W3C

- DRAFT -

Web Authntication Working Group

08 Jan 2020

Agenda

Attendees

Present
jcj_moz, wseltzer, nsteele, jfontana, akshay, david_turner, kenrb, nina, rae, sbweeden, elundberg, selfissued, jeffh, jbarclay
Regrets
Chair
SV_MEETING_CHAIR
Scribe
elundberg

Contents

<scribe> scribenick: elundberg

jfontana: f2f on the 26th at Cisco

nsteele: RSVP to nsteele@cisco.com to get a badge
... start at 10:30, end at 17:00
... webex will be up for remote participants
... more info to come by email

akshay: agenda by mid-february?

nsteele: [yes] tony has the info

jfontana: issues!

https://github.com/w3c/webauthn/pull/653

jeffh: this is a process thing for chairs to figure out

https://github.com/w3c/webauthn/pull/909

jeffh: on hold, hopefully won't need it in the future

agl: why not close?

jeffh: will close

https://github.com/w3c/webauthn/pull/966

akshay: I will look again

https://github.com/w3c/webauthn/pull/1300

jeffh: progress will be made over the next couple of weeks

https://github.com/w3c/webauthn/pull/1330

jeffh: blocked waiting for 1300

https://github.com/w3c/webauthn/pull/1333

elundberg: I need to take another look at this

https://github.com/w3c/webauthn/issues/1353

agl: awaiting review

akshay: will review

jcjones: will review

https://github.com/w3c/webauthn/pull/1354

agl: I don't think this is ready, because I don't think it does what it's intended to do
... jbradley wants to not store the value, right?
... the wording says authnrs may truncate

jeffh: I pointed this out in review

agl: given previous versions of spec required it be stored, it's sensible to call out explicitly

jeffh: please add a comment to the issue

agl: will do

https://github.com/w3c/webauthn/pull/1357

elundberg: already merged; single word spelling correction

https://github.com/w3c/webauthn/issues/334

jeffh: PR #1300 will address

https://github.com/w3c/webauthn/issues/1105

jeffh: I will propose text for this

jfontana: any comments, jcjones?

jcjones: there's my wall of text [in the issue]

https://github.com/w3c/webauthn/issues/1147

jeffh: waiting on next CTAP version

agl: is this landed in CTAP?

tony: publication is pending

https://github.com/w3c/webauthn/issues/1174

jeffh: maybe we should prioritize things as we go along?
... this seems like low priority

akshay: I think this is good enough priority for L2-WD03

jeffh: I have a suggestion in the issue on how to address this

akshay: I think the later comment is what we want
... warn the user instead of blocking

https://github.com/w3c/webauthn/issues/1199

akshay: solved by feature detection?

elundberg: it was about to, but then we canceled feature detection

agl: since we killed feature detection, that kind of implies closing this

jcjones: I don't know how to do this without re-opening feature detection discussion

[consensus to close]

jfontana: closing

https://github.com/w3c/webauthn/issues/1204

jeffh: I think this should be handled by pointing to secure context spec
... this is low priority
... regardless of milestone I think we should prioritize issues

agl: why not close?
... we already ban IP addresses in the spec

jeffh: closing is ok
... I will take care of it

https://github.com/w3c/webauthn/issues/1257

jeffh: this is low priority

akshay: is #1208 also feature detection, can we close? https://github.com/w3c/webauthn/issues/1208

jeffh: no, I think this is still relevant

nina: #1208 is about how to detect if browser supports webauthn
... #1204 was about detecting webauthn features
... (features within webauthn)

jfontana: skipping low priority https://github.com/w3c/webauthn/issues/1291

https://github.com/w3c/webauthn/issues/1292

jcjones: no updates
... we should discuss this again
... I will follow up with ricky et al.

jeffh: please take another look at my comment

https://github.com/w3c/webauthn/issues/1293

agl: same state as #1292

https://github.com/w3c/webauthn/issues/1294

agl: I think this is clear to move forward
... but let's hear from Apple and Yubico

jfontana: shane, any comments?

sbweeden: I was asked to put the block label on it

tony: Apple asked to keep this open

John_bradley: it's not a technical blocker, it's communication with developers
... last I heard they didn't seem to care much

https://github.com/w3c/webauthn/issues/1303

jcjones: will discuss this with Mozilla at end of January
... agl had good comments about this being unnecessary for preventing abuse
... I'm leaning toward closing this
... I think issue #1336 is the key issue here
... about building tracking cookies
... I'm ok with closing #1303 in favor of #1336

jeffh: sounds good, but doesn't mean we agree with #1336 yet

jfontana: leave open another week?

jcjones: sounds good

https://github.com/w3c/webauthn/issues/1304

akshay: keep open, discuss again later

https://github.com/w3c/webauthn/issues/1314

elundberg: I assigned myself to do this; low priority

https://github.com/w3c/webauthn/issues/1331

jeffh: todo, low priority

https://github.com/w3c/webauthn/issues/1336

jfontana: already discussed

https://github.com/w3c/webauthn/issues/1346

jeffh: we should clean this up, but I think code is correct

elundberg: I think this is to do with how bikeshed renders things

jeffh: this might be a bug in bikeshed
... keep open

https://github.com/w3c/webauthn/issues/1347

agl: awaiting clarification from alanwaketan

https://github.com/w3c/webauthn/issues/1348

agl: I think example is valid, but that means the transport hints were incorrect
... this is a valid point for implementations to worry about, but we should not mandate they ignore the transport hints

jeffh: comment added to issue

https://github.com/w3c/webauthn/issues/1351

agl: PR open, discussed earlier on call

https://github.com/w3c/webauthn/issues/1352

agl: same

tony: anything else we need to address before the FIDO f2f?
... I don't think there is

akshay: I don't think so either

<nina> https://github.com/web-platform-tests/wpt/pull/20481

jfontana: meet again next week
... adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/01/08 20:55:56 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Default Present: jcj_moz, wseltzer, nsteele, jfontana, akshay, david_turner, kenrb, nina, rae, sbweeden, elundberg, selfissued, jeffh, jbarclay
Present: jcj_moz wseltzer nsteele jfontana akshay david_turner kenrb nina rae sbweeden elundberg selfissued jeffh jbarclay
Found ScribeNick: elundberg
Inferring Scribes: elundberg

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Jan/0010.html

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth


WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]