Web Authentication Working Group Teleconference

06 Jul 2016

See also: IRC log


wseltzer, tonynad, jeffh, selfissued, vgb, apowers, ketan, weiler, christiaan, rbarnes, RobTrace


<wseltzer> present=

<rbarnes> heh, i was about to make the same request

<rbarnes> anyone know why w3.org is down?

<apowers> https://mit.webex.com/mit/j.php?MTID=m5efd2927c573e7748740d42055207a28

<wseltzer> scribenick: selfissued

Issues in flight this week, JC, Vijay, Jeff

There has been activity with JC and Jeff and Vijay tweaking some aspects of the spec

We are talking about departing from the WebAppSec credential interface

Vijay: We no longer think that alignment makes sense

Jeff: I haven't reviewed this yet
... Mike West told Jeff that they should talk

Mike West is based in Munich

He might be able to come talk to us during IETF in Berlin in 2 weeks

There's a bunch of stuff in the HTTP working group on cookies

These are subtle issues. Tony would rather not close this without input from him.

Vijay wants to not pollute the global namespace

Jeff: Is there a document to reference for namespace usage guidance?

Richard: Other things that provide device access, such as gelocation, are in the navigator namespace

Jeff: We should get this written down. We have a wide audience for this spec.

Vijay: It would be good to not have two interfaces that talk about credentials that do different things
... We had a debate a while ago about what the credential type does
... It's essentially a signature format

Jeff will propose a new name

<JeffH> s/Jeff/JeffH/ :)

<wseltzer> https://github.com/w3c/webauthn/issues/107

Talking about issue #107 - signature format doesn't cover both contexts

Issue #86

Do we want it to be possible for authenticators to not do attestation?

Rolf: Brought up "nullable attestation"
... surrogate attestation is a self-signed object

<JeffH> surrogate attstn: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html#surrogate-basic-attestation

Rolf advocates supporting surrogate attestation

Jeff: You use the private key to sign

<apowers> one tangential point: note that the clientDataHash is stored in the attestation statement, so if you have null attestation the clientDataHash isn't signed / returned to the RP either

Rolf: A trust decision needs to be made about the authenticator

Discussions about what keys are used for what...

Vijay: You want to establish proof of possession of the private key.
... What's the alternative proposal?

Rolf: Sign with a JSON key - not a certificate

There will be a proposal made over e-mail

Vijay: Want to look at issue 84

Create an options dictionary rather than having lots of options at the end

No objections

Vijay: Those things are Vijay's first tier

Richard: Vijay should ping JC

<JeffH> ...on-list :)

The scoped credential thing is on Jeff's list

Jeff is travelling for the week before IETF

Tony: Jeff had produced an IANA draft
... We need to start putting that through the IETF process

Jeff: I need to revise it
... I will try to do this by Friday

We will meet next week but will skip the week of IETF

End of call

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/07/06 17:42:25 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.144  of Date: 2015/11/17 08:39:34  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

WARNING: Bad s/// command: s/Jeff/JeffH/  :)
Found ScribeNick: selfissued
Inferring Scribes: selfissued
Present: wseltzer tonynad jeffh selfissued vgb apowers ketan weiler christiaan rbarnes RobTrace

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 06 Jul 2016
Guessing minutes URL: http://www.w3.org/2016/07/06-webauthn-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]