See also: IRC log
<inserted> nadalin: This week we wanted to finish up work on #130, after that we will move on to Giri's extension proposal
<nadalin> Vgb giving overview of his pull request from last week
<weiler> scribenick: vgb
rbarnes: generally, #130 looks
okay
... a little concerned that we don't have privacy
considerations well fleshed out yet
nadalin: do people believe we have closure on PR #130?
JeffH: need to read more
rbarnes: agree
vgb: clarification - we did
discuss this in detail last week, this morning's commit was
wordsmithing in a non-normative context
... we had discussed last week about merging this in
aczeskis: yes, reviewed all commits in detail before merging it, but please do bring up any feedback or disagreements on the list
<nadalin> so please review the #130 merge and post to list if you agree or disagree
Rolf: last week we discussed
moving AAGUID from extension to attestation - would like to
create a new issue for doing that
... and would do a PR. Feedback?
JeffH/nadalin: go for it.
Rolf: how about issue #108 to remove attestation entirely?
JeffH/nadalin: work with the text as is, make progress and force the issue.
nadalin: any more questions on #130? if not, please read offline and reply to list if any thoughts.
JeffH: let's set a deadline
nadalin: let's say Monday
... 6/27
... On to Giri's request for loc extension
<Rolf> move AAGUID extension --> packed attestation now tracked in issue 132.
rbarnes: clarifying earlier
reaction as a general matter - specifying formats does seem
desirable
... strong concerns around user privacy and experience,
specifically with geolocation
... seems like there is already an existing method for
geolocation information, so it seems unnecessary to exacerbate
such issues by adding them into authenticators
... concern is that as we get into (even if perhaps useful)
things that go beyond basic device-based proof of possession,
that complicates our mission and makes it much harder to scope
issues
gmandyam: now that all extensions
are prompted, the client has a stronger role and the ability to
filter extensions
... also, there are many participants who want to go beyond
basic PoP and do more complicated things. This falls into that
bucket.
rbarnes: Note that our charter is written more narrowly, and does not explicitly cover such extended uses. It also seems feasible to carve off this additional scope and make it a separate mechanism.
gmandyam: Do you have a larger concern about extensions in general?
rbarnes: willing to be more flexible if there is some strong control. but yes, there is general concern that any extensions can be used in bad ways, so we should minimize this exposure.
Rolf: re: complexity, the
expectation is that the UA does the right thing by the user and
does not need to complicate the UX beyond what it already has
(e.g.. privacy settings).
... existing API mechanism gives the UA full control
... so given that the information is useful, we should be open
to it
Hubert: maybe we should add explicit text saying that UA should prompt user to include geolocation
JeffH: seems like we have work to
do regarding guidance on how to implement extensions and
privacy, etc, implication
... similar concerns apply to all extensions - UA should take
into account the user's preferences / settings
rbarnes: yes, this was the concern - we need to make sure we provide strong privacy guidance to clients around extensions.
gmandyam: the usual approach has
been to put in guidance and not place explicit requirements on
client UI
... getting rid of unprompted extensions gives the client tools
to protect the user
rbarnes: now the UA becomes more
complex, since the UA must ensure it has settings for all
extensions it supports.
... and potentially needs to check what the authenticator
supports
Rolf: believe most extensions we
have defined are not sensitive, and geolocation being prompted
makes that one safe as well.
... don't believe that RP would ask for all extensions, rather
than limiting themselves to things they can use and know the
authenticator can do
... browser can just drop extensions it feels unsure about
JeffH: yes
nadalin: Giri, are you proposing this as a separate extension doc, or to be merged in to the base spec?
gmandyam: to be merged in
<JeffH> ...as pre-defined extension
gmandyam: no obligations on UAs
to support or to pass through
... do agree that it is good to define location object
better
rbarnes: in that case would push
back even harder on implying that pre-defined extensions should
be passed through by clients
... things that are sensitive need concomitant user opt-in
<JeffH> ...specificaly Rolf's proposed build on the new extsn text, see branch: https://github.com/w3c/webauthn/tree/rolf-extension-opt
gmandyam: since all extensions are prompted, should we add guidance saying that we recommend the UA prompt the user when an extension is requested?
rbarnes: that is probably more detail than we need
nadalin: have to go - fire alarm in building
gmandyam: interpret conclusion as - this extension should not be merged without also adding privacy guidance. will propose some text around that.
RobTrace: share Richard's concerns around privacy, looking forward to seeing that etxt
JeffH: We should also discuss Rolf's proposed build on the PR#130 change. Should discuss on list and maybe create new issue.
Rolf: can withdraw that
rbarnes: propose to cancel calls
on 6/29 and 7/20 due to conflicts with other
conferences/meetings
... hearing no objections, those calls are cancelled
... no other business, adjourned
This is scribe.perl Revision: 1.144 of Date: 2015/11/17 08:39:34 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/#110/#108/ Succeeded: i|Vgb giving overview|nadalin: This week we wanted to finish up work on #130, after that we will move on to Giri's extension proposal Succeeded: s/vgb_/vgb/G Succeeded: s/vgp/vgb/ Found ScribeNick: vgb Inferring Scribes: vgb WARNING: No "Topic:" lines found. Default Present: wseltzer, JeffH, Rolf, rbarnes, gmandyam, apowers, vgb, weiler, Hubert-PayPal, nadalin, RobTrace Present: Hubert-PayPal JeffH RobTrace Rolf apowers gmandyam nadalin rbarnes vgb weiler wseltzer aczeskis Found Date: 22 Jun 2016 Guessing minutes URL: http://www.w3.org/2016/06/22-webauthn-minutes.html People with action items: WARNING: No "Topic: ..." lines found! Resulting HTML may have an empty (invalid) <ol>...</ol>. Explanation: "Topic: ..." lines are used to indicate the start of new discussion topics or agenda items, such as: <dbooth> Topic: Review of Amy's report[End of scribe.perl diagnostic output]