16:57:19 <RRSAgent> RRSAgent has joined #webauthn
16:57:19 <RRSAgent> logging to http://www.w3.org/2017/04/19-webauthn-irc
16:57:21 <trackbot> RRSAgent, make logs public
16:57:21 <Zakim> Zakim has joined #webauthn
16:57:23 <angelo> angelo has joined #webauthn
16:57:23 <trackbot> Zakim, this will be
16:57:23 <Zakim> I don't understand 'this will be', trackbot
16:57:24 <trackbot> Meeting: Web Authentication Working Group Teleconference
16:57:24 <trackbot> Date: 19 April 2017
16:58:00 <weiler> weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0244.html
16:58:07 <weiler> agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0244.html
16:58:28 <weiler> weiler has joined #webauthn
16:59:04 <weiler> present+ jfontana, weiler
16:59:49 <jochen___> present+
16:59:57 <wseltzer> present+
17:01:10 <battre> present+
17:01:17 <wseltzer> present+ jcj_moz
17:01:28 <wseltzer> scribenick: jcj_moz
17:01:44 <jeffh> jeffh has joined #webauthn
17:01:50 <jeffh> present+ jeffh
17:02:06 <mkwst> present+ mkwst
17:02:39 <apowers> apowers has joined #webauthn
17:02:52 <vgb> vgb has joined #webauthn
17:03:09 <vgb> present+
17:03:29 <weiler> present+ angelo, battre
17:04:01 <kpaulh> kpaulh has joined #webauthn
17:04:09 <jyasskin> present+
17:04:27 <kpaulh> present+
17:04:34 <selfissued> selfissued has joined #webauthn
17:04:48 <selfissued> present+
17:06:04 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0244.html
17:06:39 <wseltzer> zakim, who is here?
17:06:39 <Zakim> Present: jfontana, weiler, jochen___, wseltzer, battre, jcj_moz, jeffh, mkwst, vgb, angelo, jyasskin, kpaulh, selfissued
17:06:41 <Zakim> On IRC I see selfissued, kpaulh, vgb, apowers, jeffh, weiler, angelo, Zakim, RRSAgent, battre, wseltzer, jyasskin, jcj_moz, schuki, adrianba, jochen___, slightlyoff, mkwst,
17:06:41 <Zakim> ... trackbot
17:06:55 <gmandyam> gmandyam has joined #webauthn
17:07:05 <alexei-goog> alexei-goog has joined #webauthn
17:07:06 <alexei-goog> present+
17:07:34 <jcj_moz> wseltzer: We have a pretty detailed agenda, so the team can help move things forward
17:07:41 <wseltzer> Topic: Pull Requests 348, 350, 375, 378, 378, 384, 389, 407 and 408 (Rolf to explain 407 and 408)
17:07:45 <jcj_moz> angelo: Maybe we can just start, we are all looking at #384
17:08:02 <jcj_moz> angelo: jeffh has given his stamp of approval, does anyone have comments? are we ready to move forward?
17:08:17 <jcj_moz> vgb: I put in a minor comment this morning that is not really blocking
17:08:28 <jcj_moz> ... It's a thing we need to address down the road but we don't need to block the PR on it
17:08:37 <wseltzer> https://github.com/w3c/webauthn/pull/384
17:08:44 <jcj_moz> ... I'd like to get dirk and alexei-goog to chime in as well because they had the most coherent counter to the proposa
17:09:13 <wseltzer> present+ apowers
17:09:15 <jcj_moz> alexei-goog: My understanding is the call on Friday ended with alexei-goog and dirk agreeing to merge this in and deal with the fallout
17:09:33 <jcj_moz> alexei-goog: We reserve the right to tel you 'we told you so' multiple, multiple times
17:09:46 <gmandyam> present+ gmandyam
17:09:56 <jcj_moz> jeffh: Yeah, so I've a couple minor nit comments that if mikewest agreed could fix up before merging
17:10:05 <jcj_moz> mkwst: I'll get those after this call
17:10:26 <jcj_moz> jeffh: We need a real, proper security considerations section somewhere
17:10:39 <jcj_moz> angelo: So, after mkwst makes the change that jeffh requested, are we ready to merge?
