W3C

- DRAFT -

Web Authentication Working Group Teleconference

28 Nov 2018

Attendees

Present
gmandyam, weiler, Ken_Ebert, elundberg, Christiaan, nadalin, John_bradley, Pasan, Ketan, SarahSquire, jfontana, NickSteele, selfissued, jeffh, agl
Regrets
Chair
nadalin, fontana
Scribe
jfontana

Contents

test

sam: talked to Yuiry
... we found testing does not necessarily prove interop
... what FIDO has cannot be shared.
... it might be conformance testing is sufficient, but not obvious at first glance.

elundberg: there is a bunch of pull requests not assigned to any milestone. there is #1085 think ready to merge.
... also #1092 arguably editorial but changes the algorithms

<weiler> Yuriy said he'd generate a mapping between WebAUthn extensions and parts of the conformance test plan, where they exist. I also pointed out that the conformance test plan they sent, v1.1, is new, hence not an artifact contemporaneous with actual conformance testing.

elundberg: if we do it I think we need to get confirmation or approval fro the browsers.

agl: you want approval, looks like you have JC, I can go off and check chrome and aksay can look at edge.

<weiler> [also: Yuriy was missing much backstory, like that we were looking for interop evidence for ALL of our extensions, not just txAuthSimple and Generic)

elundberg: also #1094 that I thin we can merge right now.

Tony: you want this .... talking about #1094, it is sort of a normative change.

elundberg: it does add normative language , but doesn't change anything normative.

agl: if it is IDL this does not appear to change anything, i think we can merge.

tony: I don't have a problem merging #1094 now, if people feel it is oK. I looked at IDL.
... I am good if others are OK

elundberg: then we are merging #1094 then

selfissue: I want to return to #1092

<jeffh> i think merging 1092 is fine

selfissue: it is correct, we have google, mozilla and msft to say it should be merger.

tony: still missing some actions.

selfissue: it is wrong the way it is.

agl: I am looking at it now. and....

selfissue: it was a cut and paste error on my part
... lets hold on #1092
... it say authenticator parameters instead of client parameters.

tony: I will send akshay a note this week
... so can I get someone to review #1085
... going to merger #1085

elundberg: merging

tony: where do we stand with #1093

https://github.com/w3c/webauthn/pull/1093

christiaan: Looking at #1093
... I will look at this.

tony: #1113

https://github.com/w3c/webauthn/pull/1113

agl: I thnk this is OK

tony: wold like agl and mike to look at it

selfissue: i just approved it

tony: if adam apprvoes I assume we can...

agl approved, jeffH approved.

tony: go ahead and merge this one.
... takes us down to what we can close today.
... as far as #1095 is concerned.

jeffH: i had been involved in editing and I went looking for notes.... I need to re-do the editing.

elundberg: mike has also noted more experts need to review in detail

tony: agreed

jeffH: agreed

agl: I will look at this one.

tony: I will add akshay
... and #1082

https://github.com/w3c/webauthn/pull/1082

tony: jeefH is this something you need to work on

jeffH: yes

tony: just have #1092 to finish
... i'll send akshay a note on that one
... those are the outstanding PRs
... any issues, we have some...#1078

elundberg: think handled by PR #1082

tony: looking at #1088

jeffH: #1088 is behind PR #1095
... do we need to attach milestones to any of these

tony: yes.
... we also have #1107

elundberg: talks about completely new feature

jeffH does this go to Level 2

tony: yes.
... want to make sure Christiian is looking at #1093
... once we loo at #095, we will look at where this onther one fits.
... does anyone want to look at any other issues?
... or PR for PropRec

elundberg: I also assigned #1082 to PropRec

tony: any issues anyone wants to look at on Level 2

agl: we are still keyed on the transport thing. #1050
... lets you know which trasports are supported when you register a key

https://github.com/w3c/webauthn/pull/1050

agl: i don't knwo what we will do with Level 2 and work there. or keep these things around and land them.

christiaan: there are quite a few things we have agreed upon, but if we leave them for too long..

tony: if we want to create a branch, i am ok on that.
... the extension issue may drag out..

JeffH: you are talking about PR on level 2 and apply them into one branch

tony: yes

jeffH: but you might want to have continuous integration going on

tony: it is a lot to have going on .

agl: if it is a pain, we can wait
... is PR weeks or months.
... if we wanted to we could say it is done and say the extensions are not normative.

christiaan I would vote for extensions non-normative.

scribe: and be done with it.

agl: I am unclear what the reality of that would be.

tony: if we mark non -normative we get worse interop , if people see non-normative they may not follow it.
... do we want people to follow or just look at this as guidance.

christiian: few browsers implement these properly and...

tony: I wold dispute, there are many smaller browsers out there.

christiian: not many people building browsers from scratch.
... this is really between the browser and the RP. I don't see the downside.

agl: I tend to agree.
... if we have chromium and mozilla we get all the other browsers.

jbradley: what would be non-normative, some of optional extensions, but the framework would be normative.
... it would be location. etc.

selfisue: transaction confirmation would fall in that bucket. non-normative.

jbradley: we have not tested in web authN because nobody has wanted them

selfissue: how far are we from resolving the current situation

tony: we probalby solved it but having trouble convincing W3C of it.

sam: I think you have been providing the wrong thing

call is breaking up - hard to understand

sam: the FIDO person who has been passing us the information, they do not understand the problem
... i have ben asking for months about non-normative and now we are talking about it.
... i don't see the harm

Christiaan: I don't see the harn .
... RPs are not going through the testing? just the browsers

elundberg: also the authenticatiors

christiaan: that is FIDO2, this is about browsers in my mind

jbradley: issue is non of the browsers support those extensions.

christiaan: how do you get browsers to write good code. I thnk we are only talking about browsers.

jbradley question is, if you do implement, is is normative or non-normative.

christiaan: even if it is normative and the browser guys want to do something different they will
... if this was for authenticators i would agree

elundberg: i don't see how this is not about authentiators. 6 or 9 extensions are authenticator

christiaan: is that being done in CTAP
... that is nothing to do with W3C

agl: in practice nobody has built what we thought was the way people would do this.

chritiaan: if we want to make authenticators do something, that is over in FIDO tha tis not here
... I don't se the down side of non-normative.

agL: as browser vendors we don't look at normative and non-normative.

elundberg: we talked about dropping extensions and picking them up somehwere else.

selfissue: I don't think that is a good idea

jeffH: i am with christiaan and agl as non-normative.

elundberg: i could agree to that.

selfissue: but only the ones we have not done interop on .
... we have done AppID

tony: we talked about HMAC

jbradley: but that is separate.

tony: soright now , it's just appID
... what do we want to do.

jbradley: normative is better, but not gettin this done would be worse.
... delaying for normative might not be worth struggle.

christiaan: it does not matter to browser vendors.

sam: couple of suggestions. could ask the list. take a poll. another thing, it is to punt consensus to co-chair.

tony: we have to put it to list. it would be a week before we get a decision.

elundberg: so do we announce it now

tony: i will put it out to the list and see if anyone objects.

rssagent: draft minutes
... add title

rssagent, draft minutes

rssagent, stop

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/11/28 19:59:35 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: gmandyam weiler Ken_Ebert elundberg Christiaan nadalin John_bradley Pasan Ketan SarahSquire jfontana NickSteele selfissued jeffh agl
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Found Date: 28 Nov 2018
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]