17:12:03 RRSAgent has joined #webauthn
17:12:03 logging to http://www.w3.org/2016/07/13-webauthn-irc
17:12:05 On IRC I see dirkbalfanz, rbarnes, RobTrace, apowers, gmandyam, vgb, jcj_moz, Zakim, adrianba, trackbot, slightlyoff, mkwst, wseltzer
17:12:07 present+
17:12:18 scribenick: gmandyam
17:13:23 vgb: Rolf has two major proposals: (1) Move AGUID to attestation, and (2) Changing semantics to attestation
17:13:52 cgb: Rol's changes have been merged as of 07/12/16
17:14:09 vgb: Rolf's changes have been merged as of 07/12/16
17:15:19 JC: API aesthetics changes are primarily editorial. First change to be discussed: moving makeCredential from window. to navigator.
17:15:22 s/Changing semantics to attestation/Changing terminology around attestation/
17:15:56 JC: Method belongs in navigator - it is part of the browser.
17:16:12 Meta: no objection expressed to moving makeCredential method to navigator
17:22:11 JC: "WebAuthentication" terminology is not typical. Recommend removing "web" from navigator.WebAuthentication (i.e. navigator.Authentication).
17:23:11 gmandyam note: navigator.authentication or navigator.Authentication? Seems like we will camel case.
17:24:07 giri: we went from window.webauth to navigator.authentication - the first letter of each thing in the hierarchy is always lowercased
17:27:32 JC: Should we strongly type the returned assertion? Should it be an object or just something like a DOMString?
17:27:54 Group consensus was to keep returned assertion as object, as it is a convenience for e.g. local verification.
17:28:44 JC: Should extension ID's not use Java type naming, e.g. weabuth.extensionID? Prefer camel casing.
17:29:13 Group consensus: Camel casing for extension ID's is OK.
17:33:30 Group consensus (cont.'d): Underscores in addition to camel casing for indicating vendor identifiers.
17:38:15 Rolf has joined #webauthn
17:38:30 present+
17:39:07 JC: Proposal to change ScopedCredentialParameters so that type/algm. can be specified separately. Will send follow up email to group.
17:41:45 gmandyam: Only one type for credentialType currently defined. Seems like we can remove type altogether.
17:43:40 vgb: RP ID is currently not hashed in by the authenticator (as per spec). This can open up an attack where a compromised browser could send a bad RP ID to the authenticator.
17:44:57 vgb: This allows the attacker to get a hold of a persisted credential on the compromised machine. The fix is to add RP ID to assertion and attestation.
17:45:29 vgb: Latest PR has added the RP ID to auth data.
17:53:52 zakim, who is on call?
17:53:52 I don't understand your question, gmandyam.
17:54:06 zakim, who is on here?
17:54:06 I don't understand your question, gmandyam.
17:54:10 zakim, who is here?
17:54:10 Present: jcj_moz, gmandyam, vgb, apowers, dirkbalfanz, rbarnes, Rolf
17:54:12 On IRC I see Rolf, RRSAgent, dirkbalfanz, rbarnes, RobTrace, apowers, gmandyam, vgb, jcj_moz, Zakim, adrianba, trackbot, slightlyoff, mkwst, wseltzer
17:54:34 rbarnes: IETF issues impacting webauthn: token binding, new changes in TLS 1.3.
17:54:37 zakim, who is here?
17:54:37 Present: jcj_moz, gmandyam, vgb, apowers, dirkbalfanz, rbarnes, Rolf
17:54:39 On IRC I see Rolf, RRSAgent, dirkbalfanz, rbarnes, RobTrace, apowers, gmandyam, vgb, jcj_moz, Zakim, adrianba, trackbot, slightlyoff, mkwst, wseltzer
17:54:44 present+ ketan
17:55:56 zakim, list attendees
17:55:57 As of this point the attendees have been jcj_moz, gmandyam, vgb, apowers, dirkbalfanz, rbarnes, Rolf, ketan
17:56:05 rrsagent, draft minutes
17:56:05 I have made the request to generate http://www.w3.org/2016/07/13-webauthn-minutes.html wseltzer
17:56:20 rrsagent, make logs public
17:56:21 rrsagent, draft minutes
17:56:21 I have made the request to generate http://www.w3.org/2016/07/13-webauthn-minutes.html wseltzer