<scribe> scribenick: elundberg
agl: while we wait for our chairs, any comments on https://github.com/w3c/webauthn/issues/799?
akshayku: let me get back to you on this
agl: ok, I will double check to
confirm my suspicion is correct
... in the course of answering #799, I think I may have
discovered that FF and Chrome are doing this wrong
... right now our authenticators are U2F, which use ASN.1
formatted signatures
jeffh: someone with the perms should re-open #799, I can't
nadalin: noone has the perms right now
akshayku: our impl also starts
with three zero(s?)
... I will look it up and follow up at the end of this day
agl: I will check too; if all 3 impls do this we should probably change the spec to this
akshayku: if this turns out to be an issue we should fix it in CR
apowers: we discovered this because U2F and CTAP give signatures in different formats
agl: yes, we have to unify these 2 versions of CTAP
gmandyam: will that impose a req on authnrs?
agl: no, I think the browsers can just recode the signatures in either direction
nadalin: so this looks like the only issue left in CR
jeffh: no, there's #800 and #801
gmandyam: on the topic of https://github.com/w3c/webauthn/issues/800
the loc extension retrieves data straight from the GPS modem
scribe: as a result, there's not
an exact correspondence between this data and the geolocation
API
... where we get hung up is accuracy
... which is required in geoloc
... the accuracy we get may not match that of the OS
... so I'm not sure it's possible in practice to get
@selfissued's desired 1-to-1 correspondence
nadalin: ok, I'll discuss this with @selfissued
gmandyam: if we can close this, I may need to introduce CDDL and CBOR examples back in
jeffh: @agl also submitted https://github.com/w3c/webauthn/pull/802 this morning
agl: I'm standing in for Kim
nadalin: I'll see if we stand on this, if we can do it in CR
agl: at least noone on Google has told me this is an absolute must-do for us
nadalin: given we get #800 and
#801 resolved, we'll move forward to get a do generated
... repo is locked right now, which is the reason for the perms
issue noted earlier
jeffh: I suggest #799 is reopened as soon as possible
agl: I'm not sure #799 is imminently critical, if all impls have done the same thing
nadalin: #798, #799 and #800 will
be assigned to CR
... there are some other issues/PRs outstanding for PR
release
... we have https://github.com/w3c/webauthn/pull/666
jeffh: I think we should still do this
https://github.com/w3c/webauthn/pull/501
jeffh: I think this messes the
spec up, and we shouldn't do this
... basically he just got rid of the use cases section, which I
don't think is the right thing to do
https://github.com/w3c/webauthn/pull/653
nadalin: I believe this is ongoing
jeffh: yes
nadalin: ok, nothing to do right now
https://github.com/w3c/webauthn/pull/688
nadalin: it doesn't look like
Johan is joining the WG
... I'm going to close this, and if anyone wants to reopen it
they can do so
... unless @weiler has any new information
weiler: no new information
nadalin: so we'll close this, and someone else can submit the change
jeffh: yes, we all thought it was a good idea
nadalin: we have no issues/PRs
without milestones
... we have 50 issues in the PR milestone
https://github.com/w3c/webauthn/issues/24
jeffh: I have illustrations, I need to update them to the current state of the spec
nadalin: ok, this will remain open
https://github.com/w3c/webauthn/issues/80
jeffh: this is a subset of #358
https://github.com/w3c/webauthn/issues?page=2&q=is%3Aopen+is%3Aissue+milestone%3APR
jeffh: I would close this, but I need to double check
https://github.com/w3c/webauthn/issues/96
jeffh: this may be closable
https://github.com/w3c/webauthn/issues/116
jeffh: this is still valid
https://github.com/w3c/webauthn/issues/140
elundberg: I think this isn't quite the same as the recent privacy cons, this seems more like a worry about authnrs encoding PII into credential IDs
nadalin: isn't there a note saying credId should be random?
