Web Authentication WG

19 Feb 2020



elundberg, jfontana, jeffh, nsteele, wseltzer, jbarclay, nadalin, akshay, davidwaite, davidturner, jcj_moz, Jiewen, johnbradley, sbweeden, christiaan, agl, mikejones, nina
Nadalin, Fontana


<scribe> Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Feb/0035.html

Meeting name: Meeting Web Authentication WG

tony: face to face next wed.
... make sure you register
... Nick will send out note with WebEx instructions
... I have been working in ISO land, request for PAS submission SE17
... as far as I undestand as log as WG agrees we can make this submission
... it is one way, we still have control .
... PAS is a publicly available standard.
... so they can reference it in other specs
... they also want to use CTAP, for mobile drivers license specs
... for readers.
... they want to be able to use FIDO authn for their purposes and need to reference an ISO document
... this would be a ....we can ask for it to be a free standard.
... this is not going to be any different...

wendy: we have copyright and change control on the doc. it is giving it an ISO number.
... can still get it for free from W3C
... ctap will be addressed in FIDO land

agl: for CTAP we will need to work with translators, a lot of nuance to understand

tony: is there any objection to proposal to start PAS submission
... any objections. just need consensus
... no objections, wendy we will contact yo on starting this process
... any other questions on F2F or PAS
... move to PRs


akshay: let me review and I if I approve I will merge it.

tony: yes.


jeffH: I am working on that.
... I have comments from IANA
... I will get this dealt with before next IETF


tony: jeffH will take over and look at this


elundberg: I thnk this is review.


akshay: can i talk about #1333 again
... we re looking at remote desktops and those scenarioes
... use FIDO keys
... there is also some info. around proximity , any comments on remote pieces

agl: chrome remote desktop only supports security keys
... the attacker has to have something physically compromised close to the user.
... we noodled with putting something in client data json

aksay: I am fine with the changes and I approve this and I can merge

agl: at most it says consider the effects.

tony: issues.
... untriaged issues first

agl: #1370, write a PR

shane: #1372



shane: the history to not being facet IDs forward, pre-dates me
... to not bring forward
... is there resistance from the browser vendors.

jeffH: there is nothing standardized.
...dwaite: this is not http post
... lets you share data between windows

jc_moz: can pass back resulting attestation
... we didn't do facets for the same reason the domain boundaries WG at IETF did not have an answer

jeffH: we can take that offline

agl: we are saying iframes available behind flag and we want to know why they are not efficient.

shane: cross-domain trust mechanism is something we prefer

jeffH: if there was way for onee party to generate credentials and second party can validate...would that solve your use case.

tony: web auth and web payments discussed this today
... yes, wait for what they come up with.

christiian: iframes is a web construct
... we think the iframe we have done will be of great value

shane: my question is different

tony: payment guys are saying this is inadequate at this time.
... some of the fintechs have issues.
... my suggestion is to leave this open and see what comes from fintechs.
... and banks

agl: need details on why they cannot use iframes

shane: one thing is RP deployment complexity.
... didn't say it wasn't possible, it is a complexity issues. complexity is undesirable

jc_moz: we might have to invent a new mechanism

tony: leave this untriaged until we have another meeting with payments people.


shane: take browser vendors as authority on this one.
... if there is no movement on UV extensions, or see them implemented, why include in spec

agl: we do support UVM on android, but lot in the specs no one intends to implement

shane: we have dropped some things based on our practical knowledge
... someone coming to this may think these things are available and that might not be the case

agl: I agree that some of these can be dropped

jc_moz: would be nice to do a simplification pass
... I have not gathered consensus

agl: we might find objection if things start dying off
... current wording might be a doc that has what people want to see from their prespective.

nick: either delete or delete this issue

agl: will someone make a PR then leave open, if not - close

dwaite: I would look into a PR

nick: maybe wait for the face to face.

jc_moz: can we put this one the agenda for next week.

tony: yes.

jeffh: #1373 is not about this, there is chrome issues and UV extension, I think we should close issue

tony: we can close and next week discuss a purge of issues.
... are there other issue we want to discuss

agl: I say IP addresses
... #1358 is the issue

akshay: we should consider this behind a flag to test it out.
... but I don't think user willl understand

agl: we think the spec says they are not allowed and others say that, then this issue should close

jc_moz: we need web platform tests.

agl: jc will you write the tests.
... nina might want to help

nina: I would be glad to review

agl: i will do doc pull requests if you do tests.

jc_moz: Ok
... i will mark that this needs a web platform test.

tony: agl what do you want to do about #1363

agl: seems like nice idea, not currently a burning priority.

tony: keep it going
... ?

agl: leave it open for now, and let someone come along and look at it.


tony: this is waiting to be addressed

akshay: some RP the other day was trying to find out how it works
... people are looking at it

agl: I see that people are looking, but what do we do

akshay: another thing we are hearing about is what do we call it.
... not sure the right answer.

jc_moz: maybe this is something we should push to the authnticator, sounds easier to get it done that way.

akshay: i have seen this come up as a requirement. see what we can do here.

jbradley: joins the call
... I will make the three word change on #1354

tony: any other issues.

jbradley: I have one that came up on web authn - web payments call
... residential vs. discoverable credentials.
... does not seem to differentiate

akshay: I have replied on this one.
... we did not have discoverable at that time.
... what is RP trying to do.

jbradley: the spec allows any authenticator to make creds resident and discoverable.

agl: we have tighten it and CTAP, it is #661 issue

jeffH: we are using multiple terms.

agl: resident has an overlap with stateful, discoverable is more what it means.
... current CTAP spec if a mess on this

jeffH: resident and discoverable is what we have now. needs cleanup

jbradley: need to say if RK is not true than the key is not considered resident even if it is stateful

agl: hope #661 clears this up.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/02/19 21:04:27 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/is/is not/
Succeeded: s/aying/saying/
Default Present: elundberg, jfontana, jeffh, nsteele, wseltzer, jbarclay, nadalin, akshay, davidwaite, davidturner, jcj_moz, Jiewen, johnbradley, sbweeden, christiaan, agl, mikejones, nina
Present: elundberg jfontana jeffh nsteele wseltzer jbarclay nadalin akshay davidwaite davidturner jcj_moz Jiewen johnbradley sbweeden christiaan agl mikejones nina
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Feb/0034.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)

[End of scribe.perl diagnostic output]