W3C

- DRAFT -

Web Authentication Working Group Teleconference

06 Dec 2017

Attendees

Present
jeffh, weiler, elundberg, gmandyam, akshay, battre, elungberg, selfissued, jcj_moz, jfontana, JBradley, Rolf, apowers, angelo, agl
Regrets
wseltzer
Chair
jfontana
Scribe
elundberg

Contents

scribenick elundberg

jfontana: Let's continue the discussion about editors on the mailing list
... Freeze for CR is dec 20th, so we'll need to be efficient

correction: dec 18th

jeffh: Dec 18th seems very aspirational

<weiler> jeffh++

https://github.com/w3c/webauthn/issues/106

jfontana: I'm in a conversation with wseltzer, not much more to do here for now

https://github.com/w3c/webauthn/issues/184

there's a PR open for #184: https://github.com/w3c/webauthn/pull/687

selfissued: It's not clear what changes are requested

https://github.com/w3c/webauthn/issues/227

#687 is also related to this: https://github.com/w3c/webauthn/pull/687

akshay, elundberg: With hot plugging this is no longer an issue

selfissued: Does this need normative spec text or just some implementation guidance?

akshay: Probably just implementation guidance

gmandyam: I'm assuming a client that supports this extension will fail the makeCredential when an authenticator with the AAGUID is not available?

akshay: Right now we don't have a full implementation, but with hot plugging the extension can't fail the makeCredential before the timeout expires
... I think we can close this right now

jfontana: Let's leave it open and move to L2

https://github.com/w3c/webauthn/pull/362

jeffh: I agree with the intent, but I think we should ditch the "recognized algorithm name" term

jyasskin: That term is used in the DOM

agl: I think in practice all clients will pick SHA-256 and RPs will always expect SHA-256 and break horribly if other algs are used
... I think what we'll do in Chrome is pick algorithm by coin flip, so RPs are forced to support all algs

jbradley: I agree signaling is a nice theory, but not effective in practice

weiler: My interest in algorithm agility is the opportunity to upgrade to something we don't know today

gmandyam: @jyasskin: What was your issue with the COSE algorithm names?

@jyasskin sorry, I didn't catch your response

jyasskin: I think action now is stick to SHA-256

agl: And strip out the "recognized algorithm name" stuff because noone seems to like that

jeffh: There's some editing to do, let's do the work before we close the issue

agl: I can do this

https://github.com/w3c/webauthn/issues/491

agl: @jeffh points out the appId extension won't quite work if allowCredentials contains more than one credential
... There's quite some work to do here, and it's an important extension
... I think sites with U2F won't be able to move to webauthn without this

jcj_moz: I agree we need this

<jyasskin> elundberg: The issue with COSE algorithm names (listed in https://www.iana.org/assignments/cose/cose.xhtml#algorithms) is that there aren't any hash algorithms there now, just signing and encryption algorithms. https://www.iana.org/assignments/jose/jose.xhtml also doesn't have them.

thank you @jyasskin

jeffh: We need to resolve this for UAF as well

agl: I could do the surgery needed here for U2F, but not UAF

jeffh: I think we should settle for solving U2F for now

elundberg: Could you have the client try both RP ID hash and AppID hash if AppID is given?

jfontana: Seems like consensus is to focus on the U2F case for now

agl: I'll take this one too

https://github.com/w3c/webauthn/issues/543

jfontana: @selfissued is assigned, but no longer present

jeffh: We need to get @agl into the WG so we can assign him the issues

@weiler https://github.com/agl

angelo: There's no clear action to take here

jeffh: I need to take another look at this. If I recall correctly, it's about raising awareness to spec readers about COSE_Key
... Leave this for now

https://github.com/w3c/webauthn/issues/599

gmandyam: This is assigned to Christian who is out for a while, so we may want to reassign it

correction: that was Rolf, not gmandyam

agl: I can highlight this to some people at Google who might be familiar, but don't know if there'll be any tangible result

jcj_moz: If we have to kick this to PR we probably can

https://github.com/w3c/webauthn/issues/626

jcj_moz: I'm working on this, should have it done by the weekend

gmandyam: Related there's https://github.com/w3c/webauthn/pull/695 which has been approved, can we merge that?
... It's marked for PR but I think we can get that in now

jcj_moz: I agree, #695 is a pure improvement

https://github.com/w3c/webauthn/issues/685

there's a PR open: https://github.com/w3c/webauthn/pull/686

#686 needs review

jeffh: I'll review

jcj_moz: I'll review

jfontana: We're running out of time

gmandyam: I think there are some quick ones

https://github.com/w3c/webauthn/issues/589

Rolf: We can close this because it has been addressed

https://github.com/w3c/webauthn/issues/588

Rolf: The PR #677 addressing this has been merged already
... We should close this

https://github.com/w3c/webauthn/pull/709

related to #579

Rolf: This needs review

https://github.com/w3c/webauthn/pull/116

angelo: We planned to replace this section with a reference to CTAP

jeffh: The webauthn spec already indicates that it's an abstract model, but could perhaps be more clear on that
... CTAP isn't going to be the only client backend API
... So we still need this to be in the spec and keep it quite abstract
... The spec _may_ be good enough now, but we might need some editorial changes

angelo: I think we should move this to PR or L2, and look at this if we have time after CR

jcj_moz: That's fine with me

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/12/06 19:02:21 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/agl: @jyasskin points out/agl: @jeffh points out/
Present: jeffh weiler elundberg gmandyam akshay battre elungberg selfissued jcj_moz jfontana JBradley Rolf apowers angelo agl
Regrets: wseltzer
No ScribeNick specified.  Guessing ScribeNick: elundberg
Inferring Scribes: elundberg

WARNING: No "Topic:" lines found.

Found Date: 06 Dec 2017
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.


WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]