W3C

- DRAFT -

Web Authentication WG

22 Jan 2020

Attendees

Present
nsteele, wseltzer, akshay, elundberg, nadalin, rmondello, jcj_moz, coffee, agl, jeffh, nina, christiaan, Jiewen, dwaite, ketan, jfontana, jfontana_
Regrets
Chair
Nadalin, Fontana
Scribe
wseltzer, jfontana_

<inserted> scribenick: wseltzer

No meeting Feb 5

nsteele: we should be able to have dial-in for the F2F

Open PRs

nadalin: 909 on hold
... 966?
... 1300, 1330

jeffh: work in progress

nadalin: 1333

elundberg: please re-review

nadalin: 1353?

jcj_moz: I think I know how to implement this in FF

nadalin: jcj_moz should merge when complete
... 1354?

agl: awaiting John Bradley

nadalin: No untriaged PRs

Open Issues

nadalin: Untriaged
... 1356

elundberg: I don't think we can deliver without undermining privacy

agl: I'd be inclined to write a polite follow-up and close

nadalin: any objection?

https://github.com/w3c/webauthn/issues/1356

nadalin: 1358

https://github.com/w3c/webauthn/issues/1358

akshay: I'll report back on what Edge does
... how many production servers are there with an IP address?

jcj_moz: if it's working in FF, that's a bug

akshay: agree it shouldn't be an option in production

jcj_moz: IP addresses aren't stable for certs or secure context
... if I file a bug, I'll link it in the issue
... I don't think we want to permit IPs

agl: they're not unique names

nadalin: 1362

elundberg: another request for the spec to do something different from what it does

jcj_moz: you answered the question re CBOR

[discussion whether CBOR is necessary for more than attestation]

jcj_moz: should be split into different concerns
... ArrayBuffer will get better, talk to WebIDL folks if you like
... but perhaps the CBOR is worth considering

agl: want to listen to web devs about things that could make their lives better

nadalin: should we close this and open up a new CBOR issue?

agl: I can do that

nadalin: other issues people want to discuss?

<inserted> scribenick: jfontana_

jcj_moz: nothing to talk about

tony: jeffH you will roll up #1360 CTAP

jeffH: yes

tony: #1436 is still blocked

<wseltzer> https://github.com/w3c/webauthn/issues/1294

<inserted> scribenick: wseltzer

nadalin: should we close, remove lightning?

Jiewen: sounds good

nadalin: see JBradley's last comment
... I'll see if I can get his agreement

agl: I'll craft a PR to remove it

<jfontana_> I can't get audio, but let's talk to john B before we scrap this

<jfontana_> please

nadalin: 1293

<jfontana_> OK, thanks. having connection issues.

https://github.com/w3c/webauthn/issues/1293

<inserted> scribenick: jfontana_

agl: changing this somewhat terrifies us.

tony: apple?

what do you think

we are on #1293

jcj_moz: there is potential for abuse here.
... can understand scary, but we need to move the ecosystem together
... think it should apply to cross-origin iframes

scribe: not sure how to make a value judgment
... I am more concerned with cross-origin iframes.

jiewen: I think this is an issue, providing a system level UI,

jcj_moz: if you took over the screen...
... as you said this is how it works on Android presently.
... OK, think this is still valid issue.

agl: I think we should move together
... browser vendors

akshay: need time to think it over

jcj_jones: would we split this?
... should we split this?

jcj_moz: let me look at what full-screen has done

agl: I think you will be disappointed

tony: so we keep this as one.

jcj_moz: yes. should stay in level 2

agl: input from the payments guy would be interesting here.

jeffH: they seem to want delegated authentication and they want to minimize interaction.

agl: don't think they will get that

tony: OK. what do we want to do with #1147
... this is mainly an enterprise attestation.
... this is issue
... this is enterprise attestation. talk about it next week.

jeffH: it is in draft for CTAP2

tony: is this still blocked?

agl: not in web authn
... our desire to have it in web authn is still there. I can craft up a PR for web authn

akshay: I think we should do that.

tony: and discuss next week.
... anything else to talk about?
... adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/01/22 20:55:55 $
