Web Authentication Working Group Teleconference

22 Jun 2016

See also: IRC log


Hubert-PayPal, JeffH, RobTrace, Rolf, apowers, gmandyam, nadalin, rbarnes, vgb, weiler, wseltzer, aczeskis
Tony Nadalin, Richard Barnes


<inserted> nadalin: This week we wanted to finish up work on #130, after that we will move on to Giri's extension proposal

<nadalin> Vgb giving overview of his pull request from last week

<weiler> scribenick: vgb

rbarnes: generally, #130 looks okay
... a little concerned that we don't have privacy considerations well fleshed out yet

nadalin: do people believe we have closure on PR #130?

JeffH: need to read more

rbarnes: agree

vgb: clarification - we did discuss this in detail last week, this morning's commit was wordsmithing in a non-normative context
... we had discussed last week about merging this in

aczeskis: yes, reviewed all commits in detail before merging it, but please do bring up any feedback or disagreements on the list

<nadalin> so please review the #130 merge and post to list if you agree or disagree

Rolf: last week we discussed moving AAGUID from extension to attestation - would like to create a new issue for doing that
... and would do a PR. Feedback?

JeffH/nadalin: go for it.

Rolf: how about issue #108 to remove attestation entirely?

JeffH/nadalin: work with the text as is, make progress and force the issue.

nadalin: any more questions on #130? if not, please read offline and reply to list if any thoughts.

JeffH: let's set a deadline

nadalin: let's say Monday
... 6/27
... On to Giri's request for loc extension

<Rolf> move AAGUID extension --> packed attestation now tracked in issue 132.

rbarnes: clarifying earlier reaction as a general matter - specifying formats does seem desirable
... strong concerns around user privacy and experience, specifically with geolocation
... seems like there is already an existing method for geolocation information, so it seems unnecessary to exacerbate such issues by adding them into authenticators
... concern is that as we get into (even if perhaps useful) things that go beyond basic device-based proof of possession, that complicates our mission and makes it much harder to scope issues

gmandyam: now that all extensions are prompted, the client has a stronger role and the ability to filter extensions
... also, there are many participants who want to go beyond basic PoP and do more complicated things. This falls into that bucket.

rbarnes: Note that our charter is written more narrowly, and does not explicitly cover such extended uses. It also seems feasible to carve off this additional scope and make it a separate mechanism.

gmandyam: Do you have a larger concern about extensions in general?

rbarnes: willing to be more flexible if there is some strong control. but yes, there is general concern that any extensions can be used in bad ways, so we should minimize this exposure.

Rolf: re: complexity, the expectation is that the UA does the right thing by the user and does not need to complicate the UX beyond what it already has (e.g.. privacy settings).
... existing API mechanism gives the UA full control
... so given that the information is useful, we should be open to it

Hubert: maybe we should add explicit text saying that UA should prompt user to include geolocation

JeffH: seems like we have work to do regarding guidance on how to implement extensions and privacy, etc, implication
... similar concerns apply to all extensions - UA should take into account the user's preferences / settings

rbarnes: yes, this was the concern - we need to make sure we provide strong privacy guidance to clients around extensions.

gmandyam: the usual approach has been to put in guidance and not place explicit requirements on client UI
... getting rid of unprompted extensions gives the client tools to protect the user

rbarnes: now the UA becomes more complex, since the UA must ensure it has settings for all extensions it supports.
... and potentially needs to check what the authenticator supports

Rolf: believe most extensions we have defined are not sensitive, and geolocation being prompted makes that one safe as well.
... don't believe that RP would ask for all extensions, rather than limiting themselves to things they can use and know the authenticator can do
... browser can just drop extensions it feels unsure about

JeffH: yes

nadalin: Giri, are you proposing this as a separate extension doc, or to be merged in to the base spec?

gmandyam: to be merged in

<JeffH> ...as pre-defined extension

gmandyam: no obligations on UAs to support or to pass through
... do agree that it is good to define location object better

rbarnes: in that case would push back even harder on implying that pre-defined extensions should be passed through by clients
... things that are sensitive need concomitant user opt-in

<JeffH> ...specificaly Rolf's proposed build on the new extsn text, see branch: https://github.com/w3c/webauthn/tree/rolf-extension-opt

gmandyam: since all extensions are prompted, should we add guidance saying that we recommend the UA prompt the user when an extension is requested?

rbarnes: that is probably more detail than we need

nadalin: have to go - fire alarm in building

gmandyam: interpret conclusion as - this extension should not be merged without also adding privacy guidance. will propose some text around that.

RobTrace: share Richard's concerns around privacy, looking forward to seeing that etxt

JeffH: We should also discuss Rolf's proposed build on the PR#130 change. Should discuss on list and maybe create new issue.

Rolf: can withdraw that

rbarnes: propose to cancel calls on 6/29 and 7/20 due to conflicts with other conferences/meetings
... hearing no objections, those calls are cancelled
... no other business, adjourned

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/06/22 17:58:48 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.144  of Date: 2015/11/17 08:39:34  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/#110/#108/
Succeeded: i|Vgb giving overview|nadalin: This week we wanted to finish up work on #130, after that we will move on to Giri's extension proposal
Succeeded: s/vgb_/vgb/G
Succeeded: s/vgp/vgb/
Found ScribeNick: vgb
Inferring Scribes: vgb

WARNING: No "Topic:" lines found.

Default Present: wseltzer, JeffH, Rolf, rbarnes, gmandyam, apowers, vgb, weiler, Hubert-PayPal, nadalin, RobTrace
Present: Hubert-PayPal JeffH RobTrace Rolf apowers gmandyam nadalin rbarnes vgb weiler wseltzer aczeskis
Found Date: 22 Jun 2016
Guessing minutes URL: http://www.w3.org/2016/06/22-webauthn-minutes.html
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

[End of scribe.perl diagnostic output]