17:11:36 <RRSAgent> RRSAgent has joined #webauthn
17:11:36 <RRSAgent> logging to http://www.w3.org/2016/06/22-webauthn-irc
17:11:38 <trackbot> RRSAgent, make logs public
17:11:38 <Zakim> Zakim has joined #webauthn
17:11:40 <trackbot> Zakim, this will be
17:11:40 <Zakim> I don't understand 'this will be', trackbot
17:11:41 <nadalin> Vgb giving overview of his pull request from last week
17:11:41 <trackbot> Meeting: Web Authentication Working Group Teleconference
17:11:41 <trackbot> Date: 22 June 2016
17:12:23 <weiler> Zakim, this will be Webauthn
17:12:23 <Zakim> ok, weiler
17:12:36 <weiler> scribenick: vgb
17:13:23 <vgb> rbarnes: generally, #130 looks okay
17:13:40 <vgb> ... a little concerned that we don't have privacy considerations well fleshed out yet
17:14:05 <vgb> nadalin: do people believe we have closure on PR #130?
17:14:20 <vgb> JeffH: need to read more
17:14:40 <vgb> rbarnes: agree
17:16:36 <vgb> vgb: clarification - we did discuss this in detail last week, this morning's commit was wordsmithing in a non-normative context
17:16:45 <vgb> ... we had discussed last week about merging this in
17:17:23 <vgb> aczeskis: yes, reviewed all commits in detail before merging it, but please do bring up any feedback or disagreements on the list
17:18:07 <nadalin> so please review the #130 merge and post to list if you agree or disagree
17:18:11 <vgb> Rolf: last week we discussed moving AAGUID from extension to attestation - would like to create a new issue for doing that
17:18:31 <vgb> ... and would do a PR. Feedback?
17:18:45 <vgb> JeffH/nadalin: go for it.
17:19:03 <vgb> Rolf: how about issue #110 to remove attestation entirely?
17:19:33 <vgb> JeffH/nadalin: work with the text as is, make progress and force the issue.
17:20:04 <vgb> s/#110/#108/
17:21:01 <vgb> nadalin: any more questions on #130? if not, please read offline and reply to list if any thoughts.
17:21:08 <vgb> JeffH: let's set a deadline
17:21:14 <vgb> nadalin: let's say Monday
17:21:20 <vgb> ... 6/27
17:21:46 <vgb> nadalin: On to Giri's request for loc extension
17:23:12 <Rolf> move AAGUID extension --> packed attestation now tracked in issue 132.
17:24:37 <vgb_> vgb_ has joined #webauthn
17:25:30 <vgb_> rbarnes: clarifying earlier reaction as a general matter - specifying formats does seem desirable
17:25:40 <nadalin> nadalin has joined #webauthn
17:25:57 <vgb_> ... strong concerns around user privacy and experience, specifically with geolocation
17:27:06 <RobTrace> RobTrace has joined #webauthn
17:27:14 <vgb_> ... seems like there is already an existing method for geolocation information, so it seems unnecessary to exacerbate such issues by adding them into authenticators
17:27:44 <Rolf> queue+
17:28:48 <vgb_> ... concern is that as we get into (even if perhaps useful) things that go beyond basic device-based proof of possession, that complicates our mission and makes it much harder to scope issues
17:29:19 <vgb_> gmandyam: now that all extensions are prompted, the client has a stronger role and the ability to filter extensions
17:30:21 <vgb_> ... also, there are many participants who want to go beyond basic PoP and do more complicated things. This falls into that bucket.
17:31:29 <vgb_> rbarnes: Note that our charter is written more narrowly, and does not explicitly cover such extended uses. It also seems feasible to carve off this additional scope and make it a separate mechanism.
17:31:59 <vgb_> gmandyam: Do you have a larger concern about extensions in general?
17:32:48 <vgb_> rbarnes: willing to be more flexible if there is some strong control. but yes, there is general concern that any extensions can be used in bad ways, so we should minimize this exposure.
17:33:20 <RobTrace_> RobTrace_ has joined #webauthn
17:33:42 <vgb_> Rolf: re: complexity, the expectation is that the UA does the right thing by the user and does not need to complicate the UX beyond what it already has (e.g.. privacy settings).
17:34:02 <vgb_> ... existing API mechanism gives the UA full control
17:34:46 <vgb_> ... so given that the information is useful, we should be open to it
17:35:07 <Hubert-PayPal> Hubert-PayPal has joined #webauthn
17:35:14 <vgb_> Hubert: maybe we should add explicit text saying that UA should prompt user to include geolocation
17:35:49 <vgb_> JeffH: seems like we have work to do regarding guidance on how to implement extensions and privacy, etc, implication
17:36:37 <vgb_> ... similar concerns apply to all extensions - UA should take into account the user's preferences / settings
17:37:06 <vgb_> rbarnes: yes, this was the concern - we need to make sure we provide strong privacy guidance to clients around extensions.
