W3C

- DRAFT -

Web Authentication WG

04 Sep 2019

Attendees

Present
Regrets
wseltzer
Chair
Nadalin, Fontana
Scribe
jfontana

Contents

04 09 2019

tony: One more meeting, then two skips. 18th, 25th
... status of charter changes.
... it is out for review by AC reps. we are extended to 30th of Oct.
... this allows charter process to run its course.
... vote to approve the charter if yo are AC rep
... any questions on TPAC agenda, please post to list
... if you are in Japan, you can join.
... if you have any adds to agenda send to Tony. demos, etc, Sign up for meeting.
... couple of invited guests have been approved.

https://github.com/w3c/webauthn/pull/653

tony: won't go over.

https://github.com/w3c/webauthn/pull/909

skip

https://github.com/w3c/webauthn/pull/1250

tony: need akshay to review

akshay: yes

https://github.com/w3c/webauthn/pull/1256

tony: nina you won't be in Japan
... this will come up at face to face

nina: I won't be there.

tony: jeffH can you represent

jeffH: yes.

tony: akshay, need to push to close by before or during face to face

akshay: I will do it

tony: agl have you signed off.
... please look at it before face to face
... jeffH has approved.

agl: if nina thinks this is good, I think it is good.

tony: put that on reviewer list

https://github.com/w3c/webauthn/pull/1270

tony: ready to go?

elundberg: not ready. JeffH has some comments

jeffH: it will be fine. work in my comments
... I am putting it on elundberg

tony: elundberg, please look at this one.

elundberg: OK
... only thing is term bootstrap. we could merge and continue that discussion later

jeffH; some editorial. but thanks for the other clean-up

scribe: it improves issues #344

elundberg: we could merge this now.

jeffH: later clean-up is fine

elundberg: I will merge

https://github.com/w3c/webauthn/pull/1276

tony: this needs additional reveiw

akshay: I need more detail

jeffH: further changes needed in Cred Man
... I will shoot to finish before TPAC
... this helps cross origin I-frames via feature policyt
... real meat will be in cred man spec

tony: how will the RPs know what to do

jeffH: way feature policy works, there is default allow list. this is same origin as ancestors by default
... does not changing exisiting default behavior
... but somebody could explicitly engage cross origin I-frame
... boolean will be true

tony: how will RPs know what to look for

jeffH: it will be in the spec
... it covers RPs
... we are making changes from level 1. we should explian how it works.
... as opposed to level 1

jbradley: this should only effect people who have turned it on.

https://github.com/w3c/webauthn/pull/1284

tony: still in progress. no review

jeffh: real simple. a small change
... i landed the change in feature policy world, in terms of list of defined feature policies.

agl: this should be able to land now
... please review

akshay: looks good to me. I signed off on itt.

https://github.com/w3c/webauthn/pull/1288

elundberg: any objections to merging?

tony: jeff H and akshay have approved.

https://github.com/w3c/webauthn/pull/1289

agl: part of the steps need to remain.
... you should stop and think about extensions
... this change seems fine.

shane: do you have proposal for more words

agl: perhaps a note, add info. about extension actions.

shane: I can add something like that

tony: but this will be change in behavoir. willit break

elundberg: will they have to accept extensions they don't know about.
... but extension note is given, should they accept it?

shane: the whole point. could the RP open or fail closed.
... practical use that it should not always do that.

elundberg: these are probably well known extensions

shane: no one knows cred protect. it is not public yet.
... what is right answer here. maybe it should not be injected.

DWaite: our RP had issue with this.
... we were saying it was not compatible with new YubiKeys, but it was browser issue with compliance
... it is an extension, that RP don't understand this now.
... RPs don't seem to have the knowledge.

agl: this is why we are doing this chamnge

tony: shane, do you have what you need.

shane: need approvers

tony: agl, jeffH, elundberg on the list

alexei: If I may...
... related questions. arbitrary extensions from authenticators, is this still a thing. I thought we didn't want this.

jbradley: chrome added it

agl: this was about what was rejected. if it is problem we could change our stance.

jbradley: i suspect that we want to allow the user to have control via browser or authenticator

akshay: can we reject these things. I would say let it play out and see what happens.

jbradley: I don't know of any scenarioes now, but maybe down the road.
... the concern for RP, if extension that meanings are different and it changes security context
... I think this is pretty low risk.

akshay: ultimately it is for the RP to decide.
... should be case by case basis

shane: another example may be cred ??? extension
... cred prop
... cred props. new to level 2. deals with resident keys

akshay: looks like we have different points of view for different scenarioes.

shane: all add note and see if reviewers can approve or not.

tony: akshay, take a second look.

akshay: yes.

moving to issues

#1282 lcosed

#1283 closed

https://github.com/w3c/webauthn/issues/1285

agl: still some conversation

tony: this is not ready yet.

akshay: does not seem anyone is using icons at this time

agl: we do not store icons on authenticator
... expectation some authenticators will be larger, maybe then can store data URLs, not yet.

jeffH: like built-in platform authenticators

thttps: //github.com/w3c/webauthn/issues/1286

akshay: look at it before TPAC

tony: any open issues for discussion.
... any questions, concerns, updates.
... at TPAC, we will look at issues for WD-02. we may have to react before all the editorial ones land

jeffH: the list is going to change between now and TPAC

tony: that is todayt's agenda.
... OK, meeting next week, then off for two weeks on call (TPAC starts on Sept. 16)

Date 04 09 2019

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/09/04 19:51:14 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)


WARNING: No "Present: ... " found!
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy
        <amy> Present+

Regrets: wseltzer
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.


WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]