14:01:32 RRSAgent has joined #hb-secure-services
14:01:32 logging to http://www.w3.org/2016/06/16-hb-secure-services-irc
14:02:44 wseltzer: yes
14:03:17 virginie has joined #hb-secure-services
14:04:33 hello all, details of the call can be found here https://lists.w3.org/Archives/Public/public-hb-secure-services/2016Jun/0008.html
14:06:03 chaals has joined #hb-secure-services
14:06:29 Trying to dial in, just getting steady tone
14:06:49 (says it can't connect me to the call, after getting my name and trying…)
14:07:53 @chaals try this number local number from here : https://lync.gemalto.com/dialin
14:08:06 @marko, where do you call from ?
14:08:29 I'm in now.
14:09:10 present+ virginie, Bruno, Sebastien, marko, wseltzer
14:09:41 present+ Peter Hofmann
14:09:52 agenda+ Review of the current document
14:10:01 agenda?
14:10:30 agenda+ linking to the CG and its work
14:11:25 zakim, clear agenda
14:11:25 agenda cleared
14:11:30 zakim, please clear the agenda
14:11:30 agenda cleared
14:11:40 agenda+ Review of the current document
14:11:40 agenda+ document
14:11:47 agenda+ scoped credentials
14:11:55 agenda+ deliverables
14:12:01 agenda+ TPAC meeting
14:12:04 agenda?
14:13:36 [By the way, I'm trying to make a link to the work of this group, and wondering where I should link to…]
14:14:19 chaals, https://rawgit.com/w3c/websec/gh-pages/hbss.html#dfn-method-confirm is the document Sebastien is talking about
14:14:58 Sebastian: what has changed in document - a new introduction. Section 4.1.3.1 confirmation method.
14:15:50 to chaals, we are working on the mailing list https://lists.w3.org/Archives/Public/public-hb-secure-services/, and on the github area https://github.com/w3c/websec
14:15:55 chaals, here's the group's homepage: https://www.w3.org/community/hb-secure-services/
14:18:33 [I think that we shold publish on a regular basis some post on the CG home page to give a clear view of the group activities and progress, thans chaals]
14:18:51 s/shold/should
14:18:58 s/thans/thanks
14:22:30 mark : will we have to use TEE for trusted UI
14:22:46 sebastien : all implementations are possible and we will have to add this into the document
14:23:00 peter : will it be a normative part ?
14:23:35 sebastien : it will be informal, as it will be implementation dependent
14:24:25 Virginie: reminder that we are not producing a standard, we are a non-normative group
14:25:28 peter : there will be different security and trust levels depending on the context (with or without TEE, for example)
14:27:46 virginie : we may use a list-description of the context for executing the secure transaction confirmation
14:28:24 virginie : we might have to list technologies involved and possible scenarios (is there a TEE, yes, no, is there a tamper-resistant storage of key, yes, no, ....)
14:28:47 peter : yes, that would be great for the service provider to make decision when/if to run the services
14:29:14 sebastien: privacy issues about keys managed in smartphone
14:29:14 sebastien : we will have to be careful with the privacy, by disclosing too many things to the web app
14:29:37 sebastien : this is why we decided to have the user involved in the choice of the credential to use for the confirmation
14:30:09 sebastien : we will have to have the user and the service provider involved in the choice
14:30:40 sebastien : we mentioned in previous discussion that the key will be associated with a given service provider, so the choice might be quite easy
14:31:16 sebastien : the role of the certificate authority can also be useful to make a choice : the Service provider may have its own list of accepted CA
14:34:01 need increased explanation in section 5.1 and 5.2, plus add notion of attestation
14:34:24 attestation = information related to context of storage and execution
14:34:50 attestation notion can be reused for transaction confirmation and secure credential storage
14:35:21 Virginie: do we consider that attestation should be signed by someone, or up to browser to ensure that it cannot be modified?
14:35:45 Should not be replayable - needs to be ensured by some cryptographic signature
14:36:19 virginie : in the field today, there is no such thing as signed attestation
14:36:43 [note there's an attestation in the webauthn: Styling with Markdown is supported
14:36:46  Comment Close issue
14:36:55 May be added later on, when attestation is available on trusted UI component; FIDO already has concept of attestation
14:37:03 s/Styling with Markdown is supported/https://w3c.github.io/webauthn//
14:37:07 -> https://w3c.github.io/webauthn/
14:37:12 s/ Comment Close issue
14:37:13 sebastien : the attestation will collect the information about the Trusted UI and the secure storage capabilities
14:37:56 https://w3c.github.io/webauthn/#attestation
14:39:04 virginie : then what do we do ?
