<inserted> scribenick: wseltzer
plh: Two issues to resolve
... extensions: do we have adequate implementation experience
from FIDO
... spoke yesterday with Yuriy
... FIDO ran tests on those extensions at their interop
... Director would like to see updated transition request with
that information
... I am hopeful we can pull that together for the
Director
... will include FIDO in the communication loop
... Aiming to send before the end of the week
... to resolve the extension issue.
... Tests.
... in wpt
... we were able to generate test results for 4
implementations
... many failures; reasons could vary
... 1- I failed to run the tests properly
... 2- implementation is wrong
... in many cases, accepting something it shouldn't
... 3- test is wrong
... 4- spec is wrong
... 5- spec is unclear
scribe: if the spec is unclear,
we can clarify
... if the spec is wrong, we have more work to do
... Have implementers gotten to look at the test results, to
help explain if these are significant results?
plh: "less than 2" is tests that
have fewer than 2 implementations passing
... these are wpt
@@: I've mostly been ignoring the tests because they're not very good
plh: some of them are likely bad
tests
... I'm trying to figure out whether the tests are
reasonable
<inserted> scribenick: jfontana
agl: I am not willing to sign off that the tests are nonsense, but we should look into it.
JCjones: some of these failing tests, we know they are not perfect. most that fail on FF are upstream issues in web platform, not web authn issues
jc_jones: some of these are
WebIDL
... my point, there are a few tests to fix, but they are not
easy fixes because some issues are not in the FF webauthn impl
but rather are in other portions of Gecko.....
PLH: to be clear, it would be nice if this did not stop us from moving forward
jc_jones: I would not say tests
are perfect, but particularly we had trouble with extensions
working well
... it does not mean we are implementing incorrectly, likely we
need TCL on tests
jbradley: who maintains tests
jc_jones: A.Powers and mine (jc)
plh: I don't have the spec experience. I am not an expert on evaluating the tests.
jc_jones: it does need to be a community effort.
plh: if you try to use the same
key on windows and a mac - it is not going to work.
... A USB fob
jbradley: I do it all the time.
scribe: that means that chrome has
not implemented pin support
... that is not a windows, mac thing.
plh: no let me finish.
chrome and Ffox will not require pin on key - it will work without. on windows if you don't have a pin it will ask you to set one.
jbradley: it is not a mac issue per se. it is code chrome has not implemented
tony: it is not an interop issue.
plh: I said this is outside scope
jbradley: so far only one browser
that has implemented PIN support
... depends on how RP asks for credential
plh: it would be nice to understand, do we consider the tests bugs, or do we need to dig into it.
agl: not a bug, it is working as specified.
jbradley: it's not the
implementation of ctap2 that is incomplete
... a browser that supports Web authn. it is not required to
support all ctap2 - you can return error codes
tony: we would like list of failures you found. and we can determine if failures or incomplete
jc_jones: how confident do we need to be for the director to be confident.
plh: at minimum, need test going forward???
jc_jones: not sure how to do tests at scale for every vendor
tony: can yuriy help with this
yuriy: how.
tony: as far as the results are concerned.
jc_Jones: we need to look at
every test and see if they are/are not working properly
... i know the extensions tests are not good. we need to
re-write. those failing is not indication we are doing
extensions wrong or right
Yuriy: I have seen some of the tests , they seem similar to what we do in FIDO Alliance
plh: we need two implementations.
a lot of the failures, the test is trying to see a ???
credential and looking to fail.
... the spec may need some clarification, but at the end of the
day we can't expect something to work.
jc_jones: I can't dedicate staff to this until mid-jan.
plh: we can eliminate tests that are not relevant
yuriy: we should have some collaborative effort.
jbradley: most of these are errors and a lot may be coming from CTAP.
tony: how long is this going to take
yuriy: I think less than we think
tony: so we likely won't get anything done by the end of the year.
agl: maybe we get more
done...people are on vacation and not distracted.
... we should have in next call a discussion. I will endeavor
to have a more informed opinion on failures in Chrome
yuriy: I will look into the tests
tony: what is date of next call
agl: next week probably not. the following week, maybe
tony: probably off the next two
weeks and then back on second week of Jan.
... is the WG OK with this delay
jc_jones: mozilla is
agl: not happy with delay. but can't ignore tests.
plh: i will continue to work with
director on the extensions questions
... keep in mind. focus on the implementations. The tests are
correct in some cases, but some other issues and the spec may
need to be changed. but then IP concerns
tony: it all depends on what the failure is.
agl: some of things are fine, hopefully we follow that pattern
tony: anything more on this
topic
... lets close this topic
... as far as interop is concerned.
... the other topic is the meetings for the next 2 weeks, but I
think we answered them
... there seems to be extended holidays
... my proposal is to cancel dec. 26 and Jan. 2.
meetings.
... any objections? none heard.
... I will send notices and assume everyone is Ok.
... we will meet on the 9th
... any other business .
Yuriy: can we discuss issues 1115
https://github.com/w3c/webauthn/issues/1115
yuriy: there is contradiction
here, no set length.
... should we change this?
... if not will RP do crazy things like empty buffer
... FIDO
Alliance needs to have an answer
agl: I think we are going to fix this.
yuriy: should it be "must" browsers enforce 16 bytes
christiaan: why is that a browser thing
jc_Jones: I would argue it's an RP thing
16 bytes is a nice change.
scribe: why is 16 good, why not 8?
agl: 16 is canonical for this. I am fine with this.
Christiaan: it blocks other
things on FIDO side.
... may in the next version, but not a change at this late
stage.
jbradley: challenges does not go
over CTAP. Authenticator gets a hash and some other
things
... making it a must might not be the solution. I don't know if
we get much with a minimum length
elundberg: if there is nothing, RP may have to be more vigilant.
yuriy: so next version and discuss later.
jc_Jones: I don't know if we will
have more arguments later. unless we define the challenge
... the danger will persist
... the error possibility is very wide. think solution here is
we need to look at nonce construction and take that chunk and
drop it in here
jbradley: potentially we break implementations if we tightly control nonce
jc_jones: I would say we say this is out of scope. but is consideration for RP. I don't think we should mandate any number of bytes
jeffH: I agree with jc
agl: I do too, but tests says can't be zero.
plh: we may need to remove the
test and see if we have a different conclusion later.
... I would make a pull request to remove that test.
... double check if this is the correct test or something
else.
agl: there is an open pull request
https://github.com/w3c/webauthn/pull/1082
jeffH: can i re-review this afternoon.
tony: is it OK now?
... jc_jones?
jc_Jones: I am going to hit approve here.
tony: JeffH: re-approved
jeffH: I want to page this back in and it will take some time
jc_jones: I think it is fine the way it is, but your points are valid.
tony: so we won't finish this today
????: what is webframes?
jc_Jones: we will address in Level 2
elundberg: issue 1123 the UV and UP
<wseltzer> https://github.com/w3c/webauthn/issues/1123
elundberg: suggestion is to let
user presence ( UP) always be true
... can this be done in level1
tony: I think it would be a breaking change.
elundberg: that is what I expected.
agl: Chrome did not allow silent authentication
jeffH: there are related issues
to this.
... this is not first time this has been raised.
gmandyam: this is Qualcomm's last call. we are withdrawing from W3C.
gmandyam: it was a blast to work on this.
tony: thanks for your work on
this. sorry to see you leave.
... thank you . Have a good holiday.
Present: wseltzer elundberg gmandyam plh Rolf
Scribes: wseltzer, jfontana
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2018Dec/0080.html