W3C

- DRAFT -

Web Authentication WG

29 Apr 2020

Agenda

Attendees

Present
jfontana, elundberg, wseltzer, agl, akshay, bill, davidturner, eric, jbarclay, nina, rae, sbweeden, jeffh, selfissued
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana

Contents

tony: we should discuss what to do with locking in features for L2
... is this proper time. Do we need more L2 features
... are there new features that need to be introduced

selfissue: Bradley says remove some unused stuff
... ECDAA we should punt it. no one has used it

agl: I have a couple of extensions in mind that could be level 2 one is a secret key and the other blob stuff

elundberg: I have some recovery, backup stuff

Nsteele: we are interested in the blob stuff

tony: when do we say feature complete.
... do we give it another month

agl: viable

tony: saying end of may could be feature loc

agl: so does that mean landed or PR

jeffH: we do have a label called feature proposal
... I hear tony saying use that label of its too late at end of month?
... curious about the mechanics

tony: includes adding and eliminating stuff
... give it to end of may

akshay: yeah

tony: objections?

jeffH: spwg update

bradley: no comment :-)

jeffH: going to land enterprise attestation in the spec
... FIDO is going to have to figure out how to deal with it.

tony: go to PRs

https://github.com/w3c/webauthn/pull/1366

tony: all approved

jeffH: done

tony: no objections

https://github.com/w3c/webauthn/pull/1375

agl: believe it is good to go
... jc had one comment, I will follow up.

jeffH: I took care of it.

https://github.com/w3c/webauthn/pull/1392

jeffH: trying to finish a review. JC is using the term unset - is that not present or someting else.

agl: what is difference not present and does not exist

jeffH: they are the same.
... this needs more cleanup

https://github.com/w3c/webauthn/pull/1395

agl: I have one round of updates, I need another implementation.

https://github.com/w3c/webauthn/pull/1330

tony: blocked
... no untriaged PRs

Issues

tony: nothing on network tranport

https://github.com/w3c/webauthn/issues/1406

jeffh: this is not like a browser extension

agl: do we want this in the official spec

nickS: authenticates to the extension?

agl: we add some data into the extension

jeffH: we should say something in a note

selfissue: i support this

agl: if ctap references this for RP ID , we should note it

bradkley: in facovr with note on why this is secure

agl: if a note went into detail it would be a mistake.
... maybe a URL with an explicit default

selfissue: I agree with that. no deep explanation, just say it can be a URI

bradley: does not have to be in-depth, just that broswer validates it.

elundberg: there is some risk of confusion. there exists documentation specifically talking about RP ID being just a domain name.
... related to APP ID extension, might cause some confusion
... not a big problem, somethign to think about

https://github.com/w3c/webauthn/issues/1409

tony: thi is terminology we ewnat to cleanup
... those are major technical issues that are left

https://github.com/w3c/webauthn/issues/1410

bradley: it is kind of pointless

selfissue: this is not usable without an algorithm identifier

elunberg: was registration in this WG or FIDO

nickS: we started a community group about web authn and we have another meeting.

bradley: I will do a PR on #1410 and remove the algorithm
... we still have activity on web payments side to combine Web payments and web authn

<wseltzer> WebAuthn Adoption CG

<nsteele> Thanks Wendy!

<wseltzer> email re poll for call times

agl: I have talked with payments folks, some vague out line with routing

bradley: taking info. from browser and using a hash

agl: we could provide a route not with JavaScript. not clear by maybe someone desires that

bradley: could work on some hash in the browser and what is displayed

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/04/29 21:39:03 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/lacks some documentation/there exists documentation specifically talking about RP ID being just a domain name/
Present: jfontana elundberg wseltzer agl akshay bill davidturner eric jbarclay nina rae sbweeden jeffh selfissued
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Apr/0142.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]