Web Authentication Working Group Teleconference

20 Sep 2016


See also: IRC log


JeffH, alexei-goog, gmandyam, jcj_moz, nadalin, rbarnes, weiler, wseltzer, yaronf(remote), Ketan, Rolf, selfissued, SamSrinivas, Axel, RobTrace, vgb, dirkbalfanz


<wseltzer> present=

<yaronf> @wseltzer: are you joining WebEX?

<yaronf> Thx!

<yaronf> You are on WebEX but there's no audio.

<rbarnes> https://public.etherpad-mozilla.org/p/webauthn-tpac-2016

<yaronf> I can hear you, but quality is real bad.

<rbarnes> sam agreed to scribe, but i don't see him here

Introductions by all.

<weiler> scribenick: SamSrinivas

Spec updates from VGB

Richard asks Vijay to give overview of status

<JeffH> SamS or SamW scribe?

<rbarnes> SamS

<JeffH> oh SamS

Vijay giving big view: We are focusing on looking through end to end scenarios.

<rbarnes> relevant repo for those following along: https://github.com/w3c/webauthn

One set of PRs is focuses on that. Two large issues in current list: (Issue 1) Attestation -- Rolf and Vijay discussing extensively (Issue 2) Origins --- what that means. Jeff has PR which does a lot of that.

(SamW, glad for you to take over -- let me know -- either way)

Vijay says: i18n folks asked us how we are doing -- some places where we need to pay attention -- prompt messages, internaationalized origin names (domian names).

We have not had objections to the security model etc for a while -- meaning not fundamental structural issues. Vijay would like to get to implementations rolling.

Agenda bash. Afternoon Google people wants to talk about compatibility with u2f, later afternoon accessibility issues discussion.

sorry "google wants to talk about compatiblity with u2f".

Tony: We have to decide whether we want to WD-03 before we go with CR.

Vijay: We should get to more frequent working drafts, perhaps every other week as we work through the existing issues after current pull requests -- there are 60 issues.

Tony: Problem is that other groups watching us will complain about having to watch through frequent change. We should have milestones which 'external' people can invest in for review -- we should mark those in some way.

Vijay: Pull request convergence has become slow -- wiating times one month. We should have quicker cadence and frequent WD will force that.

Tony: Let us now discuss open pull requests.

<rbarnes> https://github.com/w3c/webauthn/pull/161

We have outstanding attestation PR #161 -- vijay and rolf?

Rolf: Am happy in general with current status. Wouild like to get feedback on readability.

Vijay: Downside of having it in PR means it is not in WD and so very limited set of peole reviewing it. We should merge it in and there may be issues like incompletenees of TPM structure. But those are minor can can be fixed.
... (Okes the pull request in real time)

<rbarnes> https://github.com/w3c/webauthn/pull/194

Tony: #194 Transport Hints

Alexei: is a narrative of what exactly client does with transport hints.

Tony: Can you fix markup issues and merge it in?

Alexei: I think that is what we should do.

Jeff: The enum does not include plain Bluetooth

Alexei: The reason is we didn't need it in U2F coz nobody wanted to implement it.

Rolf: What are people using then?

Alexei: Bluetooth Low Energy (as against classic Bluetooth)

Tony: Alexei, you'll fix and create new issue?

Alexei: Yes

<rbarnes> https://github.com/w3c/webauthn/pull/196

Tony: #196: Few outstanding technical issues Vijay opened this morning

Vijay: Need to be explicit about what errors are thrown in what situation. Havent' gotten a lot of feed back.

Tony: Didn't Yaron ask about this?

Vijay: No, he was talking about whether we have privacy leaks thrygh errors rather than what the error details are. That's my recollection.

Jeff: Question: Why do you call it scoped credential description and use the term 'descriptor'?

Vijay: We will make it consistent to 'descriptor'
... any other opinions?

Room: Silence

Tony: So will you close that out?

Vijay: Will do it during the day today.

<rbarnes> https://github.com/w3c/webauthn/pull/198

Richard: What we are doing here is transitioning from the client computing the origin to it being speciied by the caller. Isn't that material change?

Vijay: We are saying that the client will check what is specified and make sure it is permitted.

<SamSrinivas_> Mike: I'll review 201 right now.

<SamSrinivas_> Jeff: will resolve 202.

<SamSrinivas_> Tony: We have 203

<SamSrinivas_> Jeff: This is simple, adds secure context qualifier to all interfaces in the API.

<rbarnes> https://github.com/w3c/webauthn/issues/6

<rbarnes> https://github.com/w3c/webauthn/issues/8

Brad: Security Context went to CR last week.

Tony: We need to create a milestone (in response to Jeff). Next we have #53, error codes.

VIjay: This will merge along with error code changes.

Tony: We have #160

Jeff: That is fixed.

JC: Has reviewed, is ok.

Dirk: What algorithm are using to jump between issues?

