<weiler> from PR 558: " authenticators should never return userid (or any account info for that matter) when a signature was requested using a CredentialID [this means it's being used as a second factor]. "
https://github.com/w3c/webauthn/pull/730
<weiler> akshay: RP sending a list of credid's....
yes.
akshay: using the credential ID as the user handle. yes
elundberg: trying to resolve statement by Christiaan. ...never return a user ID
reference is to 558 PR
akshay: we said everything related to user ID handle should be random
jbradley: think christiaan was saying...if handle was leaked it could leak to someone else.
<jeffh> christiaan's comment that @emlun is referring to: https://github.com/w3c/webauthn/pull/558#issuecomment-331537953
jbradley: think this is a CTAP thing
akshay: we agreed at that time you will not be storing in the user handle anything privacy related
akshay
jbradley: if this user ID is established by an RP how is it giving it back to that RP leaking info, in the get credential case?
elundberg: it relates to stealing the authenticator
akshay: no. no. no...
scribe: I am not giving the credential ID on their own
jbradley: if someone steals your token and goes to a site they can get PII
... not sure that improves the user situation
jbradley: if it is MFA device you are not going to get anything anyway
jbradley: threat is key is lost, and does not have pin protection or 2FA and thief knows password on pin, they can get the user ID out
... but they have to break into the account. we may be over complicating things. if the threat does occur then you have bigger problems.
elundberg: OK. maybe we should close this along with ???
akshay: let's postpone it right now.
<elundberg> along with #720
tony: OK
... is this still a CR issue
akshay: this should not have been an issue at all
... wait til Christiaan is back.
elundberg: if this is not accurate, let's change it.
akshay: right now with U2F as a second factor, I don't see any issue giving this credential ID back for a user handle.
akshay: if someone has an issue, they can do a pull
<Rolf> what is user handle?
<Rolf> the keyHandle?
Akshay: I am fine with this.
https://github.com/w3c/webauthn/pull/479
tony: this is Rolf
Rolf: I am on the line
... the only thing I can say, there have been some change requests. I have addressed
agl: what is motivation of moving this from extension to core
rolf: it is much better to have all the authenticator selection in one place
agl: I'm not sure Google would implement this in Chrome
JeffH: we are creating this selection criteria as we go along
... reasonable to keep discussing this...
tony: OK, we can do that
... we have giri's biometric
jeffH: I am still questioning him
https://github.com/w3c/webauthn/pull/623
JeffH: I have comments in here that have not been looked at.
tony: akshay can look at this
akshay: yes.
https://github.com/w3c/webauthn/pull/664
jeffH: angelo has not gotten back to us.
Jeff: I think we should close this
<Rolf> Rolf: I agree
tony: we need angelo to get back to us on this
JeffH: yes
tony: close this. no action.
https://github.com/w3c/webauthn/pull/666
JeffH: I will read recent changes, just some things to polish
tony: rolf has signed off on it.
https://github.com/w3c/webauthn/pull/687
elundberg: we were postponing until 705 was merged.
tony: 705???
jeffH: it is ready to go
tony: akshay can you look at this
akshay: yes
<jeffh> https://github.com/w3c/webauthn/pull/705
tony: does anyone from Google want to look at this 705
agl: sure thing
JeffH: it is pretty simple
tony: if AGL signs on it and akshay signs off, Jeff you can go ahead and do it
https://github.com/w3c/webauthn/pull/708
<gmandyam> Re: https://github.com/w3c/webauthn/pull/510. Have tried to address JeffH's comments in last PR. Still have not seen response.
jeffH: looks good to me
akshay: need more clarification
... what is going on here with external authenticator and RP
... what are we breaking if we have this option in the get assertion
elundberg: not breaking. unnecessary
... reasoning, is that eventually user has option to use the platform or the authenticator
akshay: I think this PR is good to go 708
https://github.com/w3c/webauthn/pull/709
tony: waiting for angelo to sign off
... akshay look at this
akshay: OK
rolf will look and approve
https://github.com/w3c/webauthn/pull/717
<jeffh> https://github.com/w3c/webauthn/pull/717
selfissued: if this is correct, it should be merged
JeffH: do you want to merge
https://github.com/w3c/webauthn/pull/718
assigned to selfissued
https://github.com/w3c/webauthn/pull/723
agl: one larger open question. do weave ID into rest of spec.
app ID
tony: where do we stand
jeffH: we need to re-review with that in mind.
https://github.com/w3c/webauthn/pull/724
<gmandyam> Cannot join telco; tried to address jeffH comments in latest PR revision
https://github.com/w3c/webauthn/pull/726
selfissued: this should be merged
tony: if others need to be added, add them, Mike (selfissued)
selfissued: i think this can be merged.
tony: OK
https://github.com/w3c/webauthn/pull/728
jeffH: it is dead simple, it is tiny
... but we should have someone else look at it.
tony: akshay will look at it, Jeff H will merge if it is OK
https://github.com/w3c/webauthn/pull/729
jeffH: small but needs a look
akshay: will look
tony: jeff H will merge 728
selfissued: I just approved it
tony: OK
... this takes us through the open PRs
selfissued: we have not looked at 470
... depends on how urgent we think this is. I can just fix it. or wait for angelo
tony: i don't know when angelo is back
... that gets us through the pull requests.
... we still have some open issues. but only a few minutes left. Are there any issues we need to talk about now
selfissued: i just asked for definition of blinding. do we mean something specific
tony: this is 694?
<jeffh> https://github.com/w3c/webauthn/issues/694
selfissued: yes
tony: mike you will look at this
selfissued: yes.
agl: i can cook up a definition of blinding
selfissued: that would be great.
... specific is better than a definition
tony: we will not have meeting next week. We will resume on Jan. 3 2018
<jeffh> bye
Present: elundberg, apowers, weiler, jeffh, selfissued, akshay, nadalin, JBradley, wseltzer, agl, jfontana, Rolf, gmandyam
Scribe (inferred): jfontana
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Dec/0229.html
Date: 20 Dec 2017