W3C

- DRAFT -

Web Authentication WG

01 Jul 2020

Agenda

Attendees

Present
jfontana, wseltzer, Nadalin, agl, Aksay, Bill, DavidTurner, elundberg, JeffH, jcj_moz, JeremyErickson, nsteele, JohnBradley, Rae, sbweeden, Eric, selfissued
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana

https://github.com/w3c/webauthn/pull/1424

agl: updated as discussed, ready to land

tony: need review from JBradley

jbradley: no objections

https://github.com/w3c/webauthn/pull/1440

tony: let's come back to this one.
... look at un-triaged PR.

jeffH: I closed it.

https://github.com/w3c/webauthn/issues/1444

tony: leave this open another week. elundberg not answering

shane: I think it is a spec issue.
... why not close. it is a usability error
... I have seen this many times. UV not used properly. Almost certainly the case.

agl: I agree.

jeffH: maybe ask on FIDO dev

nsteele: point them to the community group

https://github.com/w3c/webauthn/issues/1446

agl: this person is correct, not sure we can do anything about it

tony: not necessarily ours

agl: we have clarified this.

jbradley: not just a super simple fix. how do curves and algorithms relate?
... there has not been demand for this.

elundberg: you can express these in COSE
... we would have to add more parameters if we adopt it

jeffH: that is the suggestion
... I think there are practical issues with adding too many options.

agl: I don't see the value

akshay: can't be done with CTAP changes

jbradley: COSE would need new algorithm identifiers

agl: this would have to be level 3. Web Authn is feature locked.

tony: we can move it to L3 and leave it open.
... people can look at it.

https://github.com/w3c/webauthn/issues/1447

agl: we might want to consider this

jcj_moz: banning these might make sense
... compression points

tony: do this for Level 2?

jeffH: arguably this is a spec bug

https://github.com/w3c/webauthn/issues/1449

jbradley: some issue with restricted credentials i.e. not restricted
... proposal is to add extensions, say ask to have key restricted.
... could be used by platform and authenticator

agl: did we feature freeze

jbradley: this could be in L3. I want to track the issue.

agl: more friction

jbradley: would allow the platform to guide user to appropriate authenticator
... appropriate credential
... the proposed add to CTAP, would be in get info

agl: does this work with current authenticators

jbradley: not a hard request. should look at match-return
... we have lot of authenticators, hard reject would be a bad user experience.

akshay: I don't want to check MDS on this; are keys restricted
... what about the phone

jbradley: a hint is not effective if there is not additional info in get info

akshay: looks like big change to me

agl: this is L3
... RPs may come away with more concern; and a bad user experience

jbradley: some may have legislation to consider.

agl: concerned RP may default to what they see as more secure bits

jbradley: allowed AAGUID list could be kind of messy, it would be a long list

akshay: maybe not a thing we want with list,

jbradley: RP supplies
... keep this issue open for L3 and see how it plays out.
... see if people implement backing up credentials.

tony: that takes us through un-triage; any more issue to talk about
... is selfissue on the call now?

selfissue: yes

https://github.com/w3c/webauthn/pull/1440

selfissue: the top level name has changed
... I think the other changes will do the job

tony: can you look and merge if no issue

selfissue: yes

https://github.com/w3c/webauthn/issues/1105

tony: is there any progress

jcj-MOZ: jeffH will add, but don't hold up WD03 for it

jeffH: I went through them all.
... they are all puntable, but I need to discuss with wider group.

tony: lets do that now.

jcj_moz: puntable on 1105

https://github.com/w3c/webauthn/issues/1207

jeffH: puntable

https://github.com/w3c/webauthn/issues/1208

jeffH: puntable

tony: any objections? No

https://github.com/w3c/webauthn/issues/1291

elundberg: punt

tony: these things would move to wd04

https://github.com/w3c/webauthn/issues/1331

jeffH: puntable

tony: no assignee
... will anyone work on this
... punt. if no one works on it, it won't make it

https://github.com/w3c/webauthn/issues/1389

jeffH: don't hold up anything for this
... I think we should do something here, don't know where the time comes from

tony: mark puntable

jeffH: align with how to fido doc

https://github.com/w3c/webauthn/issues/1406

jeffH: I am working on this.

tony: hold up RD-03 for this?
... that is WD-03

https://github.com/w3c/webauthn/issues/1421

jeffH: punt

nsteele: apple is sending in PR for privacy Ca

https://github.com/w3c/webauthn/issues/1422

jeffH: punt

tony: any issues with this one
... no one assigned

no one assigned

https://github.com/w3c/webauthn/issues/1441

jeffH: jbradley was going to look at adding wording. but don't hold for wd-03

jbradley: don't hold it up

https://github.com/w3c/webauthn/issues/1445

elundberg: mike was working on this

selfissue: I am creating a PR. I do not want to punt this.

tony: want to close wd-03 in a couple of weeks

https://github.com/w3c/webauthn/issues/1447

jeffH: author replied
... and language to prevent curve attacks.

tony: does it need to get into wd-03

agl: I can do this by next week.

jbradley: we should check to see where we are pointing for valid curve.

agl: we are pointing at COSE

selfissue: yes.

tony: left for wd-03 to get out door. PR for #1406, PR for #1445. PR for #1447
... I would like to shoot for somewhere around 20th of July
... for wd-03 draft
... any issue to shoot at July 20
... could try 21st

agl: think we can call it in two weeks

tony: any other issues

jbradley: RPIDs may relate to #1406
... we allow sub-domain in RPID, correct
... yes

jeffH: this is domain lowering and mapping to a domain...

jbradley: can't use sub-domain from host you are making the call from
... maybe we should create an issue about multi-domain

tony: adjourn

Chairs: Nadalin, Fontana

*minutes updated

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/07/01 20:08:50 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Jul/0000.html