W3C

- DRAFT -

Web Authentication Working Group Teleconference

11 Apr 2018

Attendees

Present
elundberg, weiler, wseltzer, jeffh, jfontana, Ketan, apowers, Akshay, Rolf, selfissued, Christiaan
Regrets
Chair
nadalin, jfontana
Scribe
jfontana

<weiler> scribenick: jfontana

Tony: press releases and blog posts out about FIDO, W3C. Press has been fairly decent about it.
... widely spread

Wendy: we shared it with prospects and members...

Tony: there was some activity on the mail thread
... still looking how token binding, payments and PSD2 fits together. some chatter at IW about blockchain. None of this is figured out

that was tony

JeffH: the web authN authentication composes with this stuff..need to figure that out.

jbradley: if they want to call a web site a wallet we can help with that.

jeffH: there is some careful work here. not easy

wseltzer: ... have to work with other groups at W3C to figure this out

tony: I think we should move on to tasks at hand

<wseltzer> wseltzer: dependencies need both specification and implementation, so interested folks should please work with WebAppSec and implementers

<wseltzer> ... on feature policy

thanks, Wendy. I was distracted.

tony: on to issues.

https://github.com/w3c/webauthn/pull/859

elundberg: I think consensus is to close this
... looks like JC and Akshay object

<apowers> DIDAuth demo from Veres One / Digital Bazaar: https://credential-repository.demo.digitalbazaar.com/ https://credential-issuer.demo.digitalbazaar.com/ https://credential-verifier.demo.digitalbazaar.com/

tony: this is untriaged PR

<apowers> or video for those that don't feel like click on a website: https://www.youtube.com/watch?v=bm3XBPB4cFY

Akshay: I don't think this is something we can decide at this point in time

elundberg: I think we should close this

jeffH: the intent is interesting
... helps RPs from shooting themselves in the foot.
... do we want to code into spec. that's question
... emil were you trying to do this

elundberg: yes.

rolf: it should become a security consideration.

jeffH: we have issue on that
... I am fine in closing this, but general thrust we need to follow up on

elundberg: 858 is a more conservative version of this. let's move to 858

JeffH: OK

tony: are these un-triaged things we need to put on list.

https://github.com/w3c/webauthn/issues/854

apowers: this is cbor and parsed json objects during authentication

JeffH: I am not in favor of making changes in this at this point.

apowers: one resolution. cbor in both and include javascript properties. concern: confused devs.

selfissued: truth is web authn implementation will have to understand CBOR
... i think this is asking for a breaking change.

tony: it is a nasty breaking change

jeffH: I would not do this

tony: close . no action

apowers: I am fine with that.
... i just wanted to bring it up for discussion

https://github.com/w3c/webauthn/issues/862

elundberg: this is about CTAP

selfissued: CTAP is not web authN , it is one kind of authenticator, also platform and other native authenticators

elundberg: we have said this parameter exists and is always set to true.

selfissued: in future we may want to be able to set to "not true". we need to keep it

akshay: I say we keep this.

tony: it is doing no harm right now. there is no real technical reason
... close this one.

https://github.com/w3c/webauthn/issues/863

akshay: this is similar to FIDO issue.

tony: I will assign to you (akshay)
... it is not a PR milestone.

jeffH: that can be changed. it is our indication that we triaged it.

tony: OK I will set at L2
... let akshay come back

https://github.com/w3c/webauthn/issues/865

elundberg: I did my best to respond. I think we can close it. Or leave open for more comment.
... basically main point is with authenticators no way to backup credentials.
... most of thread is about that. It is more an idea for some kind of key management . that is out of scope.

selfissued: this is out of scope

scribe: close

christiaan: apple matches credentials and key chain. if we close this , someone can do this, but not in our scope.
... some situation where it might be feasible

rolf: this comment is already in there, it is up to app vendor.

tony: can you close this one.

selfissued: closed

https://github.com/w3c/webauthn/issues/866

tony: seems like fine editorial change

jeffH: I will take it.

tony: that takes us through the un-triaged issues we had, now back to Pull requests for PR
... skip 375

https://github.com/w3c/webauthn/pull/821

jeffH: needs merged from master.

tony: did rolf have unanswered question?
... can Giri sign off and then we can do the merge if JeffH and rolf agree

https://github.com/w3c/webauthn/pull/827

tony: think this has been approved

akshay: i think this can be merged.

https://github.com/w3c/webauthn/pull/829

jeffH: I need to review

elundberg: rolf had comment I did not understand.

jeffH: I can and will do it in writing in github

https://github.com/w3c/webauthn/pull/832

tony: jeffH had comments.

jeffH: comments are addressed.

elundberg: I am fine with it if jeffH is fine with it.

jeffH: merged.

selfissued: there is grammar that needs to be fixed.

jeffH: Ok

https://github.com/w3c/webauthn/pull/836

selfissued: you are on review list
... I have not looked at this

tony: JeffH can you merge if selfissue approves.

jeffH: sounds fine to me.

https://github.com/w3c/webauthn/pull/842

jeffH: work in progress.

https://github.com/w3c/webauthn/pull/849

elundberg: waiting for review.

akshay: I will look
... I am fine with it.

https://github.com/w3c/webauthn/pull/850

jeffH: need to review.

https://github.com/w3c/webauthn/pull/858

selfissued: I reviewed it, looks fine

JeffH: I want to review. will merge if jeffH is ok with it.

https://github.com/w3c/webauthn/pull/860

jeffH: this is a good catch. some text disappeared and is getting stuck back in. is it same text.

elundberg: I have not checked.

jeffH: make sure it is right then pull trigger.

elundberg: I will

https://github.com/w3c/webauthn/pull/861

jeffH: needs review

tony: Open issues

akshay: IAMA pleased mike is taking care of this

selfissued: IANA. managed to get RSA algorithms to get registered. also get elliptical curve registered. I will add web authn and as courtesy add FIDO ones.

apowers: thanks

selfissued: dropped

scribe: off call.

tony: https://github.com/w3c/webauthn/issues/116
... is this still ongoing.

jeffH: yes.

https://github.com/w3c/webauthn/issues/140

jeffH: need to review against privacy considerations

https://github.com/w3c/webauthn/issues/151

jeffH: one could argue we need some implementation language.

tony: keep this one open, some of comments warrant this

elundberg: to me looks like roaming authenticators solve this

tony: we need some verification on this.
... elundberg would you like to do this.

elundberg: maybe this is related to authenticator taxonomy

jeffH: can you link it to that.
... next

https://github.com/w3c/webauthn/issues/294

jeffH: work with boris

https://github.com/w3c/webauthn/issues/301

tony: editorial

https://github.com/w3c/webauthn/issues/301

tony: i think this has been addressed. will check with self-issued.

https://github.com/w3c/webauthn/issues/334

tony: angelo not on, skip
... I will skip to 358

https://github.com/w3c/webauthn/issues/358

tony: No call next week.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/04/11 18:04:01 $
