W3C

- DRAFT -

Web Authentication Working Group Teleconference

20 Dec 2017

Agenda

Attendees

Present
elundberg, apowers, weiler, jeffh, selfissued, akshay, nadalin, JBradley, wseltzer, agl, jfontana, Rolf, gmandyam
Regrets
Chair
SV_MEETING_CHAIR
Scribe
jfontana

Contents


https://github.com/w3c/webauthn/pull/730

<weiler> from PR 558: " authenticators should never return userid (or any account info for that matter) when a signature was requested using a CredentialID [this means it's being used as a second factor]. "

https://github.com/w3c/webauthn/pull/730

<weiler> akshay: RP sending a list of credid's....

yes.

akshay: using the credential ID as the user handle. yes

elundberg: trying to resolve statement by Christiaan. ...never return a user ID

reference is to 558 PR

akshay: we said everything related to user ID handle should be random

jbradley: think christiaan was saying...if handle was leaked it could leak to someone else.

<jeffh> christiaan's comment that @emlun is referring to: https://github.com/w3c/webauthn/pull/558#issuecomment-331537953

jbradley: think this is a CTAP thing

akshay: we agreed at that time you will not store in the user handle anything privacy related

jbradley: if this user ID is established by an RP how is giving it back to that RP leaking info. in the get credential case?

elundberg: it relates to stealing the authenticator

akshay: no. no. no...
... I am not giving the credential ID on their own

jbradley: if someone steals your token and goes to a site they can get PII
... not sure that improves the user situation

jbradley: if it is an MFA device you are not going to get anything anyway

jbradley: threat is key is lost, and does not have pin protection or 2FA and thief knows password on pin, they can get the user ID out
... but they have to break into the account. we may be over complicating things. if the threat does occur then you have bigger problems.

elundberg: OK. maybe we should close this along with ???

akshay: let's postpone it right now.

<elundberg> along with #720

tony: OK
... is this still a CR issue

akshay: this should not have been an issue at all
... wait till Christiaan is back.

elundberg: if this is not accurate, let's change it.

akshay: right now with U2F as a second factor, I don't see any issue giving this credential ID back for a user handle.

akshay: if someone has an issue, they can do a pull

<Rolf> what is user handle?

<Rolf> the keyHandle?

Akshay: I am fine with this.

https://github.com/w3c/webauthn/pull/479

tony: this is Rolf

Rolf: I am on the line
... the only thing I can say, there have been some change requests. I have addressed them

agl: what is motivation of moving this from extension to core

rolf: it is much better to have all the authenticator selection in one place

agl: I'm not sure Google would implement this in Chrome

JeffH: we are creating this selection criteria as we go along
... reasonable to keep discussing this...

tony: OK, we can do that
... we have giri's biometric

jeffH: I am still questioning him

https://github.com/w3c/webauthn/pull/623

JeffH: I have comments in here that have not been looked at.

tony: akshay can look at this

akshay: yes.

https://github.com/w3c/webauthn/pull/664

jeffH: angelo has not gotten back to us.

Jeff: I think we should close this

<Rolf> I agree

tony: we need angelo to get back to us on this

JeffH: yes

tony: close this. no action.

https://github.com/w3c/webauthn/pull/666

JeffH: I will read recent changes, just some things to polish

tony: rolf has signed off on it.

https://github.com/w3c/webauthn/pull/687

elundberg: we were postponing until 705 was merged.

tony: 705???

jeffH: it is ready to go

tony: akshay can you look at this

akshay: yes

<jeffh> https://github.com/w3c/webauthn/pull/705

tony: does anyone from Google want to look at this 705

agl: sure thing

JeffH: it is pretty simple

tony: if AGL signs off on it and akshay signs off, Jeff you can go ahead and do it

https://github.com/w3c/webauthn/pull/708

<gmandyam> Re: https://github.com/w3c/webauthn/pull/510. Have tried to address JeffH's comments in last PR. Still have not seen response.

jeffH: looks good to me

akshay: need more clarification what is going on here with external authenticator and RP
... what are we breaking if we have this option in the get assertion

elundberg: not breaking. unnecessary
... reasoning, is that eventually user has option to use the platform or the authenticator

akshay: I think this PR is good to go 708

https://github.com/w3c/webauthn/pull/709

tony: waiting for angelo to sign off
... akshay look at this

akshay: OK

rolf will look and approve

https://github.com/w3c/webauthn/pull/717

<jeffh> https://github.com/w3c/webauthn/pull/717

selfissued: if this is correct, it should be merged

JeffH: do you want to merge

https://github.com/w3c/webauthn/pull/718

assigned to selfissued

https://github.com/w3c/webauthn/pull/723

agl: one larger open question. do we weave app ID into the rest of the spec.

tony: where do we stand

jeffH: we need to re-review with that in mind.

https://github.com/w3c/webauthn/pull/724

<gmandyam> Cannot join telco; tried to address jeffH comments in latest PR revision

https://github.com/w3c/webauthn/pull/726

selfissued: this should be merged

tony: if others need to be added, add them, Mike (selfissued)

selfissued: i think this can be merged.

tony: OK

https://github.com/w3c/webauthn/pull/728

jeffH: it is dead simple, it is tiny
... but we should have someone else look at it.

tony: akshay will look at it, Jeff H will merge if it is OK

https://github.com/w3c/webauthn/pull/729

jeffH: small but needs a look

akshay: will look

tony: jeff H will merge 728

selfissued: I just approved it

tony: OK
... this takes us through the open PRs

selfissued: we have not looked at 470
... depends on how urgent we think this is. I can just fix it, or wait for angelo

tony: I don't know when angelo is back
... that gets us through the pull requests.
... we still have some open issues, but only a few minutes left. Are there any issues we need to talk about now?

selfissued: I just asked for a definition of blinding. do we mean something specific

tony: this is 694?

<jeffh> https://github.com/w3c/webauthn/issues/694

selfissued: yes

tony: mike you will look at this

selfissued: yes.

agl: I can cook up a definition of blinding

selfissued: that would be great.
... specific is better than a definition

tony: we will not have meeting next week. We will resume on Jan. 3 2018

<jeffh> bye

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/12/20 18:58:55 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Dec/0229.html