12:57:32 <RRSAgent> RRSAgent has joined #websec
12:57:32 <RRSAgent> logging to http://www.w3.org/2016/09/19-websec-irc
12:58:41 <weiler> weiler has joined #websec
12:59:39 <bhill2> bhill2 has joined #websec
13:00:53 <bhill2> bhill2 has joined #websec
13:01:06 <bhill2> present+ bhill2
13:03:33 <tara> tara has joined #websec
13:11:08 <bhill2> .
13:11:39 <hadleybeeman> Present+ hadleybeeman
13:11:59 <tara> present+ tara
13:12:02 <olivier> Present+ OlivierThereaux
13:12:10 <bhill2> TOPIC: Security IG status
13:12:17 <bhill2> scribenick: bhill2
13:12:40 <bhill2> vg: this is a place to discuss new topics in security not in other WGs
13:12:58 <bhill2> ... try to have regular calls
13:13:17 <bhill2> ... introduced new topics, new security review process, creating a group of security experts
13:13:19 <sangwhan> Present+SangwhanMoon
13:13:31 <bhill2> ... not a lot of security experts available to participate at this general level
13:13:48 <bhill2> ... maybe that means that w3c already addresses the specific needs (e.g. with WebAppSec & WebCrypto)
13:14:11 <bhill2> ... but still value in maintaining this group, so having quarterly meetings for people interested
13:14:24 <bhill2> ... summarize work happening in other groups and bring up new topics
13:14:47 <bhill2> ... recent new topics included overlap of security and accesibility
13:15:10 <bhill2> ... how to do security reviews across different w3c deliverables
13:15:25 <bhill2> ... still have the existing self-assessment questionnaire
13:16:13 <bhill2> ... charter about to expire, need to renew or extend
13:16:41 <bhill2> ... have to report the planned destiny of the group to the AC
13:17:22 <bhill2> ... w3c reorganizing; Sam is our contact for the week at least
13:17:42 <bhill2> ... do we need a new chair / co-chair?
13:17:57 <hadleybeeman> q?
13:18:19 <Kepeng> Kepeng has joined #websec
13:18:19 <hadleybeeman> q- chaals
13:19:34 <bhill2> ryan ware: question about questionnaire
13:19:42 <bhill2> vg: been around 1 year
13:20:04 <shigeya> present+ shigeya
13:20:10 <bhill2> rw: have groups doing the questionnaire found issues?
13:20:29 <bhill2> vg: some have said it was helpful, others still expect "expert" review
13:21:13 <bhill2> vg: mikewest has been the primary author, published through the TAG
13:21:37 <bhill2> mkwst: useful in its current state but either too detailed or not detailed enough
13:21:42 <brunoj> brunoj has joined #websec
13:21:46 <bhill2> ... in a middle ground where not clear how people should use it
13:21:57 <bhill2> ... PING has been interested in making it more useful
13:22:21 <bhill2> twhalen: different set of questions for people doing review vs. doing spec authoriing
13:22:28 <bhill2> ... we have found it useful
13:22:46 <bhill2> ... have interest in picking it up and working with it
13:22:52 <bhill2> vg: but privacy related
13:23:09 <bhill2> twhalen: yes, not general security but privacy specific
13:23:23 <hwlee> hwlee has joined #websec
13:23:43 <bhill2> hadleybeeman: TAG would love that, having something to help assist thinking about security and privacy is very useful
13:24:01 <bhill2> ... needs more work and attention, how we use the term privacy depends on the context / content vs. browser
13:25:32 <bhill2> ???: some other IGs are focusing more on gap analysis and spinning off WGs
13:25:47 <schuki> s/???/olivier
13:25:59 <wseltzer> present+ wseltzer
13:26:08 <schuki> present+ schuki
13:26:31 <bhill2> ... doesn't seem to be much of that here: because there isn't a gap or we're not in the right layer
13:26:31 <bhill2> vg: what I've been trying to do is to connect to new needs from members
13:26:32 <bhill2> ... but not much participation on the list about how to do that
13:26:35 <bhill2> ... major blocker on topics has been lack of contributors
13:26:43 <wseltzer> rrsagent, make logs public
13:27:37 <bhill2> ... is anyone willing to spend 10 hours maximum working on this questionnaire to improve it
13:29:02 <mkwst> mkwst has joined #websec
13:29:07 <rrware> I need to step out for 30 minutes.  Be back.
13:29:59 <bhill2> vg: ongoing activity, feel recharter is more appropriate than extension
13:29:59 <bhill2> bhill2 has joined #websec
13:37:12 <bhill2> (my connection is too unreliable to continue scribing, I think, as is my jetlagged brain)
13:37:20 <wseltzer> drogers: bridging the security research community to W3C
13:38:17 <wseltzer> [volunteers to work on the Security Questionnaire earlier: rrware, Kepeng, schuki/GSMA ]
13:39:09 <wseltzer> vg: other ideas we heard, domain security; trheat modeling
13:39:56 <hadleybeeman> drogers: Where is our boundary, re domain/DNS security?
13:40:12 <hadleybeeman> ???:  Not sure.  Wide range of technologies.
