W3C

- DRAFT -

Web Authentication Working Group Teleconference

14 Mar 2018

Agenda

Attendees

Present
weiler, jfontana, nadalin, gmandyam, akshay, agl, jeffh, christiaan, Rolf, angelo, elundberg, Ralph, apowers
Regrets
jcj_moz
Chair
nadalin, jfontana
Scribe
jfontana

Contents

<weiler> fontana: <updates us on transition>

<weiler> ... need exit criteria.

<weiler> ... test tools will be baked, but those need more work. also mentioning that we have interop.

<weiler> ... I'll alert Ralph; no need to resubmit doc.

<weiler> nadalin: does he need updated doc?

<weiler> weiler: don't need new doc for review, but will need one for CR

<weiler> jeffh: this sounds like a WD-09, but formatted as CR

<weiler> ... what about PR835?

<weiler> weiler: except that we don't publish the WD-09

<jeffh> weiler: wrt publishing a CR -- we need to run bikeshed to produce CR-formatted HTML output

<weiler> https://github.com/w3c/webauthn/issues/837

<jeffh> weiler: we need to create an include file that (ostensibly) contains the "CR exit criteria"

<weiler> example: https://www.w3.org/TR/wake-lock/

<jeffh> weiler: see also issue #837

<jeffh> weiler: see the examples in #837

<jeffh> weiler: to do this need new include file, probably ought to put the file in the webauthn repo, do a PR to put it there

<jeffh> weiler: run BS, package up the output into tarball, send to Weiler, he works with w3c web team to post it in TR namespace

<jeffh> weiler: now discuss CR exit criteria...

<jeffh> tony: extensions are optional

<jeffh> weiler: we will be safest by documenting we are not doing interop testing on the extensions

<jeffh> mikejones(mbj): <suggests specific text wrt extensions & interop testing>

<jeffh> weiler: not sure what mbj said will fly...

<jeffh> angelo: web crypto did it...

<jeffh> weiler: they said those things were "at risk"

<jeffh> weiler: will go down the hall and check with folks on this....

<weiler> https://github.com/w3c/webauthn/pull/839

<Rolf> what about attestation formats and types?

<jeffh> mbj: approves pull #839

<gmandyam> Note that the topic of extension interop was raised during TPAC 2016. Harry (representing W3C) stated "re extensions as long as there's no MUST/SHOULD normative text and it's clearly marked as extensions, should be fine"

<gmandyam> See https://www.w3.org/2016/09/20-webauthn-minutes.html

<weiler> thanks, giri. let me see

jeffH if it is clearly marked as extensions it should be OK

tony: these are the only issues we have left. correct

selfissue we need to do #835

tony: i don't see it
... that the one self issued did

selfissue: I will put it under CR

jeffH: i thnk we need to address this

selfissue: this is left over. this sentence was deleted, it said it was in the sta structure and it is not in the structure
... it is a one sentence change
... the rest is instructions for processing steps

jeffH: we probably need to have a hyperlink to cross reference what we are talking about

selfissue: I will call it a dictionary of client extensions
... we stil hav eto have thisl
... i will fix the language here in real time.

weiler: cna we go back to criteria for extensions
... we normally interop the extensions. we can mark the extensions as at risk for now, if we don't have at PR time we mark them as...

tony: they are not intended to be interop.

ralph: OK if you have two implementations of these extensions.

tony: I don't know anyone who will implement the others.

<jeffh> weiler: we should mark the extensions all except appid as "at risk" expecting at PR we will mark them as informative

weiler: we should amke everytig expcet appID as 'at ridsk' and put then in the exit criteria, expecting at PR we need to mark them as informative when we publish.

tony: I would like ot argue that pont I wold not say they are at risk
... I don't want to say they are infomrative when we go PR

giri: I was told extensions would be a special case and not a candidate for implementaion

weiler: ralph said we don't have to show interop, but we have to show it is used. there is some form of implementation experience.

giri: need to be one implementation if we don't want to makr it as informative?

wieler: ralph is grimacing at that.

giri: if we mark as informative,

tony: informative mark hurts us not helps us.

weiler: key I hear is implementation experience.

tony: why do we have to do for each extensions?
... if they all use the same framework, we say this is all compatible.

weiler: i would suggest marking as 'at risk' for now and sort it out over the next three months

selfissue. i disagree marketing appID as at risk.

tony: goal is to not have to come to PR and be told we have to make these informative

jeffH: because some may bet implemented. liek transaction confirmation
... tonu met implement now; it could be in the future
... we are pusing back on w3c prcoess a bit, this is an odd-ball spec, maybe w3c spec review needs to be updated to accommodate protocol specs

weiler: I don't se ethe difference between API and protocol, I see labing something that does not have interop.
... i don't think you can label vaporware.
... maybe extensions have to sit as we move to PR

tony: but this is one spec.
... I want to push back on process

jeffH: i agree. we have an extensible protocol here.
... at IETF we run things up standards track that are extensions

ralph: if there is a framework that demonstrates the interop....if you can't show that someone is using extensioins. then how do we know they are ready to be declared a standard

<jeffh> ralph: demo of impl expr of framework is good baseline. wrt extns, if there is not impl experience of some of them, how can we declare them as part of a std ?

ralph: speculating, maybe the mechanism is patterns after things that are proven in a diff context.
... the w3c kprocess shows that someone actually wants to use this. it doesn't have to be a shipping product.
... want to make sure something wasn't overlooked

tony: current plan is to mark the extensions 'at risk' accept for appID and we will work though it so these are not made informative
... thanks Ralph
... Mike will write sentence about this is framework and the extensions are optional to implement...

selfissue: can say extensions all optional to implement
... but say we expect to have at least one implementation to validate the framework.

tony: Angelo will merge the new language.

angelo: after I get language

<weiler> put it in https://github.com/w3c/webauthn/issues/837

weiler: as soon as you submit changes on 835, we will send exit criteria text separate in email.

<weiler> send a note to Ralph once 835 is done. send him the exit criteria text in email separately, even before the CR doc is done.

https://github.com/w3c/webauthn/pull/835

jeffH: it has been evaluated and I will merge.

selfissued: we never merge #839 removing Johan
... I will do it

<weiler> mention 839 in the note to Ralph. it won't surprise him.

jeffH: saying turn the crank and produce the draft, turn the crank
... on a cR

tony: angleo can you produce a wd09

angelo: yes. whiy?

tony: just for process, so we can say we have working draft, and then do the tar ball for sam

weiler: marking them as at rick now, gives us all the outs we could possibly want

tony: I don't wnat to get in battle and not get to CR

<apowers> thx

tony: goal is not to have extensions separate, or made informative and we will work on process change so we can proceed without the at risk.

weiler: i wil put propsoed text in the draft.

selfissued: I thik 'at risk' goes in the draft , so we need a PRl

weiler: think it can go in the include file.

selfissue: OK put it there
... extensions all are optional, and all are at risk excpet appID

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/03/14 18:01:12 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: weiler jfontana nadalin gmandyam akshay agl jeffh christiaan Rolf angelo elundberg Ralph apowers
Regrets: jcj_moz
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Mar/0086.html
Found Date: 14 Mar 2018
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]