<jfontana> tony: Getting close to wrapping up WD-07
<elundberg> https://github.com/w3c/webauthn/pull/688
<jcj_moz> scribenick: jcj_moz
nadalin: Still getting PR 688 IPR handled
... some discussion of moving this out of WD-07
angelo: IPR issue is because he's not a member?
nadalin: Correct. Adding him as an invited expert
... I'm OK with moving this to CR
angelo: I recommend that we publish this by 5pm PT tomorrow
nadalin: I moved PR 688 to CR
... Moving to issues 700 / 701 which has PR https://github.com/w3c/webauthn/pull/702
angelo: Before we move to other PRs, can I bring attention around publication?
nadalin: Yes
angelo: I plan to deal with the publication of the 7th draft Thursday afternoon-ish
... I plan to send an email today, and if you think there's some issue out there that needs resolved before the draft is published, respond
jeffh: Sounds fine
nadalin: Any objections?
{{silence}}
nadalin: If there's no more, let's move on to https://github.com/w3c/webauthn/pull/702
jeffh: I've addressed them
... the issues emil brought up
nadalin: Christiaan, have you reviewed this?
<SamSrinivas> permission+
<jeffh> https://github.com/w3c/webauthn/pull/702
jeffh: Can I give some background?
... So Credman changed while we were at IETF to add another param to the internal methods
... and this caused a change, and this adapts the WebAuthn spec to it
... that's #700
... and #701 had a few loose ends with incorrect argument list references which this fixes
... so this will help WD-07 to be more polished
agl: CredMan has a flag now to see whether something is allowed outside of a top level browsing context...
jeffh: What the PR does right now is checks to see if that bool is true, and if it's true, we continue, and if it's false, we error out
... which permits use in nested browsing contexts if they're same origin all the way
... I believe we were leaning towards allowing nesting if it's same origin all the way up the stack
agl: People thought same origin all the way up the stack would be OK, but were unclear about cross-origin
... I have no strong opinions now
Ibrahim: This came up because of Payments and authentication with iframes
Christiaan: I think in the short term 3D secure won't roll out at scale, but in the long term we have to have a solution
... {{ discussion about feature policy stuff }}
... but absent Feature Policy
... we should err cautiously
Angelo: First part of TPAC we agreed to ... do this
Christiaan: I don't think we should allow webauthn in an iframe without Feature Policy
Angelo: We should make a note that right now we don't allow this, but we're waiting on Feature Policy to be stable
... This is also used by Payment Requests API
jeffh: I'll amend the PR to add a note
... and I'll fix another bug Emil just found
nadalin: Once we have signoff, we'll merge this
... and hopefully this will get done today and angelo it will let you do your magic for WD-07
... This brings us to Jeff's comments about the agenda
... we need reviewers for the editorial changes
jeffh and jcj_moz: we will review
scribe: Any issues we want to talk about? 27 of them ... 18 are editorials
nadalin: regarding security considerations section
jeffh: We should reference the voluminous security considerations for FIDO
... that would help us get to CR faster
nadalin: weiler, can we reference the FIDO docs?
weiler: As long as it's public
jeffh: We already do reference it, but this will be much more explicit
wseltzer: Yes, fine to me. As long as we also consider distinct considerations beyond FIDO
nadalin: That's all I have on the list today. If people want, we can start going through the technical open issues
... https://github.com/w3c/webauthn/issues/204
jcj_moz: I think this goes in to the privacy considerations
... as authentication and privacy have a complex relationship
nadalin: https://github.com/w3c/webauthn/issues/227 -- waiting on giri
... https://github.com/w3c/webauthn/issues/362
selfissued: This might be obsolete at this point. We're registering the COSE algorithms registry
agl: I don't understand it
selfissued: We've redone the whole crypto section since
nadalin: Please leave a comment to have opener respond or close it
emil: re - https://github.com/w3c/webauthn/issues/227
... I think the discussion about privacy authenticator discovery is obsolete with hotplugging
... so maybe it's no longer necessary
nadalin: https://github.com/w3c/webauthn/issues/368
jeffh: I have a proposed fix in on that
<jeffh> https://github.com/w3c/webauthn/issues/368#issuecomment-296282872
nadalin: https://github.com/w3c/webauthn/issues/374... did this get fixed?
jeffh: Yes, this will be closed
nadalin: by 702
... Okay - https://github.com/w3c/webauthn/issues/396
jeffh: There's a PR, 683
nadalin: https://github.com/w3c/webauthn/issues/420
<weiler> scribenick: weiler
https://github.com/w3c/webauthn/issues/396
closing PR and issue. https://github.com/w3c/webauthn/pull/683
https://github.com/w3c/webauthn/issues/420
jeffh: I will review - looks complicated.
nadalin: I added Emil - he had comments before.
https://github.com/w3c/webauthn/issues/455
nadalin: we've been through canonical cbor stuff... we left this one open.
jeffh: we need to point to ctap spec for definition.
nadalin: this is just editorial now.
selfissued: can someone send me a link to a public ctap spec for this?
jeffh: it's referenced in webauthn spec now.
agl: there is a review draft 4
nadalin: labeling is confusing
selfissued: I want a URL...
https://github.com/w3c/webauthn/issues/491
jeffh: I'll look at it.
https://github.com/w3c/webauthn/issues/570
nadalin: this is just editorial.
selfissued: OK.
[we're looking at tech issues for CR milestone]
https://github.com/w3c/webauthn/issues/626
jcj: there is a breaking change to the WebIDL; we can push it, since it's extensions.
... at least two PRs left on this.
nadalin: any concerns? will anyone support this ext?
selfissued: some ext's are underspec'ed. I'll look at extensions in a bit. I looked at the general mechanism before, but didn't dig into the individual ext's before - those need to be fixed.
jcj: [explains the WebIDL breakdown]
selfissued: map of maps is used both for extensions in the browser and extensions in the authenticator.
jcj: that's okay in CBOR, but not in JS.
... intent is to make it so JS side deals with this as an opaque blob
... if not much to gain from defining how to do from JS to CBOR map and back. Simplifying.
selfissued: natural expression in JS is a dict; not sure why we'd do otherwise.
jcj: problem is defining the transform.
jeffh: not taking away structure; cbor just jammed into a buffer. intermediaries don't need to look at it. only RP.
selfissued: maybe I need to dig deeper
jcj: want to avoid complexities of conversion. everything is using cbor.
angelo: thanks mike.
... for wd07, add a note in ext section ... @@
selfissued: no. general ext mechanism is well defined.
angelo: add note that individual mechanisms might change
selfissued: no point in speculative editorial comments in draft.
... kept that in the issue tracker. no need to equivocate in the spec.
... for 626, I want to see the PR JC is proposing to change the
type structure.
nadalin: JC will create PR?
... call next week at usual time. 07 out this week. interop plans/timeline?
John_Bradley: we're interested
akshay: January.
christiaan: during monterey fido plenary?
... nothing before then.
Jan 22-25
fontana: fido seminar fri 19th in bay area.
nadalin: or monday 22nd?
christiaan: Friday 26 Jan?
<apowers> +1
[26 Jan seems happiest]
Present: Angelo, Ibrahim, agl, akshay, christiaan, elundberg, jbradley, jcj_moz, jeffh, jfontana, kpaulh, nadalin, selfissued, weiler, wseltzer, SamSrinivas, apowers
Scribes: jcj_moz, weiler
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Nov/0618.html
Date: 29 Nov 2017