W3C

- DRAFT -

Web Authentication Working Group Teleconference

01 Mar 2017

See also: IRC log

Attendees

Present
angelo, vgb, gmandyam, jcj_moz, nadalin, Rolf, apowers, jeffh, selfissued, kpaulh, alexei, alexei-goog
Regrets
rbarnes, weiler
Chair
SV_MEETING_CHAIR
Scribe
angelo_



<weiler> trackbot, start meeting

https://lists.w3.org/Archives/Public/public-webauthn/2017Mar/0000.html

<weiler> scribenick: angelo_

The meeting is starting

j.c. will scribe next week

We are looking at 344

Jeff thinks RelyingPartyAccount may not be the best one

Jeff will add me to the review list

Kim doesn't have a strong opinion here and can wait until later

Both J.C. and I agree 344 is not a big issue and we should focus on other things

We are looking at 347

Vijay has submitted the reviews this morning and J.C. read about this one

JeffH proposes we should go ahead merging 347

He and Vijay will go after later to polish

He has a PR to update getAssertion so he can start getting that going

Alright Vijay will merge this PR and submit a separate PR to polish this

We are looking at 348

The question is whether verification gesture should be part of getAssertion

A possibility is an authenticator may have multiple modalities

<jeffh> jeffh: this is postulating an alteration to the webauthn authnr model

<jeffh> ...and is nominally handled by the UVM extension (rolf)

<jeffh> ... we need to figure out whether it is done via extension or done as a part of the API directly

<jeffh> angelo_: proposes to alter the PR to be a modification to getAssertion() (?)

<jeffh> ...only ?

I will remove user verification parameter from getAssertion

based on our belief that we consider in the majority case, there is one category of authenticators that does user verification and another category of device that doesn't do user verification

<jeffh> rolf: ok, so makecredential can be used to select authnr with desired properties, and then UVM can be used at getAssertion time

Alexei believes our desire is to define the user experience here instead of security levels

Giri: this particular option we want to add may not be a user experience issue

Alexei: the general consensus in the F2F is that there's a whole class of UX that cannot be built without having this ability

<jeffh> gmandyam: how are we defining user verification

thank you jeff

<jeffh> alexei: platform asks authnrs whether they support user verif, and selects the ones that can

To enforce this, the authenticator will have a bit to tell the platform whether they support user verif

Alexei: the authenticator will self-declare whether they support user-verif

Giri: what about qualcomm chips that give location to do user verification

<jeffh> gmandyam: thinks the assumed user verification definition this PR is based on is not fine-grained enough

I will make additional changes and Giri will review the changes

PR #350 throw notfounderror

<jeffh> angelo_: explains #350

<jeffh> https://github.com/w3c/webauthn/pull/350

<jeffh> jcj_moz: hm, RP is going to have to handle this error as well as timeout

<jeffh> angelo_: tho it gives the RP more info wrt what is going on

<jeffh> vgb: this pr has two purposes, 1) allowing rp more info 2) bail out more early instead of waiting for the entire timeout period

<jeffh> angelo_: yeah, it may fail out faster, plus the RP knows more about why...

<jeffh> vgb: if rp is going to handle this same as notallowederror then the main point here is the failing out earlier....

<Rolf> It is important to prevent an RP from recognizing the client platform without involving the user. So returning an error if *no* authenticator is available is ok (IMHO), but allowing the RP to determine which authenticators are available will lead to privacy degradation.

We are looking at 352

Vijay took a look at 352 and is ok with merging

We are looking at 365

The PR 365 is motivated by 348 and would help 348 become clearer

Jeff looked at more biometric literature and found more details about user verification and how we describe those

Let's look at 367

I will make a PR to 367 and we can discuss more at that time

Jeff added CTAP tags on the issue. We need to help CTAP spec stabilize and get to implementer's draft by May

It'd be appreciated if people who understand CTAP can help resolve issues related to the CTAP spec

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/03/01 19:46:22 $
