W3C

- DRAFT -

Web Authentication WG

20 Mar 2019

Agenda

Attendees

Present
jfontana, nsteele, jbarclay, pranjal, elundberg, ken, jeffh, christiaan, agl, sweeden, akshay, sbweeden, jcj_moz, Callum_May, nadalin, wseltzer
Regrets
Chair
nadalin, jfontana
Scribe
jfontana

Contents

tony: Next week. No meeting.
... the time change poll closed on Monday.
... looks like there was some objection to move it to noon, but it was only two people.
... only person we might lose in a tim echange would be Rolf.
... we don't want to lose Rolf. but we will move the call to noon PDT in two weeks.

elundberg: can I reserve the right to change?

tony: yes.

<wseltzer> [+2 hours from current time]

wendy: if needed we will send new webex

tony: who is in prague next week?

jeffH: I will be

prague is IETF meeting

https://github.com/w3c/webauthn/pull/909

Tony: assume we are on hold here. some CTAP work to do here, it's on hold.

https://github.com/w3c/webauthn/pull/1095

jeffH: I need to do some work here.

tony: should reviewers look at this or are you re-doing

jeffH: mumble

tony: should we spend time on this
... JC, Akshay can you look at this?

jeffH: it is nominally the same, but I have not looked at it in a while.
... if there is huge rush, AGL has signed off on this and we can merge.

Akshay: I will look at it

https://github.com/w3c/webauthn/pull/1159

tony: needs review

aksay: will look this week.

https://github.com/w3c/webauthn/pull/1161

alexie: looking at this

tony: adam and akshay have looked at this.

audio issues

agl: #1161. JC comments on are valid, the link does not exist yet. so this is not ready yet.

tony: trying to dial back in

jcj_moz: this is not chicken and egg thing, this link. just need web master to file link to webauth-2

<jcj_moz> we're looking for https://www.w3.org/TR/webauthn-2/ to become real

wendy: I will poke at W3C to get the link

jeffH: we need the first level 2 working draft

wendy: without the draft, we can't have a link to it.

jcj_moz: OK, I will not fight about it.
... does not look like it will be a stale patch. the rest of the links are all good

https://github.com/w3c/webauthn/pull/1161

agl: jc ha sapproved this. akshay do you want to loook

akshay: yes.

alexei: I want to merge #1170
... I just fnisihed it it is basically de-dupe instruction to verify safety net. says go to official safety net page. It is Adam's suggestion

HeffH: this is un-triaged.

tony: let's put it into this working draft.

jeffH: alexei is assigned to this.

alexei: I am merging.

tony: what was the other one #1185?

agl: yes it should be in the list. it was tagged incorrectly.

jcj_moz: it is approved by 4 people and should be merged.

https://github.com/w3c/webauthn/pull/1168

tony: emil do you have something on this one.

elundberg: the steps for verifying android keys is missing
... it clarifies where things come from
... looking at the Diff. yes, just clarification

jeffH: looks good to me.

tony: move it into first draft

jeffH: yes.

tony: need some more reviewers. AGL look at it.

agl: I approved it given its small size.

jeffH: I looked at it

https://github.com/w3c/webauthn/pull/1184

akshay: ready to merge?
... still on 1168

elundberg: I will merger #1168

back to #1184

jeffH: I would like to review
... can't do it on the call.

agl: tagging this QD-01

WD-10

WD-01

tony: this takes us through the PRs we had.
... issues.

https://github.com/w3c/webauthn/issues/863

agl: kim is working on it

tony: can you see when ETA is?

agl: yes

https://github.com/w3c/webauthn/issues/872

https://github.com/w3c/webauthn/issues/973

tony: akshay have you looked at h=this.

akshay: will look.

https://github.com/w3c/webauthn/issues/978

elundberg: PR is open

jeffH: did we already talk about the PR. then we dont need to talk about the issue

https://github.com/w3c/webauthn/issues/991

shane: there is question on the proposal. my comment, we can encapsulate the requirement from Christiaan, ....JeffH might weigh in on this.