17:38:44 <vgb_> gmandyam: the usual approach has been to put in guidance and not place explicit requirements on client UI
17:39:07 <vgb_> ... getting rid of unprompted extensions gives the client tools to protect the user
17:39:53 <vgb_> rbarnes: now the UA becomes more complex, since the UA must ensure it has settings for all extensions it supports.
17:40:26 <vgb_> ... and potentially needs to check what the authenticator supports
17:41:57 <vgb_> Rolf: believe most extensions we have defined are not sensitive, and geolocation being prompted makes that one safe as well.
17:42:27 <vgb_> ... don't believe that RP would ask for all extensions, rather than limiting themselves to things they can use and know the authenticator can do
17:42:45 <weiler> present-
17:43:05 <vgb_> ... browser can just drop extensions it feels unsure about
17:43:11 <vgb_> JeffH: yes
17:43:36 <vgb_> nadalin: Giri, are you proposing this as a separate extension doc, or to be merged in to the base spec?
17:43:43 <vgb_> gmandyam: to be merged in
17:44:01 <JeffH> ...as pre-defined extension
17:44:02 <vgb_> ... no obligations on UAs to support or to pass through
17:44:21 <vgb_> ... do agree that it is good to define location object better
17:45:12 <vgb_> rbarnes: in that case would push back even harder on implying that pre-defined extensions should be passed through by clients
17:45:40 <vgb_> ... things that are sensitive need concomitant user opt-in
17:46:12 <JeffH> ...specificaly Rolf's proposed build on the new extsn text, see branch: https://github.com/w3c/webauthn/tree/rolf-extension-opt
17:46:29 <vgb_> gmandyam: since all extensions are prompted, should we add guidance saying that we recommend the UA prompt the user when an extension is requested?
17:47:04 <vgb_> rbarnes: that is probably more detail than we need
17:47:33 <vgb_> nadalin: have to go - fire alarm in building
17:47:53 <RobTrace> queue+
17:47:59 <JeffH> q+
17:49:06 <vgb_> gmandyam: interpret conclusion as - this extension should not be merged without also adding privacy guidance. will propose some text around that.
17:49:26 <rbarnes> ack Rolf
17:49:30 <rbarnes> ack RobTrace
17:49:44 <vgb_> RobTrace: share Richard's concerns around privacy, looking forward to seeing that etxt
17:50:56 <vgb_> JeffH: We should also discuss Rolf's proposed build on the PR#130 change. Should discuss on list and maybe create new issue.
17:51:04 <vgb_> Rolf: can withdraw that
17:52:00 <vgb_> rbarnes: propose to cancel calls on 6/29 and 7/20 due to conflicts with other conferences/meetings
17:52:12 <vgb_> ... hearing no objections, those calls are cancelled
17:52:24 <vgb_> ... no other business, adjourned
17:52:37 <wseltzer> present+ wseltzer
17:52:46 <wseltzer> zakim, list attendees
17:52:46 <Zakim> As of this point the attendees have been wseltzer
17:53:01 <wseltzer> rrsagent, draft minutes
17:53:01 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:53:35 <wseltzer> present+ JeffH, Rolf, rbarnes, gmandyam, apowers, vgp, weiler, Hubert-PayPal
17:53:45 <wseltzer> present+ nadalin
17:54:13 <wseltzer> present+ RobTrace
17:54:28 <wseltzer> rrsagent, make minutes
17:54:28 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:54:39 <wseltzer> zakim, list attendees
17:54:40 <Zakim> As of this point the attendees have been wseltzer, JeffH, Rolf, rbarnes, gmandyam, apowers, vgp, weiler, Hubert-PayPal, nadalin, RobTrace
17:54:59 <wseltzer> rrsagent, make minutes
17:54:59 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:55:14 <wseltzer> Chair: Tony Nadalin, Richard Barnes
17:56:10 <wseltzer> i|Vgb giving overview|nadalin: This week we wanted to finish up work on #130, after that we will move on to Giri's extension proposal
17:56:13 <wseltzer> rrsagent, make minutes
17:56:13 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:56:49 <wseltzer> s/vgb_/vgb/G
17:56:50 <wseltzer> rrsagent, make minutes
17:56:50 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:57:27 <wseltzer> s/vgp/vgb/
17:57:30 <wseltzer> rrsagent, make minutes
17:57:30 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:58:16 <wseltzer> present- vgp
17:58:17 <wseltzer> rrsagent, make minutes
17:58:17 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
17:58:36 <wseltzer> present+ aczeskis
17:58:43 <wseltzer> rrsagent, make minutes
17:58:43 <RRSAgent> I have made the request to generate http://www.w3.org/2016/06/22-webauthn-minutes.html wseltzer
18:55:23 <apowers> apowers has joined #webauthn
19:22:17 <apowers> apowers has joined #webauthn
19:53:57 <apowers> apowers has joined #webauthn
20:28:53 <Zakim> Zakim has left #webauthn