Tony: All issues tagged with WD-02. We are trying to close those today.
... #173

Jeff: Fixed in a pull request

Tony: #174?

Giri: I couldn't find it in the standard. It meant something else.

Vijay: It has been renamed to 'origin'.

Dirk: I'll close.

Vijay: Don't close -- there is an outstanding PR.. Jeff's changes

Dirk: which giant PR?

Vijay: #202

Tony: #178

Jeff: Will close

Tony: #179? Utf8 string?

Jeff: I

will fix this. But its not fixed rightnow.

Tony: That takes through open WD-02 issues.

Giri: #200?

JC: It just got closed 5 minutes before.

Tony: Will you do a republish?

Vijay: Yes

Richard: Is WD-02 closed for issues?

Tony: Yes, issues will go against WD-03.

Richard: 3 weeks between WD drafts. Anyone object?

Vijay: Seems ok --- aligned with calls.
... Hoping to get to last call within next few WDs.

Richard: We have a CR milestone for Oct 31. Reminder.

Alexei: Hiint; Get on a VPN and network issues go away.

Tony: Short break until network problems resolve.

Vijay, Jeff: #12 -- assign to WD-03

Vijay: #13 --may have addressed this already.

Jeff: Vijay will reference this in a PR which will be merged

Vijay: #22 -- we can put this beyond CR and do it in V2 of spec

Sam, Alexei, Tony: Use case discussion: Authenticaiton required at remote machine. Authenticator present on local machine.

Richard: Different point. Can there be a situaton where the test of user presence = 0.

Giri: Example, presence of a TPM,

Richard: We should have tesst of user presence = 0 as an option

Vijay: We can just say "Set the bit to 1" in the spec and not handle it in v1 of spec.
... Spec already says so.

Jeff: We should put this in Level 2 (= v2).

Vijay: Level is w3c terms which usually means 'version' elsewhere.

Tony: Issue #24 hasn't had updates for a while

Jeff: There are diagrams which need review

Vijay: Will review

Issue #25 Server challenge time out

Vijay: That was addressed in one of my PRs, and when I check it in it should close.

Tony: WIll be WD-02
... There is a youtube video of paint drying.

<rbarnes> https://www.youtube.com/watch?v=nGA-GCq7JWM

<rbarnes> https://github.com/w3c/webauthn/issues/66

<schuki> https://github.com/w3c/webauthn

Mike: Which issue are we not discussing?

Tony: Jeff on issue #66

<nadalin> https://github.com/w3c/webauthn/issues/66

Jeff: If someone agrees with my resolution close it.

TOny: #79 has had not activity for a quite a whi.e

Alexei: Leave it at CR

Tony: #85?

Vijay: non-normative -- can be in security considerations, is not affecting spec.

not affecting normatively, that is.

Tony: #87

Vijay: wonder whether this is relevant any more
... Will change text to adjust to this

Tony: #91 could be a blocker for CR?

JC: Would people vote no?
... It is not normative.

Vijay: This is about "how to write a server" and this is strange to have here.

Dirk: I found the example this points to and that doc says "this explainer doc is out of sync with spec - read the spec instead"!

Tony: Put in comments "Will address this post-CR"

Richard: Well, this group is not chartered to do this, actually. Lets close this.
... Has been closed

Vijay: #95will close.
... #102 will be done by Vijay

Alexei: #116 leave it open

Jeff: leave #125 open for CR

RIchard: #131 is simple editorial word fix

#133 and #208 resolved togetehr with clarifying text. Giri to do it.

<weiler> breaking for one hour , 'til 1pm local. U2F at 1pm, followed by implementation.

<wseltzer> [closed the Webex]

<weiler> does anyone need or want WebEx?

<weiler> (WebEx is up and running, just in case.)

<harry> re extensions as long as there's no MUST/SHOULD normative text and it's clearly marked as extensions, should be fine

<harry> I think testing IdP/RP support is something W3C is not optimized for, but would be worth a discussion and I'm sure somehting reasonable is possible.

<rbarnes> though i'm not really enthusiastic about having things specified that aren't implemented

<harry> agreed.

<harry> I think you'd have to argue for it.

<weiler> http://www.w3.org/2016/09/20-webauthn-minutes.html

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/09/20 14:13:41 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.144  of Date: 2015/11/17 08:39:34  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/with issues/with u2f/
Found ScribeNick: SamSrinivas
Inferring Scribes: SamSrinivas
Present: JeffH alexei-goog gmandyam jcj_moz nadalin rbarnes weiler wseltzer yaronf(remote) Ketan Rolf selfissued SamSrinivas Axel RobTrace vgb dirkbalfanz
Agenda: https://public.etherpad-mozilla.org/p/webauthn-tpac-2016

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 20 Sep 2016
Guessing minutes URL: http://www.w3.org/2016/09/20-webauthn-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

[End of scribe.perl diagnostic output]