16:41:08 RRSAgent has joined #webauthn 16:41:08 logging to http://www.w3.org/2017/04/14-webauthn-irc 16:59:14 vgb has joined #webauthn 17:00:50 present+ 17:00:59 present+ 17:02:34 present+ jcj_moz, dominic 17:02:55 present+ nadalin 17:02:59 present+ mkwst 17:03:11 apowers has joined #webauthn 17:03:56 battre has joined #webauthn 17:04:08 zakim, who is here? 17:04:08 Present: vgb, wseltzer, jcj_moz, dominic, nadalin, mkwst 17:04:10 On IRC I see battre, apowers, vgb, RRSAgent, Zakim, wseltzer, jyasskin, jcj_moz, schuki, adrianba, jochen___, slightlyoff, mkwst, trackbot 17:04:17 jeffh has joined #webauthn 17:04:53 present+ jeffh 17:05:00 present+ battre 17:05:27 present+ 17:05:54 present+ dirk alexei 17:06:46 present+ apowers 17:06:54 alexei-goog has joined #webauthn 17:07:00 present+ 17:07:04 zakim, who is here? 17:07:04 Present: vgb, wseltzer, jcj_moz, dominic, nadalin, mkwst, jeffh, battre, jyasskin, dirk, alexei, apowers, alexei-goog 17:07:07 On IRC I see alexei-goog, jeffh, battre, apowers, vgb, RRSAgent, Zakim, wseltzer, jyasskin, jcj_moz, schuki, adrianba, jochen___, slightlyoff, mkwst, trackbot 17:07:37 angelo has joined #webauthn 17:08:28 present+ angelo 17:08:58 Let's start from 397 17:09:34 https://github.com/w3c/webauthn/pull/397 17:10:16 selfissued has joined #webauthn 17:10:43 Alexei is ok with merging it without further changes 17:11:56 J.C. and Jeff would like some editorial changes to be done 17:14:51 MikeW will change the text according to what Jeff wants and then Mike will merge it. 17:15:24 That last comment was for 397 17:16:10 For 398, Mike will make editorial changes today and will merge. 17:18:17 For 399, Jeff is fine with the overall idea but would like some small changes 17:19:14 We are looking through every comment on 399 and address each one. 17:23:02 The decision is we will keep ScopedCredentialEntity what it is today. 17:23:20 ...and modify the algorithm accordingly, yes? 17:23:41 mikew? 17:23:50 we were discussing: https://github.com/w3c/webauthn/pull/399#discussion_r111592611 17:24:58 now discussing: https://github.com/w3c/webauthn/pull/399/files#r111592125 17:25:11 and https://github.com/w3c/webauthn/pull/399/files#r111597596 17:28:18 vgb: just delete line #803 ? 17:28:27 jeffh: ok with me 17:28:34 We will delete line 803 and leave line 872 as it is 17:31:46 vgb: ok, so once we merge these 3 PRs 397398,399 -- we still have the big issues in pr#384 17:31:56 After we merge the 3 PRs, we can start discussing the navigator.credentials 17:32:43 alexei-goog: ok, want to methodically analyze #384, submit issues on each item, and then figure out if we can address them 17:33:52 jyasskin: wrt an issue we might leave open, eg whether an rp can call makeCred asking for any credenail type -- we could leave that for Level 2 spec 17:35:03 angelo: so the question is do we want to make the change of hanging off the Credential object in the CredMan spec...? 17:35:42 alexei-goog: not comfortable that we can pick and choose from the issues they will enumerate in #384.... 17:36:06 alexei-goog: is working on doing the enumeration -- did one this morning, try to get done by next Wed 17:36:55 Alexei proposed we he would make issues and enumerate through all of them. 17:37:15 mkwst: am comfrotable to wait on folks being ok with this -- so want to discuss concrete discrete issues with the pr#384 -- so identifying things we agree on and do not agree on is helpful way to go 17:37:54 dialing back in, sorry,hangouts dies. 17:38:01 mkwst: suggest GOOG folk do this because they have firm disagreements wiht pr#384 and best they identify them 17:38:12 jyasskin: what is timeframe MSFT has? 17:40:15 angelo: uh...now 17:42:24 angelo: wants to do nominal merge that is in #384 and just do it and polish later -- right thing to do in longer term -- can clean it up later... 17:43:11 alexei-goog: well, you are going to get more than u want if you just do that merge and it will is not clear what that will mean given discussion s on the list... 17:43:12 Sorry I missed out on the scribe 17:43:25 mkwst: those two funcs are no-ops in the resultant specs 17:43:44 from the microsoft perspective, we just want two core methods that can get user authenticated. 17:43:56 mkwst: requireusermediation() and store() are no-ops for scoped nee publickey creds 17:45:32 angelo: arguing for we obtain navigator.credential.create() and ? -- do that and then deal with details later 17:45:58 angelo: need to do at least that now (in his perspective) 17:46:38 tonyn: you are ok with ... not bing in the implementor's draft? ie wd-05 17:46:49 We okay with not making requireUserMediation, store, isPlatformAuthenticatorReady, cancel method part of the implementer's draft 17:47:14 mkwst: can you make a concrete proposal on this? 17:47:43 vgb: -- can you write that into the notes here please? 17:48:08 vgb: angelo, is that what you have in mind? 17:48:14 angelo: yes 17:48:25 mkwst: is this change to #384? 17:48:43 vgb: yes, tho is more or less going down same path that #384 began 17:48:45 Vijay: one proposal is the eventual result: navigator.authentication.makeCredential -> navigator.credentials.make, navigator.authentication.getAssertion -> navigator.credentials.get 17:48:55 The rest of the methods are no-op 17:50:03 Clarifying: requireUserMediation and store are defined but no-op, isPlatformAuthenticatorReady and cancel are just not there (though can be added as static methods later) 17:50:19 mkwst & dirk: 17:50:43 angelo: will make new PR that clarifies all this 17:51:07 dirk: why is not store a static method on sitebound.... 