W3C

– DRAFT –
Web Authentication Working Group Teleconference

08 August 2018

Meeting Minutes

<elundberg> weiler: Chrome on my phone doesn't want to load the call URL in the agenda email

you had a mic for a bit and it was echoing

tony: yes, we did get the updated CR draft out there
… published
… as far as IPR is concerned there should be no issue going forward
… we can get things closed in time for PR submission.
… any questions?

@weiler: no comments on it. I have not looked at the time tool.

tony: I think we can keep up if we can get these PRs and issues closed.

https://‌github.com/‌w3c/‌webauthn/‌pull/‌1021

tony: akshay has signed off on this.
… not enough access rights. Mike, can you do it? Yes.

https://‌github.com/‌w3c/‌webauthn/‌pull/‌1023

tony: we need emil to sign off on this. Mike has signed off.
… can we give Jeff the same authority he had before?

@weiler: that should be fine.

tony: jeffH, can you merge?

jeffH: I can do it.

@weiler: on timeline. Should I send out a snippet of the timeline to everyone?

https://‌github.com/‌w3c/‌webauthn/‌pull/‌1024

tony: this is ready to go. Dominic? He does not have rights.

jeffH: I can do it

tony: we don't have PRs without milestones, let's look at issues.

tony: https://‌github.com/‌w3c/‌webauthn/‌issues/‌876
… we had a decision on this.
… we have 3 technical issues
… #294, #1004, #876
… #1014 also

selfissue: can I go back to #876? We can't close until credman is fixed.
… who can do the PR?

JeffH: I can

selfissue: I will add that

jeffH: I proposed it last week. I have work to do in credman and I will get to it next week.

https://‌github.com/‌w3c/‌webauthn/‌issues/‌1014

tony: not sure this is an issue

agl: we looked at this last week

tony: it is tagged as technical and I can't see it

jeffH: I think we agree we can pull the technical tag

tony: I think that gets us down to the last 3 technical issues.
… we have #334, I don't think Christiaan is on the call today.

jeffH: there needs to be some clarification, and work I did with Emil on authenticator taxonomy. One could say it has been addressed to some degree, but it needs review or more detail.

tony: who is good to review?
… akshay?

akshay: sure.

assigned to akshay and christiaan

https://‌github.com/‌w3c/‌webauthn/‌issues/‌358

tony: assume jeffH is looking at this

jeffH: we are not going to fix everything for PR, we have been chipping away at it

https://‌github.com/‌w3c/‌webauthn/‌issues/‌403

jeffH: this is on my list to address

https://‌github.com/‌w3c/‌webauthn/‌issues/‌462

tony: this goes along with the duplicates.
… you're chipping away

jeffH: yes.

elundberg thinks there are some we can eliminate in #462

https://‌github.com/‌w3c/‌webauthn/‌issues/‌578

tony: elundberg, did you cover this with the taxonomy?

elundberg: I don't think so.

tony: it would seem this might be a place this gets described also. Can you look at this and incorporate?

elundberg: yes. will look at authenticator operations

https://‌github.com/‌w3c/‌webauthn/‌issues/‌585

tony: is it possible we wind up looking at the server spec in FIDO re: RPs?

jeffH: can we reference the server spec from FIDO?

tony: it should be public

jeffH: someone can add a reference for it and we can wait for it to appear.

tony: I will make sure that goes public - FIDO server.
… it is out for IPR review
… we will make it a public document

apowers: the server spec is published

jeffH: we can reference it

<apowers> manu: https://‌fidoalliance.org/‌specs/‌fido-v2.0-rd-20180702/‌fido-server-v2.0-rd-20180702.html

<apowers> doh

https://‌github.com/‌w3c/‌webauthn/‌issues/‌704

jeffH: this is just editorial

https://‌github.com/‌w3c/‌webauthn/‌issues/‌733

jeffH: waiting for feedback from the accessibility people

tony: can we get a message to them, Sam?

