W3C

- DRAFT -

Web Authentication WG

03 Apr 2019

Attendees

Present
nsteele, jbarclay, elundberg, jfontana, akshay, John_Bradley, nadalin, sbweeden, agl, arnar, selfissued
Regrets
=jeffh, jcj_moz
Chair
Nadalin, Jfontana
Scribe
elundberg, jfontana

Contents

<elundberg> nadalin: no meeting 2019-04-12 due to ???

<elundberg> scribenick: elundberg

nadalin: will give an update on AC meeting on webauthn
... anyone got anything we should say?
... hearing nothing
... let's get on to issues

<jfontana> #909

https://github.com/w3c/webauthn/pull/909

https://github.com/w3c/webauthn/pull/1095

scribe: on #909, waiting for input from google
... on #1095, JC away for a few weeks, might need to move on with this once Jeff reviews
... @selfissued please review

https://github.com/w3c/webauthn/pull/1161

<jfontana> tony: still issues with this one. Akshay has lookeda t

<jfontana> ...at it

elundberg: we can remove the "-2" link, merge this, then revert that removal once "-2" is valid

#1186 to remove "-2" https://github.com/w3c/webauthn/pull/1161

#1186 to remove "-2" https://github.com/w3c/webauthn/pull/1186

#1187 to revert #1186 https://github.com/w3c/webauthn/pull/1187

<jfontana> https://github.com/w3c/webauthn/pull/1186

<jfontana> elundberg: we can merge #1181 into #1186 if we want

akshay: #1181 has merge conflicts, let's wait

<jfontana> agl: we have arnar with us briefly today

<scribe> scribenick: jfontana

https://github.com/w3c/webauthn/pull/1182

tony: looks ready

akshay: looks fine to me

tony: any objections for merging?

https://github.com/w3c/webauthn/pull/1184

tony: looks like this one is pending.
... akshay has signed off on it. agl also
... can you go ahead and merge if you get review from ...

https://github.com/w3c/webauthn/pull/1191

tony: shane do you have anything

akshay: I want to talk with the right people on the call
... Christiaan is not on
... this is long thread.

when you create authnticator, the spec in CTAP says required ot have PIN this was earlier behavior

scribe: we have come to agreement on non-resident keys , dont' require PIN
... he does not want PIN, needs more discussion.
... shane wants to know when the cred is created , what kind is it
... RP wants to know this
... I have comments. certain authenticators will always do user verification
... that is one of the existing authenticators out there that do it, not many out there.
... not uniform across authenticators.
... my requirement is do not force them to not use user verificaiton
... don't force authenticators to support non-resident keys if they don't want to
... now as RP, when says I want to register a credential
... what is the third optino, crete non-reisdent keys like U2F, will solve Christiann's issue

Shane: this is my original proposal, go to top of thread #1191
... emil first brought this up.

<discussion> resident credentials, PIN, user verification

shane: second part of PR #1191 reports on what was actually done.
... I will put back the original proposal
... what akshay recommends and what I proposed are the same things to me.
... not certain if it satisfies Christiann's requirements. comes down to how the browsers work.

akshay: some browsers will always require a PIN. Christiann may not get what he wants.

elundberg: required, preferred, and discourage are three choices.

share: in the proposal, had a default value of discouraged. that has same semantics as what we had.
... default value

elundberg: I disagree.
... I want indifferent and discouraged

Akshay has to leave.

akshay: can we discuss later>

elundberg: sure.

agl: tony would you want to move on. You may wish to close this.

tony: go ahead now

agl: the term discouraged weirds me out. I care about if it can be returned in context.
... that is meaningful. best argument for discouraged, CTAP has some requirements, Web Atuhn should not make promises it can't keep.

elundberg: in practice CTAP model might allow it to act as if it was forbidden.

agl: I think ctap2 should be changed. it won't affect authenticators other than perhaps one software authenticator
... I don't think RP has any place to thing credential is stateful or not.

elundberg: we should be align description to be in allow lists rather than storage
... we could modify CTAP to align with authenticators

jbradley: one authenticator widely distributed that always created resident credentials, but it could be fixed.

agl: I would not worry too much

jbradley: if you are not specifying residential credentials then the authenticator can do what it wants.

shane: if there is a path forward here with respect to PR what do we want to do with these values.
... having more values is better, RPs don't want to settle on one.
... it is most likely the willuse discouraged or preferred, to make use cases broader.
... somewhat inclined to bring this back to not having forbidden

agl: think your flag is good, could make it about allow lists.
... I think we need three values.
... I thin we can get to consensus on what it is called.

jbradley: discourage may be defined if we define it. what is UV requirement on main credential
... if you say discouraged , then the user is not prompted for a PIN.

agl: i am more concerned about privacy.

jbradley: if we want to do that, we need to make a change to CTAP for it to work

agl: that is true

jbradley: we wold ned in CTAP explicit language, cred can't be returned without an allowed list.

agl: that flag is cred protect.

jbradley: cred protect is similar.

tony: see you in two weeks.

adjorn

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/04/03 20:01:06 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: nsteele jbarclay elundberg jfontana akshay John_Bradley nadalin sbweeden agl arnar selfissued
Regrets: =jeffh jcj_moz
Found ScribeNick: elundberg
Found ScribeNick: jfontana
Inferring Scribes: elundberg, jfontana
Scribes: elundberg, jfontana
ScribeNicks: elundberg, jfontana

WARNING: No "Topic:" lines found.


WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]