17:52:46 One way to express the thought is we can make a new PR that makes the changes we just requested. Another way to express that is we can change the existing 384 17:53:03 mkwst: the api is opinionated: it believes the UA mediates the conv btwn user and RP -- for pswds this is clear -- for fed it is clear -- for PK creds, there is use case for store() -- but we do not agree on that -- so generally speaking those apis are there as part of nav.cred because thats the way the other creds wwork -- but if we agree that they are noops for PK /scoped creds, am fine with them being noops at moment, but not forever -- hope this is helpful 17:53:05 We will take the first approach 17:53:27 jyasskin: would store() have func for scoped/pk creds? 17:53:44 dirk: question is how make API less confusing for dvlprs.... 17:54:50 jyasskin: say u have sec key roaming btwn systems, reg on one system, then use in another system, if it had been passed to store() in first case, then the UA could know about it in 2nd case 17:55:21 mkwst: knowing that things were successful in past can be useful for UA & RP 17:55:45 dirk: need to thinkabout this, may be something analogous in U2F 17:56:44 angelo: using TPMs, priv key does not leave them, thus this roaming approach not applicable in their case (evthing based on TPMs) 17:57:48 angelo: sees benefits for RPs to get some benefit in near term from the basic merged API 17:59:13 dirk: trying to see benefit to dvlprs having just one method to call to get creds of any type --- but concerned that getting diff creds via same method and then some other methods are noops depending on cred types -- wondering which is more confusing for dvlprs? 17:59:42 dirk: is anyone else concerned about this? 18:04:16 jeffh: all kinds of creds are used in registration ceremonies and authn ceremonies -- more that we can abstract this to enable that such that client-side dvlpr does not have to care cred types the better adoption curve we're going to have 18:05:12 vgb: what if we rename the methods to be something like yayItWorked() and ImOughtaHere() -- would that make things better for developers? 18:06:58 alexei-goog: are you asking were we really wrong that we created makeCred() and getAssn() ? 18:08:00 i think alexei was really saying - were we wrong to leave out yayItWorked and imOutaHere when we created makeCred and getAssn 18:08:01 jcj_moz: no we weren't wrong, but up-leveling this stuff to allow the UA to better mediate UX and helps us to add more functionality under the hood down the road (paraphrased heavily) 18:09:43 jcj_moz: (ought to try to learn from expr of federation ) so maybe we do the high level change now 18:10:43 angelo: need to ship, so will likely go with guts of #384... 18:12:07 vgb: clarifys that store() -> yayItWorked(), and requireUserMediation() -> imOughtaHere() 18:15:38 jeffh: the large RPs will have more head space to do a large of amount of identity things. But for the long tail end of RPs which don't have that head space, they don't have the head space to care about that. If we really want to make password go away, we need to make things really easy for those small RPs 18:16:44 Dirk; I guess since I live in the large RP world, I have a hard time imagining how a small website would just not care. But I guess once they make it to the server side, the difficulty will arise 18:17:21 jeffh: but there are libraries that will make that easy for developers 18:18:15 tony: I'd like to understand what the problems are. 18:18:59 JC: At firefox, what we are holding on to is the namespace 18:19:14 jcj_moz & angelo: getting namespaces and method structures figured out soon is priority 18:19:35 mkwst: for blink it is easy to handle webidl changes.... 18:20:22 mikew: we agreed we will make changes to the PR later today and merge them. 18:21:06 Dirk: we are ok with merging it in. 18:22:09 dirk: ok with merging in, in order to get the namespaces nailed down, and deal wtih problems afterwards 18:22:10 All of us are ok with the namespace change. 18:22:30 metaphorical beer 18:23:05 [adjourned] 18:23:10 zakim, list participants 18:23:10 As of this point the attendees have been vgb, wseltzer, jcj_moz, dominic, nadalin, mkwst, jeffh, battre, jyasskin, dirk, alexei, apowers, alexei-goog, angelo 18:23:15 present+ selfissued 18:23:20 zakim, list participants 18:23:20 As of this point the attendees have been vgb, wseltzer, jcj_moz, dominic, nadalin, mkwst, jeffh, battre, jyasskin, dirk, alexei, apowers, alexei-goog, angelo, selfissued 18:23:26 rrsagent, make logs public 18:23:36 Meeting: WebAuthn 18:23:39 chair: Nadalin 18:23:46 scribenick: angelo 18:23:49 rrsagent, draft minutes 18:23:49 I have made the request to generate http://www.w3.org/2017/04/14-webauthn-minutes.html wseltzer 18:24:14 rrsagent, draft minutes 18:24:14 I have made the request to generate http://www.w3.org/2017/04/14-webauthn-minutes.html wseltzer 18:24:25 For what it's worth, I don't think minutes were e-mailed from the previous call. Can those be sent too? 18:25:05 selfissued, they're all linked from https://www.w3.org/Webauthn/ 18:26:30 OK - I didn't know that. 18:26:52 Maybe at a minimum, you could send an e-mail to the list telling people where to find the meeting minutes. Thanks. 18:27:49 (I was wanting to look at the minutes because they recorded how far we got through the process of triaging the Priority:Implementation issues the previous Wednesday.) 18:29:41 selfissued, thanks, I'll send a link to the list 18:30:39 Sounds good 20:10:37 weiler has joined #webauthn