W3C

- DRAFT -

Web Authentication Working Group Teleconference

14 Jun 2017

See also: IRC log

Attendees

Present
battre, gmandyam, wseltzer, Rolf, nadalin, apowers, jeffh, jfontana, selfissued, dirk, christiaan
Regrets
weiler, angelo, jyasskin
Chair
nadalin
Scribe
wseltzer


TPAC 2017

nadalin: WebAuthn meets Thursday

476 and 477

nadalin: we acknowledged Qualcomm's objection and pushed them to v2
... I've worked with Sam on a re-charter to extend the group
... proposing that v2 of the spec looks at authenticator options
... that's L2WD

gmandyam: need clarification whether these issues will be addressed prior to Rec

nadalin: no, they'll be addressed in v2

gmandyam: we should record an organization-by-organization consensus

nadalin: the objections were recorded in last week's minutes

selfissued: proposed consensus is that these issues are post-recommendation

gmandyam: then we'd re-raise the issues at CR, and possibly at charter review

nadalin: 479

jeffh: Rolf proposed some changes

Rolf: my recollection on last week's call, strong objection to all three PRs
... I'm happy to work on them, but only if they're going someplace

nadalin: this one is still marked WD06

dirk: I was happy with this functionality in extension

<jeffh> dirkbalfanz: is happy with having #479 functionality as an extension, not as a normative part of the spec

<jeffh> rolf: notes that browsers feel that extensions are optional and thus it is unlikely at this time it would be implemented

gmandyam: can any authenticator mechanism be re-proposed as extensions?

nadalin: if accepted by the group
... so authenticator selection has been pushed off to Level 2, but if you'd like to see them as extensions, someone can write them up and propose per normal process

gmandyam: Qualcomm suggests that we pursue that for all authenticator selection criteria not in the spec now
... draft them as client extensions

nadalin: 484

https://github.com/w3c/webauthn/pull/484

gmandyam: we can put in normative requirement that authenticator follow FIDO criteria?

jeffh: I wouldn't do that

gmandyam: I wasn't expecting this to be approved as-is, but
... with what's there now, an authenticator without rate-limiting would be ok

jeffh: there are multiple kinds of authenticators and criteria

gmandyam: jeffh, why don't you write up a proposal?
... Trust path
... I don't know if you want to do it as a client-directed extension
... if RP won't accept self-authenticated, not sure it makes sense to offer

jeffh: I haven't looked at the trust path
... we don't need rate limiting

gmandyam: can you create a PR?

christiaan: if as an RP, we decide not to support some kind of attestation
... I'd think the right thing is to tell the user
... "not accepted by your RP"
... so even if we (Google) only accepted certain attestations, we'd say bring everything to us so we can give intelligible user message

jeffh: we're more inclined to accept any authenticator that accepts protocol, better than username-password

selfissued: from MS, I agree with jeffh
... still better than username-password

gmandyam: if trust anchor is going to be verified at RP, then not a client-directed extension
... I don't mind dropping this
... I want to hear more on rate-limiting

nadalin: close the trust path part; if the rest is still open, discuss next week

gmandyam: and close Issue 461, to which the trust path responds
... call it wontfix

<jeffh> we have a label of "declined"

nadalin: 487

jeffh: just do it
... editorial
... 475, make the spec officially Level 1
... matching Credential Management

<jeffh> https://github.com/w3c/webauthn/issues/475

nadalin: will you do that Jeff?

jeffh: happy to

Milestone WD06

https://github.com/w3c/webauthn/milestone/10

nadalin: 20 issues

jeffh: we should decide whether these all need to be done for WD06

nadalin: we wanted to get to stage where next draft was CR

selfissued: start by looking at the renames?

https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3Asubtype%3Arenaming

nadalin: 79

jeffh: under 358
... editorial cleanup, sloppiness in the spec
... 393 and possibly 430 for WD06
... 488

Rolf: 480
... I think the algorithm is wrong

jeffh: I agree

Rolf: does everyone agree on solution

jeffh: no. I have to think about it
... I believe our intent was just to invoke the authenticator once with the list

<jeffh> adios

[adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/06/14 18:00:52 $
