W3C

- DRAFT -

Web Authentication WG

17 Jul 2019

Agenda

Attendees

Present
jfontana, jcj_moz, elundberg
Regrets
wseltzer
Chair
Nadalin, Fontana
Scribe
jfontana

Contents

tony: Next week, no meeting. Any objection?

none

tony: we will skip next week's meeting.

https://github.com/w3c/webauthn/pull/966

tony: akshay, you were looking at the TPM

akshay: this is low priority. we can make it Level 3

tony: we will keep it low priority

https://github.com/w3c/webauthn/pull/1219

tony: we put this off last week

akshay: we don't know the right solution. question where is chrome in this whole thing
... MSFT will have what they need for windows next month. question now is what about older platforms.
... what id browser does not support API
... I want to hear other people's review

agl: the point of API is to improve future. eventually they get out in the world

shane: I made my point in the comments in GitHub. not against it. Challenge is what is lowest common denominator

tony: transition will be bumpy

jason: I think there are some who will not implement the API.

tonhy: that is fine.

akshay: we don't seem to have a clear consensus when all this is done.
... next big thing in my mind is Safari.

tony: if we do something now, it will probably be better than delaying

akshay: give me another week
... I will go and look at the other browsers.

tony: OK

https://github.com/w3c/webauthn/pull/1244

agl: wonderful idea

tony: looking for JCs opinion.
... we still need JC and Mike to look at it.

https://github.com/w3c/webauthn/pull/1248

tony: should be ready

eluncberg: anyone against merging.

<scribe> ...done

https://github.com/w3c/webauthn/pull/1249

elundberg: looks ready. merge?

tony: yes.

no objections

https://github.com/w3c/webauthn/pull/1250

akshay: I have not looked at this one.

elundberg: some comments from JeffH, be a few weeks til I get this.

https://github.com/w3c/webauthn/pull/1256

akshay: this is maybe beyond my expertise, need others to look

jeffH: need to respond to Emil, no ready to land.

https://github.com/w3c/webauthn/pull/1259

akshay: I am not in favor
... this is breaking change for me.

afl: in chrome if you don't set a value...

akshay: it is sisue between preferred and required.

christaan: want ot move to required.

akshay: want to move to default

christiaan: I could live with this.

akshay: I would go with clarification here.

bradley: my perspective, but long time for browsers to catch up if we change default.
... need RPs to ask what they want.

agl: does not sound like consensus
... RPs are not reading the WebAuthn spec. need to show why this is positive change.

tony: leave this open?

agl: if we leave it hanging around , it looks like we expect consensus in future.
... should cleanse this.

tony: any objections to losing this

jeffh: no

tony: thanks.

jeffH: close

agl: I will write stuff into issue and close issues.

tony: get to issues. 1258

https://github.com/w3c/webauthn/issues/1258

jeffH: it's not clear in spec. the spec could be more clear.

elundberg: this is also about the outputs.

agl: if you are setting an extension I assume you know what you are setting
... we need to triage this a put a tag on it.
... who wants to do the PR?
... if no takers tag in Level 3

akshay: I wouild not try to do this and put in next draft.

<sbweeden> https://github.com/w3c/webauthn/issues/1261

<sbweeden> ve7jtb: FIDO adding new transports for iOS in the FIDO TWG. WebAuthn should include these transports.

<sbweeden> agl: Suggested something other than "tunnel"

<sbweeden> ve7jtb: Will work on PR.

<sbweeden> https://github.com/w3c/webauthn/issues/334

<sbweeden> jeffH: on todo list

<sbweeden> https://github.com/w3c/webauthn/issues/1039

<sbweeden> agl: editorial, low priority

<sbweeden> https://github.com/w3c/webauthn/issues/1004

<sbweeden> jeffH: ongoing, skip

<sbweeden> https://github.com/w3c/webauthn/issues/1099

<sbweeden> jeffH: on todo list, low priority, editorial

<sbweeden> same with https://github.com/w3c/webauthn/issues/1100

<sbweeden> same with https://github.com/w3c/webauthn/issues/1105

<sbweeden> same with https://github.com/w3c/webauthn/issues/1133

<sbweeden> https://github.com/w3c/webauthn/issues/1147 - blocked on CTAP2 changes

<sbweeden> https://github.com/w3c/webauthn/issues/1149

<sbweeden> sbweeden: Hoping browser vendors would chime in as to why things don't already work this way.

<sbweeden> akshay: rules on CTAP require PIN for uv-protected authenticators, not entirely up to WebAuthn / browser.

jeffH: thi sissiue needs to wait until we nail down CTAP

agl: even if we do that, still not sure of the utility of it

akshay: this is more about the devices out there
... it is best to say discourage, but looking at finer details.
... why would an RP say I do no twant to create a credential
... I don't see why RPs would do this.

<sbweeden> akshay: suggests forbidden would not actually be used by RPs because they have to deal with older devices anyway.

<sbweeden> agl: agreed

<sbweeden> akshay: suggest close with no action. We have "discouraged" - should use that, and FIDO 2.1 devices will give the desired behaviour when they are prevalent.

akshay: this is more relevant a few years when there are more FIDO2 devices

jeffH: I can see closing with an explanation.

agl: I can write that and we can come back and review.

<sbweeden> agl: Discussed usage around "preferred" - will write an issue about soft use of preferred (e.g. don't create a PIN if not already on authenticator)

https://github.com/w3c/webauthn/issues/1174

<sbweeden> jeffH: This issue is calling out that there is different behaviour on different browsers

<sbweeden> akshay: want to make sure that RP's are not able to discover that the browser is in incognito mode

<sbweeden> akshay: will add questions to issue

<sbweeden> mtg concluded

Chairs: nadalin, fontana

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/07/17 20:40:40 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/Level 2/Level 3/
Present: jfontana jcj_moz elundberg
Regrets: wseltzer
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Jul/0090.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]