<wseltzer> scribenick: wseltzer
akshay: joint meeting between
biometrics, SPWG, and @@
... mostly about timelines
nadalin: 966
akshay: no update yet
... TPM specs are hard to read, but not WebAuthn's job to
demystify
... propse we close this
https://github.com/w3c/webauthn/pull/966
nadalin: any objection to close?
johnbradley: ok if nothing else is caught up in the same PR
akshay: nothing is
nadalin: Close 966
... 1300
agl: It's turned into the how to
FIDO doc
... so close 1300
nadalin: 1330
elundberg: I'll take another look
nadalin: 1402
... needs jeffh and akshay to look at it
agl: web exposure of largeBlob
[aside on large and small blobs]
<jfontana> OK
<jeffh> see also: https://en.wikipedia.org/wiki/The_Blob
nadalin: 1420
<jfontana> https://github.com/w3c/webauthn/pull/1420
<inserted> scribenick: jfontana
tony: mike jones have you looked
at it
... bradley
selfissue: I will read
bradley: i don't think we have anything right at the moment to fix it
selfissue: I will approve now.
tony: merge it
https://github.com/w3c/webauthn/pull/1424
agl: not ready to land, added
comments from last week
... exposeing HMAC secrets to the web - we quite an amount of
wrapping
akshay: I have not looked at it.
tony: would google implement this
agl: yes, maybe too late. we may
expose for extensions before we are done here.
... there are people who want to encrypt stuff with security
keys
akshay: I support this
https://github.com/w3c/webauthn/pull/1426
bradley: done
tony: needs approvals.
selfissue: I will do it right now
bradley: the examples are now correct.
selfissue: merged
https://github.com/w3c/webauthn/pull/1425
tony: recovery extension
... do we work on this? where does it fit in schdule
elundburg: catching up on
comments.
... how do you feel about this going forward. quantum
concerns?
agl: could work with quantum.
AAGUIDs a concern for us. not that complecated - if there is
demand we could plumb it through
... pairing and other stuff makes it more complicated.
elundburg: there will some stuff
to do on the RP side.
... that is a concern
bradley: on aaguid, we are not
deeply wedded to that.
... knowing the backup authenticator at the same time is an
advantage.
... could evaluate right there.
agl: if that was tied into CTAP in certain ways, we could maybe go there.
elundburg: this happens during a
get call
... maybe you could add parameters to this as well.
agl: difference here, its an
assertion, if we can control it
... narrow concerns here are addressable, wider is another
story
bradley: is there a better way,
or combos in other ways.
... we want a way
dwaite: could the aaguid mean client collected data rather than direct response from the key?
tony: still have issues in FIDO
land
... it looks like Yubcio has motivation to get this is level
2
bradley: not sure of that. we need it around to experiment with it. Level 2 seems abitious
tony: un-triaged for now
bradley: sure.
https://github.com/w3c/webauthn/pull/1428
jeffH: there are a couple of cleanup things I suggested. I want to get to those
https://github.com/w3c/webauthn/pull/1432
Nina: this is fine
tony: I will put you on the
reviewers list
... takes us through PRs
... issues
https://github.com/w3c/webauthn/issues/1396
tony: leaving this open
elundburg: don't need to assign this to any milestone, just some questions.
<nina> (merged https://github.com/w3c/webauthn/pull/1432)
https://github.com/w3c/webauthn/issues/1430
elundberg: looks like the are saying CTAP is inconsistent with web authn
bradley: I will have to look at this
selfissue: with this, are there different names that do not match
jeffH: need to look at this and figure it out
selfissue: so what is this about
akshay: this may be mismatch. doesn't say have to do cred protect.
elundberg: we'll look at how this is implemented in YubiKeys
selfissue: I think this not talking about a key
jeffH: what is called the entry
key, includes name of the extension in the object
... think term entry key is vague.
elundberg: I will look into this.
tony: I want to go back to #1396
https://github.com/w3c/webauthn/issues/1396
scribe: I thnk there are problems
here.
... thoughts
... is this a problem? or is this being forced on this
group?
bradley: lots of people trying to
force this around transaction confirmation
... interest is in payments, there is use confusion
tony: I think people want to use it for other things.
bradley: they don't seem to understand the issues that surround this
tony: thye want a general signing mechanism.
bradley: and they want it displayed.
jeffH: there is some liability shifting
nickS: this feels like it is being pushed on this group
bradley: most of the first party
cases, is around the web browser security
... hard argument to make
... I don't buy the three party use case.
jeffh: ideas the payment handler
could do this.
... and you can hash in the challenge, and you wouldn't need to
change anything to make that happen
... but in discussion I've been it, there is some distrust with
the payment handler
tony: this is not a first party
thing.
... we can look from a three-party angle
... this could be done by the payment handlers, do we feel this
group is going to do something to help.
bradley: what are the browsers
willing to display
... we could look at this and other things later.
tony: still not hearing what we
want to do
... we owe an answer on this
bradley: need agl and JC to weigh in on this
selfissue: how do we
display?
... it doesn't sound like we have general purpose solution to
this.
tony: this is something that we are interested in or not. then work on specific proposals or not
selfissue: is there someone to write it.
tony: Visa may be the only champion on this. can leave it out here. It is getting attention, so I think we need some answer
bradley: we need to continue with the web payments folks
akshay: can we narrow it down to one problem, instead of all the problems?
tony; AOB
tony: AOB
... adjourn
chairs: Nadalin, Fontana
*web page updated with minutes
rrsagent: draft minutes
This is scribe.perl Revision of Date Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00) Succeeded: i|tony: mike|scribenick: jfontana Default Present: nmooney, wseltzer, elundberg, agl, akshay, bill, davidturner, jeffh, nadalin, nina, selfissued, eric Present: nmooney wseltzer elundberg agl akshay bill davidturner jeffh nadalin nina selfissued eric Found ScribeNick: wseltzer Found ScribeNick: jfontana Inferring Scribes: wseltzer, jfontana Scribes: wseltzer, jfontana ScribeNicks: wseltzer, jfontana Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Jun/0019.html Found Date: 03 Jun 2020 People with action items: WARNING: IRC log location not specified! (You can ignore this warning if you do not want the generated minutes to contain a link to the original IRC log.)[End of scribe.perl diagnostic output]