jeffh: we'll just need to
check
... leave this open
... this may just be something to add to privacy
considerations
https://github.com/w3c/webauthn/issues/151
jeffh: this raises questions we
may want to cover in implementation considerations
... we don't have a section for it now, they're sprinkled as
notes throughout the spec
https://github.com/w3c/webauthn/issues/180
jeffh: I intend to do this, leave open
https://github.com/w3c/webauthn/issues/294
jeffh: I think this may be
addressed, given the major surgery we've done on the
algorithms
... this is specifically about an extension though
... we may get feedback on this as people take a hard look at
the CR release
https://github.com/w3c/webauthn/issues/301
jeffh: I think this is what
Angelo wanted to do in #501
... I approve, but not of removing the use cases section
https://github.com/w3c/webauthn/issues/303
gmandyam: we made a collective
decision not to [couldn't hear] we have no expert review
... I recommend leaving this open, @selfissued and I will
resolve it
...warning: this came up in webRTC when we opened an IANA
registry there
weiler: I'm wondering why this needs a physical meeting
nadalin: it's AD sponsored
... we'll submit to the AD in March
https://github.com/w3c/webauthn/issues/334
jeffh: leave open for now
https://github.com/w3c/webauthn/issues/349
jeffh: just something to do if people want to do this
<weiler> weiler: I'm trying to break the dependence on physical meetings - we know who the new AD is - we could ask him now (or ask the continuing Sec AD)
jeffh: basically it's to materialise the getAuthenticatorInfo function in the web API
https://github.com/w3c/webauthn/issues/358
jeffh: this is ongoing
https://github.com/w3c/webauthn/issues/360
jeffh: the Fetch PR 325 addresses this
gmandyam: will that be backported to XHR, or are we forced to use fetch to get token binding?
jeffh: I guess that's up to browser vendors
agl: sorry, no idea
https://github.com/w3c/webauthn/issues/364
nadalin: this should stay open, we'll validate with browser vendors
https://github.com/w3c/webauthn/issues/373
jeffh: I noticed Bluetooth and NFC have guides on how to mention their brands and such
akshayku: what is being proposed?
nadalin: have someone read
through the spec and see if we follow the guidelines
... so that hopefully they don't come after us after we
publish
akshayku: this just looks unactionable to me
weiler: I think people will get it even if we get it wrong
wseltzer: W3C legal is not particularly worried
https://github.com/w3c/webauthn/issues/382
nadalin: let's double-check this, might be closable now
https://github.com/w3c/webauthn/issues/403
https://github.com/w3c/webauthn/issues/410
jeffh: I think we decided to not
do this
... because we don't want to assume all authnrs use CTAP
nadalin: so close with no action?
jeffh: it's probably worth redigesting jyasskin's comments
https://github.com/w3c/webauthn/issues/422
jeffh: it seems to me the spec
lacks this
... I took a swipe at it in the issue
... this is all implied right now
... only implied
nadalin: ok, remains open
https://github.com/w3c/webauthn/issues/433
nadalin: I thought we'd taken care of this
akshayku: I'll look at it
https://github.com/w3c/webauthn/issues/452
agl: this is still valid
https://github.com/w3c/webauthn/issues/454
agl: it may be reasonable to fold this into the general privacy considerations, and close this
https://github.com/w3c/webauthn/issues/462
jeffh: this is ongoing
https://github.com/w3c/webauthn/issues/493
jeffh: leave this open
https://github.com/w3c/webauthn/issues/517
jeffh: leave open
https://github.com/w3c/webauthn/issues/529
nadalin: this is assigned to selfissued, we'll leave it open
https://github.com/w3c/webauthn/issues/540
jeffh: we should just close that, I don't think we should do that at this point
https://github.com/w3c/webauthn/issues/575
jeffh: this is related to the
other timeout issue
... reference this to #364
nadalin: ok, time's up
This is scribe.perl Revision: 1.152 of Date: 2017/02/06 11:04:15 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00) Present: elundberg weiler apowers AGL Akshay Dmitriz gmandyam jeffh jfontana Rolf nadalin John_Bradley wseltzer Regrets: jcj_moz Found ScribeNick: elundberg Inferring Scribes: elundberg WARNING: No "Topic:" lines found. Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Feb/0367.html Found Date: 14 Feb 2018 People with action items: WARNING: No "Topic: ..." lines found! Resulting HTML may have an empty (invalid) <ol>...</ol>. Explanation: "Topic: ..." lines are used to indicate the start of new discussion topics or agenda items, such as: <dbooth> Topic: Review of Amy's report WARNING: IRC log location not specified! (You can ignore this warning if you do not want the generated minutes to contain a link to the original IRC log.)[End of scribe.perl diagnostic output]