elundberg: probably fine to do this with this one options

shane: I can take a crack at it. I need permission

tony: you should have it.

jeffh: I can help Shane to put together a PR

shane: I need some advice on the processing algorithm for clients

jeffH: create a new branch in github and I will take a look

https://github.com/w3c/webauthn/issues/996

JeffH: this is just editorial

https://github.com/w3c/webauthn/issues/1004

jeffH: this stays open. need to work with CredMan

https://github.com/w3c/webauthn/issues/1060

elundberg: think this is dupe of #991

tony: what do you want to do with this.

jeffH: in reviewing #911, review this along with it.

tony: leave this open

jeffH: yes
... the issues are crosslinked, so we are not losing track

https://github.com/w3c/webauthn/issues/1088

tony: goes back to attestation

elundberg: also has a PR open

jeffH: skip

https://github.com/w3c/webauthn/issues/1099

jeffH: it is a minor to do editorial item

https://github.com/w3c/webauthn/issues/1122

jeffH: I have to see if this is addressed. need to verify

https://github.com/w3c/webauthn/issues/1147

jeffH: it is open and being discussed

agl: I thought this was in CTAP and not Web Authn land.
... feedback I got was individual attestation is preferred
... so pre reg. is aweb authn concept. need to decide it is a security key. need to track back to the chip.
... web authn change not required, need FIDO to figure out its stance on CTAP2

tony: leave it open and go from there.

https://github.com/w3c/webauthn/issues/1149

jeffH: related to #991

shane: if we put some data in resident key requirements....could satify Christiaan requirement.

jeffH: i linked back to #911

https://github.com/w3c/webauthn/issues/1153

elundberg: has a PR we discussed.

https://github.com/w3c/webauthn/issues/1166

jeffH: this is an editorial cleanup. we at least shold have note to describe this issue or fix Web IDL, but that would be breaking change
... this note that these are web authn extensitons, that encompass authenticator extensions. .
... put a note it if we do not want to break IDL.

https://github.com/w3c/webauthn/issues/1174

jeffH: I will fix the labels on this. and some implementation considerations.
... maybe some privacy...

https://github.com/w3c/webauthn/issues/1179

jeffH: editorial clean-up

https://github.com/w3c/webauthn/issues/1180

jeffH: just another editorial clean-up.

tony: that is last we had. any other questions.

jeffH: do we have some tri-age to do.

heffH: there are four to deal with

#1169

elundberg: looks like bug report for Fido 2 server

tony: don't think we have a label for this

jeffH: we need to copy this
... need an action item to copy over to FIDO land

elunberg: I can do that

#1175

jeffH: standardizing support for authenticators

elundberg: this is discussion in #1027

https://github.com/w3c/webauthn/issues/1175

adding link to previous https://github.com/w3c/webauthn/issues/1169

back to #1175

elundberg: so do we need any technical changes to the spec?

nick: I can respond to this person
... we have done some work here.

jeffH: so you will reply in the issue.
... that would be great.

https://github.com/w3c/webauthn/issues/1178

elundberg: has self assigned it and opened a PR.

https://github.com/w3c/webauthn/issues/1183

jeffH: it is labeled with process
... i have not looked at it.

jcj_moz: this is about tidiness
... important thing is the tools.

elundberg: if there has been a discussion, then OK.

RRAAgent, bye

<wseltzer> rrwsagent, draft minutes

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/03/20 18:17:13 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Default Present: jfontana, nsteele, jbarclay, pranjal, elundberg, ken, jeffh, christiaan, agl, sweeden, akshay, sbweeden, jcj_moz, Callum_May
Present: jfontana nsteele jbarclay pranjal elundberg ken jeffh christiaan agl sweeden akshay sbweeden jcj_moz Callum_May nadalin wseltzer
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Mar/0215.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]