16:55:30 <RRSAgent> RRSAgent has joined #webauthn
16:55:31 <RRSAgent> logging to http://www.w3.org/2017/09/20-webauthn-irc
16:55:32 <trackbot> RRSAgent, make logs public
16:55:33 <Zakim> Zakim has joined #webauthn
16:55:35 <trackbot> Meeting: Web Authentication Working Group Teleconference
16:55:35 <trackbot> Date: 20 September 2017
16:58:19 <weiler> weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Sep/0328.html
16:58:25 <weiler> agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Sep/0328.html
17:01:35 <jeffh> jeffh has joined #webauthn
17:01:48 <jeffh> present+ jeffh
17:02:39 <gmandyam> gmandyam has joined #webauthn
17:02:56 <gmandyam> present+ gmandyam
17:03:37 <wseltzer> present+
17:04:04 <weiler> present+
17:05:43 <weiler> no meeting next week.  tpac in november.
17:06:06 <wseltzer> zakim, who is here?
17:06:06 <Zakim> Present: jeffh, gmandyam, wseltzer, weiler
17:06:07 <weiler> jfontana: still need a couple of charter votes.
17:06:08 <Zakim> On IRC I see gmandyam, jeffh, Zakim, RRSAgent, jyasskin, mkwst, slightlyoff, battre, schuki, weiler, trackbot, adrianba, jochen___, jcj_moz, wseltzer
17:06:34 <Rolf> Rolf has joined #webauthn
17:06:52 <wseltzer> present+ akshay, battre, christiaan_goog, rolf, jbradley
17:07:05 <kpaulh> kpaulh has joined #webauthn
17:07:11 <kpaulh> present+
17:07:31 <jeffh> https://github.com/w3c/webappsec-credential-management/pull/100#issuecomment-327968338
17:07:34 <weiler> topic: 498
17:07:51 <wseltzer> jeffh: Webauthn 498, CredMan PR 100
17:08:05 <wseltzer> ... still need more review
17:08:15 <Rolf> .. by credman folks
17:08:24 <jeffh> https://github.com/w3c/webauthn/pull/498#issuecomment-329175945
17:08:39 <wseltzer> ... Please review in the CredMan issue on PR100
17:08:51 <wseltzer> ... still need to look at Rolf's comment
17:09:06 <wseltzer> ... and then, if correct, apply same changes to getAssertion algo
17:09:17 <apowers> apowers has joined #webauthn
17:09:18 <wseltzer> ... should be fairly smooth once nailed down.
17:09:38 <wseltzer> Rolf: my comment relates to multiple sigs authenticator might create
17:10:04 <wseltzer> ... how to disambiguate credentials
17:10:18 <wseltzer> ... there was one proposal on the table, authenticators should sign all assertions
17:10:37 <wseltzer> jeffh: could you edit your Aug 2 comment on #498 to add pointers to the issue
17:10:43 <wseltzer> Rolf: I'm looking at that
17:11:02 <wseltzer> jeffh: underway. We've made good progress
17:11:22 <wseltzer> ... and one Q from mkwst that I've asked about in PR 100
17:12:28 <wseltzer> Rolf: relates to a FIDO CTAP discussion. I added a comment
17:12:37 <wseltzer> jeffh: thanks
17:12:55 <wseltzer> Topic: 539
17:13:11 <wseltzer> Rolf: I think it's ready to be merged
17:13:14 <wseltzer> https://github.com/w3c/webauthn/pull/539
17:13:31 <wseltzer> ... I think I addressed comments
17:13:34 <wseltzer> ... jeffh?
17:14:54 <wseltzer> jeffh: I'll look after the call
17:14:59 <wseltzer> Topic: 544
17:15:18 <wseltzer> jfontana: Angelo is working on PR 544 and 545
17:15:40 <wseltzer> Rolf: comments addressed on 544; waiting for conflict resolution
17:16:36 <wseltzer> https://github.com/w3c/webauthn/pull/544
17:17:10 <wseltzer> Angelo: how we should abort when viewport is not visible
17:17:12 <wseltzer> ... on the way
17:17:50 <wseltzer> jfontana: 545? privacy issues with icon URL?
17:17:59 <wseltzer> https://github.com/w3c/webauthn/pull/545
17:18:37 <wseltzer> Angelo: JC was arguing to remove the icon
17:18:41 <wseltzer> ... gain privacy, lose complexity
17:19:07 <wseltzer> angelo: counter-argument, that it's better than old UI and not much privacy difference
17:19:45 <wseltzer> christiaan: gaining privacy because when you fetch icons, you fetch all at once, giving correlation possibility
17:19:59 <wseltzer> .... showing that all accounts are on the same authenticator
17:20:11 <wseltzer> Rolf: we discussed different ways of doing
17:20:20 <wseltzer> ... instead of putting remote URL, use image URI.
