W3C

- DRAFT -

Web Authentication Working Group Teleconference

12 Sep 2018

Attendees

Present
LukeWalker, Rolf, agl, jcj_moz, jeffh, jfontana, john_bradley, nadalin, weiler, akshay, gmandyam, kim
Regrets
Chair
SV_MEETING_CHAIR
Scribe
jfontana

Contents

<weiler> scribenick: jfontana

Tony: talk about paragon about concerns over ecdaa stuff and RSA PKCS1.5
... I don't see issues iwth RSAissues, using this for signatures.

jeffH: we have it in there mostly for backward compatibility

tony: yes, most of systems so this.
... the author is a bit confused on what is beign used and why it is being used.
... rolf can you fill us in

rolf: there is same pattern, there is some context knowledge missing. ..no clue about attestation
... on criticism we are using random numbers, but that is not uncommon
... I can kind of understand the argument to make typical implementation better.
... we cant simply take the message and has and use that to replace the random number
... it needs to be more complex, not as straight forward as researcher things.
... we may want to remove shorter curve, ...we might want to see longer curves .
... what are good curves for this purpose, we can have that discussion with others.
... I can't follow the compress and uncompress argument

agl: I can speak to pint compression. if you decompress point, you cannot forget to check those points on the curve
... there is IP fear around compression
... the question has been tied to type of curve.
... I don't see any strong reason to worry. I am pretty negative on this blog post overalll

tony: I don't think any of the W3C specs are affected by the blog post
... ther may be a slight change or note tha tFIDO has for attestation.

agl: I think we are in agreement there are no webauthn changes called for here.

tony: sam, do we need to do anything here, address in github

sweiler: would like to see someone from group post to mailing list with a technical evaluation of the findings.

gmandyam: may be good for FIDO to do this

rolf: discussion in FIDO was for short response on Twitter then start some talks privately
... could be more valuable for FIDO and W3C to have a conversation

sweiler: I don't want a press release. I would like to point to a public post. We don't think these points are warranted on a technical level

tony: if we come to agreement on something. we can have it as a note from WG, but not have a post.
... the problem is we are taking his words from his post and there is not a lot of detail
... we need more information about his concerns.
... worry about point by point that lacks detail

rolf: defending publicly doesn't lead anywhere.

tony: I think we can do a generic statement...that we determined changes are not needed.

sweiler: I would almost like to have the more detail but not WG response. but I am agreeable to what you are suggesting.
... a short response. either is fine with me.

agl: I will offer that to write up something technically, I can do that. but we have not plans around ECDAA

tony: so maybe others should come up with short response for WG mailing list.

akshay: do we really need to respond to every report? we can say we have evaluated and don't see an issue.

tony: yes, do simple post to mailing list, we looked over, we see no changes needed to webauthn

rolf: in favor of a generic response.

gmansyam: don't need more than a brief response. We have enough to do with the spec to worry about every comment.

jbradley: I am happy with what the group wants to do.

jeffH: I concur with thoughts stated here.

jc_jones: Mozilla has tendency to respond to these, but I am fine with our general consensus.

tony: anyone opposed to WG statement?
... I will try to put one together.
... OK, sam.

sweiler: I am fine following the WG here.

now to PRs

https://github.com/w3c/webauthn/pull/1052

tony: this is JeffH

jeffH: emil had issues and I just replied, don't some clarification.

https://github.com/w3c/webauthn/pull/1052

tony: jeff has some questions
... emil has to look at these. He will respond to comments.

https://github.com/w3c/webauthn/pull/1057

tony: ready to go, can someone merge

JeffH: yes.

https://github.com/w3c/webauthn/pull/375

JeffH: I can merge, ready to go

tony: if we are going to meet our deadline for PR we will have to punt some issues.
... are there issues here that some would be uncomfortable not closing out.

agl: I want to talk about 'n' on WebAuthn..

