Web Authentication WG

09 Oct 2019



jfontana, jeffh, nsteele, wseltzer, Akshay, jcj_moz, elundberg, eric, Jiewen, rmondello, sbweeden, dturner, agl, nina


<jfontana> Agenda

<jfontana> https://lists.w3.org/Archives/Public/public-webauthn/2019Oct/0041.html

<scribe> scribenick: jcj_moz

jfontana: Charter is still out for review. Hopefully we'll know more in the coming days/weeks.
... Tony's not here today, he's tied up in Minnesota
... so let's run through the pull requests and issues
... We're hoping we can get WD-02 in the next three weeks. So let's see what we think we can get done, and if something looks like it needs to get punted, we can move it to -03
... so let's start with the PRs - 653

· https://github.com/w3c/webauthn/pull/653

jeffh: This is ongoing and we don't need to spend time on it today. Donno if it should go to -03

jcj_moz: I think it's ok to go to -03 because until we actually can do new web platform tests, we can't enforce it

jfontana: 1250. Akshay's on this, looks ready to merge

Akshay: This looks fine, but we'll open a new issue related

jfontana: 1276...

· https://github.com/w3c/webauthn/pull/1276

jeffh: I'm working on the credential management spec first, and then we can deal with this. Trying to handle in the -02 timeframe

jfontana: https://github.com/w3c/webauthn/pull/1299

jeffh: We can merge this

jfontana: 1307
... Emil, you have approval on this, are there roadblocks?

jeffh: Mike's working on this, and I had 1 suggestion for rewriting a sentence and moving it ...
... other than that I guess it's okay
... comment indicates there's a change to CBOR
... don't know if that affects anything we're doing at this time
... as far as I know this text is correct but I'm not 100% positive

jfontana: Emil, did you review it?

Emil: I don't know. I looked at the editorial

Akshay: Let's wait for Mike to come back

jfontana: Sounds logical. He's assigned to it.
... 1310 - was merged and closed?

jeffh: yes

jfontana: 1312 https://github.com/w3c/webauthn/pull/1312

agl: I just ticked approve, looks good to me

emil: We might be good to merge?

jcj_moz: looks good

jeffh: looks good

Emil: we merge it?

jfontana: yeah
... https://github.com/w3c/webauthn/pull/1313

Emil: This probably needs a bunch of reviews from a bunch of different perspectives. It doesn't really change anything, but maybe? It covers what happens if you make a credential with UV and use it without UV, and get basic assumptions into writing

agl: I think this reflects reality

jeffh: I will review it

jcj_moz: I will also

jfontana: that's all the PRs, so onto the issues
... a lot of these are editorial, Jeff I guess that means you.

jeffh: I'd suggest we look at technical labeled ones for WD-02
... and don't worry about the editorial ones


jeffh: it looks like there are 11 technical issues, 2 have aPR open
... so I'd start with 1285 and work up from there

jfontana: 1285 then

jcj_moz: will get to this PR next week

jfontana: 1260
... wait 1286


Akshay: I'll have a PR by next week

agl: https://github.com/w3c/webauthn/issues/1294

jeffh: The Apple folks have written in here their perspective of what we agreed on at TPAC
... so we're holding this open
... and we'll wait to see what develops

jfontana: https://github.com/w3c/webauthn/issues/1296

agl: PR next week

jfontana: You think it can still come down to WD-02?

agl: It's plausible, and if it doesn't, it doesn't matter

Shane: ditto 1297


jeffh: Boris

jcj_moz: This is 3rd in line for me prioritize

jeffh: there may be no spec changes

jcj_moz: we probably just need a test, and then we all fix it
... maybe we need a label and a PR for updating web platform tests

Nina: Working to improve that situation

jeffh: cool

jcj_moz: I don't think this matters what draft it goes into, but it does need to happen
... Do we want to make a label for Web Platform Tests?

jeffh: sure
... You're doing that?

jcj_moz: no I am scribing

jfontana: https://github.com/w3c/webauthn/issues/1303

<wseltzer> jcj_moz: Mozilla and I worry about invisible iframes confusing the user

jcj_moz: I have this in draft form locally

agl: I'm not sure what utility making them visible yields
... they can make htem white on a white background and what is the point

jeffh: another ask

agl: make the argument that this is disabled-by-default

jbradley: This may come from payment issues, and could prompt something worse for privacy like the facet list again
... The main place where this might be used is payments in Europe where a merchant needs to collect an authentication from the bank, and they don't want to display the bank's page or can't because of EU banking regulations
... but they still need to do strong customer auth as the law requires
... otherwise they want to destroy the non-correlatability and instead embed webauthn directly in the merchant's site so it's correlatable

jfontana: Let's go back to the editorials

agl: We had one un-triaged
... 1314


Emil: This is something that confused me among all the extensions
... I think if you look closely it's unambiguous so it's not high priority
... so if someone could confirm my understanding, then we can
... confirm or punt

jeffh: will review

agl: Who authored the extension?

<wseltzer> https://github.com/w3c/webauthn/issues/1314

agl: I think it is unambiguous, but ...

jeffh: it's (passed as) essentially a blob

agl: if you imagine the CBOR type that is represented by this WebIDL type then it's essentially correct but ...
... it seems okay to me --ish, aside from that annoyance about the types
... Emil, do you want to close this, make the changes?

Emil: I can make the changes if someone can confirm that I have the correct understanding
... I can try to check with whoever authored the extension to make sure I have the correct understanding

jfontana: I'd say punt to -03

agl: alright

jfontana: Did we tackle 1260?
... This is the editorial, https://github.com/w3c/webauthn/issues/1260?

jeffh: This is just among the low-priority editorial items

jfontana: That's kind of what we have left

jeffh: I don't think we need to walk through them
... nobody seems to be screaming about any of them
... I submitted most of them, and in a perfect world we'd fix them, but nobody's screaming about them so we don't need to talk about them

jfontana: I think then we're pretty much done
... Thanks everybody

[[ closing out ]]

<Jiewen> Thank you.

jfontana: What about https://github.com/w3c/webauthn/issues/1292

jcj_moz: That's the one Ricky and I were planning to address with a simplified interface

Ricky: Yeah

jeffh: moved to WD-03

jfontana: thanks

nina: PR on the wpt repo to add the webdriver API to the tests

[[ feedback loop ]]

Nina: They should at least run in Chrome for now

<Jiewen> Sorry, not sure what was going on...

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/10/09 19:44:52 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: jfontana jeffh nsteele wseltzer Akshay jcj_moz elundberg eric Jiewen rmondello sbweeden dturner agl nina
Regrets: Nadalin
Found ScribeNick: jcj_moz
Inferring Scribes: jcj_moz

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Oct/0041.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)

[End of scribe.perl diagnostic output]