W3C

- DRAFT -

Web Authentication Working Group Teleconference

23 Jan 2019

Attendees

Present
elundberg, jcj_moz, ken, nsteele, selfissued, jeffh, jfontana
Regrets
Chair
nadalin, fontana
Scribe
jfontana

tony: from posting last week, we did get PR out the door
... the draft is out for review.
... JeffH has watermarked the repository
... so let's look at what is in Level 2
... looking at end of Feb. for recommendation as long as no issues pop up
... thanks everyone. it is a good milestone. I thank W3C for helping out and getting us through the extensions.
... would like to move to some of the issues we have.
... let's go and look at PRs that need attention, un-triaged

#1140

https://github.com/w3c/webauthn/pull/1140

elundberg: there was a weird workaround for UV, we fixed that
... I think it came from a misunderstanding around CTAP

tony: I have added some reviewers.

selfissued: is it our intent to merge this to Rec. or is it a Level 2 change?

tony: no.
... no. no. no.
... it is re-classified as level 2

https://github.com/w3c/webauthn/pull/1141

elundberg: this aligns with #1127, it looks like we have large batches for attestation

yuriy: previous wording had a MAY,
... the wording is correct now.
... better

akshay: we should not over specify here.

yuriy: this doesn't suggest a bad behaviour

akshay: looks good

https://github.com/w3c/webauthn/pull/1142

elundberg: fix for Android SafetyNet
... also has to do with attestation

https://github.com/w3c/webauthn/pull/1143

coupled with issue #1034

elundberg: this is a corner case, but it does result in incorrect value. so this PR fixes that

tony: https://github.com/w3c/webauthn/pull/1144

elundberg: this one builds on top of last one. could be controversial
... proposed to always let it return true
... I have written why this might be a good thing. #1143 is straight up fix. #1144 is companion
... this doesn't change much. The RPs need to do this already.

tony: but that makes it a normative change.

akshay: what is issue..when you have not used appid

elundberg: the issue is false positives

akshay: why do we return true if it is not used.

elundberg: that is how it is specified.
... I don't expect a conclusion on this one right now. look at it and see if you agree or not

selfissued: is this a breaking change?

elundberg: arguably yes.

selfissued: should we close it
... it is breaking change
... I will put comment that this looks like a breaking change

elundberg: I would argue in practice, this is already what RPs kind of have to do

agl: all RPs know if a credential is registered with u2f, webauthn
... they will be fine with this

tony: https://github.com/w3c/webauthn/pull/1145

elundberg: it goes with issue #1136
... we have in step 16, there are cases for different attestation types, but missing non-attestation
... this is attestation types not formats

tony: that takes us through un-triaged PRs
... issues #1135

elundberg: open question. should we duplicate safety net verification, but refer to S.Net documentation

agl: I would agree, the web authn stuff has not been kept up to date in s.Net documentation

elundberg: OK

jbradley: better to point to source material, as long as it is correct.

elundberg: argument against, will it be hard to find or understand

yuriy: I was trying to say...I would keep current state of s.net documentation, but we should not refer to it

tony: #1136

https://github.com/w3c/webauthn/issues/1136

elundberg: move to level 2, connected to PR#1145

tony: want to ask the group what they think about some issues #1125

https://github.com/w3c/webauthn/issues/1125

elundberg: this looks out of scope

agl: there are a few proposals around this

akshay: think it is still trying to discover what is acceptable to the user

elundberg: looks like they are trying to bolt OAuth on to Web Authn

tony: https://github.com/w3c/webauthn/issues/1124

agl: this is moot. implementation can support curves this person likes.

tony: selfissued, are you registering these curves

selfissued: yes, for COSE and JOSE and calling out the curves
... this is ongoing. some are not registered.

tony: those are the ones I had for this week.
... are there other things to discuss?

jeffH: we are going to talk next week. I am fine to bail out

tony: do we need face to face at RSA time.
... there will be F2F at FIDO plenary
... F2F at RSA.

?

jbradley: it is not a bad idea to do that at RSA

tony: OK, anyone opposed to me working on it.
... who will attend? jeffH? agl? jc?
... I will work on it. and get a room and a date.

<jeffh> yes JeffH, perhaps AGL

tony: and let W3C know about it.
... thanks

call ends

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/01/23 18:46:43 $