W3C

- DRAFT -

Web Authentication Working Group Teleconference

31 Oct 2018

Attendees

Present: weiler, ken, jeffh, selfissued, nadalin, jfontana, wseltzer, jcj_moz, JohnBradley, ketan, Akshay
Regrets:
Chair: nadalin, jfontana
Scribe: jfontana


Tony: TPAC overview. Met on Monday, some of Tuesday. Some other sessions in breakouts.
... went over PR states, letter was sent from FIDO to W3C about extensions
... wendy acknowledged and will get back if needed.
... tony talked with PHL and put him in touch with Yuriy at FIDO to run the interop tests.

correction PLH

scribe: waiting for anything else to come up on PR, issues, etc.
... we went over L2 discussions. We were deciding what was on board for L2
... went over repository L2, device loss recovery; Emil and Dirk both gave presentations. Went over authenticator enhancements
... we talked a bit about blockchain and DID Auth
... can web authn solve many of the DID solutions out there today.

Ken: Sovrin, this is of great interest to us. We want to take what has been done in Web Authn and apply it to what we want to do

tony: it was good input we got from Sovrin and DIDs folks

selfissued: question. web authn is about point to point with authentications. blockchain is distributed.

tony: related in a way of authentication...how public keys are used for authentication purposes.
... not 100% that web authn is point to point. it is domain based. we will look at if we have to change our scope and domain checking.

Ken: we think there is lot of synergy.

selfissued: in blockchain what authenticates to what?

tony: DID auth is asking... who owns the private key, who created this DID doc
... there are some current issues with how DIDs are represented and does it have relationship to private key.

jc_jones: no synergy between distributed ledger and DID auth
... you would use it as an additional field, attestation
... it has been my problem how this is relevant for DID auth. from perspective of using an authenticator as CA, seems to be what they are looking for

jbradley: in the conversation we need to separate some of this DID auth gets thrown around.
... knowing what DID auth is, is a bit slippery
... can the authenticator sign the DID that goes in the blockchain?
... using web authn to authorize/authenticate on the DID itself is likely step one
... two is making the same key that is used to do the DID transaction is having a third-party key for the DID. enabled some sort of selection of violation of our origin principle.
... web authn says you can't correlate sites.
... we have to figure out how to do something useful with DID before cross transactions

selfissued: we need clear use cases on what we can achieve in that space
... DID and DID auth are more concepts.

tony: part of the process these guys want to go through is look at those issues. what is possible.

Ken: that is our objective

tony: anymore on this topic DID auth, blockchain

jeffH: I second on Mike's (third?) on use cases. they should be sent to the mailing list

tony: this is all work that could be done in this group
... we talked about silent authenticators, privacy issues that have come up in FIDO land as far as the FIDO2 authenticators are concerned. intertwined. we will look at use cases
... we talked about UAF signature formats. can we encapsulate in Web Authn? is it possible?

jeffH: it is possible. spec updates have been sitting in PF

tony: we went over this

jeffH: is it political

tony: there are some technical issues.

jeffH: I disagree

tony: talked about attestation. EATS
... interest in looking at this in IETF
... did some policy work on domain issues. doesn't look like there will be additional work in Cred Man
... we talked with Mike West about Feature Policy, using this to go outside our top-level domain issues.

jc_jones: I am going to write the PR

tony: talked about syncing platform authenticators
... talked same origin and trust anchors.
... discussed transport information during registration. google pushing for
... extended charter to sept. 2019
... we will work with sam to accomplish that.
... we did have 3 issues that came up from Apple. #1095 #1096 #1097, editorial issues and decided they were OK, assigned to Mike

selfissued: #1095 is not in this group.

tony: yes, it was #1096 #1097 #1098 issues.
... #1098 is taken care of.
... that was the bulk of our discussions.
... had some demos. Yubico and Google

jbradley: one other thing. presentation on device loss.

tony: yes, we did mention it before you came on the call.
... it was backup, primary, etc. slides are available. Links are in the TPAC agenda to the presentations.

JeffH: meeting was the 22nd. I am going to put a link to the minutes in IRC

tony: add agenda.

<jeffh> minutes of TPAC webauthn session: https://www.w3.org/2018/10/22-webauthn-minutes.html

<wseltzer> TPAC WebAuthn Agenda

<jeffh> -> TPAC WebAuthn Agenda: https://docs.google.com/document/d/1snGmQJ_EO3LR3EKAY19w1V08OEPemD_po0R5kU2PXak/edit#

tony: Tuesday we met with web payments people. looking at their authentication issues. it looks like good fit in Web Payments. need to work on the top level domain issue
... if we can fix it with Feature Policy we will be good to go
... card companies were interested in Web Authn
... need some linkage web payments processes
... they had an unconference day on Wednesday. some discussion on blockchain.

<wseltzer> TPAC breakout day grid

Ken: the purpose of one of those sessions was about establishing a WG around DIDs

<wseltzer> Workshop on Strong Authentication & Identity

Ken: the consensus there was interest in spinning up a working group

selfissued: when and where?

Ken: I don't have details.

wseltzer: I shared in IRC a link to the workshop in dec. in Seattle.
... there is more discussion to come before a charter comes forward
... we hope to share a draft after the workshop (dec. 10-11) and if there is a draft to take it up to W3C for review

<wseltzer> https://www.w3.org/Security/strong-authentication-and-identity-workshop/cfp.html

tony: it is an invite.

wseltzer: there are forms to send a message of interest, or suggest a talk.

selfissued: deadline for papers?

tony: soon,
... still working on format for meeting and agenda.
... discussions ongoing with committee
... some discussion on balancing the meeting between un-conference and paper presentation.
... position papers
... that's all I had on the agenda for today.

Sweiler: I think the FIDO document might be grossly inefficient, we should have a backup

tony: I think we will push for normative
... on the extensions.
... group feels extensions should be optional, normative
... anything else.
... no meeting next week. It is IETF week.

sorry, I am working over you. you can take it from here.

<weiler> eh, the bot doesn't mind. :-)

Add title, Web Authentication WG

trackbot, end meeting

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/10/31 17:56:03 $
