16:51:51 RRSAgent has joined #webauthn 16:51:51 logging to http://www.w3.org/2017/06/14-webauthn-irc 16:51:53 RRSAgent, make logs public 16:51:53 Zakim has joined #webauthn 16:51:55 Zakim, this will be 16:51:55 I don't understand 'this will be', trackbot 16:51:56 Meeting: Web Authentication Working Group Teleconference 16:51:57 Date: 14 June 2017 16:52:07 regrets+ weiler 17:00:36 apowers has joined #webauthn 17:01:10 Rolf has joined #webauthn 17:03:11 present+ 17:03:40 jeffh has joined #webauthn 17:03:45 gmandyam has joined #webauthn 17:04:15 present+ 17:04:44 present+ 17:05:05 selfissued has joined #webauthn 17:05:15 present+ 17:05:17 dirkbalfanz has joined #webauthn 17:05:18 zakim, who is here? 17:05:18 Present: battre, gmandyam, wseltzer, Rolf 17:05:19 On IRC I see dirkbalfanz, selfissued, gmandyam, jeffh, Rolf, apowers, Zakim, RRSAgent, weiler, battre, mkwst, slightlyoff, jyasskin, jochen___, adrianba, wseltzer, trackbot, 17:05:19 ... jcj_moz 17:05:48 present+ nadalin 17:06:02 present+ apowers 17:06:19 present+ jeffh, jfontana 17:06:34 present+ 17:06:48 present+ dirk 17:07:33 regrets+ angelo 17:09:18 -> https://www.w3.org/2017/11/TPAC/Overview.html TPAC 2017 17:09:29 nadalin: WebAuthn meets Thursday 17:10:35 regrets+ jyasskin 17:12:48 Topic: 476 and 477 17:13:29 nadalin: we acknowledged Qualcomm's objection and pushed them to v2 17:13:51 ... I've worked with Sam on a re-charter to extend the group 17:14:06 ... proposing that v2 of the spec looks at authenticator options 17:14:13 ... that's L2WD 17:14:17 q+ 17:14:23 q- 17:14:41 gmandyam: need clarification whether these issues will be addressed prior to Rec 17:14:55 nadalin: no, they'll be addressed in v2 17:15:12 gmandyam: we should record an organization-by-organization consensus 17:15:22 nadalin: the objections were recorded in last week's minutes 17:15:23 q+ 17:18:01 selfissued: proposed consensus is that these issue are post-recommendation 17:18:18 gmandyam: then we'd re-raise the issues at CR, and possibly at charter review 17:18:21 q- 17:18:37 nadalin: 479 17:19:03 apowers has joined #webauthn 17:19:20 jeffh: Rolf proposed some changes 17:19:50 Rolf: my recollection on last week's call, strong objection to all three PRs 17:20:10 ... I'm happy to work on them, but only if they're going somplace 17:20:27 nadalin: this one is still marked WD06 17:21:01 apowers has joined #webauthn 17:21:11 dirk: I was happy with this functionality in extension 17:21:43 dirkbalfanz: is happy with having #479 functaionality as an extension, not as a normative part of the spec 17:22:38 rolf: notes that browsers feel that extensions are optional and thus it is unlikely at this time it wold be implemented 17:22:51 gmandyam: can any authenticator mechanism be re-proposed as extensions? 17:24:07 nadalin: if accepted by the group 17:25:13 nadalin: so authenticator selection has been pushed off to Level 2, but if you'd like to see them as extensions, someone can write them up and propose per normal process 17:25:57 gmandyam: Qualcomm suggests that we pursue that for all authenticator selection criteria not in the spec now 17:26:12 ... draft them as client extensions 17:26:38 nadalin: 484 17:27:25 https://github.com/w3c/webauthn/pull/484 17:28:30 gmandyam: we can put in normative requirement that authenticator follow FIDO criteria? 17:28:38 jeffh: I wouldn't do that 17:28:55 gmandyam: I wasn't expecting this to be approved as-is, but 17:30:02 ... with what's there now, an authenticator without rate-limiting would be ok 17:30:17 jeffh: there are multiple kinds of authenticators and criterial 17:30:23 s/criterial/criteria/ 17:30:45 gmandyam: jeffh, why don't you write up a proposal? 17:30:50 gmandyam: Trust path 17:31:05 ... I don't know if you want to do it as a client-directed extension 17:31:38 ... if RP won't accept self-authenticated, not sure it makes sense to offer 17:32:40 jeffh: I haven't looked at the trust path 17:33:03 jeffh: we don't need rate limiting 17:33:11 gmandyam: can you create a PR? 17:33:48 christiaan: if as an RP, we decide not to support osme kind of attestation 17:33:57 ... I'd think the right thing is to tell the user 17:34:07 ... "not accepted by your RP" 17:34:38 ... so even if we (Google) only accepted certain attestations, we'd say bring everything to us so we can give intelligible user message 17:35:53 jeffh: we're more inclined to accept any authenticator that accepts protocol, better than username-password 17:36:02 selfissued: from MS, I agree with jeffh 17:36:14 ... still better than username-password 17:36:37 gmandyam: if trust anchor is going to be verified at RP, then not a client-directed extension 17:37:00 ... I don't mind dropping this 17:37:33 gmandyam: I want to hear more on rate-limiting 17:37:49 nadalin: close the trust path part; if the rest is still open, discuss next week 17:37:58 gmandyam: and close Issue 461, to which the trust path responds 17:38:03 ... call it wontfix 17:38:17 we have a label of "declined" 17:38:41 nadalin: 487 17:38:48 jeffh: just do it 17:39:02 ... editorial 17:39:37 jeffh: 475, make the spec officially Level 1 17:39:45 ... matching credential Management 17:39:48 https://github.com/w3c/webauthn/issues/475 17:40:01 nadalin: will you do that Jeff? 17:40:03 jeffh: happy to 17:40:12 Topic: Milestone WD06 17:40:28 https://github.com/w3c/webauthn/milestone/10 17:40:35 nadalin: 20 issues 17:42:40 jeffh: we should decide whether these all need to be done for WD06 17:43:13 nadalin: we wanted to get to stage where next draft was CR 17:44:46 selfissued: start by looking at the renames? 17:45:09 https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3Asubtype%3Arenaming 17:45:48 nadalin: 79 17:48:00 jeffh: under 358 17:48:37 jeffh: editorial cleanup, sloppiness in the spec 17:48:50 ... 393 and possibly 430 for WD06 17:49:32 ... 488 17:53:08 Rolf: 480 17:53:17 ... I think the algorithm is wrong 17:53:21 jeffh: I agre 17:53:25 s/agre/agree 17:55:35 Rolf: does everyone agree on solution 17:55:40 jeffh: no. I have to think about it 17:57:17 ... I believe our intent was just to invoke the authenticator once with the list 17:58:27 rrsagent, draft minutes 17:58:27 I have made the request to generate http://www.w3.org/2017/06/14-webauthn-minutes.html wseltzer 17:58:36 rrsagent, make logs public 17:58:37 adios 17:58:41 [adjourned] 17:58:44 rrsagent, draft minutes 17:58:44 I have made the request to generate http://www.w3.org/2017/06/14-webauthn-minutes.html wseltzer 18:00:13 chair: nadalin 18:00:16 rrsagent, draft minutes 18:00:16 I have made the request to generate http://www.w3.org/2017/06/14-webauthn-minutes.html wseltzer 18:00:39 present+ christiaan 18:00:47 rrsagent, draft minutes 18:00:47 I have made the request to generate http://www.w3.org/2017/06/14-webauthn-minutes.html wseltzer