W3C

- DRAFT -

Web Authentication Working Group Teleconference

26 Jul 2017

See also: IRC log

Attendees

Present
apowers, jeffh, gmandyam, wseltzer, AkshayKumar, Ibrahim, jcj, jbradley, jfontana, selfissued, ChsitiaanBrand, angelo
Regrets
Chair
nadalin, jfontana
Scribe
jcj_moz, angelo


<jcj_moz> scribenick: jcj_moz

Tony: We're sort of stalled, spinning on WD-06

We want these issues resolved for WD-06

We need to resolve things soon to make it to CR by TPAC

jeffh: I've got observations
... My understanding is that the implementing folks are doing WD-05
... so if there are issues coming up in WD-05, are they being filed in Github?

Tony: I think nothing impeding implementation yet

jeffh: WD-05 might have implementation issues because it's a draft, and we want to make sure we address that
... Please make sure as implementing, when issues come up, that they get submitted

jcj_moz: The 3 issues I filed are from implementation

Tony: Let's look at open PRs
... Regarding https://github.com/w3c/webauthn/pull/379... Angelo, are you updating this to resolve the comments?

angelo: Yes.

Tony: And now 460 - https://github.com/w3c/webauthn/pull/460

jeffh: Alexei signed up for this, but we moved this on to selfissued

Tony: This one (#460) is one developers have pointed out

<angelo> hi jc, I can take it over from here

<angelo> 460 is valuable for U2F devices

<scribe> scribenick: angelo

JC: I haven't encountered the problem yet because I have been dealing with only U2F so far

<jcj_moz> jcj_moz: I want to make sure #460 is not an implementation issue for Mozilla

<jcj_moz> ... and it isn't, it affects CTAP devices

<jcj_moz> ... OK

MikeJ: I can start working on 460 now that IETF is mostly over

Giri: in the absence of require user verification, does that mean the authenticator can provide silent authentication?

Tony: I don't think it's for silent auth

We're talking about pull request 498, which is moved to WD05

<jcj_moz> https://github.com/w3c/webauthn/pull/498

We're talking about pull request 498, which is moved to WD07

For 498, it appears that usually implementers just figure out what to do. We still should polish it but it's not necessary at the moment.

For 505, since it's a simple typo, it's merged right away

We're discussing 510

We're discussing pull request 510

The nice thing about client extension is that the RPs can use extensions without necessarily changing the standard

biometricCriteria would be dictionary within a dictionary if it's added to authenticator selection

Because of that, it may be best to review a little bit about how client extensions are done.

<weiler> https://github.com/w3c/webauthn/pull/510

JC: Just looking at it, I think dictionary within dictionary would be fine. But I am not familiar with all the extensions so I will have to spend more time looking at it.

Giri: for 510, I don't think it'd be blocking for WD07. If anything, I'd consider it for CR target

JC: I am certainly not philosophically opposed to this. This is why we have extensions.

Tony: I will assign MikeJ to this pull request since he worked on the extension part

Giri: one more comment: I remembered we made an IANA registry. It'd be best if we can bring this extension into one of the pre-defined extensions in the IANA registry.

MikeJ: in practice, when a registry is published, the author (W3C) would make a recommendation to the IETF of what to do with extensions.
... almost always these recommendations are accepted.

Akshay: the default state of the authenticator is they are stored on the devices

JC: for U2F devices, the keys are always not resident

Akshay: for FIDO 2.0 devices, the keys are always stored on the devices.

MikeJ: I will take some time reviewing 502

Angelo: I am fine with making it higher priority but it shouldn't have to take too much time since this is really one line of code

Tony: if MikeJ reviews it, we don't have an issue with making it happen
... Let's go through the issues

For 393, I'd like to move it to WD07

https://github.com/w3c/webauthn/issues/393

https://github.com/w3c/webauthn/issues/182 moved to CR

JC: https://github.com/w3c/webauthn/issues/278 I don't think it's necessary to make them inherit from one thing

MikeJ: we should probably get Jeffrey to take a look because he's working on gatekeeping the Web IDL

Christiaan will talk to Jeffrey about reviewing 278

Tony will add a comment that 278 should be closed if no more action from Jeffrey

https://github.com/w3c/webauthn/issues/283 we can move this to CR. There may be some interop issue but I doubt it

https://github.com/w3c/webauthn/issues/292

https://github.com/w3c/webauthn/issues/292 is a potentially subtle interop issue but mostly a subtle issue

JC: we will learn a lot more as we go through the interop testing process

<jcj_moz> https://github.com/w3c/webauthn/issues/466

Tony: we can punt https://github.com/w3c/webauthn/issues/466 to a later timeline

https://github.com/w3c/webauthn/issues/473

Jeff: https://github.com/w3c/webauthn/issues/473 we can punt this to a later time

Tony: but this would change API names

MikeJ: let's decide a name and just do it

jeff: https://github.com/w3c/webauthn/issues/473 suggested names

mikeJ: we will make a PR for https://github.com/w3c/webauthn/issues/473

MikeJ was gonna create a PR for https://github.com/w3c/webauthn/issues/474

the text was already in the spec but https://github.com/w3c/webauthn/issues/474 is just about polishing it

After the PR is published, JeffH will review it

345 has a PR on it

https://github.com/w3c/webauthn/issues/485 has a PR on it too

https://github.com/w3c/webauthn/issues/488 is a naming issue too

https://github.com/w3c/webauthn/issues/488 mikeJ will create a PR for this

Tony: once all the issues and pull requests for WD06 are done, we can publish WD06

WD07 is in september and the CR can happen at TPAC in Nov

JC: I've been testing the google demo site but so far I haven't been successful

<apowers> can everyone post their demo sites in IRC?

<jcj_moz> I'm pushing changes to "webauthndemo" to https://github.com/jcjones/webauthndemo/commits/mozilla-updates

<jcj_moz> the Mozilla demo site is https://webauthn.bin.coffee/

for edge: There's a public demo site targeted at WD03 on the public facing microsoft edge site. I coded up a demo site for WD05 but haven't had all of the hashing/crypto there.

my biggest concern so far is the hashing

JC: The same for us too.

Angelo: I know there're issues with some of the edge cases but I guess we will all encounter this kind of issue

<jeffh> apowers: have iop during 2nd wk sep?

<jeffh> jcj_moz: can meet up f2f wk of 11-

<jeffh> Sep

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/07/26 18:05:03 $
