13 Jul 2016

See also: IRC log


jcj_moz, gmandyam, vgb, apowers, dirkbalfanz, rbarnes, Rolf, ketan


<wseltzer> scribenick: gmandyam

vgb: Rolf has two major proposals: (1) Move AGUID to attestation, and (2) Changing terminology around attestation

cgb: Rol's changes have been merged as of 07/12/16

vgb: Rolf's changes have been merged as of 07/12/16

JC: API aesthetics changes are primarily editorial. First change to be discussed: moving makeCredential from window. to navigator.
... Method belongs in navigator - it is part of the browser.

Meta: no objection expressed to moving makeCredential method to navigator

JC: "WebAuthentication" terminology is not typical. Recommend removing "web" from navigator.WebAuthentication (i.e. navigator.Authentication).

gmandyam note: navigator.authentication or navigator.Authentication? Seems like we will camel case.

<vgb> giri: we went from window.webauth to navigator.authentication - the first letter of each thing in the hierarchy is always lwoercased

JC: JC: Should we strongly type the returned assertion. Should it be an object or just something like a DOMString.

Group consensus was to keep returned assertion as object, as it is a convenience for e.g. local verification.

JC: Should extension ID's not use Java type naming, e.g. weabuth.extensionID? Prefer camel casing.

Group consensus: Camel casing for extension ID's are OK.

Group consensus (cont.'d): Underscores in addition to camel casing for indicating vendor identifiers.

JC: JC: Proposal to change ScopedCredentialParameters so that type/algm. can be specified separately. Will send follow up email to group.

gmandyam: Only one type for credentialType currently defined. Seems like we can remove type alltogether.

vgb: RP ID is currently not hashed in by the authenticator (as per spec). This can open up an attack where a compromised browser could send a bad RP ID to the authenticator.
... This allows the attacker to get a hold of a persisted credential on the compromised machine. The fix is to add RP ID to assertion and attestation.
... Latest PR has added the RP ID to auth data.

rbarnes: IETF issues impacting webauthn: token binding, new changes in TLS 1.3.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/07/13 17:56:26 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.144  of Date: 2015/11/17 08:39:34  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/Changing semantics to attestation/Changing terminology around attestation/
Found ScribeNick: gmandyam
Inferring Scribes: gmandyam

WARNING: No "Topic:" lines found.

Default Present: jcj_moz, gmandyam, vgb, apowers, dirkbalfanz, rbarnes, Rolf, ketan
Present: jcj_moz gmandyam vgb apowers dirkbalfanz rbarnes Rolf ketan

WARNING: No meeting title found!
You should specify the meeting title like this:
<dbooth> Meeting: Weekly Baking Club Meeting

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Got date from IRC log name: 13 Jul 2016
Guessing minutes URL: http://www.w3.org/2016/07/13-webauthn-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

[End of scribe.perl diagnostic output]