W3C

- DRAFT -

Web Authentication Working Group Teleconference

14 Feb 2018

Agenda

Attendees

Present
elundberg, weiler, apowers, AGL, Akshay, Dmitriz, gmandyam, jeffh, jfontana, Rolf, nadalin, John_Bradley, wseltzer
Regrets
jcj_moz
Chair
nadalin, jfontana
Scribe
elundberg


agl: while we wait for our chairs, any comments on https://github.com/w3c/webauthn/issues/799?

akshayku: let me get back to you on this

agl: ok, I will double check to confirm my suspicion is correct
... in the course of answering #799, I think I may have discovered that FF and Chrome are doing this wrong
... right now our authenticators are U2F, which use ASN.1 formatted signatures

jeffh: someone with the perms should re-open #799, I can't

nadalin: no one has the perms right now

akshayku: our impl also starts with three zero(s?)
... I will look it up and follow up at the end of this day

agl: I will check too; if all 3 impls do this we should probably change the spec to this

akshayku: if this turns out to be an issue we should fix it in CR

apowers: we discovered this because U2F and CTAP give signatures in different formats

agl: yes, we have to unify these 2 versions of CTAP

gmandyam: will that impose a req on authnrs?

agl: no, I think the browsers can just recode the signatures in either direction

nadalin: so this looks like the only issue left in CR

jeffh: no, there's #800 and #801

gmandyam: on the topic of https://github.com/w3c/webauthn/issues/800
... the loc extension retrieves data straight from the GPS modem
... as a result, there's not an exact correspondence between this data and the geolocation API
... where we get hung up is accuracy
... which is required in geoloc
... the accuracy we get may not match that of the OS
... so I'm not sure it's possible in practice to get @selfissued's desired 1-to-1 correspondence

nadalin: ok, I'll discuss this with @selfissued

gmandyam: if we can close this, I may need to introduce CDDL and CBOR examples back in

jeffh: @agl also submitted https://github.com/w3c/webauthn/pull/802 this morning

agl: I'm standing in for Kim

nadalin: I'll see if we stand on this, if we can do it in CR

agl: at least no one on Google has told me this is an absolute must-do for us

nadalin: given we get #800 and #801 resolved, we'll move forward to get a doc generated
... repo is locked right now, which is the reason for the perms issue noted earlier

jeffh: I suggest #799 is reopened as soon as possible

agl: I'm not sure #799 is imminently critical, if all impls have done the same thing

nadalin: #798, #799 and #800 will be assigned to CR
... there are some other issues/PRs outstanding for PR release
... we have https://github.com/w3c/webauthn/pull/666

jeffh: I think we should still do this

https://github.com/w3c/webauthn/pull/501

jeffh: I think this messes the spec up, and we shouldn't do this
... basically he just got rid of the use cases section, which I don't think is the right thing to do

https://github.com/w3c/webauthn/pull/653

nadalin: I believe this is ongoing

jeffh: yes

nadalin: ok, nothing to do right now

https://github.com/w3c/webauthn/pull/688

nadalin: it doesn't look like Johan is joining the WG
... I'm going to close this, and if anyone wants to reopen it they can do so
... unless @weiler has any new information

weiler: no new information

nadalin: so we'll close this, and someone else can submit the change

jeffh: yes, we all thought it was a good idea

nadalin: we have no issues/PRs without milestones
... we have 50 issues in the PR milestone

https://github.com/w3c/webauthn/issues/24

jeffh: I have illustrations, I need to update them to the current state of the spec

nadalin: ok, this will remain open

https://github.com/w3c/webauthn/issues/80

jeffh: this is a subset of #358

https://github.com/w3c/webauthn/issues?page=2&q=is%3Aopen+is%3Aissue+milestone%3APR

jeffh: I would close this, but I need to double check

https://github.com/w3c/webauthn/issues/96

jeffh: this may be closable

https://github.com/w3c/webauthn/issues/116

jeffh: this is still valid

https://github.com/w3c/webauthn/issues/140

elundberg: I think this isn't quite the same as the recent privacy cons, this seems more like a worry about authnrs encoding PII into credential IDs

nadalin: isn't there a note saying credId should be random?

