W3C

- DRAFT -

Web Authentication WG

13 Jun 2018

Agenda

Attendees

Present
wseltzer, gmandyam, jfontana, selfissued, John_Bradley, elundberg, apowers, akshay, jeffh, nadalin, weiler, christiaan, Rolf
Regrets
plh
Chair
nadalin
Scribe
jfontana

Contents

<jeffh> scribenick?

Got it.

should I scribe this housekeeping

?

tony: need to get a new CR out.
... see agenda for schedule

<wseltzer> [schedule in the Agenda message]

<weiler> interop report by sept 4, to get PR in mid-Oct. spin new CR in mid-july

christiaan: all the changes we are making, how do we get that stuff in.

tony: we could start a new branch and start work on that
... w3c thinks some of thechanges we made have to go through another CR
... PR target has been Oct.
... we lost 3-4 weeks with all the changes and still more changes.
... they may cause problems. But we have to be choosy, changing things in implementation has consequencs

christiaan: quick question. can we in parallel work on RC for 1.1?....or do we have to do this is serial

selfissue: we need more attention on getting things done.
... our run rate of issues in increasing not decreasing. so we need to foucs

akshay: can we order things.

tony: but we still need to get out a new CR.

akshay: can we say a particular issue is not needed at this time

tony: we have been trying to go through issues and assign to right milestone.
... if you're not on the right milestone you need to speak up

akshay: those people who are assigned, look at those things again and maybe we can redue (issue) erros
... I want people to say whether or not they can deal with issue

tony: by July 24th we have to have anything that is normative completed, if we want to make the dates in the agenda
... we have changed quite a bit of stuff, changed some error codes

agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Jun/0193.html

<apowers> it was ESP -- I'm just waiting for this topic to die down before I ask about the test tool conversation

tony: they are minor editorial, I would say. but w3c says they are exclusion calls.

wseltzer: the call for exclusions is under the patent policy.
... part of patent policy if the rec changes then there is an exclusion call

<Zakim> wendy, you wanted to answer mike re: exclusion period

christiaan: if we are doing something that is change in implementation, does that open the gate again.

tony: no that would require new testing.

christiaan: sounds like we are chanign things with this new PR

tony: if it wasn't for the exclusion... this is trying to satisfy w3c recommendations

sam: meeting yesterday was testing requirements to get to PR
... one thing I heard was that we wouldn't have CTAP2 for July.
... the need for a separate PR was a separate thread. want it because of patent stuff?
... was not an invitation to change more


.tony: we have to prioritize changes
... there may be more effort needed to get other changes done first.

sam: if you make case for transports, I am not going to stop you

christiaan: if this causes more delays and we add months... we feel this might have been an oversight on our part.
... we don't want to see a delay of months

sam: what if we get to PR with two implementations of transport ?

christiaan: I don't want to cause problems down the road

<selfissued> Another clarification question: Sam used the term "JCL". I assume that this isn't the IBM OS-360 Job Control Language. What is it?

akshay: i want the transport, but I want these specs to go out and then we can work on it

christiian. lets figure out how to work with it

scribe: i dn't want devices in the market that don't give me information that is critical to my implementation

tony: other questions

jbradley: this should also be part of ctap discusision
... if you want the tokens to produce this information we need to do it as non-breaking change to CTAP
... its premature to put changes in web authn until we address ctap

christiian: i am talking about if device supports usb, nfc, ble

jbradley: solve at CTAP before we change web authn
... I would table it at this level and bring it up in FIDO

tony: anymore questions on this or what we need to get done?
... other questions we do have date of testing and when it needs to be done - Sept. 24

apowers: test tools. are the news tests we need, changes to coverage

tony: don't know yet.
... we'll have to document why we believe the tests are complete and how the tests actually go.
... they can be anonymized.

apowers, the web platform tests?

tony: could include some of the mobile browsers, I don't know.
... just need to capture and report the results.

