apologies, I'm having to take the call in a noisy environment
<tara> runnegar: will work on privacy questionnaire this month
<jnovak> is the WoT document this one: https://www.w3.org/TR/wot-security/?
Yes
<tara> See also Web of Things document (link to come) - runnegar will review, wseltzer has made comments
<tara> Others invited to take a look and comment
<tara> https://www.w3.org/TR/webauthn/
request for privacy review, at TPAC we had a joint session with the WG with overview on plan and use cases, at the time it was under revision
document released in December
<weiler> https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3ACR
some identified privacy considerations around the keys and the ability to track using persistent identifiers, privacy CA
the WG would like comments
we can discuss today, or can submit directly
sam: a couple of issues including general issue around leaking users' associations with different sites (relatively small batches)
one big known problem
but the document needs a detailed look in case I have missed anything
jason: you raise a good point
a couple of other things that are similar
e.g. the idea in section 5.4 that a relying party can invoke the creation of a new credential with exclude credential flag
could be used to detect if credentials for a site or account
could be used to determine links
(same authenticator for two sites, A and B, determine owned by same person)
sam: asking if different if something returned or not
jason: fail if already returned (the way i read it)
hoping Web Authenticator WG people were here because I have some questions
sam: maybe we reschedule this call so we can talk with them?
tara: I agree
could even do a specific call to move this forward
<weiler> jason, would you be up for filing a github issue on that one?
need to clarify some of the functionality to make sure we understand the privacy issues
(scribe cannot hear)
(scribe says thanks)
<jnovak> I’ll file a github issue on the cross-account linking
tara: yes, as much as possible, file comments in github
sam, active discussion of issues?
<jnovak> the other point was, roughly, section 6.2.1 states that requireUserPresence is always set to the inverse of requireUserVerification but it isn’t clear where that’s implemented
sam: yes, active discussion - but if we file something, we need to flag for this rev
tara: any changes to deadlines, timelines?
sam: no discussion about this yesterday
... try to set up a meeting next week in this time slot
tara: can send a note after meeting to set a time
remember to send comments by email if cannot participate in call
<tara> https://w3c.github.io/mediacapture-image/
<tara> Media Capture from DOM Elements API: https://w3c.github.io/mediacapture-fromelement/
<tara> MediaStream Recording API: https://w3c.github.io/mediacapture-record/
WebRTC looking for privacy reviews
not sure whether the WG will be able to participate today, but are enthusiastic
<tara> Jumping back a minute to WebAuthWG
sam: two issues open right now, 204 and 140, that seem to be on the topic you were talking about jason
<weiler> https://github.com/w3c/webauthn/issues/204
<weiler> https://github.com/w3c/webauthn/issues/140
sam: maybe do a plus 1 if that makes sense
(scribe could not hear jason)
<weiler> (he'll look at them)
<jnovak> Sorry about the audio issues — think I found the WebEx setting to fix it. I said I would look at the two issues
tara: any points we want to bring up today regarding the APIs
(scribe - jason could you type in your comments in IRC)
<npdoty> jnovak: should the spec leave open enforcement of origin separation, or should there be a standard way to enforce?
nick: I didn't review in great detail, but notice that the three docs have different security considerations sections
(lost npd)
the image capture just references getusermedia
media capture from DOM has origin separation requirements
recording seems to have no mention
any intention to align them? or should they? seems we could do better with that
tara: interesting observation
I can see some value in aligning those
<Zakim> npdoty, you wanted to comment on mediastream
nick: not sure if need to raise as an issue or whether to raise issues on the drafts that do not have much in the specs
will take an action item to raise some issues in github and maybe we could have a separate email re aligning
<npdoty> I can draft an email on aligning the security/privacy considerations sections, and I'll at least raise an issue on Recording
<npdoty> jnovak, I don't know if you wanted to raise an issue on from-DOM
<tara> Similar to what npdoty said about recording API, there is some additional fingerprinting surface exposed
jason: there are some additional fingerprinting issues with audio bits per second
nick: difference from getusermedia or part of it?
jason: did not see in getusermedia
nick: looks like it might be a separate user preference
<npdoty> well, maybe it's the calling application that specifies the preference ... https://w3c.github.io/mediacapture-record/#dom-mediarecorderoptions-bitspersecond
nick: either a separate issue or something that we can ask in that email, will add it to the email
jason: will take a pass at the analysis
tara: thanks jason
    ... AOB?
nick: do spectre and meltdown have privacy issues?
<tara> christine: these are silicon/hw issues not web, as I understand it
but good question, would like to know more
jason: some browsers are implementing mitigations
<jnovak> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
christine: autofill browser issue
<npdoty> a+ on permissions
<npdoty> https://github.com/w3c/permissions/pull/166
<tara> Permissions API moving forward
nick: the permissions API seems to be going forward on implementations, opened issues on privacy about 2 years ago, if have comments on pull request or issue, now would be a good time
also makes me wonder about whether we will have a workshop or event
now seems a particularly relevant time
sam: we want to, but nothing organised as yet
if have a host in mind, west coast us, that would be helpful
nick: will talk with sam about Berkeley
<npdoty> this was the original privacy issue that I raised: https://github.com/w3c/permissions/issues/52
sam: not a PING action item, but a general W3C item
<Zakim> npdoty, you wanted to comment on permissions
<jnovak> +q
jason: i thought web audio API asked for review, thought was on agenda, but don't recall exactly
tara: did reach out, but do not have a response as yet
correct, on our stack
tara: will follow up
    ... AOB?
special meeting, try to set up next week with Web Auth
february call
8?
tara: set for 8 February
Present: weiler keiji tara christine jnovak npdoty
Regrets: wseltzer