IRC log of webauthn on 2021-04-07

Timestamps are in UTC.

17:59:19 [RRSAgent]
RRSAgent has joined #webauthn
17:59:19 [RRSAgent]
logging to https://www.w3.org/2021/04/07-webauthn-irc
17:59:21 [Zakim]
RRSAgent, make logs Public
17:59:23 [Zakim]
Meeting: Web Authentication WG
17:59:24 [wseltzer]
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Apr/0019.html
19:02:04 [jeffh]
present+
19:02:58 [jfontana]
jfontana has joined #webauthn
19:03:29 [elundberg]
elundberg has joined #webauthn
19:03:47 [jfontana]
present+
19:04:43 [wseltzer]
present+ akshay, nadalin, agl, bill, rae, davidwaite, elundberg, sbweeden, johnbradley, timcappalli
19:04:52 [jfontana]
tony: we are past the Rec and in red stage
19:04:57 [jfontana]
...when do we publish?
19:05:07 [jfontana]
wendy: Thursday - tomorrow
19:05:32 [dveditz]
dveditz has joined #webauthn
19:05:42 [jfontana]
agl: two implementation is resolved
19:05:44 [dveditz]
present+
19:05:47 [jfontana]
tony: yes
19:06:02 [jfontana]
...agree on publishing
19:06:11 [jfontana]
consensus is Thursday
19:08:07 [jfontana]
agl: level 2 and CTAP 2.1 are tidy up specs
19:08:20 [jfontana]
wendy: overall it makes the spec more secure
19:08:30 [jfontana]
tony: thanks to everyone.
19:10:04 [jfontana]
agl: have issue from fido2; credblob
19:10:23 [jfontana]
...we wanted to discuss it here
19:10:55 [jfontana]
...extension
19:11:26 [jfontana]
akshay: trying to figure out why this is necessary, it is in client extensions.
19:12:21 [jfontana]
selfissue: the point here is we want to be consistent in the way extensions behave
19:13:05 [jfontana]
agl: it lets RPs determine if the browser supports extension even if authenticator does not
19:13:30 [jfontana]
tony: anything from FIDO land
19:13:42 [jeffh]
agl: if an extension is not exposed at the webauthn level, it would not need a client output....
19:13:44 [jfontana]
jbradley: nothing relevant
19:14:21 [wseltzer]
PROPOSED: Adopt Level 2 Rec as FPWD for Level 3
19:14:27 [wseltzer]
[no objection]
19:14:31 [nsteele]
nsteele has joined #webauthn
19:14:38 [jeffh]
jeffh: so moved
19:14:39 [nsteele]
present+
19:14:42 [jfontana]
tony: is there unanimous consent?
19:14:48 [nsteele]
(yes)
19:14:50 [wseltzer]
RESOLVED: Adopt Level 2 Rec as FPWD for Level 3
19:14:59 [jfontana]
tony: we can start the transition on Github
19:15:46 [jfontana]
tony: we are going from master to main
19:15:53 [jfontana]
tony: we can do it now or after the call.
19:16:22 [jfontana]
...objections? <hearing none>
19:16:42 [jfontana]
tony: all set to go Main.
19:17:07 [jfontana]
https://github.com/w3c/webauthn/issues/1591
19:18:09 [jfontana]
tony: ok
19:18:14 [jfontana]
https://github.com/w3c/webauthn/issues/1580
19:18:48 [jfontana]
jbradley: i left a note to close it
19:19:16 [jfontana]
tony: should we move to bi-weekly calls as we get going on Level 3
19:19:21 [jfontana]
...any support
19:20:06 [jfontana]
agl: I expect Level 3 to be more robust than L2
19:20:31 [jfontana]
...won't be too long, two months would be disappointing
19:21:31 [jfontana]
tony: meet in two weeks from today and go to that schedule.
19:21:54 [jfontana]
...we will go every other wednesday
19:24:59 [jfontana]
https://github.com/w3c/webauthn/issues/1590
19:25:50 [jfontana]
jeffH: spec says authenticator should implement signature counter feature, but in practice may not be much utility
19:26:52 [jfontana]
jbradley: some usefulness, signature counter to detect cloning
19:27:04 [jfontana]
...optional in FIDO certification above Level 2
19:27:14 [jfontana]
...above Level 1
19:27:23 [jfontana]
correction
19:28:31 [jfontana]
shane: there is nothing for cloning detection
19:28:45 [jfontana]
jbradley: counter is allowed to be zero
19:28:58 [jfontana]
agl: we might tweak that
19:30:55 [jfontana]
shane: having seen the counter in Chrome, I realized it was following the rules
19:32:47 [jfontana]
agl: global counter across all creds. if attacker can get into service they can follow counter
19:33:06 [jfontana]
...they can craft false signatures and slip them in where they are OK
19:33:16 [jfontana]
jbradley: but would have to be in real time
19:33:28 [jfontana]
...have to get the user to use the authenticator on the other site.
19:33:35 [jfontana]
...before they log in to legit site
19:33:47 [jfontana]
agl: it takes some juggling
19:34:10 [jfontana]
jbradley: real question, counter was intended for software
19:36:30 [jfontana]
jbradley: we should change this in the security requirements at FIDO
19:38:18 [jfontana]
agl: does not sound like we have consensus, I suggest closing it
19:38:34 [jfontana]
jbradley: there are some more things in here with counters.
19:39:55 [jfontana]
shane: I only see this when I use the conformance tool
19:41:34 [jfontana]
agl: our model is the authenticator never stops.
19:42:51 [jeffh]
s/authenticator/authentication/
19:43:20 [jfontana]
nsteele: the way we see this used with Apple devices, it is shared in os
19:43:48 [jfontana]
jbradley: Chrome on Apple or Safari
19:43:54 [jfontana]
nsteele: on chrome
19:44:22 [jfontana]
nsteele: sorry, it is safari
19:46:51 [jfontana]
jbradley: looks like we are closing this down, likely take it up in FIDO from a certification angle
19:47:19 [jfontana]
agl: looks like chrome on map uses time stamp
19:48:09 [jfontana]
correction - that is chrome on mac
19:48:55 [jfontana]
tony: jeff, you will close this
19:48:58 [jfontana]
jeffH: yes.
19:49:04 [jfontana]
tony: anything else?
19:49:08 [wseltzer]
calendar: https://www.w3.org/groups/wg/webauthn/calendar
19:49:46 [wseltzer]
rrsagent, draft minutes
19:49:46 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/04/07-webauthn-minutes.html wseltzer
19:49:57 [wseltzer]
rrsagent, make logs public
20:09:53 [wseltzer]
rrsagent, bye
20:09:53 [RRSAgent]
I see no action items