Web Authentication Working Group Teleconference -- 16 Jan 2019

tony: can PLH catch us up

PLH: we are not done yet, buy we are so close.
... still need directors approval. we are only missing with saying we are OK with red man

tony: I have asked JeffH to ping Mike WEst
... he will poke him for a repsonse.

PLH: if he can say cred man spec is OK, then I can probalby get an approval tomorrow. if not then, Tuesday.
... there were a couple of changes by director, wanted to use a ??? for extensions.
... the other thing is , and not something to decide today, it is versioning of specification
... we have two chice, we can go recommendation. if you publish draft to Level 2, you have to point it to Level 2

tony my preference would be to point to recommendation.

scribe: want people to find that first.

JCj_moz: ... I can see it equally as it should pont to most recent working draft. both ways are valid.
... maybe this is thing where we say chairs should decide.

PLH: if we point to 2 we can have link to Level 1

tony: my concern, is people see we have Recommendation.

phl: I will make sure a few moths form now if yo want to change mind we can do that.

tony: OK.
... as we discussed there will be no press until Recommendation.

PLH: yes

tony: so this will probably be of interest to FIDO and various companies
... Mike Jones may do a blog post

PLH: rignt looking at finishing on Feb. 26th

AGL: what do we need Mike West to say so we don't have to roundtrip.

<plh> https://lists.w3.org/Archives/Public/public-webauthn/2019Jan/0049.html

PLH: I sent that to Mike in email.
... pointer above.

selfissue: Assuming with get M. West we get Proposed REcommendation tomorrow.

tony: yes. or today.
... I would like to move on to some PRs that are un-triaged.
... my view at this point is that PR is locked and I would like to take #1130 and #1131 and move them to Level 2

https://github.com/w3c/webauthn/pull/1130

https://github.com/w3c/webauthn/pull/1131

tony: OK. now lets look at issues....no open issues for PropRec.
... a few un-triaged issues.

PLH: I do have a question
... you mentioned communication on recommendation. The question I got was is WEb AuthN on used on the Web today.

AGL: yes, dropbox

tnoy: in Edge and our RPs use it.
... so it is in production.

PLH: thank you

AGL: we don't use it on our services today

tony: this is U2F keys

AGL: no web Authn

correction: no, it is web authn

JCJ_moz: 80 or 120 in release that is unique calls to create a credential creation.

PLH: I asked out system folks if we can deploy it.
... we cannot deploy right now.

tony: what is target date

PLH: they are using a third-party server...

<plh> privacyIDEA

yuriy: I can talk to the privacyIDEA

tony: it would nice to add that W3C has implemented it.

phl: it will not happen next month.
... we won't get it rolled out that fast. we have long list of things to do.
... we have U2F at the moment.

tony: we have a couple of non-triaged issues to look at - they won't make it to PropRec
... #1127 rolf looked at , Elundberg

https://github.com/w3c/webauthn/issues/1127

tony: it has to do with attestation keys
... also issue #1128

https://github.com/w3c/webauthn/issues/1128

tony: you can sitll have a web authN authenticator and not have it use FIDO2

yuriy: we should drop this. elundberg had modified the term. we should close. it is not an issue

jcj_MOZ: the macro in one of those issues. I will submit in irc

tony: #1132

https://github.com/w3c/webauthn/issues/1132

AGL: it is focused on SafetyNet. It is an Android thing. I will cc; in Anar.

yuriy: this is something in workign with SafetyNet attestation, I brought up as well

agl: text seems to suggest ....
... I can CC Anar, what info. do we need. ....OK I need to talk to Anar. I don't have the answer

tony: look at outstanding PRs
... next question. since we have pretty much closed out Level 1. How do we want to handle the repository. Clone a new one
... continue on with this repository.

akshay: do an archive

tony: PLH are there any requirements. my recommendation is to keep writing in this repository.
... so we are set. feel free to rename Level 1 to Level 2

self issue: my request we don't tag version until we publish the proposed recommnedation.

scribe: I'd rather not branch until we actually finished.

PLH: I will make changes after the call.

tony: we have some open PRs on Level 2
... we have 16 open ones on Level 2
... we have #101

https://github.com/w3c/webauthn/pull/1010

tony: two people want to keep as defined attestation form and not put it into an extension.

akshay: it should remain in the spec as it is today.

jbradley: leave it as it is. down the road we might add something.

selfissued: it look like there is consensus to close this with no ation.

selfissue: four people have , actually 5 people who are opposed to it.

tony: so akshay, can you close it.

akshay: yes.

tony: #1050

https://github.com/w3c/webauthn/pull/1050

yuriy: in FIDO we discussed keeping SafetyNet in spec

tony: back to #1050. rolf had expressed some changes.

agl: it has been a long time since I looked at this.

tony: looks like ready to go

jeffH: I have not had a chance to review in detail
... I don't think there is any rus

tony: I am trying to move things along, not looking to merge
... another one we need eyeballs on is #909
... this would be some of the CAble stuff, which we will go into detail in FIDO Plenary at end of month
... this is another one people should be aware of.
... JeffH will also look. I would like JC to look and Akshay

https://github.com/w3c/webauthn/pull/909

JeffH: I added them as reviewers.

tony: open issues. quite a few of these authenticator selection criteria issues that Giri opened #445 446 447
... #446, #447

agl: no objection, but we will probably not implement

tony: is the selection too granular

agl: yes.
... I more worried in the consumer case.

jcj_moz: in our structures it could be part of metadata service, in extended extended attestation
... instead of RP attesting what it wants

tony: mixed on this one.

jcj_MOZ: worried about fragmentation.

akshay: instead of blanket statement, I would go look at each one.

tony: there are 4 -5 of these.

jcj_moz: it is not specified how we use these eitther. we may need to solicit input from the community on how they want this to work

tony: so keep this open

jbradley: most authenticators go through this evaluation . I agree we can leave it open, but I am not in favor of going too far down this road

yuriy: this is up to browser not the RP.

tony: how about we leave them open, but create a generis one that links those 4 together so we don't lose anything.

jcj_moz: i am fine with that

tony: look at system policy one. #911

https://github.com/w3c/webauthn/issues/911

tony: this is feature policy. people want to get this one done.
... where does features policy stand in web app sec

jeffH: I think it is going to be in soon.

jccj_moz: we are concerned with overlap of feature and policy

jcj_moz: we have implemented part of feature policy
... we want it to merge into one thing.

JeffH: I raised this concern earlier this year....and we may review the answers. might weigh in on that thread on ...JeffH will post URL

tony: no meeting in two weeks. Jan. 30, but we will have one next week

<plh> https://github.com/w3c/webauthn/pull/1134

<jeffh> https://discourse.wicg.io/t/relationship-of-permissions-feature-policy-origin-policy/2772

<jeffh> the above link is in issue https://github.com/w3c/webauthn/issues/911

selfissue: I reviewed it. it is a one-word change.

tony: mike will merge.

elundberg: was there conclusion on #1132?
... looks like it should not be one cert.

tony: adam will go back and ping
...
... team.
... Android team

add title: Web Authentication WG

rrsagent: add title, Web Authentication WG

<plh> Meeting: Web Authentication WG

trackbot, end meeting

- DRAFT -

Web Authentication Working Group Teleconference

16 Jan 2019

Attendees

Contents

Summary of Action Items

Summary of Resolutions

Scribe.perl diagnostic output