See also: IRC log
<wseltzer> scribenick: gmandyam
vgb: Rolf has two major proposals: (1) Move AGUID to attestation, and (2) Changing terminology around attestation
cgb: Rol's changes have been merged as of 07/12/16
vgb: Rolf's changes have been merged as of 07/12/16
JC: API aesthetics changes are
primarily editorial. First change to be discussed: moving
makeCredential from window. to navigator.
... Method belongs in navigator - it is part of the
browser.
Meta: no objection expressed to moving makeCredential method to navigator
JC: "WebAuthentication" terminology is not typical. Recommend removing "web" from navigator.WebAuthentication (i.e. navigator.Authentication).
gmandyam note: navigator.authentication or navigator.Authentication? Seems like we will camel case.
<vgb> giri: we went from window.webauth to navigator.authentication - the first letter of each thing in the hierarchy is always lwoercased
JC: JC: Should we strongly type the returned assertion. Should it be an object or just something like a DOMString.
Group consensus was to keep returned assertion as object, as it is a convenience for e.g. local verification.
JC: Should extension ID's not use Java type naming, e.g. weabuth.extensionID? Prefer camel casing.
Group consensus: Camel casing for extension ID's are OK.
Group consensus (cont.'d): Underscores in addition to camel casing for indicating vendor identifiers.
JC: JC: Proposal to change ScopedCredentialParameters so that type/algm. can be specified separately. Will send follow up email to group.
gmandyam: Only one type for credentialType currently defined. Seems like we can remove type alltogether.
vgb: RP ID is currently not
hashed in by the authenticator (as per spec). This can open up
an attack where a compromised browser could send a bad RP ID to
the authenticator.
... This allows the attacker to get a hold of a persisted
credential on the compromised machine. The fix is to add RP ID
to assertion and attestation.
... Latest PR has added the RP ID to auth data.
rbarnes: IETF issues impacting webauthn: token binding, new changes in TLS 1.3.
This is scribe.perl Revision: 1.144 of Date: 2015/11/17 08:39:34 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/Changing semantics to attestation/Changing terminology around attestation/ Found ScribeNick: gmandyam Inferring Scribes: gmandyam WARNING: No "Topic:" lines found. Default Present: jcj_moz, gmandyam, vgb, apowers, dirkbalfanz, rbarnes, Rolf, ketan Present: jcj_moz gmandyam vgb apowers dirkbalfanz rbarnes Rolf ketan WARNING: No meeting title found! You should specify the meeting title like this: <dbooth> Meeting: Weekly Baking Club Meeting WARNING: No meeting chair found! You should specify the meeting chair like this: <dbooth> Chair: dbooth Got date from IRC log name: 13 Jul 2016 Guessing minutes URL: http://www.w3.org/2016/07/13-webauthn-minutes.html People with action items: WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option. WARNING: No "Topic: ..." lines found! Resulting HTML may have an empty (invalid) <ol>...</ol>. Explanation: "Topic: ..." lines are used to indicate the start of new discussion topics or agenda items, such as: <dbooth> Topic: Review of Amy's report[End of scribe.perl diagnostic output]