See also: IRC log
<kpaulh> you're welcome!
<weiler> scribenick: weiler
tony: thanks to angelo, mike, et al. for getting wd06 out.
hoping wd07 will be the last before CR. want all normative changes to be in wd07, so nothing major in cr.
target is cr at tpac.
one PR for wd07; alg fixups. Jeff
jeff: distracted working on ctap
<Zakim> weiler, you wanted to discuss wide review
<wseltzer> weiler: wide review -- if you want to go to CR in November, we should get the word out to horizontal groups now
weiler: if we want cr at tpac, need to start review now
tony: but we'll be making normative changes
jeff: we have 100 open issues. sounds aspirational to me.
[jeff wants a shiny mode of transportation]
tony: no wide review yet. want wd07 and other issues resolved first
how long do they want?
weiler: 2-3 mo, I think.
tony: issue 349.
https://github.com/w3c/webauthn/issues/349
Add getAuthenticatorInfo to the Authenticator Model section
angelo: sent internal mail...
I don't have access
jeff: you need a fido acct
angelo: should be able to resolve many when we have 349 resolved.
ctap spec is going through some churn; maybe I should wait for it.
jeff: we'll need to specify it against the ctap spec.
giri: can you directly link it to ctap spec?
instead of copying here?
jeff: I'd specify getinfo in our api, explaining it, and reference public draft ctap spec. get the results from that call to ctap and map them.
giri: ctap spec is pretty clear as to return value. for platform authenticators, could potentially return richer info.
do you want to restrict to what we have or make it a superset?
jeff: I'd mock this up as a PR and work on it together. not sure how we'd pass back null fields. maybe as a blob or pointer to arbitrary obj? I'm sure there's a worked example out there.
angelo: I think I created this issue when I added one of the required @@ params. .... can only indicate this in the get authenticator info. very generic. web spec and protocol spec should be in parallel but we might have future protocol changes.
akshay: how do you handle multiple devices?
jeff: clarify: authenticators. Not sure. what we're doing in getAssertion and makeCred is to hand wave and say platform has info on all avail authenticators
i could imagine that getinfo call in authenticator models (remember: that's abstract now) would say "for each avail auth, call getInfo"
Rolf: there's a good reason for this to be abstract. might be bound, platform-specific authenticators.
angelo: this is editorial
ok to punt issue 349 to cr.
jeff: I wouldn't punt. it's easy. we should just do it
mike: do what, specifically?
jeff: I think I should do this...
<angelo> This is the link: https://github.com/w3c/webauthn/milestone/13
<jcj_moz> scribenick: jcj_moz
tony: re #506
jcj_moz: I made this all zeroes
akshay: I proposed all zeroes in CTAP
tony: What's Google done?
kim: I believe it's just zeroed out right now
tony: Can you check, kim, and if so we just zero this out and close it?
... I'll assign this to Kim to verify w/ Google implementation
kim: OK
jeffh: The problem is that AGL's comment is it gives back a unique identifier that could be used for tracking, I'll try to comment on this later
... zeroes offhand seem fine to me
tony: now https://github.com/w3c/webauthn/issues/507
akshay: I think this should all be zeroes again; there's no counter from U2F devices
tony: jcj_moz -- we're using all zeroes
jcj_moz: We're using all zeroes. The counter isn't available yet, but we previously discussed maybe requiring a Sign to follow every Create so that we could convey a counter, but that's bad UX
Rolf: Original purpose of the counter was not anti-MITM/replay, it was for authenticator cloning prevention
jcj_moz: OK, cloning isn't as much an issue when we're first generating a new credential
Rolf: But it still matters to send this during make credential so we don't lose track
Akshay: How would we do this for U2F that doesn't do this?
Rolf: Some authenticators do support
Akshay: Does the counter come back in the make credential?
<angelo> counter is in https://w3c.github.io/webauthn/#sec-authenticator-data
jcj_moz: So the issue is that U2F wire protocol doesn't have a counter during make credential, so while WebAuthn supports a stronger situation where counters are given for both get assertion and make credential, in the U2F case...
jcj_moz ... the counter for make credential during U2F Attestation Statement Formats are going to be all zeroes
tony: Next issue: #393
https://github.com/w3c/webauthn/issues/393
jcj_moz: this is not a normative change to the WebIDL, right?
jeffh: No ... depends on how you wrote your code. Object currently not named.
tony: Now https://github.com/w3c/webauthn/issues/292 #292
angelo: This is related to #380
jeffh: I'll put a note in here
tony: Now #466 https://github.com/w3c/webauthn/issues/466
jeffh: That'll be closed by #498
tony: Then 472?
jeffh: I believe that's the same board, #498
tony: Then #472?
... Now on to #458 https://github.com/w3c/webauthn/issues/458
angelo: Mike Jones had some new info for this?
tony: We talked about federation last time
Mike: I talked to the Microsoft folks and said that federation is the right way to do this, and also the one-time basis of re-enrolling from one IDP to another
jeffh: I'll close and comment
Tony: That takes us to #524
https://github.com/w3c/webauthn/issues/524
angelo: This is related to GetAuthenticatorInfo, or how that process is done
tony: So related to #349
jeffh: There's problems in the spec with the way this was added. I was going to analyze and comment on this; more news to come
... I'll assign myself. There's some flies in the ointment here
tony: Onto #380
angelo: We talked about this already
jeffh: yeah we did
tony: Takes us through the open issues
... for wd-07
... Does anyone else have anything they'd like to talk about?
Mike: I have a question for jeffh - you said earlier that there were issues with what parameters we're passing -- the options parameters -- to CTAP
... You said there were some that we didn't have to pass, but I replied that some authenticators may be dynamic
jeffh: That's #524
... There's no resolution on that yet. I'm going to dredge up new thoughts on it
tony: Any other issues?
angelo: Perhaps at some point we should start going over the CR list of issues
tony: I agree. I want to get the related ones into WD-07 also
... If no one else has things to talk about, we can give you 5 minutes back
jeffh: woohoo
tony: OK appreciate it, thank you
<conference ends>
<weiler> trackbot, end meeting
Present: weiler, jcj_moz, jeffh, wseltzer, kpaulh, gmandyam, ChristiaanBrand, jfontana, John_Bradley, selfissued, Rolf, nadalin, angelo, AkshayKumar, apowers
Scribes: weiler, jcj_moz
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Aug/0171.html
Date: 16 Aug 2017
Minutes URL: http://www.w3.org/2017/08/16-webauthn-minutes.html