jeffh: we'll just need to check
... leave this open
... this may just be something to add to privacy considerations

https://github.com/w3c/webauthn/issues/151

jeffh: this raises questions we may want to cover in implementation considerations
... we don't have a section for it now, they're sprinkled as notes throughout the spec

https://github.com/w3c/webauthn/issues/180

jeffh: I intend to do this, leave open

https://github.com/w3c/webauthn/issues/294

jeffh: I think this may be addressed, given the major surgery we've done on the algorithms
... this is specifically about an extension though
... we may get feedback on this as people take a hard look at the CR release

https://github.com/w3c/webauthn/issues/301

jeffh: I think this is what Angelo wanted to do in #501
... I approve, but not of removing the use cases section

https://github.com/w3c/webauthn/issues/303

gmandyam: we made a collective decision not to [couldn't hear] we have no expert review
... I recommend leaving this open, @selfissued and I will resolve it
... warning: this came up in webRTC when we opened an IANA registry there

weiler: I'm wondering why this needs a physical meeting

nadalin: it's AD sponsored
... we'll submit to the AD in March

https://github.com/w3c/webauthn/issues/334

jeffh: leave open for now

https://github.com/w3c/webauthn/issues/349

jeffh: just something to do if people want to do this

weiler: I'm trying to break the dependence on physical meetings - we know who the new AD is - we could ask him now (or ask the continuing Sec AD)

jeffh: basically it's to materialise the getAuthenticatorInfo function in the web API

https://github.com/w3c/webauthn/issues/358

jeffh: this is ongoing

https://github.com/w3c/webauthn/issues/360

jeffh: the Fetch PR 325 addresses this

gmandyam: will that be backported to XHR, or are we forced to use fetch to get token binding?

jeffh: I guess that's up to browser vendors

agl: sorry, no idea

https://github.com/w3c/webauthn/issues/364

nadalin: this should stay open, we'll validate with browser vendors

https://github.com/w3c/webauthn/issues/373

jeffh: I noticed Bluetooth and NFC have guides on how to mention their brands and such

akshayku: what is being proposed?

nadalin: have someone read through the spec and see if we follow the guidelines
... so that hopefully they don't come after us after we publish

akshayku: this just looks unactionable to me

weiler: I think people will get it even if we get it wrong

wseltzer: W3C legal is not particularly worried

https://github.com/w3c/webauthn/issues/382

nadalin: let's double-check this, might be closable now

https://github.com/w3c/webauthn/issues/403

https://github.com/w3c/webauthn/issues/410

jeffh: I think we decided to not do this
... because we don't want to assume all authnrs use CTAP

nadalin: so close with no action?

jeffh: it's probably worth redigesting jyasskin's comments

https://github.com/w3c/webauthn/issues/422

jeffh: it seems to me the spec lacks this
... I took a swipe at it in the issue
... this is all implied right now
... only implied

nadalin: ok, remains open

https://github.com/w3c/webauthn/issues/433

nadalin: I thought we'd taken care of this

akshayku: I'll look at it

https://github.com/w3c/webauthn/issues/452

agl: this is still valid

https://github.com/w3c/webauthn/issues/454

agl: it may be reasonable to fold this into the general privacy considerations, and close this

https://github.com/w3c/webauthn/issues/462

jeffh: this is ongoing

https://github.com/w3c/webauthn/issues/493

jeffh: leave this open

https://github.com/w3c/webauthn/issues/517

jeffh: leave open

https://github.com/w3c/webauthn/issues/529

nadalin: this is assigned to selfissued, we'll leave it open

https://github.com/w3c/webauthn/issues/540

jeffh: we should just close that, I don't think we should do that at this point

https://github.com/w3c/webauthn/issues/575

jeffh: this is related to the other timeout issue
... reference this to #364

nadalin: ok, time's up

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/02/14 19:00:11 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Feb/0367.html