tony: last week we said lowercase 'n'....emil will make that change.
... there is a few spots where capital 'n' used.
... I will make sure all instances are lowercase

this Issues is https://github.com/w3c/webauthn/issues/1056

jeffH: to speed this up
... I looked through mine and the ones that do not have PR open on them are ones we can move forward without addressing either credman , fetch or other minor things.
... that takes out about half.

https://github.com/w3c/webauthn/issues/403

heffH: pr oepon

585, 1020, 1042 1059 these are the ones we need to resolve.

tony: does anyone have any objections to move remaining issues to Level 2?
... I am following up on call for consensus and make sure no objection for request to go to PR
... caveat is that we close the 5 open PRs that we have.
... if we close, is anyone objecting to going to PR?
... resolving the remainng editorial changes in Rec or moving to level 2.
... not hearing any objections

we have consensus

close 483, 585, 1020, 1042, 1059, and if needed 1056

tony: so we will pull together the package to request PR, and present it next week Spet 18

https://github.com/w3c/webauthn/issues/1063

tony: this could be technical...

jbradley: i think it can wait til the next releaes.

https://github.com/w3c/webauthn/issues/1064

tony: agl has responded..

agl: my thoughts summarize as, sure, whatever.

tony: if someone does this fine, or it gets pushed to L2?
... it would only be a consideration and not a tech change to spec.

jeffH: agrees with this

akshay: i think we can move to L2

tony: any objection? none heard

https://github.com/w3c/webauthn/issues/1065

jeffH: this is a nit.

agl: I think you are correct about it

jeffH: it is quick and easy change

tony: ... can you do soon.

jeffH: yes. I will makes changes and merge.

tony: any objections?

none

tony: please merge.
... any other business

jbradley: one issues. I filed something on it. comes down to interpretation of intended functionality
... we have APP/ID extension. browsers interpret part of spec only applies to U2f only authenticators.
... noting in spec that lead me to this, but more than 1 browser interprets it this way.
... the intent is that when sitses from from u2f to webauthn the credential should continue to work.
... so the browser has implemented app/ID for only u2f authenticators

agl: I will say, it if does not work with FIDO2 Yubikey, we are working with Yubico to figure out. But we will figure it out.
... we were internally confused, but it is part of wider issue.
... hope to fix soon

jbradley: this is different from make cred issues in chrome

agl: we have a general difference around CTAP2 codees

Kim: we will fix. I do agree the spec does not call out how combo of specs works.

jeffH: if under specified, is there an issue somewhere.

?

jbradley: the appid is not in the ctap2 spec

akshay: we are doing... if you have appid you are bridging an old world and new world. use appid for u2f interface in new we used AppID

jbradley, which had unintended consequence if you have hybrid authenticator, it means that when google goes to webauthn not all of your credentials will work

jbradley: there is a fix in an upcoming version....

akshay: lets put it in to spec and close it down

gmandyam: i don't see it in the spec.

jbradley: if all browser vendors understand the right way, then we will be fine. maybe we need to add clairifcation so we can end this conversation.
... I can open an issue.

tony: on other thing gmaydyam, has agreed to write up our extensions at risk. so we can move forward with extensions that are already in the spec without them being pulling

gmandyam: I have had some conversations with w3c leadership. I will work with Mike and Jeff, and then have something at TPAC.
... want to makes sure PHL is in the room

tony: OK, anything else.

akshay: I want to talk to Adam about . #1050. the level of transport
... christiaan there? no.

agl: no

akshay: want to understand some use cases. create platform cred on android and you want to tell RP you can use it for other transports.
... think that underlying use case on this PR

agl: not quite what we have in mind. create a cred on android using fingerprint. when that cred is challenged by spec ...the authenticator will say it will not work
... it presents confusion for the user.
... we are looking at transport to sovle the issue I just talked about.

tony: adjorn.

adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/09/12 18:33:18 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: LukeWalker Rolf agl jcj_moz jeffh jfontana john_bradley nadalin weiler akshay gmandyam kim
Found ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.


WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 12 Sep 2018
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]