W3C

- DRAFT -

Web Authentication Working Group Teleconference

24 May 2017

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017May/0247.html

See also: IRC log

Attendees

Present
weiler, wseltzer, jyasskin, selfissued_, nadalin, KetanMehta, jcj_moz, AkshayKumar, jeffh, alexei-goog, gmandyam, Rolf, dirk
Regrets
angelo
Chair
nadalin
Scribe
weiler, Rolf

<weiler> scribenick: weiler

https://github.com/w3c/webauthn/pull/375

nadalin: just editorial

[we said the same thing last week!]

https://github.com/w3c/webauthn/pull/379

[last week we were waiting for google]

nadalin: I'll talk w/ angelo to make sure he addresses.

https://github.com/w3c/webauthn/pull/427

jeffh: queued for after 464
... cover 464 out of order since we have limited time from jyasskin

https://github.com/w3c/webauthn/pull/464

jeffh: have not addressed detailed comments from jyasskin yet
... note on rpid definition, hopefully addressing issue 260
... jyasskin raises suborigins. I need to read this. is it implemented?

jyasskin: i think not. stalled for a while. may be some new activity. something to think about.

jeffh: punt on suborigins and go ahead and merge 464?

jyasskin: even if we're revisiting ports, makes sense to merge this.

jeffh: we do NOT want to include the port.
... we want to match HSTS and cookies; they are whole-host.

jyasskin: that answers my concern

nadalin: jyasskin will review? (even though jeffh hasn't finished w/ details)

jeffh: want to work more on it. want review of this AM's changes. goal to merge Friday/Monday. want to get this done and go back to 427.

nadalin: monday is holiday. goal of tuesday.

jyasskin: will get this reviewed. don't expect significant problems.

jeffh: *cackles*
... more reviewers good. jc?
... 427 after 464. 427 largely done. jyasskin noticed some stuff that needs attn.

https://github.com/w3c/webauthn/pull/442

nadalin: this is rolf's....

jyasskin: this needs more specification. need to be spelled out more - acronyms not great for readability.
... by pulling in two more selection criteria, it starts interacting w/ user verification changes. may want to pull extra bits into user verification. at least make sure all is aligned.
... this ties into 460.
... @@ says this ties into biometric auth.

jeffh: 442/460 are linked.

giri: should we assume that @2 need to be separate PRs?

selfissued: should be able to evaluate these independently. each proposed selection criteria should be written up separately
... so it's not an "all or none" decision to take them.

jeffh: +1

nadalin: who will split functionality of options out? (460)

@3: not 460, but 442.

[see: https://github.com/w3c/webauthn/pull/442#issuecomment-303794031 ]

giri: don't get too hung up on Q4.... merge the PR, fix normative processing reqs for UA.

jyasskin: hard to understand selection criteria w/o a sketch of the process rules/algorithm.

giri: agree, but alg. doesn't need to be final to merge the PR. in favor of merging AAGUID criteria w/ understanding that once user verification is merged, need to look at alg in total

jyasskin: 442 has no alg for aaguid; needs something even if imperfect.

giri: ok

alexei: can we go back to 460?

https://github.com/w3c/webauthn/pull/460

alexei: can objectors please explain themselves?

jyasskin: just doing user verification doesn't guarantee same user created/using cred.
... needs to be passed to authenticator. need to say what authenticator does w/ it.

alexei: I keep forgetting that we're specifying authenticator behavior here in the web spec.
... I'll clarify authenticator behavior.

selfissued: desc of alg @5 is wrong. assumes authenticator can do this, but client doesn't have this knowledge.
... may need to send req through to authenticator and see what happens.

alexei: client needs to call getinfo whenever authenticator shows up

selfissued: specs don't say that

alexei: implementation issue. need to figure out how to get that into the specs

jeffh: i would characterize this as an implementation consideration. advice to implementor.

alexei: we're writing pseudocode in the spec .... if we're gonna do that, I'll just add this.

selfissued: we do want this functionality. just that right now we're making assumptions

https://github.com/w3c/webauthn/pull/470

selfissued: I took action item. other things have been higher priority. i'll write a PR

wd-06 issues

https://github.com/w3c/webauthn/issues/466 is the first we haven't covered - opened 5 days ago.

https://github.com/w3c/webauthn/issues?page=1&q=is%3Aopen+is%3Aissue+milestone%3AWD-06

https://github.com/w3c/webauthn/issues/416

rpID seems to have changed meaning a bit

jeffh: will be closed by PR464

nadalin: origins stuff from last week: 259/255 will get wrapped up in that. and 260

jeffh: 167 just goes away. confirm from jyasskin/mike west / @6?

issue 393: rename "attestation data" to be "attested credential"

jeffh: re: issue 393: we should do that.... just needs to be cranked out.

<Rolf> Talking about issue #283

<Rolf> Not assigned to anyone yet.

<jcj_moz> scribenick: Rolf

according to JeffH: that one can wait

Now on 285: Will that one be picked up after credman merge?

Assigned to JeffH+jyasskin

jyasskin has identified 4 items -- simple editing change to be done

Now 292:

might be related to Issue 316 (cancel operation)

lower priority?

326 is fixed

by PR 464

Now 329

Only 2 items left: attachment+transport

Seems simple to do.

Now 351:

Simple do it as proposed in the comments of that issue

Now 362:

More complicated.

Needs more thinking

392 already discussed. Now 393:

Simple - just do it.

Now 414:

JeffH is working on it

Now 416:

Will be fixed by PR 464

Now 462: undefined terms

relevant for milestone: CR.

Simple, but work to add defs

Now: 466

MikeJ working on that.

rp.id already present.

So: just do it.

Now 467:

proposal exists. Please review.

Now 471:

Now 472:

Optimization to reduce number of bytes if only a single item is relevant

thank you - go for it

<weiler> scribenick: weiler

474:

jeffh: need jyasskin, jcj's input.

selfissued: does not allowing host #'s make it harder to test?

jeffh: dunno. w/ HSTS, we disallowed all but domain names. HTTP strict transport security. policy to say "only-TLS".

jcj: ... not a big deal to not be using port numbers.

jeffH: not only no ports; also no IP addrs.

nadalin: adjourned

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/05/24 18:04:48 $
