16:44:13 RRSAgent has joined #webauthn
16:44:13 logging to http://www.w3.org/2017/08/16-webauthn-irc
16:44:15 RRSAgent, make logs public
16:44:15 Zakim has joined #webauthn
16:44:17 Meeting: Web Authentication Working Group Teleconference
16:44:17 Date: 16 August 2017
16:45:04 present+ weiler
16:45:29 agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Aug/0171.html
16:45:34 weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Aug/0171.html
16:48:21 present+ jcj_moz
16:57:02 jeffh has joined #webauthn
17:00:26 jfontana has joined #webauthn
17:00:45 apowers has joined #webauthn
17:00:47 John_Bradley has joined #webauthn
17:00:55 present+ jeffh
17:01:21 present+
17:02:29 chair: nadalin, jfontana
17:02:59 Rolf has joined #webauthn
17:04:00 kpaulh has joined #webauthn
17:04:18 present+
17:06:18 gmandyam has joined #webauthn
17:06:32 present+ gmandyam
17:06:35 you're welcome!
17:07:05 scribenick: weiler
17:07:22 tony: thanks to angelo, mike, et al. for getting wd06 out.
17:08:06 hoping wd07 will be the last before CR. want all normative changes to be in wd07, so nothing major in cr.
17:08:13 target is cr at tpac.
17:08:27 q+ to discuss wide review
17:08:53 one PR for wd07; alg fixups. Jeff
17:09:00 jeff: distracted working on ctap
17:09:50 ack me
17:09:50 weiler, you wanted to discuss wide review
17:10:02 weiler: wide review -- if you want to go to CR in November, we should get the word out to horizontal groups now
17:10:06 weiler: if we want cr at tpac, need to start review now
17:10:18 tony: but we'll be making normative changes
17:10:27 jeff: we have 100 open issues. sounds aspirational to me.
17:10:53 [jeff wants a shiny mode of transportation]
17:11:22 angelo has joined #webauthn
17:11:39 tony: no wide review yet. want wd07 and other issues resolved first
17:12:10 how long do they want?
17:12:15 weiler: 2-3 mo, I think.
17:12:26 tony: issue 349.
17:13:01 https://github.com/w3c/webauthn/issues/349
17:13:04 Add getAuthenticatorInfo to the Authenticator Model section
17:13:40 angelo: sent internal mail...
17:14:02 I don't have access
17:14:25 jeff: you need a fido acct
17:15:09 angelo: should be able to resolve many when
17:15:30 we have 349 resolved.
17:15:32 q+
17:16:13 ctap spec is going through some churn; maybe I should wait for it.
17:16:31 jeff: we'll need to specify it against the ctap spec.
17:16:40 giri: can you directly link it to ctap spec?
17:16:44 instead of copying here?
17:17:16 jeff: I'd specify getinfo in our api, explaining it, and reference public draft ctap spec. get the results from that call to ctap and map them.
17:17:47 giri: ctap spec is pretty clear as to return value. for platform authenticators, could potentially return richer info.
17:18:00 do you want to restrict to what we have or make it a superset?
17:19:15 jeff: I'd mock this pr and work on it together. not sure how we'd pass back null fields. maybe as a blob or pointer to arbitrary obj? I'm sure there's a worked example out there.
17:19:21 q-
17:19:31 s/this pr/this up as a PR/
17:20:44 angelo: I think I created this issue when I added one of the required @@ params. .... can only indicate this in the get authenticator info. very generic. web spec and protocol spec should be in parallel but we might have future protocol changes.
17:20:53 akshay: how do you handle multiple devices?
17:21:56 jeff: clarify: authenticators. Not sure. what we're doing in getAssertion and makeCred is to hand wave and say platform has info on all avail authenticators
17:22:39 i could imagine that getinfo call in authenticator models (remember: that's abstract now) would say "for each avail auth, call getInfo"
17:23:03 Rolf: there's a good reason for this to be abstract. might be bound, platform-specific authenticators.
17:23:12 angelo: this is editorial
17:23:28 ok to punt issue 349 to cr.
17:23:41 jeff: I wouldn't punt. it's easy. we should just do it
17:23:48 mike: do what, specifically?
17:24:05 jeff: I think I should do this...
17:25:33 topic: 471 https://github.com/w3c/webauthn/issues/471
17:26:35 rrsagent, draft minutes
17:26:35 I have made the request to generate http://www.w3.org/2017/08/16-webauthn-minutes.html weiler
17:27:06 rrsagent, make logs public
17:27:36 angelo has joined #webauthn
17:28:03 This is the link: https://github.com/w3c/webauthn/milestone/13
17:29:53 present+ ChristiaanBrand, jfontana, John_Bradley, selfissued, Rolf, nadalin, angelo, AkshayKumar, apowers
17:30:03 scribenick: jcj_moz
17:30:26 tony: re #506
17:30:46 jcj_moz: I made this all zeroes
17:31:06 akshay: I proposed all zeroes in CTAP
17:31:19 q?
17:31:20 tony: What's Google done?
17:31:46 kim: I believe it's just zeroed out right now
17:31:58 tony: Can you check, kim, and if so we just zero this out and close it?
