:15 zakim, list attendees 18:06:15 As of this point the attendees have been wseltzer, gmandyam, TonyNadalin, Hubert, JeffH, Ketan, alexei-goog, dirkbalfanz, weiler, Nitin, vgb, SamSrinivas, Rolf, apowers 18:06:18 rrsagent, make minutes 18:06:18 I have made the request to generate http://www.w3.org/2016/06/15-webauthn-minutes.html wseltzer 18:06:39 rrsagent, make logs public 18:06:42 Chair: TonyNadalin 18:06:45 rrsagent, make minutes 18:06:45 I have made the request to generate http://www.w3.org/2016/06/15-webauthn-minutes.html wseltzer 18:08:59 weiler has joined #webauthn 20:47:17 Zakim has left #webauthn