W3C

- DRAFT -

Web Authentication Working Group Teleconference

09 Aug 2017

See also: IRC log

Attendees

Present
weiler, jbradley, wseltzer, dmitriz, jcj_moz, kpaulh, AkshayKumar, jfontana, nadalin, selfissued, jeffh, jyasskin, ChristiaanBrand, angelo, apowers, rolf
Regrets
Chair
nadalin, jfontana
Scribe
angelo

<weiler> present?

<wseltzer> https://github.com/w3c/webauthn/issues/527

<CR01> selfissued: making isPlatformAuthenticatorAvailable an attribute doesn't work as it cannot have UI then.

There is very little controversy around isPlatformAuthenticatorReady.

<CR01> Thanks.

<jeffh> sorry, there's a fair bit of controversy re how isPlatformAuthenticatorReady is specified

<CR01> not resolving a promise doesn't seem to be a good approach

Sorry I am getting caught up on the scribe

<CR01> proposal: merge 523 and fix the example

Kim: I am in agreement with resolving https://github.com/w3c/webauthn/pull/523

JC: I am in agreement with https://github.com/w3c/webauthn/pull/523

JeffH: 523 isn't too well written.

Tony: Mike, can you take a look at the grammar issue

<CR01> Close but don't merge 528

Mike: I will take a look at the grammar side.

We will close https://github.com/w3c/webauthn/pull/528.

We're looking at https://github.com/w3c/webauthn/pull/525

525 registers numbers for the 3 RSA signature algorithms instead of strings

In 525, one of the algorithms becomes -255

JeffH: I haven't read the PR yet but I count on MikeJones who is the expert on the COSE and IANA registry
... In a PR that was recently merged, we changed algorithm identifiers from WebCrypto identifiers to typedef identifiers

In COSE spec, you are allowed to use either small integer or small string to register algorithms

MikeJ: I agree there's a testing thing with using strings

John: I am generally supportive of making strings into integers

JC: Are we adding constants? Would browsers have to handle it?

MikeJ: we probably want to do that in the future

Tony: everyone seems in agreement with merging 525

After the two PRs (https://github.com/w3c/webauthn/pull/525 and https://github.com/w3c/webauthn/pull/528), I will start publishing WD06

We're starting to look at WD07

We are looking at https://github.com/w3c/webauthn/pull/498, which is a pull request for WD07

Tony: I am wondering whether it would make it into WD07

JeffH: Yes, I believe so. There's a standing PR on CredMan.

498 is a possible breaking change

JC: I am not sure if this is a breaking change.

<jeffh> jeffh: folks have had to already workaround/address the issues in pr #489 and credman

jc: oh yeah, there's an old conversation around whether we want to make it a valid domain or an origin.

Angelo: I will take a closer look at 489 later this week.

<CR01> all 498 not 489?

<jeffh> above discussion wrt PR #498

<jeffh> angelo: now issues discussion - want to discuss issue #458

<jeffh> angelo: domains change on web or are nominally equivalent from the perspective of the domains admins eg google.com and youtube.com

angelo: I am hoping people can propose ideas to help address problems in 458

<CR01> Digital Asset Links (https://developers.google.com/digital-asset-links/v1/getting-started) are similar to original FIDO TrustedFacets lists.

JeffH: In the U2F and UAF era, we didn't want to do federated identity management

<CR01> FIDO decided at that time to stay out of federation - and hence do not allow credentials to be shared across domains.

JeffH: if one of the implementers wants to do something for their special deployment, that's fine. But the problem is how we want to standardize in W3C
... the use of digital asset links is also not available in the credman spec but only in Chrome's implementation.

<jyasskin> 1+

Previously, people's favored solution has been to use federation.

<CR01> small companies sometimes prefer a more lightweight method than federation

<jeffh> jyasskin: olddomain.com has creds there, visit newdomain.com, get redirected to olddomain.com, get cred, then redirect back to newdomain.com

One of the possible solutions is to use OpenID connect.

<jeffh> angelo: <relates use case(s) where using federation to address domain changes is troublesome>

<jeffh> jbradley: in fed world have seen use of federation to address these cases. tho have had discussions with google about a priori mapping of domains....

Another challenge is if IDPs themselves decide to change their domain

<jeffh> christiaan: sounds like a federation issue to me

<jeffh> angelo: foo.com federates to login.live.com, bar.com feds with google.com, but same IDP controls both, want to merge everything into one domain. don't want old domains to remain and confuse users. so eventually have live.com point to the right place.

<wseltzer> https://github.com/w3c/webauthn/issues/458

Perhaps we can talk about this another day. Federation seems to be the common issue here.

I am not a fan of digital asset links myself, but I was hoping someone could propose some ideas that would work better than those.

Akshay created a PR in FIDO-2 world to address CTAP and U2F compat

MikeJ: The intention for that PR is to address the compat. Other folks on the call who are also part of that WG should review this.

In the WebAuthn spec, the authenticator model is very hand-wavy. The CTAP spec has the concrete model.

JC: why do I have to look at WebAuthn?

The CTAP WG and U2F WG are merged together.

jc: I am just worried I may have implemented the wrong thing.

JeffH: that's not well thought out yet. Having the implementers writing code would help work this through.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/08/09 18:09:53 $