17:10:58 <jcj_moz> (jeffh will do the merger)
17:11:08 <jcj_moz> angelo: mkwst, you'll be able to make the change today?
17:11:13 <jcj_moz> mkwst: Yes.
17:11:47 <wseltzer> https://github.com/w3c/webauthn/pull/409
17:11:49 <jcj_moz> angelo: We're talking about things blocking CTAP, PR #409, I want to clarify that this is everything in PR 384, the only addition is having a new bit
17:12:37 <jcj_moz> alexei-goog: I took a look at the current CTAP spec and I don't see any reference to 'TUI'
17:12:50 <jcj_moz> vgb: There's an outstanding PR from Alex Rudisky
17:13:00 <jcj_moz> alexei-goog: There's a PR out in CTAP that has TUI in it?
17:13:05 <jcj_moz> vgb: Yes, I can dig up the number
17:13:17 <jcj_moz> jeffh : We shouldn't be using the term 'identity'
17:13:30 <jcj_moz> ... we should stay away from the term, we're only doing authentication
17:14:09 <jcj_moz> angelo: The idea here is the authenticator tests the fingerprints...
17:14:17 <jcj_moz> jeffh: Doesn't User Verification Method signal that?
17:14:54 <jcj_moz> vgb: #1 this is in the core thing, so even if you don't implement UVM it's there
17:15:53 <jcj_moz> ... #2 the TUP only shows if the user is present, this stands-in for when the user is identified
17:16:27 <weiler> rrsagent, make log public
17:16:33 <weiler> rrsagent, draft minutes
17:16:33 <RRSAgent> I have made the request to generate http://www.w3.org/2017/04/19-webauthn-minutes.html weiler
17:17:20 <jcj_moz> angelo: So Jeffh wants to avoid the name...
17:17:20 <jcj_moz> jeffh: I didn't say I was OK with adding the bit, either
17:17:59 <jcj_moz> jeffh: this is an ad-hoc piece
17:18:58 <jcj_moz> angelo: We have about 7 bits left, are you saying we should not use them?
17:19:07 <jcj_moz> jeffh: No, I'm saying this is an ad-hoc approach
17:19:36 <jcj_moz> angelo: This is the kind of use case we have, and based on that use case we've added this new hting
17:21:07 <jcj_moz> selfissued: We shouldn't block on this
17:21:19 <jcj_moz> ... (we should do it)
17:21:50 <selfissued> This is an important distinction between any person present and a specific person present.  Unless we have a specific counter-proposal that has support, we should do this.
17:21:53 <weiler> https://github.com/w3c/webauthn/pull/217
17:22:26 <jcj_moz> alexei-goog: I need to read it, and it assumes changes to CTAP which I also haven't read
17:22:52 <jcj_moz> vgb: I hear jeffh's concern that we might be doing things in a less methodical way than we want
17:23:25 <jcj_moz> ... We did go through a certain approach to try and get agreement about the use cases for this, and TUI - badly named though it may be - helps with one of those use cases we came up with
17:23:49 <jcj_moz> ... One of the things we need to figure out is: either we're missing something in our use case classification (which we did a long time ago) or this does not implement that classification
17:24:01 <jcj_moz> ... I'd like to get a better sense of the objection
17:24:23 <jcj_moz> jeffh: OK, but we're not trying to merge this today?
17:24:32 <jcj_moz> angelo: No, we're just trying to have the discussion
17:24:51 <wseltzer> q?
17:24:54 <jcj_moz> ... PR 378 is another one that I'm looking at right now
17:25:50 <jcj_moz> gmandyam: I have a question  -- TUI... So the user verification bit is part of the auth data and it goes to a discrete auth. Is the idae that there might be authenticators that might support two modes of authentication? Like a touch and also a fingerprint?
17:25:58 <jcj_moz> ... Is this for multi-mode authenticators?
17:26:24 <jcj_moz> angelo: The intent of this is if it's a multi-mode authenticator, then as long as this can identify the user that's fine
17:26:33 <jcj_moz> gmandyam: No...