17:20:38 <wseltzer> ... include the image directly, so you don't have the remote fetch
17:20:38 <jfontana> jfontana has joined #webauthN
17:20:52 <jfontana> jfontana has left #webauthn
17:21:09 <wseltzer> @@: that has implications for limited capability authenticator
17:21:48 <wseltzer> john_bradley: I take it that image would need to be stored on the key
17:21:49 <jfontana> jfontana has joined #webauthn
17:21:56 <wseltzer> ... which has impact on storage
17:22:15 <wseltzer> @@: alternative is just to drop it.
17:22:29 <wseltzer> ... and users use username to disambiguate account
17:22:43 <wseltzer> Rolf: and htat reduces complexity re updating images
17:22:47 <wseltzer> ... I'm fine with that
17:23:07 <wseltzer> @@: what I learned from identity people, account chooser UI is stronger because it has image
17:23:27 <wseltzer> john_bradley: depends which account chooser you're talking about
17:23:55 <wseltzer> @@: if someone wants to take iconURL out, feel free to do so
17:24:04 <wseltzer> ... the PR here is about ensuring it's secure
17:24:22 <wseltzer> ... so you don't end up with mixed content
17:24:41 <wseltzer> ... Maybe merge this PR, and Alexei, fi you wnat to take it out, make a new PR
17:25:09 <wseltzer> angelo: this PR is that URL must be secure
17:25:26 <wseltzer> ... so you don't end up with mixed content
17:25:50 <wseltzer> Rolf: Alexei's arguemnt is that if you want to guard against correlation by same RP, this doesn't help
17:25:54 <wseltzer> angelo: true
17:26:23 <wseltzer> john_bradley: won't browser cache so it won't go back every time?
17:26:41 <wseltzer> @@: probably, but platform specific
17:27:09 <wseltzer> Rolf: but if you move ext authenticator to external platform, there won't be a cache yet
17:27:19 <wseltzer> s/external/different/
17:27:47 <wseltzer> jfontana: how shall we proceed? merge and then have Alexei proceed with separate PR?
17:28:01 <wseltzer> angelo: that's what I'd suggest, leaving issue 139 open
17:28:11 <wseltzer> ... CTAP doesn't say you need stored image
17:29:00 <wseltzer> Alexei: fine
17:29:23 <wseltzer> jfontana: why don't you merge, and we'll come back to it at next meeting
17:29:28 <wseltzer> Topic: 538
17:29:48 <wseltzer> s/538/558/
17:30:01 <wseltzer> https://github.com/w3c/webauthn/pull/558
17:30:19 <wseltzer> christiaan: when making credential, you pass in a number of parameters
17:30:51 <wseltzer> ... including userid we though would be usable as reference
17:31:00 <wseltzer> ... unique index
17:31:13 <wseltzer> ... credential ID is not guaranteed to be unique
17:31:27 <wseltzer> ... and it's hard for us to change the indexes in our database to refer to crednetial ID
17:31:35 <apowers_> apowers_ has joined #webauthn
17:31:51 <wseltzer> ... we were hoping to get this in
17:32:23 <wseltzer> john_bradley: initially skeptical, but since it's provided by RP and going back to RP, problem overstaded
17:32:44 <wseltzer> ... I favor the PR. we may want to clarify that it's not a userid in the traditional sense
17:32:52 <wseltzer> ... but rather a correlation handle provided by the RP
17:32:57 <wseltzer> s/staded/stated/
17:33:36 <wseltzer> gmandyam: I understand the convenience; I'd hope that authenticators could create unique public keys
17:34:02 <wseltzer> Alexei: we looked at keyhandles we have in our DB
17:34:12 <wseltzer> ... (the U2F name for credential IDs)
17:34:17 <wseltzer> ... and we found collisions
17:34:38 <wseltzer> ... so while we might hope for uniqueness, there's not assured compliance
17:34:55 <wseltzer> ... Secondly, whenever you create secondary index for DB, you need global consistency
17:35:17 <wseltzer> ... you get more latency, another rpc
17:35:40 <wseltzer> ... Requiring this db index creates added complexity
17:35:47 <jyasskin> present+
17:35:53 <wseltzer> gmandyam: most concerning that you're finding clashes in public key
17:36:26 <wseltzer> @@: key handle isn't necessarily the public key
17:36:50 <wseltzer> alexei: nothing prevents people generating bad public keys
17:36:57 <wseltzer> ... I looked at raw values
17:37:23 <wseltzer> ... whatever you use, I think you have the same issue
17:37:57 <jeffh> s/public/private/ i believe -- eg u2f tokens place the private key in the keyhandle
17:38:17 <wseltzer> alexei: you can't make guarantees without a code audit
17:38:32 <wseltzer> ... we shouldn't build dbs depending on indices you don't control
17:38:39 <wseltzer> ... adds latency
17:38:56 <wseltzer> ... and causing reimplementation of dbs for everyone using spec
17:39:20 <wseltzer> @@MS: agree
17:39:31 <wseltzer> ... probably we should say some # of bytes
17:39:37 <wseltzer> ... e.g. 16 minimum
17:39:52 <wseltzer> ... re userid, beneficial for everyone to return to RP
17:40:01 <wseltzer> ... so I agree with Alexei
17:40:13 <wseltzer> gmandyam: not all client-side rngs are created equal
17:40:16 <apowers_> I joined late -- did we talk about how awesome the interop was yesterday?
