W3C

- DRAFT -

Web Authentication WG

09 Sep 2020

Agenda

Attendees

Present
jfontana, elundberg, jbarclay, wseltzer, agl, akshay, davidturner, eric, jeremy, nadalin, rae, sbweeden, jeffh, nsteele, selfissued, jcj_moz
Regrets
Chair
Nadalin, Fontana
Scribe
jfontana

<wseltzer> jfontana: Tony and I talked about TPAC

<wseltzer> ... Oct. 7, Secure Payments IG

<wseltzer> ... Oct. 14 regular WebAuthn

<wseltzer> ... Oct 19 or 20, joint meeting with Web Payments WG

<wseltzer> ... Oct. 21 regular WebAuthn

<wseltzer> ... note the FIDO plenary potential overlap

<wseltzer> Nadalin: only the joint meeting on 7 Oct.

<wseltzer> nadalin: WPSIG, Web Payments Security IG: W3C, FIDO, EMVCO

<wseltzer> agl: fine not to meet on 21 Oct.

<wseltzer> Akshay: timing of joint meeting?

<wseltzer> fontana: between 8-9am Pacific

<wseltzer> nadalin: we'll share a complete schedule

<wseltzer> nadalin: tentatively, cancel 7 and 21 Oct.

<wseltzer> ... if needed, we can reschedule

tony: get wd-04 done before end of month
... end of Oct. for CR
... completion

akshay: I am implementing ctap 2.1 for the platform
... should be end of month

tony: I don't know status of safari
... we need two interoperable implementations

JTan: we won't be ready

tony: left with edge and Chrome

bradley: do we do it with ctap 2.0 only

agl: we don't talk about 2.1, think just demonstrate what is in this spec.

wendy: I can't predict the director response on the code base, and if it is two implementations

akshay: they can be behaving differently

tony: when we do the implementation we can write this into the interop report

bradley: firefox could be the other implementation if we don't add 2.1 stuff.

tony: open PRs

https://github.com/w3c/webauthn/pull/1470

agl: I need to catch up

https://github.com/w3c/webauthn/pull/1472

agl: nina is not here

tony: seems ready to go

akshay: looks good to me. merge

tony: yes, merge

https://github.com/w3c/webauthn/pull/1474

jTan: still waiting for reply from lawyers.

tony: what do we do here

jeffH: wait.
... this is not essential, I think.

tony: leave open

https://github.com/w3c/webauthn/pull/1480

elundberg: good to go

akshay: what is solution here? are you saying RP should send fake credentials?

elundberg: this is an attack that affects users that don't use web authn
... there are other alternatives.

bradley: some discussion on this in the press. they said we were encouraging discovery of accounts to brute force

elundberg: why is the allow list empty?

bradley: the point is the attacker can look into different second factors

elundberg: maybe say non-empty and failure

scribe: I will fix that

tony: are you OK making changes and merging
... any objections?

none

https://github.com/w3c/webauthn/pull/1476

tony: this is feature policy

jeffH: this has been split into #1479, do feature policies in another action

jc_moz: would rather see this are re-base

jeffH: this looks fine to me, let's figure out how to land this.

JC_moz: I think we can land this once it's in shape.

tony: includes 1479?

jc_moz: yes

tony: let's do this in two steps

https://github.com/w3c/webauthn/pull/1481

jc_moz: follow-up to move extension before PR
... remove extension
... need to see if we can publish a note out of this group, if not, we can move to WICG

tony: this is OK?

<wseltzer> https://wicg.io

wendy: we can publish a non-normative note. WICG is a community group that works from GitHub.

jc_moz: part of point, this is a crypto function, we should get wider review
... WICG is a good place to do this.

tony: everyone OK on moving forward?

bradley: prefer keeping the note inside the working group, and get wider input

selfissued: I agree. we control our own destiny

<wseltzer> nadalin: any objections to publishing as a note? hearing none.

tony: we have a few untriaged issues

https://github.com/w3c/webauthn/issues/1477

jeffH: dinosaur

tony: goal is to get this done by CR?

jeffH: this is background

https://github.com/w3c/webauthn/issues/1478

tony: this is to remove this. this can land in wd-04

https://github.com/w3c/webauthn/issues/1457

nsteele: this is in the community group

bradley: decided to keep this around to track the issue. no spec changes

https://github.com/w3c/webauthn/issues/1453

jtan: no update on this, apple attestation

https://github.com/w3c/webauthn/issues/1441

tony: john and mike, can you look at this

bradley: will be adding wording

tony: what about interoperable implementations

jc_moz: won't have ctap2

bradley: don't need to do ctap2

jc_moz: i'll have to get back to you on that.

tony: any more issues?
... adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/09/09 19:50:53 $

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Sep/0048.html