17:32:15 q+
17:32:21 tony: I'll assign this to Kim to verify w/ Google implementation
17:32:22 rrsagent, draft minutes
17:32:22 I have made the request to generate http://www.w3.org/2017/08/16-webauthn-minutes.html weiler
17:32:27 kim: OK
17:33:20 jeffh: The problem is that AGL's comment is it gives back a unique identifier that could be used for tracking, I'll try to comment on this later
17:33:47 jeffh: zeroes offhand seem fine to me
17:33:52 q-
17:34:14 tony: now https://github.com/w3c/webauthn/issues/507
17:34:46 akshay: I think this should all be zeroes again; there's no counter from U2F devices
17:35:39 tony: jcj_moz -- we're using all zeroes
17:37:08 jcj_moz: We're using all zeroes. The counter isn't available yet, but we previously discussed maybe requiring a Sign to follow every Create so that we could convey a counter, but that's bad UX
17:37:27 Rolf: Original purpose of the counter was not anti-MITM/replay, it was for authenticator cloning prevention
17:37:53 jcj_moz: OK, cloning isn't as much an issue when we're first generating a new credential
17:38:14 Rolf: But it still matters to send this during make credential so we don't lose track
17:38:33 Akshay: How would we do this for U2F that doesn't do this?
17:38:46 Rolf: Some authenticators do support
17:39:14 Akshay: Does the counter come back in the make credential?
17:39:29 counter is in https://w3c.github.io/webauthn/#sec-authenticator-data
17:42:55 jcj_moz: So the issue is that U2F wire protocol doesn't have a counter during make credential, so while WebAuthn supports a stronger situation where counters are given for both get assertion and make credential, in the U2F case...
17:43:15 jcj_moz ... the counter for make credential during U2F Attestation Statement Formats are going to be all zeroes
17:44:01 tony: Next issue: #393
17:44:08 https://github.com/w3c/webauthn/issues/393
17:45:53 jcj_moz: this is not a normative change to the WebIDL, right?
17:46:06 jeffh: No ... depends on how you wrote your code. Object currently not named.
17:46:45 tony: Now https://github.com/w3c/webauthn/issues/292 #292
17:46:51 angelo: This is related to #380
17:46:57 jeffh: I'll put a note in here
17:47:29 tony: Now #466 https://github.com/w3c/webauthn/issues/466
17:47:36 jeffh: That'll be closed by #498
17:47:42 tony: Then 472?
17:47:53 jeffh: I believe that's the same board, #498
17:48:30 tony: Then #472?
17:48:56 tony: Now on to #458 https://github.com/w3c/webauthn/issues/458
17:49:53 angelo: Mike Jones had some new info for this?
17:49:59 tony: We talked about federation last time
17:50:30 Mike: I talked to the Microsoft folks and said that federation is the right way to do this, and also the one-time basis of re-enrolling from one IDP to another
17:50:36 jeffh: I'll close and comment
17:50:44 Tony: That takes us to #524
17:50:51 https://github.com/w3c/webauthn/issues/524
17:50:58 angelo: This is related to GetAuthenticatorInfo, or how that process is done
17:51:04 tony: So related to #349
17:52:21 jeffh: There's problems in the spec with the way this was added. I was going to analyze and comment on this; more news to come
17:52:36 jeffh: I'll assign myself. There's some flies in the ointment here
17:52:42 tony: Onto #380
17:52:51 angelo: We talked about this already
17:52:53 jeffh: yeah we did
17:53:01 tony: Takes us through the open issues
17:53:06 ... for wd-07
17:53:18 ... Does anyone else have anything they'd like to talk about?
17:53:38 Mike: I have a question for jeffh - you said earlier that there were issues with what parameters we're passing -- the options parameters -- to CTAP
17:53:57 ... You said there were some that we didn't have to pass, but I replied that some authenticators may be dynamic
17:54:00 jeffh: That's #524
17:54:34 .... There's no resolution on that yet. I'm going to dredge up new thoughts on it
17:54:44 tony: Any other issues?
17:54:56 angelo: Perhaps at some point we should start going over the CR list of issues
17:55:05 tony: I agree. I want to get the related ones into WD-07 also
17:55:34 tony: If no one else has things to talk about, we can give you 5 minutes back
17:55:38 jeffh: woohoo
17:55:45 tony: OK appreciate it, thank you
17:55:53
17:56:11 I have made the request to generate http://www.w3.org/2017/08/16-webauthn-minutes.html jcj_moz
19:36:40 Zakim has left #webauthn
21:13:13 weiler has joined #webauthn
22:34:32 weiler has joined #webauthn
22:52:33 rrsagent, goodbye
22:52:33 I'm logging. I don't understand 'goodbye', weiler. Try /msg RRSAgent help
22:52:46 trackbot, end meeting
22:52:46 Zakim, list attendees
22:52:54 RRSAgent, please draft minutes
22:52:54 I have made the request to generate http://www.w3.org/2017/08/16-webauthn-minutes.html trackbot
22:52:55 RRSAgent, bye
22:52:55 I see no action items