Web Authentication Working Group Teleconference

25 Apr 2018



Present: (no one), gmandyam, elundberg, dmitriz, jeffh
Regrets: weiler, wseltzer


<elundberg> has the call started?

having connection problems with audio. I can scribe.

scribe: if I can get audio going

<elundberg> looks like the call isn't up yet

<jeffh> did u or someone issue the commands doc'd here https://www.w3.org/2008/04/scribe.html?

<elundberg> not yet

trackbot, start telcon

<trackbot> Meeting: Web Authentication Working Group Teleconference

<trackbot> Date: 25 April 2018

<scribe> scribe: jfontana

<scribe> agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Apr/0200.html

<apowers> "the host has not yet joined the meeting"

<apowers> looks like we're waiting for sam?

<jeffh> sam unavailable he sent email to list

sam said he cannot attend today. Wendy, can you activate the call.

<jeffh> punt to next week?

<elundberg> or other telcon platform?

<apowers> I can start a GoToMeeting

<apowers> https://www.gotomeet.me/AdamPowers

<apowers> You can also dial in using your phone. United States: +1 (872) 240-3412 Access Code: 418-535-189

<selfissued> We are on Adam's gotomeeting - please join there

<jeffh> https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+no%3Amilestone

tony: untriaged issues


elundberg: this is an issue we might need to consider now. Chrome has started implementing this

jeffH: good point!

tony: this gets into authenticator selection. that is why we flagged the other one as level 1

level 2

scribe: we extended charter to take on different authenticators. Add this to PR level?

gmandyam: it's not a way to provide ease to RP it is for a service. explanatory text would be useful

tony: want to leave this issue as is. Open up a new issue.

scribe: don't want to take this one in this current release. do it in level 2 where we have set up authenticator enhancements.

elundberg: Chrome not about adding options. It is how the browser will behave with what is already there.

tony: I don't read it that way

JeffH: there is also 863 and they are at odds with each other

Christiaan joins


jeffH: do we just want to comment further in these two issues 867 and ??

tony: we can continue discussion at level 2

863 is the other issue

tony: we are on issue 867


<jeffh> clarification: tony said he set the milestone for issues #863 and #867 to L2 -- and we can continue detailed discussion in those issues. if someone wants to propose editorial text for the PR milestone, go ahead and we'll evaluate it appropriately....

thank you for clarification.

christiaan: we (google) strongly object to doing nothing. I advise against telling the RP nothing

<jeffh> cbrand: chrome wants the behavior to remain "the same as it used to be" (?) -- need to give RP the info it needs....

tony: to some extent this has to do with authenticator selection.

<jeffh> cbrand: tho current spec text is ambiguous ....

akshay joins


tony: you were assigned to it.

akshay: two authenticators and user touches wrong one.
... if user does that, we say authenticator not there.

cbrand: clarify. used to be send creds down, and you make all authenticators visible, if user touches wrong one we say....
... in Web Authn there are local credentials.
... if i send credentials down and there are no matches.

akshay: returns invalid

cbrand: what happens if there is no credential registered on the platform?

akshay: this is limitation we have now.

cbrand: think about the way we send allowed creds down now. it might be possible to use one of those fields for bound or not bound
... what Kim has opened is important. What do you do?
... i don't think we can solve now

akshay: this can be a replacement for attachment property or something.

cbrand: should also go back to transports. there is no way transport info makes it into standard registration. we should fix that too.

jeffH: agl opened a PR in the last few hours.

cbrand: it is about this

<jeffh> https://github.com/w3c/webauthn/pull/882

akshay: we should discuss what to do with attachments.
... I think we missed that users can roam around and there is no local connection
... discuss in Amsterdam
... how much control does RP and how do we do that.
... does RP want...
... there are some gaps. it all points down to attachment property

cbrand: don't do any behavioral changes, leave it the way it is until Amsterdam so we can go through all the issues.

tony: keep in level 2, yes.

gmandyam: why can't we say go to dev boards and say support this extension.

cbrand: this is a 90% use case, don't want to put that in an extension

gmandyam: I hate to say never, but it is an implementation solution

<jeffh> cf: https://www.w3.org/TR/webauthn/#authenticatorSelection

cbrand: I want RP to say I want this class of authenticator

tony: leaving these at level 2 and discuss more in Amsterdam FIDO meeting. We will have W3 people there.
... that takes us to 871


tony: who is matthew limpkin (sp) submitter?
... seems this is not appropriate issue.

jeffH: define appropriate.

tony: seems out of scope.

elundberg: they are suggesting only the global and ??what it covers
... don't think it would change any of the algorithms. it is abstract authenticator ..

tony: what do we do?

jeffH: signature counters are a deep topic. agl wanted to remove them
... i don't think we take this on. It influences the authenticator model

akshay: in some scenarios, RP may want it. let's discuss in level 2.

selfissued: close it

tony: i would push out

jeffH: this discussion is more nuanced than just this issue

tony: push it out and we will discuss.

elundberg: not changing the API, just how to implement counters.

tony: that is a breaking change. don't want to take that one right now.

jeffH: adding note. selfissued put a note in
... also

gmandyam: is this a complexity issue?

elundberg: ...thinking about credential counters.

akshay: no certification issue here. both classes of counters are allowed

tony: move on


JeffH: I need to look into this one. will tighten things to origin that has been lowered.
... this is arguing to scope cred to a domain lowered origin


JeffH: it is subtle but important distinction
... do not decide off hand, however

selfissued: need reviewer

JeffH: assign issue to me. done.

tony: leave it untriaged at this point come back next week


akshay: related to null not being allowed or base cred man spec

tony: if we go this route the Web App Sec would need to take up as well.

akshay: cred man has something that does not allow null

jeffH: I need to take a look at this. I thought we had figured out how to make this work at cred man level
... let's make it a PR milestone now

tony: takes us through un-triaged issues
... any updates on pull requests that are outstanding.

elundberg: 882 is un-triaged


tony: moving this to milestone.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/04/25 17:59:18 $