17:26:45 <jcj_moz> vgb: The intent of this bit is no different than TUP
17:27:09 <jcj_moz> ... The existence of this doesn't mean we're postulating about the mechanics of autheticators, we just want to know what it did
17:27:34 <jcj_moz> ... User Verification is supposed to be used the same way, it's signed over that says I actually verified the user's identity
17:27:40 <jcj_moz> jeffh: You performed user verification
17:27:57 <jcj_moz> vgb: Yes, that. This may lead to developers that find it useful to be multi-mode like that
17:28:13 <jcj_moz> ... but this is to define when I established presence, vs when verified identity
17:30:08 <jcj_moz> selfissued: Process point- we should do the priority implementation PRs
17:31:40 <jcj_moz> angelo: The reason I want to handle 409 is that it's blocking CTAP
17:31:54 <jcj_moz> alexei-goog: I think it'll be easier to handle after the CTAP PR merges
17:32:08 <jcj_moz> angelo: moving on to 378
17:32:49 <jcj_moz> https://github.com/w3c/webauthn/pull/378
17:33:00 <jcj_moz> angelo: I believe jeffh made some comments
17:33:30 <jcj_moz> jeffh: I need to review this in the same ...
17:33:54 <jcj_moz> jeffh: 378 and 409 are related in my nominal perspective
17:34:02 <weiler> present+ nadalin
17:34:06 <jcj_moz> ... but I've been distracted with 384 of late, and I'll commit to reviewing this stuff in the next couple of days
17:34:18 <jcj_moz> vgb: it's actually 378, 348, and 409
17:37:23 <jcj_moz> selfissued: At the request of the WG, I've done a lot of work in 389 to clarify extensions, and jeffyasskin believes its ready to merge
17:37:30 <jcj_moz> jeffh: I was trying to review it before the call
17:37:54 <jcj_moz> credman: Are 407 / 408 going to break anything?
17:38:11 <jcj_moz> vgb: They're just adding things to enums and specifying additional behavior
17:38:21 <jcj_moz> alexei-goog: The attestation format and the UAF...?
17:38:32 <jcj_moz> ... You might see another one coming down for U2F
17:38:48 <jcj_moz> jeffh: I don't think those are necessarily... we'd like to get those by CR timeframe, but not WD-05
17:39:02 <jcj_moz> credman: I agree it's late in the game, but I'm afraid they'll break implementation
17:39:27 <jcj_moz> alexei-goog: We're doing things that are restructuring the APIs completely. Adding the enum is the least destructive thing we've done this month.
17:39:35 <jcj_moz> jeffh: Let's review before the next call
17:39:56 <jeffh> 409, 384, 378 -- that is Angelo's list for WD-05
17:39:56 <jcj_moz> angelo: After 409 and 384 and 378 are merged in, we can apply wd-05 to them later if we want
17:40:08 <jcj_moz> .... we can have a WD-05 version there, and that'll be the Edge implementation
17:40:17 <jcj_moz> ... and we'll match the Chrome and Firefox implementations later on
17:40:24 <jcj_moz> ... and as long as there's no breaking change we'll be fine
17:40:42 <weiler> https://github.com/w3c/webauthn/pull/389
17:40:42 <jcj_moz> selfissued: I think we should merge in 389 because it's not breaking aknig and it makes a bunch of stuff clearer.
17:40:48 <jcj_moz> jeffh: I tend to agree
17:40:54 <jcj_moz> ... can I review it ?
17:41:01 <jcj_moz> ... I'm happy to get it merged before next call.
