W3C

- DRAFT -

Web Authentication Working Group Teleconference

29 Nov 2017

Agenda
https://lists.w3.org/Archives/Public/public-webauthn/2017Nov/0618.html

Attendees

Present
Angelo, Ibrahim, agl, akshay, christiaan, elundberg, jbradley, jcj_moz, jeffh, jfontana, kpaulh, nadalin, selfissued, weiler, wseltzer, SamSrinivas, apowers
Regrets
Chair
nadalin, jfontana
Scribe
jcj_moz, weiler



<jfontana> tony: Getting close to wrapping up WD-07

<elundberg> https://github.com/w3c/webauthn/pull/688

<jcj_moz> scribenick: jcj_moz

nadalin: Still getting PR 688 IPR handled
... some discussion of moving this out of WD-07

angelo: IPR issue is because he's not a member?

nadalin: Correct. Adding him as an invited expert
... I'm OK with moving this to CR

angelo: I recommend that we publish this by 5pm PT tomorrow

nadalin: I moved PR 688 to CR
... Moving to issues 700 / 701, which have PR https://github.com/w3c/webauthn/pull/702

angelo: Before we move to other PRs, can I bring attention around publication?

nadalin: Yes

angelo: I plan to deal with the publication of the 7th draft Thursday afternoon-ish
... I plan to send an email today, and if you think there's some issue out there that needs to be resolved before the draft is published, respond

jeffh: Sounds fine

nadalin: Any objections?

{{silence}}

nadalin: If there's no more, let's move on to https://github.com/w3c/webauthn/pull/702

jeffh: I've addressed them
... the issues emil brought up

nadalin: Christiaan, have you reviewed this?

<SamSrinivas> permission+

<jeffh> https://github.com/w3c/webauthn/pull/702

jeffh: Can I give some background?
... So CredMan changed while we were at IETF to add another param to the internal methods
... and this caused a change, and this adapts the WebAuthn spec to it
... that's #700
... and #701 had a few loose ends with incorrect argument list references which this fixes
... so this will help WD-07 to be more polished

agl: CredMan has a flag now to see whether something is allowed outside of a top level browsing context...

jeffh: What the PR does right now is check to see if that bool is true, and if it's true, we continue, and if it's false, we error out
... which permits use in nested browsing contexts if they're same origin all the way
... I believe we were leaning towards allowing nesting if it's same origin all the way up the stack

agl: People thought same origin all the way up the stack would be OK, but were unclear about cross-origin
... I have no strong opinions now

Ibrahim: This came up because of Payments and authentication with iframes

Christiaan: I think in the short term 3D secure won't roll out at scale, but in the long term we have to have a solution
... {{ discussion about feature policy stuff }}
... but absent Feature Policy
... we should err cautiously

Angelo: First part of TPAC we agreed to ... do this

Christiaan: I don't think we should allow webauthn in an iframe without Feature Policy

Angelo: We should make a note that right now we don't allow this, but we're waiting on Feature Policy to be stable
... This is also used by Payment Requests API

jeffh: I'll amend the PR to add a note
... and I'll fix another bug Emil just found

nadalin: Once we have signoff, we'll merge this
... and hopefully this will get done today and angelo it will let you do your magic for WD-07
... This brings us to Jeff's comments about the agenda
... we need reviewers for the editorial changes

jeffh and jcj_moz: we will review

scribe: Any issues we want to talk about? 27 of them ... 18 are editorial

nadalin: regarding security considerations section

jeffh: We should reference the voluminous security considerations for FIDO
... that would help us get to CR faster

nadalin: weiler, can we reference the FIDO docs?

