W3C

- DRAFT -

Web Authentication Working Group Teleconference

15 Aug 2018

Attendees

Present
elundberg, weiler, wseltzer, agl, christiaan, nadalin, akshay, jeffh, gmandyam, jfontana, John_Bradley, Ketan
Regrets
Chair
nadalin
Scribe
jfontana


<trackbot> Meeting: Web Authentication Working Group Teleconference

<trackbot> Date: 15 August 2018


<wseltzer> nadalin: We held interop end of June

<wseltzer> ... thanks Google for hosting

tony: interop results will be available and we will fold them in when we go to PR

<wseltzer> ... good number of authenticators and RPs

tony: we had some good success. I did not see any major issues.
... does anyone have something to add?
... shane is just picking up the spec and implementing, so he had good feedback.
... we will use this info to add to write up for testing requirements
... FIDO has an interop on Monday. The is there requirements for WebAuthN. They will get some certifications out of that.
... pull requests
... none that are un-triaged

https://github.com/w3c/webauthn/pull/1031

https://github.com/w3c/webauthn/pull/1032

tony: adam had some comments.

agl: terminology is for the ??? spec. I think it is pretty nailed down

scribe: there is time

https://github.com/w3c/webauthn/pull/1036

tony: emil opened this up. JeffH and selfissue need to look at it
... agl gave link to terminology. does this solve your issue.

selfissue: I will look later today
... back to 1036

tony: emil opened

https://github.com/w3c/webauthn/pull/1041

tony: emil opened up and asked for comments. JeffH, Akshay, others...
... that's it for PR

https://github.com/w3c/webauthn/issues/1022

tony: what do we want to do here. agl?

agl: I am looking for someone to take a look.

https://github.com/w3c/webauthn/issues/1034

tony: we understand what is implemented. what do we need to do here?
... move it into a future thing

elundberg: may be something we can punt

agl: I don't think the appID should have an output.

selfissue: the whole extension architecture requires each extension to have an output
... that's how you know it was acted upon

elundberg: we could always set it to true. I am just bringing this up now.

tony: I would like to punt if AGL does not have issue

agl: happy with that. will say chrome does not have this issue.

tony: akshay, what about edge

akshay: looking at that now.

tony: can you fill in what you find

elundberg: this is probably just an issue in the spec (and it's likely that implementations actually do what the spec meant to express)

tony: i moved it to level 2, but you can look at it now if you want.

https://github.com/w3c/webauthn/issues/1035

tony: I don't like to impose FIDO restrictions on this spec where it is not necessary
... do we believe this test is part of generic validation or something specific that FIDO would do.

gmandyam: seems like time stamp is flawed in FIDO context

tony: RP will make decision what to accept
... the device is what it is.

AGL: does this require round trip phone home.

jbradley: I think there can be a cache, but can be timestamp

gmandyam: think time stamp is out of scope for webauthn

jbradley: from google perspective when they do these things on Android they expect time to be accurate

gmandyam: what if you have android running on a TV.

christiaan: today I think all clocks are accurate...if it is connected to the internet.

gmandyam: why do we have to say this in webauthn spec

christiaan: it's not expiration. if you don't set time, none of these devices work

tony: point is he is asking for this validation step.

akshay: it does not need to be there. webauthn does not need to worry about this

tony: think we close, no action.... does anyone disagree?

https://github.com/w3c/webauthn/issues/1037

tony: this is back to UV bit
... I have two thumbs up on this one

jbradley: any device that does not set UP is broken by definition.

akshay: we can close this

https://github.com/w3c/webauthn/issues/1039

tony: this is a big one. I am tempted to say....all the info. is there I don't want to hold the spec up for this restructure unless the group thinks it should be done

jeffH: it is on the implementers.
... if you think we can live without this polish then we move it to L2

elundberg: this is a nice to have, I'm fine if we decide to close it

tony: it does not get closed. it goes to L2

akshay: I think we can take this on

tony: christiaan any comments?

christiaan: I don't have a strong feeling here

agl: I would not call this a must from us.

tony: I will move to L2, emil if you can work on it that would be great.

elundberg: so if time, this would be nice to do

tony: yes.

gmandyam: if we try to work this back in, it could trigger another privacy review.

@weiler: I don't think they are that sensitive.

https://github.com/w3c/webauthn/issues/1040

jeffH: it is just cleanup.

tony: OK

https://github.com/w3c/webauthn/issues/294

jeffH: we are going to punt, hopefully

agl: I did look at this. not entirely sure chrome wants to define its behavior, but if the spec nails it down that's OK
... can write up what we do now, but can't guarantee what it does tomorrow.

jeffH: you can write it up and say that

https://github.com/w3c/webauthn/issues/334

tony: this was akshay and christiaan

jeffH: need to look at this is new use cases I added with Emil
... need some clarification. some assumptions.

elundberg: I made some changes, but then ended up cutting them.

akshay: we will look at it

https://github.com/w3c/webauthn/issues/358

tony: ongoing

https://github.com/w3c/webauthn/issues/360

JeffH: I am not sure what we are going to do with this in the near future.
... I need to circle back around

https://github.com/w3c/webauthn/issues/403

jeffH: I still need to do this

https://github.com/w3c/webauthn/issues/462

tony: longterm thing

https://github.com/w3c/webauthn/issues/462

PR open

https://github.com/w3c/webauthn/issues/578

followup

https://github.com/w3c/webauthn/issues/876

tony: hope to punt on this

https://github.com/w3c/webauthn/issues/936

tony: is this one done, closed?

elundberg: I will take another look at it now...

https://github.com/w3c/webauthn/issues/972

tony: what are people doing today

agl: I looked this morning and most browsers don't implement it
... I think the only browser that is implementing is edge. what they find may be the answer

akshay: I will look at it

tony: looks like we could get rid of this one quickly

https://github.com/w3c/webauthn/issues/981

tony: I think we have views on this one
... akshay says we should potentially close this one

agl: we could subset this

tony: will that restrict the RPs
... it is RPs at end that....

elundberg: think this is set of things recommended as minimum

gmandyam: if you start to bound this, have to be careful you don't exclude potential use cases in the future.

akshay: I say close this down

gmandyam: we support closing

jeffH: should there be catalog of algorithms if there is that much variance. not that strong an idea

tony: I am going to close if no one minds

https://github.com/w3c/webauthn/issues/1004

tony: jeffH had this one, quite a bit of discussion

agl: my position, credman should fix the spec and we should not do anything.

tony: boris said he would come back and agree with that

jeffH: keep it open until we fix credman

JeffH: I am still working on credman. I can work on this.

tony: after we can close 1004

jeffH: sure.

https://github.com/w3c/webauthn/issues/1014

tony: PR open on this one.

elundberg: #936 we are going to close

tony: sign-up for TPAC

@weiler: do we have an interop report from the informal interop?

scribe: will there be a written report

tony: we will do one for the W3C but there won't be one coming out of interop itself - just the results. we won't write up our interpretation. We will do that for W3C
... for W3C staff for the process, but no public report

@weiler: why?

tony: those that put on the interop are not interested in doing that.
... looks like selfissue is fine with #1032

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/08/15 17:55:39 $
