IRC log of crossdevicesec on 2021-10-20

Timestamps are in UTC.

14:04:09 [wseltzer]
scribenick: wseltzer
14:05:37 [Ian]
(Noting for the record that there is not a desire to record)
14:06:14 [wseltzer]
timcappalli: [shows a screen with linking devices via QR code]
14:06:25 [wseltzer]
... cross-device flow
14:06:34 [wseltzer]
... user has a phone and a laptop/desktop
14:06:48 [wseltzer]
... try to access desktop resource, are presented with a QR code
14:07:01 [wseltzer]
... TLS cert validation has succeeded for origin in their browser
14:07:08 [wseltzer]
... User opens phone (camera or wallet)
14:07:52 [wseltzer]
... thinking generically of "wallet"
14:08:01 [Ian]
[Payment apps are another instance of wallet]
14:08:14 [wseltzer]
... bucket of credentials
14:08:34 [wseltzer]
... QR could contain request or point the device to a request object elsewhere
14:08:43 [Kristina]
SIOP stands for self-issued openid provider
14:08:47 [wseltzer]
... could be like OIDC
14:09:30 [wseltzer]
... wallet needs to get user consent: "do you want to respond to this request?"
14:10:08 [wseltzer]
... today, browser posts back, without binding
14:10:20 [wseltzer]
... that's where the security model has a gap
14:10:48 [wseltzer]
KristinaYasuda: mitigations we've been discussing with different communities
14:11:14 [wseltzer]
... OpenID foundation, Mobile Driving License (MDL), OAuth flows
14:11:45 [wseltzer]
... First mitigation: when user is asked for consent, show user from where request comes, where it goes
14:12:09 [wseltzer]
... if bad actor phishes the request, won't match. Up to the user to note the mismatch
14:12:52 [wseltzer]
... Next consideration: use proximity to check
14:13:20 [wseltzer]
... make sure QR code and scanning device are close enough
14:13:24 [dwaite]
+1 Ian - I'd say WebAuthn, payments, mDL, OIDC/WebID2020, OAuth Device flow. Payments, authn, and derivatives (authz, attributes)
14:13:48 [wseltzer]
... IP addresses aren't necessarily useful
14:14:04 [wseltzer]
... enterprise could say "both devices on trusted network"
14:14:24 [wseltzer]
... limitation, e.g., if onboarding new device; on public network
14:14:34 [wseltzer]
... user cooperating with attacker, in proximity
14:15:25 [wseltzer]
... using WebAuthn, assuring user has control of private key,
14:15:51 [dwaite]
WebID2020 -> Federated Credential Management API (forgot the name there for a moment)
14:16:07 [wseltzer]
... Another, something shared, PIN or OTP
14:16:22 [wseltzer]
... user sees something on screen, types it on mobile
14:17:07 [wseltzer]
... biometrics, where device displaying QR captures biometric
14:17:21 [wseltzer]
... locally, device compares for match
14:17:58 [wseltzer]
... Just some ideas for sharing, want to open for discussion
14:18:29 [wseltzer]
ack weiler
14:18:49 [wseltzer]
weiler: can you restate problem statement?
14:19:43 [wseltzer]
Kristina: User tries to log in to device with QR code. Attacker could screenshot the QR code
14:20:06 [wseltzer]
... log in to website, using laptop
14:20:09 [Ian]
ack dwa
14:20:10 [wseltzer]
ack next
14:20:13 [wseltzer]
q+ Rolf
14:20:37 [wseltzer]
dwaite: I'm on a device; the credentials or payment are released by another device
14:20:48 [wseltzer]
... there's no channel (yet)
14:20:58 [wseltzer]
... so if the user doesn't verify they're interacting with the right site
14:21:10 [wseltzer]
... the credentials/payment could be sent to the wrong site
14:21:32 [wseltzer]
... in FIDO-land, CABle
14:22:04 [wseltzer]
... trying to understand commonalities, for single solution
14:22:38 [wseltzer]
tim: New TC at OASIS looking at QR code phishing
14:23:11 [wseltzer]
Rolf: authenticate a session with a separate device
14:23:17 [wseltzer]
... need migration
14:23:27 [wseltzer]
... roaming authenticators in FIDO-land
14:23:54 [wseltzer]
... out-of-band authentication, many of the proposed solutions are phishable
14:24:06 [dwaite]
CaBLE - cable-equivalent security for talking to CTAP 2 authenticators over BLE. The idea being then you have the same phishing resistance of WebAuthn when interacting with detached hardware
14:24:30 [wseltzer]
... you can't make QR codes unphishable for session authentication
14:24:49 [wseltzer]
... in payment situation, you typically see the transaction text
14:25:58 [Ian]
ack rolf
14:26:29 [wseltzer]
... caBLE tries to build communication channel back to browser
14:26:59 [wseltzer]
tim: another complicating dimension is there's no existing relationship between devices
14:27:30 [wseltzer]
ack reillyg
14:27:53 [wseltzer]
reillyg: is caBLE the obvious solution?
14:28:09 [wseltzer]
tim: we think it is, want to hear the use cases
14:28:18 [wseltzer]
... caBLE v2 isn't yet a public spec
14:28:49 [wseltzer]
... talk about MDL, passports
14:29:03 [wseltzer]
Kristina: if you think caBLE v2 is the solution, let us know
14:29:06 [weiler]
[Where are the problem statement and use cases documented?]