14:39:36 sebastien : we may just consider that the device manages attestation transparently at first usage
14:40:08 V: If a user agent implements the API, and wants to integrate attestation first, how can we do that?
14:40:30 S: because there is no attestation, we cannot request to support attestation. So first version would be without attestation.
14:41:27 Second version: as a result of transaction confirmation, the confirmation/cryptographic element + attestation to give additional information to server about the environment
14:42:09 V: What would be this piece of information? S: provided by the browser V: How would the browser get this information?
14:43:04 S: for smart card, it would be something new, so would not be there at the first day. Expect that TEE would provide description of its environment. Way to prove to service provider that it has been certified.
14:44:24 V: would like to measure work in explaining why we need attestation.
14:45:43 sebastien : this would have to be managed at key issuance/creation
14:45:59 S: for transaction confirmation, too complex for service providers to implement individually. Manage at key issuance. Certificate authority will issue key only if managed by TEE.
14:46:03 sebastien : thus the service provider would not have to manage this kind of complexity
14:46:56 V: suggests Sebastien writes requirement for attestation into document.
14:47:47 https://rawgit.com/w3c/websec/gh-pages/hb-secure-services/SafranIdentitySecurity_Authorization-model-for-Javascript-usage-of-hardware-based-keys.pdf
14:47:49 Agenda: scoped credentials
14:57:59 mark : are you proposing that, in the browser approach, that the same key is used across different services ?
14:58:09 mark : how do you guarantee the privacy ?
14:58:21 sebastien : it will be undre the exclusive control of the user
14:58:27 s/undre/under
14:59:36 virginie : which solution do you prefer ?
14:59:52 bruno : prefers the second approach with ADSL
15:00:04 mark : suggests that we have a pro/con analysis
15:00:14 sebastien : yes, I can provide that
15:00:35 bruno : in the second approach the user is participating to the authorization of domains
15:01:08 sebastien : the seocnd approach needs work on the UA side, as it is a complete new feature
15:01:52 sebastien : but it fulfills the expectation of the user controlling all the credential and taking into account the service provider policy
15:02:07 s/seocnd/ second
15:03:23 Virginie: priorities for community group: secure credential storage needs to be written, scoped credentials would be priority 3 behind secure credentials + transaction confirmation
15:04:00 Virginie: may ask CG members for more input on the scoped credentials proposal
15:05:01 Virginie: want CG to be able to show to browser vendors what we can do, so will need some implementations
15:05:40 Ideas to improve webcrypto API to include secure storage suggestion
15:06:11 Virginie: how can we present prototypes? Would Sebastien have a demo in September?
15:06:58 Sebastian: has modified middleware available already; need to link to transaction confirmation API
15:07:11 V: would it be available for a mobile?
15:07:44 Sebastian: would be a PC-based demo. Agrees definitely need to do something on mobile
15:07:53 V: more willing to work on mobile side
15:08:45 S: mostly done on Chrome, or Firefox. V: Gemalto to work on Firefox
15:09:28 Agenda: should we meet during TPAC? W3C meeting in September in Portugal.
15:10:00 virginie : will you be at TPAC ?
15:10:03 +1
15:10:07 Mark: not in Lisbon, not sure whether Colin would attend
15:10:15 +1
15:11:04 Virginie: ask w3c about possibility to invite non-w3c members.
15:12:14 V: Wednesday at W3C is open to absolutely anyone, brainstorming day
15:13:07 phofmanntsy has joined #hb-secure-services
15:14:55 Virginie: Sebastian's document still needs to have some use cases. Ping Brian for bank-related services.
15:15:38 V: Could Peter have a look at the different use-cases?
15:17:41 +1
15:17:44 -1 for Tues 28th.
15:18:10 Will check with Paul/Colin for 28th.
15:19:55 Will have next meeting on Tuesday 28th at 1400 UTC
15:20:39 quit
15:21:37 zakim, please generate minutes
15:21:37 I don't understand 'please generate minutes', virginie
15:22:33 rrsagent, please generate minutes
15:22:33 I have made the request to generate http://www.w3.org/2016/06/16-hb-secure-services-minutes.html virginie
15:24:01 rrsagent, set logs world-visible
16:21:25 chaals has joined #hb-secure-services