W3C

- DRAFT -

SV_MEETING_TITLE

04 Jan 2018

Attendees

Present
weiler, keiji, tara, christine, jnovak, npdoty
Regrets
wseltzer
Chair
SV_MEETING_CHAIR
Scribe
christine

Contents


apologies, I'm having to take the call in a noisy environment

<tara> runnegar: will work on privacy questionnaire this month

<jnovak> is the WoT document this one: https://www.w3.org/TR/wot-security/?

Yes

<tara> See also Web of Things document (link to come) - runnegar will review, wseltzer has made comments

<tara> Others invited to take a look and comment

<tara> https://www.w3.org/TR/webauthn/

request for privacy review, at TPAC we had a joint session with the WG with overview on plan and use cases, at the time it was under revision

document released in December

<weiler> https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3ACR

<weiler> https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3ACR+label%3Asubtype%3Aprivacy

some identified privacy considerations around the keys and the ability to track using persistent identifiers, privacy CA

the WG would like comments

we can discuss today, or can submit directly

sam: a couple of issues including general issue around leaking users associations with different sites (relatively small batches)

one big known problem

but the document needs a detailed looked in case I have missed anything

jason: you raise a good point

a couple of other things that are similar

e.g. the idea in section 5.4 that a relying party can invoke the creation of a new credential with exclude credential flag

could be used to detect if credentials for a site or account

could be used to determines links

(same authenticator for two sites, A and B, determine owned by same person

sam: asking if different if something returned or not

jason: fail if already returned (the way i read it)

hoping Web Authenticator WG people were here because I have some questions

sam: maybe we reschedule this call so we can talk with them?

tara: I agree

could even do a specific call to move this forward

<weiler> jason, would you be up for filing a github issue on that one?

need to clarify some of the functionality to make sure we understand the privacy issues

(scribe cannot hear)

(scribes says thanks)

<jnovak> I’ll file a github issue on the cross-account linking

tara: yes, as much as possible, file comments in github

sam, active discussion of issues?

<jnovak> the other point was, roughly, section 6.2.1 states that requireUserPresence is always set to the inverse of requireUserVerification but it isn’t clear where that’s implemented

sam: yes, active discussion - but if we file something, we need to flag for this rev

tara: any changes to deadlines, timelines?

sam: no discussion about this yesterday
... try to set up a meeting next week in this time slot

tara: can send a note after meeting to set a time

remember to send comments by email if cannot participate in call

<tara> https://w3c.github.io/mediacapture-image/

<tara> * Media Capture from DOM Elements API: https://w3c.github.io/mediacapture-fromelement/

<tara> MediaStream Recording API: https://w3c.github.io/mediacapture-record/

WebRTC looking for privacy reviews

not sure whether the WG will be able to participate today, but are enthusiastic

<tara> Jumping back a minute to WebAuthWG

sam: two issues open right now, 204 and 140, that seem to be on the topic you were talking about jason

<weiler> https://github.com/w3c/webauthn/issues/204

<weiler> https://github.com/w3c/webauthn/issues/140

sam: maybe do a plus 1 if that makes sense

(scribe could not hear jason)

<weiler> (he'll look at them)

<jnovak> Sorry about the audio issues — think I foudn the WebEx setting to fix it. I said I would look at the two issues

tara: any points we want to bring up today regarding the APIs

(scribe - jason could you type in your comments in IRC)

<npdoty> jnovak: should the spec leave open enforcement of origin separation, or should there be a standard way to enforce?

nick: I didn't review in great detail, but notice that the three docs have different security considerations sections

(lost npd)

the image capture just references getusermedia

media capture from DOM has origin separation requirements

recording seems to have no mention

any intention to align them? or should they? seems we could do better with that

tara: interesting observation

I can see some value in aligning those

<Zakim> npdoty, you wanted to comment on mediastream

nick: not sure if need to raise as an issue or whether to raise issues on the drafts that do not have much in the specs

will take an action item to raise some issues in github and maybe we could have a separate email re aligning

<npdoty> I can draft an email on aligning the security/privacy considerations sections, and I'll at least raise an issue on Recording

<npdoty> jnovak, I don't know if you wanted to raise an issue on from-DOM

<tara> Similar to what npdoty said about recording API, there is some additional fingerprinting surface exposed

jason: there is some additional fingerprinting issues with audio bits per second

nick: difference from getusermedia or part of it?

jason: did not see in getusermedia

nick: looks like it might be a separate user preference

<npdoty> well, maybe it's the calling application that specifies the preference ... https://w3c.github.io/mediacapture-record/#dom-mediarecorderoptions-bitspersecond

nick: either a separate issue or something that we can ask in that email, will add it to the email

jason: will take a pass at the analysis

tara: thanks jason
... AOB?

nick: do specture and meltdown have privacy issues?

spectre

<tara> christine: these are silicon/hw issues not web, as I understand it

but good question, would like to know more

jason: some browsers are implementing mitigations

<jnovak> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

christine: autofill browser issue

q_

<npdoty> a+ on permissions

<npdoty> https://github.com/w3c/permissions/pull/166

<tara> Permissions API moving forward

nick: the permissions API seems to be going forward on implementations, opened issues on privacy about 2 years ago, if have comments on pull request or issue, now would be a good time

also makes me wonder about whether we will have a workshop or event

now seems a particularly relevant time

sam: we want to, but nothing organised as yet

if have a host in mind, west coast us, that would be helpful

nick: will talk with sam about Berkeley

<npdoty> this was the original privacy issue that I raised: https://github.com/w3c/permissions/issues/52

sam: not a PING action item, but a general W3C item

<Zakim> npdoty, you wanted to comment on permissions

<jnovak> +q

jason: i thought web audio API asked for review, thought was on agenda, but don't recall exactly

tara: did reach out, but do not have a response as yet

correct, on our stack

tara: will follow up
... AOB?

special meeting, try to set up next week with Web Auth

february call

8?

tara: set for 8 February

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/01/04 17:55:20 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/+ h/+/
Present: weiler keiji tara christine jnovak npdoty
Regrets: wseltzer
No ScribeNick specified.  Guessing ScribeNick: christine
Inferring Scribes: christine

WARNING: No "Topic:" lines found.


WARNING: No meeting title found!
You should specify the meeting title like this:
<dbooth> Meeting: Weekly Baking Club Meeting


WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth


WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.


WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)


[End of scribe.perl diagnostic output]