16:35:52 <RRSAgent> RRSAgent has joined #webauthn
16:35:52 <RRSAgent> logging to http://www.w3.org/2017/03/01-webauthn-irc
16:35:54 <Zakim> Zakim has joined #webauthn
16:37:40 <weiler> weiler has joined #webauthn
16:38:07 <weiler> rrsagent, pointer?
16:38:07 <RRSAgent> See http://www.w3.org/2017/03/01-webauthn-irc#T16-38-07
16:38:24 <weiler> trackbot, start meeting
16:38:27 <trackbot> RRSAgent, make logs public
16:38:30 <trackbot> Zakim, this will be
16:38:30 <trackbot> Meeting: Web Authentication Working Group Teleconference
16:38:30 <trackbot> Date: 01 March 2017
16:38:30 <Zakim> I don't understand 'this will be', trackbot
16:38:32 <weiler> zakim, who's here?
16:38:32 <Zakim> Present: (no one)
16:38:34 <Zakim> On IRC I see weiler, Zakim, RRSAgent, slightlyoff, wseltzer, trackbot, adrianba, mkwst_ooo, schuki, jcj_moz
16:39:09 <weiler> topic: https://lists.w3.org/Archives/Public/public-webauthn/2017Mar/0000.html
16:39:19 <weiler> weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Mar/0000.html
16:48:34 <weiler> regrets+ rbarnes
17:59:22 <weiler> weiler has joined #webauthn
18:00:16 <Rolf> Rolf has joined #webauthn
18:01:07 <weiler> regrets+ weiler
18:01:22 <vgb> vgb has joined #webauthn
18:01:50 <apowers> apowers has joined #webauthn
18:01:52 <weiler> present+ angelo, vgb, gmandyam, jcj_moz,
18:01:57 <angelo> angelo has joined #webauthn
18:02:16 <weiler> present+ nadalin
18:02:23 <weiler> zakim, who's here?
18:02:23 <Zakim> Present: angelo, vgb, gmandyam, jcj_moz, nadalin
18:02:25 <Zakim> On IRC I see angelo, apowers, vgb, Rolf, weiler, Zakim, RRSAgent, slightlyoff, wseltzer, trackbot, adrianba, mkwst_ooo, schuki, jcj_moz
18:02:31 <Rolf> present+
18:02:53 <jeffh> jeffh has joined #webauthn
18:03:29 <gmandyam> gmandyam has joined #webauthn
18:03:36 <apowers> present+
18:03:36 <gmandyam> present+ gmandyam
18:03:51 <jeffh> present+ jeffh
18:04:08 <weiler> scribenick: angelo
18:04:37 <weiler> present+ selfissued
18:05:23 <kpaulh> kpaulh has joined #webauthn
18:06:22 <angelo_> angelo_ has joined #webauthn
18:07:22 <angelo_> The meeting is starting
18:07:23 <weiler> present+ kpaulh, alexei
18:07:31 <angelo_> j.c. will scribe next week
18:09:25 <angelo_> WWe are looking at 344
18:09:59 <angelo_> Jeff thinks RelyingPartyAccount may not be the best one
18:10:28 <angelo_> Jeff will add me to the review list
18:10:45 <angelo_> Kim doesn't have a strong opinion here and can wait until later
18:11:44 <angelo_> Both J.C. and I agree 344 is not a big issue and we should focus on other things
18:12:14 <angelo_> We are looking at 347
18:12:32 <angelo_> Vijay has submitted the reviews this morning and J.C. read about this one
18:13:16 <angelo_> J.C. proposes we should go ahead merging 347
18:13:28 <angelo_> He and Vijay will go after later to polish
18:13:39 <vgb> s/J.C./JeffH/
18:14:08 <angelo_> He has a PR to update getAssertion so he can start get that going
18:15:17 <angelo_> Alright Vijay will merge this PR and submit a separate PR to polish this
18:17:27 <alexei-goog> alexei-goog has joined #webauthn
18:17:31 <alexei-goog> present+
18:19:29 <angelo_> We are looking at 348
18:19:58 <angelo_> The question is whether verification gesture should be part of getAssertion
18:20:47 <angelo_> A possibility is an authenticator may have multiple modality
18:23:36 <jeffh> jeffh: this is postulating a alteration to the webauthn authnr model
18:24:07 <jeffh> ...and is nominally handled by the UVM extension (rolf)
18:25:40 <jeffh> ... we need to figure out whether it is done via extension or done as a part of the API directly
18:26:24 <jeffh> angelo_: proposes to alter the PR to be a modification to getAssertion() (?)
