Privacy Interest Group Teleconference

11 Jan 2018


weiler, jeffh, agl, nadalin, christine, jnovak, SusanPandy, MaryHodder
weiler, christine


<weiler> scribe: weiler

Review of Web Authentication specification

<scribe> Meeting: Privacy IG special meeting to review Web Authentication specification

<jeffh> https://w3c.github.io/webauthn/

<jeffh> fido priv principals: https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf

<christine> jeff giving an overview of the FIDO principles re privacy

<christine> point 5 relates to linkability

<christine> point 8 relates to users viewing and managing authenticators

<christine> facilitated by protocol but up to implementators to take advantage of that

jnovak: suggest adding a statement to the spec that these principles are guiding it.

<christine> jason - may be helpful to indicate in spec that these principles are guiding development of the spec so know to go look at doc

<christine> jeff submitting issue, should if does not

<christine> tony : privacy considerations is still work in progress

<christine> will clean up before CR

<christine> tests available to make sure did not violate privacy principles of FIDO

<christine> jeff: FIDO has a certified compliance program

<christine> tony: note FIDO has further restrictions not relevant to this spec

<christine> tony: this effort to get APIs acceptable by major browser vendors so could deliver javascript

<christine> as far as the privacy issues, FIDO is currently addressing in implementation in field

<christine> taking that experience to apply here

<christine> here a set of use cases deemed within scope of APi

<christine> we do have things like attestations and identifiers that we have privacy considerations

<christine> major privacy concern is linkability

<christine> adopted basic credential interface from credential api from webappsec

<christine> main interface into credential object

<jeffh> s/#create-passwordcredential//

<christine> jason: re linkability and attestations - re attestations types

<christine> tony: does not exclude others from being defined

<christine> jason: questions about basic attestation and self attestation and privac properties

<jeffh> "large anonymity set"

<christine> is there a mininium number of authenticators with attestation to get privacy property?

<christine> adam: 100,000 and FIDO says will disable tokens if don't

<christine> jason: why not in spec?

<christine> adam: questions of jurisdictions?

<christine> consider separate from W3C work

<christine> tony: where FIDO certification would take place

<christine> jason: UAs would maintain own list of authenticators above 100,000

<christine> adam: block list rather than white list

<christine> FIDO also has a metadata service

<christine> jason: re self-attestation

<christine> in my read, authenticator uses private key to generate attestation signature - could there be linkability issues?

<christine> jeff: credential private key, is specific to relying party so no linkability across relying parties - attestation is optional

<christine> default is none

<christine> recently added to spec

<christine> clarifying, relying parties can indicate whether or not to receive attestation, default is not to receive

christine: when we have cred w/ private key generating attestation sig... is unique to the RP.... is there any issue of linkability across sites within one RP?

agl: cred private keys should be freshly generated for every reg. a givien RP can query whether a token recognizes a credential. browsers will have to mitigate this.
... could discover that same token has creds for two accounts and try to get the other one.

christine: sounds like you're trying to minimize this risk with timeouts. should that risk be documented?

agl: an implementation could subtlely get this wrong and not notice.

christine: valuable to document

weiler: +1

christine: should 100k be in the spec? could have devices that aren't fido devices trying to use this? should we add non-normative guidance?

agl: no objection to mentioning that.

jnovak: we've been talking about linkability across RPs; not sure we've talked about linkablity across accounts on same authenticator

<christine> jason: we have been talking about linkability across relying parties, but what about linkability across accounts on a single authenticator with a single replying party

<christine> (handing over scribing to you sam)

jnovak: issues 204 and 140.

<christine> adam: linkability we discussed earlier, re-probing

<christine> adam: RP probing credential associated with it, but a user it does not know

<christine> need to be careful not to distinguish by timing

<christine> jason: additional questions re state of spec and certain ideas are trending

<christine> allowing for siltent authenticators? that a user does not have to interact with to release the credential, some issues open and discussion about whether in V1 or V2

<christine> if allowed, raises issues of user knowledge and trackability

<christine> tony: majority of group and probably browser vendors think a bad thing to do in Web, but FIDO has another piece that may allow it to work

<christine> jeff: they are in the wild in UAF, implemented by Intel, user notification, in this deployment and implementation, alerted by RP

<christine> want to ascertain whether still you periodically, and are you okay with that? an example for, say, fraud reduction

<christine> adam: not part of spec

<christine> jeff; not now

<christine> tony: microsoft not consider now

<christine> jason: would we allow for cross-origin iframes to call for authenticator

<christine> perhaps impact is changed if silent authenticators not in play for web at moment

<christine> jeff: they are orthogonal but intersect

<christine> rpid is the effective top level domain of the entity that created the top level context

<christine> etld plus 1

<christine> jason: ...

<christine> jeff: handled at credential management level

<jnovak> -q


<christine> sam: in same vein as silent authenticators, location extension - does it need separate user consent? e.g. on things on location

<christine> adam: geolocation API at W3C - would not let it leak silently, same level of consent for any other way to get location

<christine> sam: other things sensitive?

<christine> jeff: I think we have it covered

<christine> adam: signature counter, fairly minor

<christine> jeff: specifically call out user consent for location extension in 11.2

<christine> sam: not in the extension section

<christine> jeff: if not, need to add to other one, please file an issue

<christine> sam: asking new faces to look at spec, Google, Microsoft etc. good for fine tooth comb

<christine> jason: thanks everyone

<christine> hope to better understand interplay require user verification and user presence - section 6.2.1

<christine> not sure where see necessarily enforced, false in 6.2.7 (e.g.)


<christine> what is the enforcement relation and mechanism?

<christine> adam: don't see explict reject, could add a step, if two are equal could abort, would address concern?

<christine> jason: yes, I think it would

<christine> jeff: this is a nuanced thing, don't think we have clarify, could be seen as subset as under verification, would not reject

<christine> adam: but defined that way

<christine> jeff: had concern about defn

<christine> adam: could change definition to address

<christine> jeff: sounds like an issue to file

<christine> potentially related to other issues

<christine> adam: will see if fits an existing issu

<scribe> chair: christine

<tara> Thank you also (from late arrival)!

<christine> takeaways - some things to add to privacy considerations, some open issues already to address the things we noted in the discussion

<christine> some things to reference, e.g. privacy principles, size of authenticator batch, etc. (see minutes)

<christine> jeff: ground breaking spec - perhaps a note for implementation kind of things, scattered in spec, whether leave as is or move, or do both

<christine> for discussion in WG

<scribe> scribe: christine

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/01/11 18:01:29 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

FAILED: s/#create-passwordcredential//
Succeeded: s/register/metadata service/
Present: weiler jeffh agl nadalin christine jnovak SusanPandy MaryHodder
Regrets: wseltzer
Found Scribe: weiler
Inferring ScribeNick: weiler
Found Scribe: christine
Scribes: weiler, christine
Found Date: 11 Jan 2018
People with action items: 

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)

[End of scribe.perl diagnostic output]