17:41:08 <jcj_moz> angelo: I don't think it's a priority for implementation
17:41:14 <jcj_moz> jeffh: I think it is
17:41:20 <jcj_moz> selfissued: It is a priority for implementation
17:42:07 <jcj_moz> ... I want the decision on the call that unless jeffh thinks it is terrible, that he'll merge it by tomorrow
17:42:15 <jcj_moz> credman: (agrees with the above)
17:42:24 <weiler> rrsagent, draft minutes
17:42:24 <RRSAgent> I have made the request to generate http://www.w3.org/2017/04/19-webauthn-minutes.html weiler
17:42:27 <jcj_moz> credman: We want the WD-05 as soon as possible
17:42:46 <jcj_moz> ... I want jeffh to look at it ASAP so we can close down WD-05
17:42:48 <jcj_moz> jeffh: OK
17:42:58 <jcj_moz> angelo: That's fine
17:43:17 <jcj_moz> vgb: How do you feel about 350?
17:43:19 <weiler> https://github.com/w3c/webauthn/pull/350
17:43:30 <jcj_moz> angelo: I think that's important, but it's a fix
17:43:46 <jcj_moz> jeffh: still some vgb comments. I'll take a look at that also
17:43:54 <jcj_moz> ... it's stale, it needs a merge
17:44:08 <jcj_moz> angelo: for 350 I have less of concern
17:44:30 <jcj_moz> alexei-goog: Looking at 350, it says throw NotFoundError and that seems great, but then it says Key Storage and ....
17:44:33 <jcj_moz> angelo: That's a mishap
17:45:07 <jcj_moz> jeffh: So we're not going to review until angelo polishes PR 350
17:45:17 <jcj_moz> angelo: that's all of the things that I think, that I consider blocking us
17:45:50 <jcj_moz> credman: I'd like some explanation on 407 and 408
17:46:00 <jcj_moz> jeffh: I talked with you about those face-to-face
17:46:08 <jcj_moz> credman: I understood they were coming
17:46:33 <jcj_moz> alexei-goog: Can you make sure the face-to-face discussion makes it on the list?
17:46:35 <jcj_moz> jeffh: OK
17:46:45 <jcj_moz> credman: Is there something you want to tell us?
17:47:14 <jcj_moz> jeffh: Both Rolf and I have mentioned this in the not too distant past - if you have a UAF-enabled smartphone, you should be able to have a CTAP shim added to it and then use it as a roaming authenticator for a WebAuthn-enabled device
17:47:30 <jcj_moz> gmandyam: It doesn't even have to be CTAP, it can be <something else>
17:47:40 <jcj_moz> jeffh: Yes, but there's a zillion devices in the field, so it seems good to enable this
17:47:48 <jcj_moz> gmandyam: Qualcomm is in favor of this
17:48:08 <jcj_moz> alexei-goog: When we were deciding if we needed a separate credential type for U2F, we decided we didn't need to
17:48:24 <jcj_moz> ... we decided (the metadata) was enough
17:48:41 <jcj_moz> ... Is that not the case for UAF? Is it not possible to indicate you're OK with a UAF device given what's there?
17:48:51 <jcj_moz> jeffh: That's a good question, as part of review we'll have to answer that
17:49:07 <jcj_moz> alexei-goog: We did think about this, adding a U2F type, and we decided we didn't need to
17:50:50 <battre> present-
17:58:37 <weiler> zakim, list participants
17:58:37 <Zakim> As of this point the attendees have been jfontana, weiler, jochen___, wseltzer, battre, jcj_moz, jeffh, mkwst, vgb, angelo, jyasskin, kpaulh, selfissued, alexei-goog, apowers,
17:58:40 <Zakim> ... gmandyam, nadalin
18:02:35 <jcj_moz> The list of PRs to go through before the end of the week, and close, is 409, 384, 378
18:02:54 <jcj_moz> Consensus eus is that should close out WD-05
18:03:20 <jcj_moz> Meeting adjourns with the acknowledgement that we should be releasing WD-05 next
18:03:26 <weiler> s/eus is/is/
18:04:03 <weiler> chair: wseltzer, selfissued, nadalin
18:04:07 <weiler> rrsagent, draft minutes
18:04:07 <RRSAgent> I have made the request to generate http://www.w3.org/2017/04/19-webauthn-minutes.html weiler
18:51:31 <weiler> weiler has joined #webauthn
18:54:37 <weiler> weiler has joined #webauthn
20:18:30 <Zakim> Zakim has left #webauthn