18:26:33 <jeffh> ...only ?
18:27:15 <angelo_> I will remove user verification parameter from getAssertion
18:28:13 <angelo_> based on our belief that we consider in the majority case, there is one category of authenticators that does user verification and another category of device tha doesn't do user verification
18:28:26 <jeffh> rolf: ok, so makecredential can be used to select authnr with desired properties, and then UVM can be used at getAssertion time
18:31:02 <angelo_> Alexei believes our desire is to define the user experience here instead of security levels
18:32:17 <angelo_> Giri: this particular option we want to add may not be a user experience issue
18:34:29 <angelo_> Alexei: the general consensus in the F2F is that there's a whole class of UX that cannot be built without having this ability
18:36:29 <jeffh> gmandyam: how are we defining user verification
18:36:36 <angelo_> thank you jeff
18:36:55 <jeffh> alsexei: platform asks authnrs whether they support user verif, and selects the ones that can
18:37:14 <angelo_> To enforce this, the authenticator will have a bit to tell the platform whether they support user verif
18:38:04 <angelo_> Alexei: the authenticator will self-declare whether they support user-verif
18:39:24 <selfissued> selfissued has joined #webauthn
18:39:37 <angelo_> Giri: what about qualcomm chips that give location to do user verification
18:40:57 <jeffh> gmandyam: thinks the assumed user verification definition this PR is based on is not fine-grained enough
18:42:00 <angelo_> I will make additional changes and Giri will review the changes
18:44:34 <jeffh> topic: PR #350 throw notfounderror
18:44:51 <jeffh> angelo_: explains #350
18:45:07 <jeffh> https://github.com/w3c/webauthn/pull/350
18:45:45 <jeffh> jcj_moz: hm, RP is going to have to handle this error as well as timeout
18:46:03 <jeffh> angelo_: tho it gives the RP more info wrt what is going on
18:46:46 <jeffh> vgb: this pr has two purposes, 1) allowing rp more info 2) bail out more early instead of waiting for the entire timeout period
18:47:47 <jeffh> angelo_: yeah, it may fail out faster, plus the RP knows more about why...
18:48:26 <jeffh> vgb: if rp is going to handle this same as notallowederror then the main point here is the failing out earlier....
18:49:19 <Rolf> It is important to prevent an RP to recognize the client platform without involving the user.  So returning an error if *no* authenticator is available is ok (IMHO), but allowing the RP the determine which authenticator are available will lead to privacy degradation.
18:51:19 <angelo_> We are looking at 352
18:51:46 <angelo_> Vijay took a look at 352 and is ok with merging
18:51:57 <angelo_> We are looking at 365
18:52:21 <angelo_> The PR 365 is motivated by 348 and would help 348 becoming clearer
18:53:31 <angelo_> Jeff looked at more biometric literature and found more details about user verification and how we describe those
18:56:03 <angelo_> Let's look at 367
18:57:36 <angelo_> I will make a PR to 367 and we can discuss more at that time
18:59:17 <angelo_> Jeff added CTAP tags on the issue. We need to help CTAP spec stabilize and get to implementer's draft by May
18:59:47 <angelo_> It'd be appreciated if people who understand CTAP can help resolve issues related to the CTAP spec
19:39:56 <weiler> weiler has joined #webauthn
19:40:34 <weiler> rrsagent, make log public
19:40:41 <weiler> rrsagent, draft minutes
19:40:41 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/01-webauthn-minutes.html weiler
19:41:44 <weiler> s/scribenick: angelo/scribenick: angelo_/
19:41:46 <weiler> rrsagent, draft minutes
19:41:46 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/01-webauthn-minutes.html weiler
19:46:05 <weiler> zakim, list participants
19:46:05 <Zakim> As of this point the attendees have been angelo, vgb, gmandyam, jcj_moz, nadalin, Rolf, apowers, jeffh, selfissued, kpaulh, alexei, alexei-goog
19:46:17 <weiler> rrsagent, draft minutes
19:46:17 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/01-webauthn-minutes.html weiler