W3C

- DRAFT -

Web Authentication WG

02 Sep 2020

Agenda

Attendees

Present
jfontana, wseltzer, selfissued, nsteele, sbweeden, agl, akshay, bill, davidwaite, davidturner, elundberg, jcj_moz, jeffh, jeremy, jiewen, nadalin, nina, rae, tim
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana


Tony: TPAC coming up. a few weeks out.
... open to discussion on how we structure it
... anybody want more than weekly meeting? Or joint session

jeffH: payments folks

nsteele: anything from web payments, any interest.

tony: we have not seen any activity

Wendy: no requests.

Wendy: we can have meetings on work and collaboration.

<jeffh> i.e. other parties, such as web payments, might wish to meet with us, but we have not heard yet

<wseltzer> https://www.w3.org/wiki/TPAC/2020/GroupMeetings

wendy: web payments has a wiki.
... I see tentative meeting for web payments WG.

tony: if they ask, we should do something.

self-issue: the DIDs schedule looks to be virtual face to face.
... I don't think they have any interest in meeting with us.

wendy: noting that the breakouts, scheduled over one day, something can be self organized.
... we can look to organize things when the schedule comes out.

tony: my question, should we NOT meet that week.
... or should we follow normal schedule

wendy: meetings that week, breakouts one hour each day

tony: we will keep an eye on this
... when will sked be finalized?

wendy: we are being encouraged to get things organized this week

tony: any other discussion
... look at open PRs

https://github.com/w3c/webauthn/pull/1470

<wseltzer> [TPAC breakouts will be 1400-1500 UTC, week of 26-30 October]

agl: jeffh has added some things and I will follow up

https://github.com/w3c/webauthn/pull/1472

tony: virtual authenticator

nina: i just replied to JC.

tony: akshay you are going to look at it.
... let it hang out until Akshay is ready.

JC_Moz: it's not as complicated as it looks.
... thanks Nina for your work

elundberg: why are we not using Web IDL

JC_Moz: it is not a Web IDL interface at all.

elundberg: ok, i think then this is a separate thing

tony: some untriaged.

https://github.com/w3c/webauthn/pull/1474

jeffH: Jiewen submitted this. so issues with the terminology, needs clarified
... I disagree with current approach here
... coming closer to agreement. may not finish until we see the PR from Apple on attestation

JTan: explaining Apple attestation

jbradley: how is this different from safety net attestation
... why a different definition
... is this internal to the authenticator

JTan: because anonymous does not work in a way that the current model is defined.
... there is no match to our attestation.

jbradley: is it a basic attestation and walk back to known root

jTan: that can be applied to the CA
... attestation will operate ??? in different places than authenticator
... platform and roaming authenticators can both be used eventually

jeffH: attestation formats are different than types
... my initial motivation for #1422, we did not tease out all the definitions for the attestation types.
... all this discussion means I was right, not teased apart enough
... we should wait to see what this looks like and then finish teasing all this apart

JTan: should I in PR define something in attestation types

jeffH: I'm thinking presently that attestation CA, I could be wrong, that we can define this with more depth.
... apple anonymous could be part of a sub-section
... we need to see more in order to make these decisions

JTan: I don't expect to get into those details that you are suggesting. They are specific and we don't want to share.

jeffH: you are saying no further details

JTan: yes.

jeffH: which format are you using

JTan: our own,
... maybe we should continue the discussion after we upload something.

jeffH: TCG did not put that info. in the web authn spec. we read their docs and added the details ourselves. it's all publicly defined

JTan: I would appreciate for TCG to comment
... there is some confusion about how attestation should work.

elundberg: i was thinking it was some kind of proxy for attestation
... but that was incorrect
... we have been talking about attestation proxy, could we use that term

jeffH: possibly

tony: one question is are people comfortable doing this now

JTan: yes, I think we wait until my PR and then discuss

tony: do we handle in L2, yes.

JTan: yes

jeffH: is there an answer from apple lawyers

JTan: soon

tony: pull this into WD04

<jcj_moz> https://github.com/w3c/webauthn/pull/1476

thanks, JC!

jeffH: I have comments on it. I do have questions for this PR
... we may close and do another one.

tony: do we leave where it is, or move it over

jeffH: leave it alone

https://github.com/w3c/webauthn/issues/1475

elundberg: some privacy concerns
... there could be a privacy leak and a security issue - could see what accounts have web authn set up and those that do not
... some are saying privacy issues should apply to this
... we should crosslink this work
... I will assign this to myself

tony: not at issues.
... now at issues

https://github.com/w3c/webauthn/issues/1462

JC_moz: I am going to say this is out of scope
... it doesn't match the Web authn charter. needs to go to other group
... I will open that and get it done before any CR designation

agl: google thinks this is not something we will bother with

self-issue: i think it belongs in this working group
... I am on the hook to move this.

wendy: procedural: the group can publish notes.
... it can indicate what the WG wants to see.

akshay: our position is we like this extension
... we don't want to delay.
... we could come back to it on some other level.

tony: jc, I leave this up to you

https://github.com/w3c/webauthn/issues/1457

tony: this is the discoverable discussion

jbradley: I think we can probably close this. we have had the discussions

tony: other views

shane: i would rather not ignore it
... we could bring back resident keys=forbidden

agl: I don't think this is useful.

shane: any thoughts from CG

nsteele: I have to look into this.

<nsteele> Thanks!

Line 13:47, the issue should be 1457

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/09/02 19:57:38 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Sep/0006.html
