W3C

- DRAFT -

Web Authentication WG

30 Oct 2019

Agenda

Attendees

Present
jfontana, selfissued, jeffh, Akshay, David_Turner, elundberg, Eric, john_bradley, jcj_moz, nadalin, rolf, sbweeden, nsteele, nmooney
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana


<wseltzer> present=

thank you, Wendy!

tony: reminder, web payments working group task force. we are setting up calls
... pull requests and issues, then talk about going to WD-02

https://github.com/w3c/webauthn/pull/1276

jeffH: ready to land.

tony: need Akshay to respond

jeffH: I linked to cred man, my comment there. this is ready to go. I want this in next working draft in web authn.

jcj_moz: I approve, I went through it.

jeffH: thanks.

akshay: there is a PR open, do we need to finish that.

JeffH: I am now the cred man editor. If you want to review in cred man, do it.

tony: can you merge today. when akshay approves

https://github.com/w3c/webauthn/pull/1330

jeffH: is elundberg on the call, he can explain

tony: #1330 has been delayed to 03
... #13000 has already gone to wd03

akshay: so move this to wd03

elundberg: I don't think this is related to 1300

tony: this one needs to move to 023

elundberg: yup.

https://github.com/w3c/webauthn/pull/1332

shane: I just want the platforms to do something with web auth without violating the specs

tony: can you merge shane.

https://github.com/w3c/webauthn/pull/1333

jeffH: I think it is basically OK, from my perspective.
... I was thinking it might be good idea to have AGL look at it

akshay: I also want to look

tony: so what are we doing with this one. let's decide later.

https://github.com/w3c/webauthn/pull/1334

self-issue: it is terminology one? yes.
... I will review.

tony: can you pull the trigger if you agree

https://github.com/w3c/webauthn/pull/1335

elundberg: ready to go

jeffH: I should merge it.

tony: leaves us with, with 1334, i think mike will approve.
... leaves us with 2 issues.

jcj_moz: I have a pull request that has not been triaged.
... I proposed removing image fields, I have not finished my look at web IDL

tony: is it OK to merge

jcj_moz: potential someone could come back on us, but I feel safe merging
... i will fix and merge.

https://github.com/w3c/webauthn/issues/334

tony: punt

https://github.com/w3c/webauthn/issues/1105

jcj_moz: i am tempted to close this with no action.
... concept was different but the rationale was the same.
... are we saying iFrame be visible. this doesn't seem to have a practical effect.

akshay: so let's close this one and discuss #1303

https://github.com/w3c/webauthn/issues/1147

akshay: move to level 3

https://github.com/w3c/webauthn/issues/1174

tony: punt

https://github.com/w3c/webauthn/issues/1207

tony: jeffH, what do you say.

jeffH: we can punt

https://github.com/w3c/webauthn/issues/1208

jeffH: punt

https://github.com/w3c/webauthn/issues/1303

jcj_moz: trying to get consensus
... I feel like we need a different approach beyond just iFrame being visible.
... maybe we should re-raise interaction despite opposition

jeffH: there are flows that get messed up.

jcj_moz: plenty will get messed up if we go to Web push. want to avoid the dark patterns
... trying to learn from web push WG

jeffH: I need to look that up

jcj_moz: web push is moving browser to have some interaction before things fire.
... helpful in some scenarios but encourages more pop ups.

tony: what I'm hearing is, carry this on?

jcj_moz: I'm close to agreeing we can't change visibility, we can't test it.
... but still core problem, super cookie case. discuss in #1336

akshay: I will look at this.

tony: do we believe this needs to be made clear in 02 - 1

#1302

jcj_moz: #1303, needs to be handled before 03

Jeffh: should we hold off on merging the feature policy.

jcj_moz: don't see reason for this working draft. I won't break feature policy

tony: call issues closed for wd02. pull requests in wd02 have been met.
... if we get #1333 and #1334 and #1337 merged that leaves us with ... and #1226. these are the ones we need to get closed.
... before the next meeting.
... that would close all open PRs and issues for wd02
... are we comfortable in producing a WD-02 draft?

jeffH: sure.

tony: any objection once PRs are closed
... not hearing any objections.

<Rolf> do you mean 1226 or 1336?

tony: hope to do by next week call. should have wd-02.
... and working toward wd-03.

jcj_moz: additional topics. #1336

https://github.com/w3c/webauthn/issues/1336

jcj_moz: I have a different scenario. in simple way we can figure out how to describe
... use Web Authn to show this is same person just in new browser profile.
... provide a cross account identifier. which is a little scary.
... up side. can avoid by prohibiting cross origin iFrames.
... if we don't have feature policy now, we are not breaking anything.
... just a restriction on the new feature coming through wd-02
... look at simplified threat model and see if we are crazy.
... and second. see if you agree this is dangerous and could be resolved with restriction on create credential

jeffH: thanks for writing this up.

akshay: this is not supported right now. no cross origin iFrames.
... we said you need a user gesture, i hope this is two things.
... I don't see a scenario where we would allow this.

jcj_moz: you don't see a create credential scenario
... yes.
... I see some possibility for abuse

akshay: there are benefits to dis-allowing it.

jcj_moz: take a look at this.
... I don't think this is breaking, we should remove the label.

akshay: I don't think it is breaking

tony: I do, if it goes through, it is breaking

<Rolf> Couldn't the RP already disallow create via feature policy?

jeffH: there is intent to implement for cross-origin iFrames and chrome has it implemented.
... the code is written.

jcj_moz: we say breaking after the document is released.
... could be working draft.

jeffH: think we can leave the label.

akshay: jeffH have you implemented?

jeffH: I think so. we have feature policy implemented. have to wire up web authn.
... it might be change but not sure

akshay: you may have implemented something, so I see where you are coming from. discuss next week

elundberg: reasoning here seems to be sound.

jcj_moz: thanks emil

tony: anything else?
... adjourn.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/10/30 20:51:19 $


Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Oct/0307.html
