W3C

- DRAFT -

Web Authentication Working Group Teleconference

20 Jun 2018

Attendees

Present
elundberg, wseltzer, gmandyam, weiler, jeffh, apowers, akshay, nadalin, selfissued, jfontana, angelo, christiaan, JohnBradley
Regrets
Chair
nadalin, jfontana
Scribe
weiler, jfontana

Contents

<weiler> scribenick: weiler

https://github.com/w3c/webauthn/pull/899

emil will delete one bullet and merge

https://github.com/w3c/webauthn/pull/941

merge it.

https://github.com/w3c/webauthn/pull/952

wait for jeff to sign off; emil will then merge

<jfontana> I can scribe

giri: why is alg separated from data being returned by authenticator?

<scribe> scribenick: jfontana

tony: don't know the answer, to gmandyam question
... if some attestation fo not carry it why would we care?

https://github.com/w3c/webauthn/pull/956

replaces #842

elundberg: most of th commits are still in here. we want it broken out

selfissue: there are huge number of changes, seems like re-write

tony: last week we asked for this to be re-done

jeffH: I think this is reasonable. needs polish and to ship

elundberg: if you approved #842 then the commits from there are in here.

jeffH: I have done detailed review.

selfissue: if you know what changed you have my proxie

<jeffh> https://github.com/w3c/webauthn/pull/956#issuecomment-398683756

elundberg: i added a link to the changes I add on top of previous PR selfissue approved

slefissue: let me look at the diffs
... this seems fine, thanks for the diff

elundberg: still work in progress, collaborating with JeffH
... other things to do

selfissue: what?

elundberg: previous PR has lots of comments.

selfissue: can we finish this shortly, the big PRs are harder to review.

https://github.com/w3c/webauthn/pull/961

tony: jeffH is a reviewer

jeffH: should I merge.

tony: yes.

https://github.com/w3c/webauthn/pull/962

tony: do we have anyone from Google?

silence

tony: I guess not
... do we need emil to do this if jeffH approves
... do we need sign off

elundberg: yes, and I can merge if that comes through.

tony: jeffH and one of the google guys
... let's go back to #951

https://github.com/w3c/webauthn/pull/951

tony: akshay have you looked

akshay: I don't think I am the right expert for this.
... angelo

tony: I am adding angelo

the number is 951

tony: any other Pull requests to talk about?
... we have 501

https://github.com/w3c/webauthn/pull/501

jeffH: we might want to provide link to sample code

angelo: this PR is really big, has many changes. I would rather not touch this anymore. I will open another

jeffH: to add a link

angelo: yes.

https://github.com/w3c/webauthn/pull/878

jeffH: this will give way to 951
... can the chair reach out to Mozilla and tug sleeves
... someone should be here to cover for mozilla

tony: I can reach out.

JeffH: thanks

angelo: I was just looking at the spec, in the use cases section there is reference to sample code

tony: so you can close?

close no action

angelo: yes, I just closed it

tony: go to issues.

https://github.com/w3c/webauthn/issues/873

jeffH: sitll on my list

https://github.com/w3c/webauthn/issues/950

tony: this is still open

elundberg: the PR only address part of this issue

tony: can yo split this one out?

apowers: yes

tony: keep this one for a reference. and we will look at the new one.

https://github.com/w3c/webauthn/issues/963

jeffH: we have to review this.

tony: assign jeffH?

jeffH: yes

tony: leaves us with two un-triaged; on to issues.

https://github.com/w3c/webauthn/issues/334

angelo: we discussed this.. we have a use case section that does address where we are going.

tony: so I will ask christiaan to review. if no longer needed, close it

jeffH: this should be referenced by 956

#956

jefH: we have use cases in many places including #956. We have to agree on the use cases before we do anything

tony: OK, let's go to review on #334

christiaan: maybe. we should review

tony: Look at and put in your comments

christiaan: OK
... I thought this could be addressed separately and not in this spec

https://github.com/w3c/webauthn/issues/349

https://github.com/w3c/webauthn/issues/349

angelo: On this one, CTAP spec is ready. do we need to do this?

akshay: I don't think we need it

angelo: close

akshay: yes.

jeffH: actually, I wouldn't close this, or I will have to re-open.
... we hav tlalked to browser makers lately and there are usability issues. this would be helpful to do this.

akshay: you can't have this if the authenticator is not there.

jeffH: we really want to go to passwordless
... so when we say user verifying, we want to say fingerprint
... we don't think it is good user experience to fall back to PIN

tony: that is preference on your part.

jeffH: I am letting you know

akshay: the situations where you say fingerpirnt is good, others bad, there wil be extention

JeffH: the user experience flows are sub-optimal
... our product people will talk to you. I am channeling now

akshay: you are saying...

jeffH: I thing specifically fingerprint, we want passwordless experiene, with fingerprint only.
... talk to them
... biometrics good. passphrase, PIN out.
... people convert to fingerprint

akshay: we should talk more.

jeffH: agreed

jbradley: what if there was platform authenticator on......that did not have FP reader

jeffH: I don't know what we would do diffferntly

akshay: lets address in V2

jeffH: we will reach out to you

tony: I can tell you this won't make the dates.

jeffH: leave open and put new dates on this
... we can open a new issue with this request

<weiler> scribenick: weiler

akshay: jeff will you open new issue? close this one.

https://github.com/w3c/webauthn/issues/876

angelo: we're returning null today. not sure re: chrome. interop in a month... might answer this?

selfissued: reminder that substantive changes need to go in fast because of W3C IPR rules.
... ~1 week

angelo: I'll accellerate this.

giri: is this big enough?

[we haven't looked at this one in depth]

sam: angelo, can you resolve this in the next week?

angelo: probably.

jfontana: we need to confirm whether this needs to be included in the new CR

sam: adding myself as assignee to answer that

https://github.com/w3c/webauthn/issues/837

<jeffh> https://github.com/w3c/webauthn/issues/837#issuecomment-373114084

sam: try opening a PR to https://github.com/tabatkins/bikeshed/tree/master/bikeshed/boilerplate/webauthn

scheduling

jfontana: plan on meeting next week, given the timeline
... and July 4 the week after
... despite Identiverse.

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/06/20 17:59:00 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: elundberg wseltzer gmandyam weiler jeffh apowers akshay nadalin selfissued jfontana angelo christiaan JohnBradley
Found ScribeNick: weiler
Found ScribeNick: jfontana
Found ScribeNick: weiler
Inferring Scribes: weiler, jfontana
Scribes: weiler, jfontana
ScribeNicks: weiler, jfontana
Found Date: 20 Jun 2018
People with action items: 

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]