Web Authentication Working Group Teleconference -- 09 Jan 2019

test

Toy: where does PR stand, talked to PLH over the holiday, he can update.

<plh> https://www.w3.org/2019/01/webauthn-extensions.html

PLH;extensions. good news is the info. presented over holidays, I met with director and provisionally he said it looks like you have everything

scribe: I put in link to document that is public (see above).
... it is very vague in terms of implementation but that is because of confidentiality
... the FIDO Alliance provided a list of tests and those mapped to extensions
... Tony provided implementation that was passing those tests - so we have multi-implementations of those extensions
... location extension is not tested by the UAF test.
... the location extension uses the Coordinates
... so I believe that closes the extensions work.

jeffH: so the answer is we addressed the extensions?

tony: yes.
... there is one last hurdle and that is the platform tests.

PLH: I tested, and AGL started to look at platforms results. I would be more comfortable if someone else looks at these.

tony: this is from a post by AGL on Dec. 19th. It is on the mailing list

<plh> https://lists.w3.org/Archives/Public/public-webauthn/2018Dec/0091.html

christiaan: AGL is not here, but I excahnged email with him, he thinks the analysis is correct

<plh> https://lists.w3.org/Archives/Public/public-webauthn/2018Dec/0089.html

tony: I will ask JC about it . and I will ask Akshay
... JC can you find this particular note. I will review all those tests. I have not done that yety.
... so Google believes that AGLs post is correct.

PLH: we did not find anything incorrect in the specification

tony: so this comes down to the implementations themselves, so we fix the bugs there.
... in the implemetations.

PLH: as soomn as we have verfication, i will clean results and respond to the request from the director.

tony: so what is the next date

PLH: so we hit PR, we ask for reveiw from membership

tony: what is date of that approval from diretor

PLH: director is waiting for me.
... then he can say 'yes"
... a few days after. we have 20 days for advisory committee.
... and assuming this review goes well, within a week after that we should can go to recommendation.
... I have been putting our comm folks on all the communications
... if we do a press release, I would expect our comm team to do outreach
... review is 28 days

tony: the extensions will stay normative; like they are in the spec today
... that was the delay. we needed to get the testing information in order

PLH: it would be a month and a half to have it a recommendation.

tony: need to get the tests results in from JC and Akshay

PLH: hopefully they can get that done on Friday.

JCJ_MOZ: I can look at thi son Friday.

tony: need to look at some issues we have on Level 2
... level one looks wrapped up and we should be in recommendation in a month and half.
... we do have #1082
... Mike Jones can you look at this also.
... if the approvals come in , does anyone have issue with merging this

JeffH: I have said lets merge and clean up at level 2

tony: any issues for merging after reviews are in.

jeffH: I guess in september, I was waiting for any disagreement with the work
... so I am clearing it.

tony: so elundberg can you merge it
... this is just editorial

PLH: should i take my snapshot after the merge

tnoy: yes.

tony: #1126 and #1120 also have some editorial issues
... looks like #1120 is approved

https://github.com/w3c/webauthn/pull/1120

https://github.com/w3c/webauthn/pull/1126

selfissue: I am going to merge this #1082

https://github.com/w3c/webauthn/pull/1082

tony: #1120 and #1126 have been merged.

JeffH: looking at #1118. I have to think about this. If this is just for clarity - lets do it later.

tony: I believe this closes the last of the PRs

<plh> https://github.com/w3c/webauthn/milestone/11

PLH: we have two issues for PropRec
... #1088 #1122
... we can take care of these

jeffH: elundberg can we address these in level 2
... #1088 #1122

elundberg: yes, I think this is taken care of.

jeffH: so do we punt it to level 2

tony: what is your opinion , jeff

JeffH: yes, we can punt it.

tony: so what will we do with #1088

elundberg: talking about #1095

selfissue: let's assign to level 2

tony: done.
... so this should clear us

<plh> https://github.com/w3c/webauthn/issues/1117

PLH: what about #1117

elunberg: this goes along with #1118

PLH: OK

tony: we have others for level 2, #1125, #1124
... those are issues

<plh> https://github.com/w3c/webauthn/issues/996

tony: we don't have any pull requests, a few that are not classified

PHL: and #996
... in my spare time I am working on this.

jeffH: so we have no more un-assinged Issues, should we do the same with PR

tony: we have two PRs not assigned.
... so punting this to level 2
... #653 also moving to level 2. it is process issue

Yuriy: #1093 - that was moved to level 2, but it is just a typo.

jeff: so that is an argument to just merge it.

tony: OK. does anyone have any issues with it.

selfissue: it is normative. if it is wrong we should fix it.

jcj_moz: it is wrong but it is referred to it in the spec
... hold on, we are not actually linking
... this is fix that....it is normative and we are wrong.

selfissue: so JC can you merge it?

jbradley: the google documentation is wrong, we have it right

yuriy: I am looking at there documentation, they mention nonce but not what type it is
... the respone from this is base64

selfissue: we shoujld merge it.

christiaan: we should merge it.

selfissue: who is doing the merge
... JC is doing it.

PHL: is this testable? the fact if you use base 64 you willbe using the wrong one?

jcj_MOZ: it won't be easy to write a web test for this

yuriy: I don't think it will hard to have SafetyNet checks.
... only issue to to decode the JOWT and the body of the JOT

PHL: not asking to write a test here, just want to know if it is possible.

self-issue: i want to discuss #1004, it is marked PR

<plh> https://github.com/w3c/webauthn/milestone/12

tony: mike it is closed.
... no there are notes.

self-issue: it is REC milestone.

yuriy: it is PR that was closed.

selfissue: #1004 is open.

jeffH: we are delaing with this in credman spec. this was just open as our tracking that credman is dealing with thsi

selfissue: what is status

jeffH: it is moving along.
... I need to make a few changes in CredMan and I will work on it
... sorry I haven't done that yet

selfissue: when we hit REC, credman has to be in sync

jeffH: right. so we need to spend time to bring CredMan up to Candidate Rec. that is our intention

selfissue: thanks

tony: any other concerns, Mike.

selfissue: looking

PHL: can we close #106

tony: I will close

selfissue: #876, I want to talk about it because it is normative

tony: I think that is also a CredMan thing

JeffH: nothing needs to be changed on the webauthn side

selfissue: I believe the rest of things in Rec milestone are level 2, except for those identified as CredMan

PHL: are there blocking issues for REC - those in CredMan
... I want to understand

JeffH: does Cred Man need to be at CR in order to do to Rec in Webauthn

PHL: yes, if there are some things you need in specification, but a statement from the other working group will need input.

jeffH: so the latter approach, a comment from WebApp Sec (Cred Man) is OK

PHL: yes.
... need a statement from them.
... get it on the record. that would be great.

JeffH: you bet

tony: closes meeting.

<scribe> chair: Fontana

add title: Web Authentication WG

trackbot, end meeting

- DRAFT -

Web Authentication Working Group Teleconference

09 Jan 2019

Attendees

Contents

Summary of Action Items

Summary of Resolutions

Scribe.perl diagnostic output