14:29:25 [wseltzer]
Rolf: how many of the PCs these days support Bluetooth practically, enabled?
14:29:44 [wseltzer]
tim: don't know offhand
14:30:42 [wseltzer]
... fragmentation in hardware and stack
14:31:03 [wseltzer]
kris_chapman_: seen Salesforce clients with this situation,
14:31:18 [wseltzer]
... e.g. using QR codes for service appointments, to check-in
14:31:29 [wseltzer]
... Companies using for employee attendance or badges
14:31:39 [wseltzer]
ack kris_chapman_
14:31:53 [wseltzer]
tim: the reverse, taking the artifact with you?
14:32:09 [wseltzer]
kris_chapman_: the QR code will go to the client, they scan their own code at the appointment
14:32:23 [wseltzer]
ack weiler
14:32:35 [wseltzer]
weiler: where's the problem statement and use cases documented?
14:32:40 [Ian]
+1 to a use cases discussion
14:32:51 [wseltzer]
... that would help us to know as community
14:33:14 [wseltzer]
tim: we'll take that as one of the outcomes of this call
14:33:36 [wseltzer]
Kristina: where's a good place to host such a document?
14:34:04 [wseltzer]
tim: could be a github document
14:34:12 [wseltzer]
reillyg: or MSedge explainers
14:34:23 [Ian]
[No GitHub pref]
14:34:48 [wseltzer]
weiler: when you have something, you can poke the public-web-security mailing list
14:34:54 [Ian]
[Also send notice to for awareness of payments use cases]
14:35:05 [wseltzer]
dwaite: think about what makes it easy for people to contribute
14:35:13 [wseltzer]
ack dw
14:35:24 [wseltzer]
dwaite: +1 to weiler re documenting use cases
14:35:29 [Ian]
[Payments folks have also had intermittent discussion of QR codes, see =>]
14:35:43 [wseltzer]
... I'd be happy to help contribute
14:36:04 [wseltzer]
... is this payments, establish relationships, single transaction?
14:36:21 [wseltzer]
... e.g. MDL presentation, is brand new set of prompts every time
14:36:59 [wseltzer]
... payments, authentication, delegated authz, VC,
14:37:16 [wseltzer]
... trust relationship between devices, sometimes transactional
14:37:27 [wseltzer]
... could be possibility of other use cases like info-sharing across sessions
14:37:40 [wseltzer]
ack bm
14:38:02 [wseltzer]
bmay: in lots of groups using github
14:38:30 [wseltzer]
Rolf: use cases: for me it's transactional things, e.g. sharing health data with hospital X
14:38:41 [wseltzer]
... description that user can understand, bound to the approval
14:38:46 [wseltzer]
... different from session identifier
14:38:53 [reillyg]
The MSEdgeExplainers repository is a GitHub repository:
14:38:58 [Jemma]
+1 for using w3c github
14:39:12 [wseltzer]
... security considerations different
14:39:17 [wseltzer]
ack wb
14:39:26 [wseltzer]
wbaker: IPR protection aspect is the value
14:39:52 [wseltzer]
... are we covered in what will happen eventually
14:40:21 [wseltzer]
... value in making sure IPR is traceable
14:40:55 [weiler]
wendell: GH is great. tying it to w3c IPR is the value.
14:40:56 [wseltzer]
wbaker: tying to W3C IPR policy is valuable
14:41:07 [Jemma]
+1 to wbaker
14:41:11 [weiler]
... don't talk about it here and then move it elsewhere, where coverage is ambiguous.
14:41:42 [weiler]
tim: any precedence for a use case doc?
14:41:46 [Ian]
scribenick: Ian
14:41:52 [weiler]
wendy: fine use case for a CG.
14:42:15 [wbaker]
Wendy stewards ADBG which is full of use case documents!
14:42:16 [weiler]
wendy: that has CLA and IPR tracking, and can go to other w3c groups or elsewhere.
14:42:35 [weiler]
tim: I fear mtg fatigue and spinning up CGs. We can do a CG w/o mtgs?
14:42:43 [weiler]
wendy: yes
14:43:08 [wseltzer]
ack Rolf
14:43:23 [weiler]
tim: others like CGs?
14:43:28 [weiler]
[resounding yes]
14:44:40 [Jemma]
good question, Ian.
14:44:40 [wseltzer]
Ian: where can we learn more about caBLE v2, when would it become public?
14:44:50 [wseltzer]
tim: it's in private development, would come to FIDO Alliance
14:45:42 [wseltzer]
Ian: we have Web Payments Security IG, not publicly minuted. If you'd like a payments-focused audience, I invite you to share there
14:45:44 [Ian]
Ian: Ping me for WPSIG review of a use cases doc
14:46:02 [wseltzer]
tim: will communicate on public-web-security
14:46:29 [wseltzer]
Kristina: next step, to compile use cases document
14:46:44 [wseltzer]
bmay: is there a link for more background?
14:46:56 [wseltzer]
tim: not concisely
14:47:10 [wseltzer]
... caBLE v1 is in WebAuthn GH issue
14:47:32 [wseltzer]
dwaite: caBLE is about channel, not CTAP specific
14:48:26 [wseltzer]
ack bm
14:48:38 [Ian]
[The Web Security IG is closed but apparently the list lives on => ]
14:50:17 [wseltzer]
rrsagent, draft minutes
14:50:17 [RRSAgent]
I have made the request to generate wseltzer
14:50:22 [wseltzer]
rrsagent, make logs public
