<weiler> trackbot, start meeting
<weiler> scribenick: angelo_
The meeting is starting
j.c. will scribe next week
We are looking at 344
Jeff thinks RelyingPartyAccount may not be the best one
Jeff will add me to the review list
Kim doesn't have a strong opinion here and can wait until later
Both J.C. and I agree 344 is not a big issue and we should focus on other things
We are looking at 347
Vijay has submitted the reviews this morning and J.C. read about this one
JeffH proposes we should go ahead merging 347
He and Vijay will go after later to polish
He has a PR to update getAssertion so he can start getting that going
Alright Vijay will merge this PR and submit a separate PR to polish this
We are looking at 348
The question is whether verification gesture should be part of getAssertion
A possibility is an authenticator may have multiple modalities
<jeffh> jeffh: this is postulating an alteration to the webauthn authnr model
<jeffh> ...and is nominally handled by the UVM extension (rolf)
<jeffh> ... we need to figure out whether it is done via extension or done as a part of the API directly
<jeffh> angelo_: proposes to alter the PR to be a modification to getAssertion() (?)
<jeffh> ...only ?
I will remove user verification parameter from getAssertion
based on our belief that we consider in the majority case, there is one category of authenticators that does user verification and another category of device that doesn't do user verification
<jeffh> rolf: ok, so makecredential can be used to select authnr with desired properties, and then UVM can be used at getAssertion time
Alexei believes our desire is to define the user experience here instead of security levels
Giri: this particular option we want to add may not be a user experience issue
Alexei: the general consensus in the F2F is that there's a whole class of UX that cannot be built without having this ability
<jeffh> gmandyam: how are we defining user verification
thank you jeff
<jeffh> alexei: platform asks authnrs whether they support user verif, and selects the ones that can
To enforce this, the authenticator will have a bit to tell the platform whether they support user verif
Alexei: the authenticator will self-declare whether they support user-verif
Giri: what about qualcomm chips that give location to do user verification
<jeffh> gmandyam: thinks the assumed user verification definition this PR is based on is not fine-grained enough
I will make additional changes and Giri will review the changes
<jeffh> angelo_: explains #350
<jeffh> https://github.com/w3c/webauthn/pull/350
<jeffh> jcj_moz: hm, RP is going to have to handle this error as well as timeout
<jeffh> angelo_: tho it gives the RP more info wrt what is going on
<jeffh> vgb: this pr has two purposes, 1) allowing rp more info 2) bail out more early instead of waiting for the entire timeout period
<jeffh> angelo_: yeah, it may fail out faster, plus the RP knows more about why...
<jeffh> vgb: if rp is going to handle this same as notallowederror then the main point here is the failing out earlier....
<Rolf> It is important to prevent an RP from recognizing the client platform without involving the user. So returning an error if *no* authenticator is available is ok (IMHO), but allowing the RP to determine which authenticators are available will lead to privacy degradation.
We are looking at 352
Vijay took a look at 352 and is ok with merging
We are looking at 365
The PR 365 is motivated by 348 and would help 348 become clearer
Jeff looked at more biometric literature and found more details about user verification and how we describe those
Let's look at 367
I will make a PR to 367 and we can discuss more at that time
Jeff added CTAP tags on the issue. We need to help CTAP spec stabilize and get to implementer's draft by May
It'd be appreciated if people who understand CTAP can help resolve issues related to the CTAP spec
Present: angelo, vgb, gmandyam, jcj_moz, nadalin, Rolf, apowers, jeffh, selfissued, kpaulh, alexei, alexei-goog
Regrets: rbarnes, weiler
Scribe: angelo_
Date: 01 Mar 2017
Minutes URL: http://www.w3.org/2017/03/01-webauthn-minutes.html