17:41:00 <wseltzer> jfontana: do we have an agreement yet?
17:41:08 <wseltzer> jeffh: I'd like to review it, not for a few days
17:41:39 <wseltzer> jyasskin: some discussion at end of thread re restricting to multi-factor authenticator
17:42:05 <wseltzer> ... either call out in privacy considerations, or restrict to those that actually check the user
17:42:36 <wseltzer> ... if it's being used as a second factor, you can't just use it to login
17:42:55 <wseltzer> alexei: what any sane RP will do is store not "userid" in that field, but add a nonce, encrypt it
17:43:11 <wseltzer> ... so every time you call same "userid" will get different result
17:43:24 <wseltzer> @@: should displayname be there....?
17:43:27 <wseltzer> ... No
17:43:49 <wseltzer> jeffh: note that consideration as a separate isseu, implementation and securtiy considerations
17:44:21 <wseltzer> christiaan: if it doesn't have pin unlock
17:44:46 <wseltzer> @@: I'll file a new issue to put that into privacy considerations
17:45:21 <wseltzer> john_bradley: should we use another name to say people shouldn't put userid directly into that field?
17:45:28 <wseltzer> @@: agree
17:45:43 <wseltzer> john_bradley: give that advice
17:45:45 <wseltzer> jeffh: agree
17:46:02 <wseltzer> jyasskin: I'm currently typng an issue
17:46:18 <wseltzer> jfontana: we'll continue this discussion
17:46:43 <wseltzer> jeffh: in webauthn spec side, it's just called ID
17:47:04 <wseltzer> john_bradley: that's fine. just need appropriate privay consids re what you put in that field
17:47:18 <wseltzer> jeffh: it gets called user.id in some places
17:47:24 <weiler> JBradley: will you open an issue to add that?
17:47:56 <wseltzer> Topic: 571
17:48:06 <wseltzer> jfontana: 571, Dirk isn't here
17:48:20 <wseltzer> https://github.com/w3c/webauthn/pull/571
17:48:28 <wseltzer> christiaan: this is about cleanup
17:48:54 <wseltzer> ... think it's ready to be merged
17:49:35 <wseltzer> jeffh: fine by me
17:49:39 <wseltzer> jfontana: let's merge
17:49:44 <wseltzer> Topic: 572
17:49:52 <wseltzer> https://github.com/w3c/webauthn/pull/572
17:50:16 <wseltzer> christiaan: minor
17:50:49 <wseltzer> jeffh: without investigating details, looks fine to me
17:51:13 <wseltzer> jfontana: go ahead and merge
17:51:17 <wseltzer> Topic: 573
17:51:28 <wseltzer> https://github.com/w3c/webauthn/pull/573
17:51:34 <wseltzer> christiaan: another clarification
17:51:49 <wseltzer> jeffh: fine to me
17:51:56 <wseltzer> jfontana: merge
17:52:07 <wseltzer> Topic: Any open issues to discuss?
17:52:24 <wseltzer> jfontana: hearing none
17:52:43 <wseltzer> ... remember to have your AC reps cast votes for revised ccharter
17:52:54 <wseltzer> apowers: did we talk about interop?
17:53:07 <wseltzer> ... We had a bunch of people get togheter to test WD05
17:53:14 <wseltzer> ... good interop between browsers and servers
17:53:35 <wseltzer> ... we have a new version of WPT tools that haven't been checked in yet
17:53:40 <wseltzer> ... hoping to do PR soon
17:53:50 <wseltzer> ... good milestone, good implementations are in the works.
17:54:03 <wseltzer> [adjourned]
17:54:09 <wseltzer> rrsagent, make logs public
17:54:16 <wseltzer> rrsagent, draft minutes
17:54:16 <RRSAgent> I have made the request to generate http://www.w3.org/2017/09/20-webauthn-minutes.html wseltzer
17:55:22 <wseltzer> present+ apowers, alexei
17:55:26 <wseltzer> chair: jfontana
17:55:29 <wseltzer> regrets+ nadalin
17:55:33 <wseltzer> rrsagent, draft minutes
17:55:33 <RRSAgent> I have made the request to generate http://www.w3.org/2017/09/20-webauthn-minutes.html wseltzer
17:55:50 <weiler> present+ Ibrahim
17:56:03 <weiler>  rrsagent, draft minutes
17:56:03 <RRSAgent> I have made the request to generate http://www.w3.org/2017/09/20-webauthn-minutes.html weiler
20:30:19 <Zakim> Zakim has left #webauthn