W3C

- DRAFT -

Web Authentication WG

31 Jul 2019

Agenda

Attendees

Present
wseltzer, agl, jeffh, david_waite, david_turner, elundberg, jcj_moz, jfontana, nadalin, sbweeden, nmooney, jbarclay, nsteele, Akshay, john_bradley, selfissued
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana


tony: register for TPAC. Sept. 16-20

<wseltzer> https://www.w3.org/2019/09/TPAC/

https://github.com/w3c/webauthn/pull/653

tony: still on hold. on-going

https://github.com/w3c/webauthn/pull/909

jeffH: waiting on CTAP

https://github.com/w3c/webauthn/pull/966

akshay: can we move to next draft.

tony: OK. WD-03
... we will create new milestone.

https://github.com/w3c/webauthn/pull/1219

akshay: the proposals are not clear. I would say close it down.

agl: we may do this at some point. we could bring it back.

akshay: let's punt.

jcj_moz: thanks for all the hard work. it is a good idea.

akshay: I will close for now.

<jcj_moz> jcj_moz: "I could go on record as, three years ago 'you told me so' we'd want this, but I stood in the way"

https://github.com/w3c/webauthn/pull/1244

jeffH: we think it is ready to go.

akshay: looks fine to me.

jcj_moz: I have looked at it.
... I can bless it. I have not nit-picked it.
... I will merge.

https://github.com/w3c/webauthn/pull/1250

elundberg: I will look at it next week.

https://github.com/w3c/webauthn/pull/1256

jeffH: still needs some polishing.
... I need to re-review.

https://github.com/w3c/webauthn/pull/1259

agl: this should be closed two weeks ago.

https://github.com/w3c/webauthn/pull/1264

agl: perhaps others should weigh

bradley: I have reviewed. I asked Mike to review.

selfissued: I am looking at it.

jcj_moz: since we don't define enumeration, do we have to add on to the end.

jeffH: we are adding another value

bradley: I changed the order, but tried to logically group

selfissued: I reviewed and approved.

agl: I still think this is a good change to land now and we can go back if need be.

jcj_moz: by definition Web IDL needs to throw an error

tony: who will submit that issue.
... so merge and open up a different issue

jeffH: yes, one way to do it.

https://github.com/w3c/webauthn/pull/1266

elundberg: I will look at it next week.

tony: I will leave it open until then
... with issues Akshay was going to look at #334

https://github.com/w3c/webauthn/issues/334

akshay: will look into it

https://github.com/w3c/webauthn/issues/1039

elundberg: I will work on this

tony: still shooting for next version?

elundberg: yes

https://github.com/w3c/webauthn/issues/1044

jcj_moz: close no issue

tony: close

https://github.com/w3c/webauthn/issues/1099

tony: close

https://github.com/w3c/webauthn/issues/1105

tony: same thing
... ?

JeffH: mention it at this point, later we can get fancy if need be.

jcj_moz: I will make a comment

https://github.com/w3c/webauthn/issues/1133

jeffh: will work on it.

https://github.com/w3c/webauthn/issues/1149

agl: we are leaning to closing this issue, no action

jeffH: are we waiting for Christiann

agl: I am fine with closing.

jeffH: OK

tony: he could re-open or submit something.

https://github.com/w3c/webauthn/issues/1174

tony: what happens with edge

akshay: we should have a single ??? with cross platform browser
... couple of things. need consistent behavior on every platform

agl: we don't want to expose any incognito function.
... we have not worried about this.
... we want consistency. but we are still having issues on chrome

akshay: if decide the other way totally. will we have random noise.

agl: any immediate error will likely disclose incognito with low noise.

akshay: I would like the consistent behavior across platform, browser.

agl: I would be fine with Jeff's language.

wendy: private browsing could give requirements if people wanted.

agl: I claim it is non-normative. I am uncomfortable with normative

akshay: I agree

wendy: that makes sense to me

tony: we need to update this issue and then open a PR

agl: I can summarize in the issue
... I can't do PR now

tony: let's keep it open. and put a note in it.

https://github.com/w3c/webauthn/issues/1201

jeffH: on the to do list

https://github.com/w3c/webauthn/issues/1204

jeffH: on the list

https://github.com/w3c/webauthn/issues/1206

jeffH: same

https://github.com/w3c/webauthn/issues/1207

tony: same editorial issue.

https://github.com/w3c/webauthn/issues/1208

tony: editorial

https://github.com/w3c/webauthn/issues/1231

tony: editorial

https://github.com/w3c/webauthn/issues/1236

tony: PR open

https://github.com/w3c/webauthn/issues/1257

tony: editorial

https://github.com/w3c/webauthn/issues/1261

agl: should be resolved.

https://github.com/w3c/webauthn/issues/1218

akshay: not sure we want to do this

agl: not sure either

akshay: close it

tony: close

jeffH: with a brief explanation, sure

tony: we are through the list. anything else that was not on the list

agl: I want to talk i-frames.
... do we want to allow create or just stay with get
... what ideas are out there.
... other question. this will allow webauthn call to appear in an i-frame.

tony: we shall consult with EMVco stuff

jcj_moz: I had not considered a flag to make embedding OK. but makes sense
... I like this. I don't have opinion on create

James: this is how we dealt with this
... we have to use a pop-up for registration and assertion
... it is one reason we still support U2F

agl: what use would you have for an i-frame

james: if user was on DUO prompt and wanted to add a new credential, we use a pop-up. the only way it will work

agl: what is example of top level origin with i-frame

nick: DUO explaining how its platform works.

agl: should create not be allowed in i-frame

bradley: it should be controllable.

jcj_moz: is feature policy the right place?
... let the vendor make the decision

agl: we are saying both parties have to. top level origin and embedded i-frame

jcj_moz: I was thinking a specific flag for create.

agl: the flag would be on the get and create calls separately, but the embed-er may have an opinion on creating credentials

bradley: sounds like compromised may be embed-er can do web authn, and the embed-ee can do create

tony: why not just make it usable no matter what, and pin down the create.
... is there reason for separate agreement on get

bradley: yes, I can see service providers having issues, may open up attacks.

tony: maybe we take this to the Web Payments people.

agl: I will make a PR for next week

tony: that's good.
... adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/07/31 20:24:45 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Jul/0153.html