@weiler: I can figure it out.

https://‌github.com/‌w3c/‌webauthn/‌issues/‌764

elundberg: not much we can do here

tony: not sure there is much we actually would want to do here. It can cause other issues.
… I suggest this winds up getting closed.

selfissue: closed or V2?

tony: it comes down to authenticator selection, we can push it off or we can close it now.

agl: on the surface, this person is looking at silent authenticators, I am in favor of closing.

tony: I would agree on close

jeffH: close it with noted rationale.

https://‌github.com/‌w3c/‌webauthn/‌issues/‌796

tony: cleanup

https://‌github.com/‌w3c/‌webauthn/‌issues/‌876

tony: back to this, we are OK with this

https://‌github.com/‌w3c/‌webauthn/‌issues/‌972

agl: this is an awkward one. The FIDO spec shows the whole complex thing; we want to reference the spec, but the spec is kind of nonsense and nobody does it.
… I will take on the PR and try to work that diplomatically

https://‌github.com/‌w3c/‌webauthn/‌issues/‌980

agl: might be some minor cleanup here, but it has AppID implications.

tony: we don't want to do that.
… not sure a clarification would be any good in the extension

agl: I think there is some confusion here.
… would it help to clarify, put something in the issue
… I will add a comment in the issue for Shane (author)

jeffH: that sounds good

https://‌github.com/‌w3c/‌webauthn/‌issues/‌981

jeffH: on this one, in the FIDO registry there are, I think, 4 certificate flavors
… this is kind of an interop thing. Shane has a good point here: what should RPs implement for?
… this has broadened out, it might be good to constrain

gmandyam: is the algorithm re-specified in the cert chain?

agl: it's x509, tells you ..... can put anything in

elundberg: should we add a note to reference this registry that jeffH mentioned and say these 4 algorithms should be added?

jeffH: I am putting in a comment now

agl: we could nail down more here

jeffH: you may want to

agl: as browsers implementing this spec, we pass what the token gives us. This is kind of a FIDO thing.

elundberg: it is also related to assertion signatures.
… could have any flavor for user keys, but need to support all key formats

agl: the assertion key is negotiated to some extent.
… it has to work.

gmandyam: I asked about this at IETF. We have definitive algorithms and cert rules; it is up to the RP whether they want to interpret or ignore.
… what else can you say

jbradley: which anything should I implement is the question from Shane

gmandyam: fair enough, but jeff's concern is valid

agl: if you want interop, you do not force attestation

jbradley: the other thing is, this might be valuable in the FIDO metadata

jbradley: never mind this might be circular

tony: OK, any other discussion on #981?

https://‌github.com/‌w3c/‌webauthn/‌issues/‌1012

tony: we have a PR open against it, should be ok
… we discussed #1014
… and #1019 is just editorial

jeffH: elundberg is assigned.

tony: that takes us through the issues.
… we have a couple of open issues for triage.

https://‌github.com/‌w3c/‌webauthn/‌issues/‌1011

gmandyam: the PR does not remove SafetyNet, it is just for augmentation.
… we can close it, but it is not something for L1 perhaps

tony: we can tackle in L2

gmandyam: sure
… in the Level 2 timeframe there will be products in the market that will have trust on attestation....it seems we can find a solution to position this so it is not a choice of one or the other

https://‌github.com/‌w3c/‌webauthn/‌issues/‌1020

tony: is this in our scope?

elundberg: I plan to add a comment. Hopefully there will be a fix.

JeffH: it could bring clarification in the spec

gmandyam: user can leverage what is in the browser

elundberg: implementers of WebAuthn are not required to implement CTAP
… so it does not require external authenticators

gmandyam: isn't that the point?

jeffH: summarized at the bottom of the issue, and he discusses risk... we know this. RPs can do things to accommodate this.

<elundberg> s/hopefully there will be a fix/hopefully this will be a wontfix/

jeffH: it goes back to the use cases in #334
… his point may be moot, and we need to explain it better.

selfissue: can you add that to #334?

jeffH: sure

tony: last one is #1022

https://‌github.com/‌w3c/‌webauthn/‌issues/‌1022

tony: looks like we are doing this today, but it is not documented well

tony: agl, I will assign this one to you
… that is all I have for today.
… anything else?

elundberg: I am a bit worried about the client operations we have; we have 3-4 ways to abort and return an error. I am worried we might not be clear.

tony: can you put it into Level 2?

selfissue: I have an editorial question. The current CR is not listed in the set of previous versions.

jeffH: we typically had to add that manually after the editor's draft.

selfissue: I will create an issue and assign it to...

tony: sam

@weiler: were there any working drafts issued between the two CRs?

tony: not that I am aware of

@weiler: you want the editor's draft to show that?

tony: yes.

Minutes formatted by Bert Bos's scribe.perl version 2.41 (2018/03/23 13:13:49), a reimplementation of David Booth's scribe.perl. See CVS log.

Diagnostics

Failed: s/hopefully there will be a fix/hopefully this will be a wontfix/

No scribenick or scribe found. Guessed: jfontana