W3C

- DRAFT -

Web Authentication WG

05 Jun 2019

Agenda

Attendees

Present
wseltzer, jfontana, nadalin, elundberg, akshay, selfissued, rolf, jcj, agl, alexei, jeffh, nsteele, jbarclay
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana

Contents

present

<wseltzer> nadalin: Level 2 Draft 1 has been published, https://www.w3.org/TR/webauthn-2/

https://github.com/w3c/webauthn/pull/1232

rolf: waiting for review

tony: rolf do want to review

rolf: yes

elundberg: how does this help

rolf: new, how does web browser pass assertions through

elundberg: what happens when UAF response comes back

rolf: it depends on how you see. now describing GET assertion
... mans UAF is already registered

elundberg: OK. would also require different implementation from RP

agl: since chrome likely wont do this, we might specify format
... but probably not going to fly

lost Tony

<elundberg> akshay: how would the browser communicate with the UAF device?

<elundberg> rolf: the UAF device will speak CTAP

<elundberg> ...BLE with smartphone authenticator to desktop browser for example

bradley: the phone will let you be ctap provider to another device

rold: yes.

bradley: won't that get confused

rolf: if phone supports ctap that is fine, so no need for another interface.

akshay: I have a simliar issue. I pass and parse , then how do I pass it apporpriately

agl: you are proposing a ctap authenticator that does not follow protocol

rolf: the assertion is just slightly different.
... if different we have to flag that. and that is what this PR is trying to do.

tony: so it is just passing this through

alexei: we have said browsers have to understand extensions. do we remember

rolf: those things are not written in the spec

akshay: what is in the spec, not asking for an extensiond, don't return
... possibly we can say it is a UAF extension.

alexei: if we use extensions, browsers should not blindly pass through.
... this will become way to get things through browser
... either fully define or pass through - that is scary

agl: do we pass through without structure

jcj_moz: seems bad to mozilla, we don't want to pass things we don't understand.

agl: you already do.

jcj_moz: we strip attestation by default

alexei: because one source of leakage, we should create more

agl: but this is already the case. we threaten them at time

bradley: I am skeptical this will catch on
... it is a fair amount of work
... putting it in a extension isn't very much harder

rolf: revise making it an extension rather than full assertion

jcj-moz: maybe
... saying this could be some other assertion, where does a user of spec go to learn the full amont of things they request of use

rolf: make it binding and the idea is to only mention UAF here. that reference has been added
... I heard concern in supporting new arbitrary assertions

jcj_moz: if it were extension we would have to define actions

rolf: that is the other alternative
... we can specify new extension, this is UAF and get back an assetion in correct syntax

bradley: there are UAF extensions that are not in web authn

rolf: at this stage. i would happy if we only had extensions in web authn world and not add new ones

selfissue: what are we trying to achieve.
... no UAF devices that use web authn today. right
... we would need to write and deploy new code. then why not return FIDO2 assertion

rolf: the assertion is something you could do on a software level
... use support in web browser

selfissue: all the web authn client code would be needed
... i am against doing this at all. we made a decision not to do this

rolf: i think there is one use case , where cleint is on one device and UAF sits on another device
... there is a web authn stack
... that speaks ctap

selfissue: but this is not an easy eco system change to update every web authn client
... that is horrible thing to do
... get a software update to get them to talk web authn natively, not change all web authn clients.

bradley: what phone would this work on. Android has a platform with principal support. is it for old android phones
... are we talking 100s of phones or 10s of phones.

selfissue: that really matters. i am adding note that this is bad for eco system and we should not do this.

bradley: i don't understand who would do this.

tony: rolf could you come back with some more information. and how to enable.

rolf: yes.

https://github.com/w3c/webauthn/pull/909

akshay: need ctap stufgf

https://github.com/w3c/webauthn/pull/966

akshay: this is for me. I will look at it.

https://github.com/w3c/webauthn/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aopen+1219

alexei had some comments

agl: I think more webby people will have issues with this

akshay: we write once and it works is where we are.

agl: i understand the motivation. makes sense. what are we going to do to move forward
... can we make the call ourselves.
... yes.

akshay: I would propose to add one more API, say what issues are

alexei: looking at comments now

akshay: debating on best way to do this.
... think this is best

agl: want to avoid collision with our web people. how about I point them to this and see there reaction.
... if no one kicks up a fuss,....

wseltzer: you can raise an issue in the TAG on that question. that is home for design, architectural issues

<inserted> TAG repo for design reviews

tony: any more discussion.

alexei: I will post my questions.

tony: we could do it now

alexei: wants to drop language in regards to transports

this is ctap2

alexei: we need meaningful statements, what things do.
... if it is there it better be user verifying
... I don't understand why these transports are there.

elundberg: if you have BLE transport , it doesn't say anything about device.

bradley: i think intention was to turn off ctap

alexei: we need a crisp case.
... I don't get it.

akshay: we can do that.

alexei: and then another one. is UV supported.
... why do we need that plus UV platform authenticator

akshay: one is for external devices.

alexei: trying to understand particular parameters.

akshay: let me list all the questions we are looking for

alexei: that is good to do
... then we know motivation

elundberg: adding this. would this invite fracturing the eco system
... would be excuse not to support all the parts of the spec

jcj_moz: this makes it easier for those that want to use user agents.

https://github.com/w3c/webauthn/pull/1222

elundberg: editorial
... first step toward PR 1223
... jeffH take a look

tony: jeffH and mike look at it

https://github.com/w3c/webauthn/pull/1225

editorial

https://github.com/w3c/webauthn/pull/1226

tony: tied to 1122

elundberg: also editorial. adds language to spec

agl: there is change in ctap2 that requires key never leave authenticator
... we have to do something about recovery at some point

eludnberg: I'll keep it at hand wavvy.

https://github.com/w3c/webauthn/pull/1230

elundberg: this is guidance.

jeffH: I have pointed web authn list to the 1230 discussion

agl: i think this is good and we should do more to clarify this extension

tony: we will meet next week..

adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/06/05 20:13:39 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/gub//
Succeeded: i|any more discussion.|TAG repo for design reviews
FAILED: s/<... addccccccekcfhrbhkhhbleebkrjvrhvjhcifkvldctjh>/<Bradley:>/
Default Present: wseltzer, jfontana, nadalin, elundberg, akshay, selfissued, rolf, jcj, agl, alexei, jeffh, nsteele, jbarclay
Present: wseltzer jfontana nadalin elundberg akshay selfissued rolf jcj agl alexei jeffh nsteele jbarclay
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Jun/0028.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]