W3C

- DRAFT -

Web Authentication Working Group Teleconference

16 Aug 2017

Attendees

Present
weiler, jcj_moz, jeffh, wseltzer, kpaulh, gmandyam, ChristiaanBrand, jfontana, John_Bradley, selfissued, Rolf, nadalin, angelo, AkshayKumar, apowers
Regrets
Chair
nadalin, jfontana
Scribe
weiler, jcj_moz

<kpaulh> you're welcome!

<weiler> scribenick: weiler

tony: thanks to angelo, mike, et al. for getting wd06 out.

hoping wd07 will be the last before CR. want all normative changes to be in wd07, so nothing major in cr.

target is cr at tpac.

one PR for wd07; alg fixups. Jeff

jeff: distracted working on ctap

<Zakim> weiler, you wanted to discuss wide review

<wseltzer> weiler: wide review -- if you want to go to CR in November, we should get the word out to horizontal groups now

weiler: if we want cr at tpac, need to start review now

tony: but we'll be making normative changes

jeff: we have 100 open issues. sounds aspirational to me.

[jeff wants a shiny mode of transportation]

tony: no wide review yet. want wd07 and other issues resolved first

how long do they want?

weiler: 2-3 mo, I think.

tony: issue 349.

https://github.com/w3c/webauthn/issues/349

Add getAuthenticatorInfo to the Authenticator Model section

angelo: sent internal mail...

I don't have access

jeff: you need a fido acct

angelo: should be able to resolve many when

we have 349 resolved.

ctap spec is going through some churn; maybe I should wait for it.

jeff: we'll need to specify it against the ctap spec.

giri: can you directly link it to ctap spec?

instead of copying here?

jeff: I'd specify getinfo in our api, explaining it, and reference public draft ctap spec. get the results from that call to ctap and map them.

giri: ctap spec is pretty clear as to return value. for platform authenticators, could potentially return richer info.

do you want to restrict to what we have or make it a superset?

jeff: I'd mock this up as a PR and work on it together. not sure how we'd pass back null fields. maybe as a blob or pointer to arbitrary obj? I'm sure there's a worked example out there.

angelo: I think I created this issue when I added one of the required @@ params. .... can only indicate this in the get authenticator info. very generic. web spec and protocol spec should be in parallel but we might have future protocol changes.

akshay: how do you handle multiple devices?

jeff: clarify: authenticators. Not sure. what we're doing in getAssertion and makeCred is to hand wave and say platform has info on all avail authenticators

i could imagine that getinfo call in authenticator models (remember: that's abstract now) would say "for each avail auth, call getInfo"

Rolf: there's a good reason for this to be abstract. might be bound, platform-specific authenticators.

angelo: this is editorial

ok to punt issue 349 to cr.

jeff: I wouldn't punt. it's easy. we should just do it

mike: do what, specifically?

jeff: I think I should do this...

471 https://github.com/w3c/webauthn/issues/471

<angelo> This is the link: https://github.com/w3c/webauthn/milestone/13

<jcj_moz> scribenick: jcj_moz

tony: re #506

jcj_moz: I made this all zeroes

akshay: I proposed all zeroes in CTAP

tony: What's Google done?

kim: I believe it's just zeroed out right now

tony: Can you check, kim, and if so we just zero this out and close it?
... I'll assign this to Kim to verify w/ Google implementation

kim: OK

jeffh: The problem is that AGL's comment is it gives back a unique identifier that could be used for tracking, I'll try to comment on this later
... zeroes offhand seem fine to me

tony: now https://github.com/w3c/webauthn/issues/507

akshay: I think this should all be zeroes again; there's no counter from U2F devices

tony: jcj_moz -- we're using all zeroes

jcj_moz: We're using all zeroes. The counter isn't available yet, but we previously discussed maybe requiring a Sign to follow every Create so that we could convey a counter, but that's bad UX

Rolf: Original purpose of the counter was not anti-MITM/replay, it was for authenticator cloning prevention

jcj_moz: OK, cloning isn't as much an issue when we're first generating a new credential

Rolf: But it still matters to send this during make credential so we don't lose track

Akshay: How would we do this for U2F that doesn't do this?

Rolf: Some authenticators do support

Akshay: Does the counter come back in the make credential?

<angelo> counter is in https://w3c.github.io/webauthn/#sec-authenticator-data

jcj_moz: So the issue is that U2F wire protocol doesn't have a counter during make credential, so while WebAuthn supports a stronger situation where counters are given for both get assertion and make credential, in the U2F case...

jcj_moz ... the counter for make credential during U2F Attestation Statement Formats are going to be all zeroes

tony: Next issue: #393

https://github.com/w3c/webauthn/issues/393

jcj_moz: this is not a normative change to the WebIDL, right?

jeffh: No ... depends on how you wrote your code. Object currently not named.

tony: Now https://github.com/w3c/webauthn/issues/292 #292

angelo: This is related to #380

jeffh: I'll put a note in here

tony: Now #466 https://github.com/w3c/webauthn/issues/466

jeffh: That'll be closed by #498

tony: Then 472?

jeffh: I believe that's the same board, #498

tony: Then #472?
... Now on to #458 https://github.com/w3c/webauthn/issues/458

angelo: Mike Jones had some new info for this?

tony: We talked about federation last time

Mike: I talked to the Microsoft folks and said that federation is the right way to do this, and also the one-time basis of re-enrolling from one IDP to another

jeffh: I'll close and comment

Tony: That takes us to #524

https://github.com/w3c/webauthn/issues/524

angelo: This is related to GetAuthenticatorInfo, or how that process is done

tony: So related to #349

jeffh: There's problems in the spec with the way this was added. I was going to analyze and comment on this; more news to come
... I'll assign myself. There's some flies in the ointment here

tony: Onto #380

angelo: We talked about this already

jeffh: yeah we did

tony: Takes us through the open issues
... for wd-07
... Does anyone else have anything they'd like to talk about?

Mike: I have a question for jeffh - you said earlier that there were issues with what parameters we're passing -- the options parameters -- to CTAP
... You said there were some that we didn't have to pass, but I replied that some authenticators may be dynamic

jeffh: That's #524
... There's no resolution on that yet. I'm going to dredge up new thoughts on it

tony: Any other issues?

angelo: Perhaps at some point we should start going over the CR list of issues

tony: I agree. I want to get the related ones into WD-07 also
... If no one else has things to talk about, we can give you 5 minutes back

jeffh: woohoo

tony: OK appreciate it, thank you

<conference ends>

<weiler> trackbot, end meeting

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/08/16 22:53:00 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Aug/0171.html