weiler: As long as it's public

jeffh: We already do reference it, but this will be much more explicit

wseltzer: Yes, fine to me. As long as we also consider distinct considerations beyond FIDO

nadalin: That's all I have on the list today. If people want, we can start going through the technical open issues
... https://github.com/w3c/webauthn/issues/204

jcj_moz: I think this goes in to the privacy considerations
... as authentication and privacy have a complex relationship

nadalin: https://github.com/w3c/webauthn/issues/227 -- waiting on giri
... https://github.com/w3c/webauthn/issues/362

selfissued: This might be obsolete at this point. We're registering the COSE algorithms registry

agl: I don't understand it

selfissued: We've redone the whole crypto section since

nadalin: Please leave a comment to have opener respond or close it

emil: re - https://github.com/w3c/webauthn/issues/227
... I think the discussion about privacy authenticator discovery is obsolete with hotplugging
... so maybe it's no longer necessary

nadalin: https://github.com/w3c/webauthn/issues/368

jeffh: I have a proposed fix in on that

<jeffh> https://github.com/w3c/webauthn/issues/368#issuecomment-296282872

nadalin: https://github.com/w3c/webauthn/issues/374... did this get fixed?

jeffh: Yes, this will be closed

nadalin: by 702
... Okay - https://github.com/w3c/webauthn/issues/396

jeffh: There's a PR, 683

nadalin: https://github.com/w3c/webauthn/issues/420

<weiler> scribenick: weiler

https://github.com/w3c/webauthn/issues/396

closing PR and issue. https://github.com/w3c/webauthn/pull/683

https://github.com/w3c/webauthn/issues/420

jeffh: I will review - looks complicated.

nadalin: I added Emil - he had comments before.

https://github.com/w3c/webauthn/issues/455

nadalin: we've been through canonical CBOR stuff... we left this one open.

jeffh: we need to point to CTAP spec for definition.

nadalin: this is just editorial now.

selfissued: can someone send me a link to a public CTAP spec for this?

jeffh: it's referenced in WebAuthn spec now.

agl: there is a review draft 4

nadalin: labeling is confusing

selfissued: I want a URL...

https://github.com/w3c/webauthn/issues/491

jeffh: I'll look at it.

https://github.com/w3c/webauthn/issues/570

nadalin: this is just editorial.

selfissued: OK.

[we're looking at tech issues for CR milestone]

<jeffh> https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3ACR+label%3Atype%3Atechnical

https://github.com/w3c/webauthn/issues/626

jcj: there is a breaking change to the WebIDL; we can push it, since it's extensions.
... at least two PRs left on this.

nadalin: any concerns? will anyone support this ext?

selfissued: some ext's are underspec'ed. I'll look at extensions in a bit. I looked at the general mechanism before, but didn't dig into the individual ext's before - those need to be fixed.

jcj: [explains the WebIDL breakdown]

selfissued: map of maps is used both for extensions in the browser and extensions in the authenticator.

jcj: that's okay in CBOR, but not in JS.
... intent is to make it so the JS side deals with this as an opaque blob
... there's not much to gain from defining how to go from a JS map to a CBOR map and back. Simplifying.

selfissued: natural expression in JS is a dict; not sure why we'd do otherwise.

jcj: problem is defining the transform.

jeffh: not taking away structure; CBOR just jammed into a buffer. intermediaries don't need to look at it. only RP.

selfissued: maybe I need to dig deeper

jcj: want to avoid complexities of conversion. everything is using CBOR.

angelo: thanks Mike.
... for wd07, add a note in ext section ... @@

selfissued: no. general ext mechanism is well defined.

angelo: add note that individual mechanisms might change

selfissued: no point in speculative editorial comments in draft.
... kept that in the issue tracker. no need to equivocate in the spec.
... for 626, I want to see the PR JC is proposing to change the type structure.

nadalin: JC will create PR?
... call next week at usual time. 07 out this week. interop plans/timeline?

John_Bradley: we're interested

akshay: January.

christiaan: during Monterey FIDO plenary?
... nothing before then.

Jan 22-25

fontana: FIDO seminar Fri 19th in Bay Area.

nadalin: or monday 22nd?

christiaan: Friday 26 Jan?

<apowers> +1

[26 Jan seems happiest]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/11/29 19:08:05 $