correction: date is testing done by Sept. 4

tony: I would say main point is to show ctap 2 and secondary U2f

gmandyam: confused botu the CTAP conversation, not w3c

apowers: some parts of CTAP2 only work with browsers, we have to know browsers handling that in same way
... it is a code path that gets executed with ctap browsers

gmandyam: I don't think w3c has test like this before.
... why is this different, seems like deviation. can you post something on the mailing list

sam: don't thing we are testing CTAP , testing against it.

gmandyaM: taking testing to another level with CTAP

sam: what I am hearing here sounds reasonable to me. turn out something useful

gmandyam: we need to be clear what interop is before we get out of PR
... not saying this is a bad thing, but this is not how w3c has done this before.

sam: I am inclined to do what we think is the right thing

selfissue: can we move to issues.

tony: I have to let this run. Have to understand the dates.

salfissue: I am talking about testing

tony: it does affect the dates.

jbradley: where we are at. on edge side confidence that spet. 4 won't be problem. Google?

christiian: I think we are ok with that. this is private implementation. I think we are OK.

tony: I doubt it would be anything Mozilla has time to do. they are out for a bit.
... make sure it works between chrome and edge.

christiian: what is the delta

?

scribe: is it just they are not speaking ctap 2 yet.

jbradley: Firefox missing lot of low-level CTAP, some issues in displaying a pick list. It needs some work.

christaan: still a valid web authn implementation

jbradley: what are the published APIs to pass the test.

gmandyam: we still have a disconnect

jbradley: this testing should be about the web authn api
... what is required for a browser to pass

wseltzer: we need a test for each feature.
... no requirement that all features be implemented in a single product

christiian: what if there are features that only one vendor implements.

wsletzer: mark it as at risk
... at w3c recommendation it would be non-normative

sam: with new CR we can mark things at risk
... not a cost in CR. If we don't mark at CR, then we can't get to PR.

christiaan: want the testing folks to come up with testing list...then we can determine dates we can hit.

sam: coming up with testing list is up to the WG

tony: we need to get al list of what to test and get it to implementers.
... lets move on to milestones PR

https://github.com/w3c/webauthn/pull/941

tony: need mike to look at it.

selfissue: I can review

tony: we have some PRs that AGL needs to merge that have been approved.

https://github.com/w3c/webauthn/pull/899

elundberg: ongoing discussion, but close to being ready

sam: I could review. would that be helpful

tony: yes

<jeffh> am off mute AFAIK

<apowers> we don't hear you

https://github.com/w3c/webauthn/pull/884

elungberg: looks like it is ready to go
... I can do it. I can merge it.

<jeffh> please tell tony I've been trying to speak up....

jeffH: I am still in progress on #842

tony: jeffH you still have #899
... that takes us through PR
... issues , still a few. there are some issues with no milestones. #938 needs cleanup

selfissue: I willl create a PR for that

tony: icon format, #930

https://github.com/w3c/webauthn/issues/930

akshay: I think we can close this

https://github.com/w3c/webauthn/issues/929

akshay: I need to work on this

tony: next week I want to make sure we triage the ones that are assigned to PR and look through them, we have to work on hitting July date/

sam: if something is at risk, flag it now

tony: we can compare those to the things on apowers testing list

<weiler> chair: nadalin, fontana

<weiler> trackbot, end meeting

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/06/13 18:07:49 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/publication/PR/
Succeeded: s/thes/this/
Succeeded: s/a  risk/at risk/
Succeeded: s/implemented in each feature/implemented in a single product/
Default Present: wseltzer, gmandyam, jfontana, selfissued, John_Bradley, elundberg, apowers, akshay, jeffh, nadalin, weiler, christiaan, Rolf
Present: wseltzer gmandyam jfontana selfissued John_Bradley elundberg apowers akshay jeffh nadalin weiler christiaan Rolf
Regrets: plh
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Jun/0193.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]