13:40:22 <hadleybeeman> drogers: misplaced trust in the domain name.
13:40:27 <schuki> s/???/yoshiro
13:40:41 <hadleybeeman> virginie: Having a focused discussion on that during a call would be helpful.
13:41:30 <hadleybeeman> ????: Re threat modelling. Started from the IETF protocols. There were problems in establishing this primary agreement, it was the source of vulnerabilities.
13:41:46 <rrware> back
13:41:50 <hadleybeeman> ...If we are reviewing specifications, there could be some broader context integrated into the view.
13:42:07 <hadleybeeman> drogers: Right. Security protocol verification is IETF's.
13:42:30 <hadleybeeman> ????: For W3C context; what the user is presented? What visual marks on the browser might they see?
13:42:45 <hadleybeeman> drogers:  The security model of the web (which isn't written down)
13:42:56 <shigeya> s/????/kaorumaeda/
13:43:04 <hadleybeeman> ????: Sometimes this isn't standardised. The browser vendors decide for themselves.
13:43:11 <hadleybeeman> ...Something safer
13:43:17 <hadleybeeman> drogers: there are a lot of academic papers on this
13:43:40 <hadleybeeman> mikewest: Chrome is going to negative signals of insecurity. You should expect to be secure; we'll tell you if you're not.
13:43:56 <hadleybeeman> ...We'll be affirmatively marking an HTTP page with a password field as BAD.
13:44:18 <hadleybeeman> ...You shouldn't have to detect green (meaning secure); you'll look for red. (Meaning: not)
13:44:39 <hadleybeeman> virginie:  This relates also with what's going on with Permissions. Direct interaction with the user.
13:44:55 <hadleybeeman> ...How do they treat this interaction... how to inject the security balance into this interaction.
13:45:30 <hadleybeeman> [Discussion about Adrienne Porter-Felt's research. Tech lead for Chrome Security UI]
13:45:56 <hadleybeeman> drogers: So there is security usability, within the general task of writing down the Web security model
13:46:06 <hadleybeeman> ...Problem: there is no guidance for anybody.
13:46:16 <hadleybeeman> ...We talked about this before, on webplatform.org.
13:46:49 <wseltzer> q+
13:47:07 <hadleybeeman> virginie: to sum up... wseltzer, if we were to design a new charter: being the place where you drink tea and talk about security, PLUS being the place where education around vulnerabilities on the open web platform,
13:47:21 <hadleybeeman> ...discussion about usabilitiy
13:47:35 <hadleybeeman> wseltzer: I'll work with W3T to share a proposed draft charter.
13:47:55 <hadleybeeman> ...I think we want to be specific enough to give people the info so they can tell us if they will send people to do the work
13:48:08 <sangwhan> RRSAgent, draft minutes
13:48:08 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html sangwhan
13:48:19 <sangwhan> RRSAgent, make minutes public
13:48:19 <RRSAgent> I'm logging. I don't understand 'make minutes public', sangwhan.  Try /msg RRSAgent help
13:48:21 <hadleybeeman> ...With my strategy hat on, it's interesting to hear the ideas about incubating new work. We don't need to be so specific there, but we can say "might include usability, anti-spoofing, etc"
13:48:31 <hadleybeeman> ...Because one of our goals in incubation is to help groups to iterate.
13:48:41 <sangwhan> RRSAgent, minutes are public
13:48:41 <RRSAgent> I'm logging. I don't understand 'minutes are public', sangwhan.  Try /msg RRSAgent help
13:49:05 <hadleybeeman> ...To do that, we may spawn off some community groups, add use cases to existing community groups.  Bring back promising stuff to a WG to standards-track dev with patent policies, etc.
13:49:23 <hadleybeeman> drogers: is it unusual for IGs to have general presentations on topics of interest?
13:49:36 <hadleybeeman> wseltzer: No, that's appropriate. Web Payments IG have done some of that.
13:50:23 <hadleybeeman> hadleybeeman: Can be woolly without some direction.
13:50:45 <hadleybeeman> drogers: In security, we can be responding to topical issues; working out how we need to respond.
13:50:53 <hadleybeeman> ...Patching specs, new specs, etc.
13:51:24 <hadleybeeman> virginie: Wendy is going to lead the strategy. Ideas to her.
13:51:41 <hadleybeeman> jeffjaffe: [Introduces himself]
13:51:50 <hadleybeeman> ...Started a Security Research Group at IBM research in the 1980s
13:52:01 <hadleybeeman> ...Spent a few years running IBM's security and networking business
13:52:16 <hadleybeeman> ...In various other jobs, I keep trying to understand how to make things secure and haven't yet figured it out. But it's important.
13:52:45 <hadleybeeman> virginie:  Re Authentication of individuals... 5-min presentation
13:53:24 <kaorumaeda_> kaorumaeda_ has joined #websec
13:53:42 <hadleybeeman> Kepeng: [referencing slides]
13:53:50 <hadleybeeman> ...Real name authentication
13:54:59 <hadleybeeman> ...Security threats in biometric authentication. Inject into the template. During the transmission, it could  be lost/stolen
13:55:37 <hadleybeeman> ...We use anti-spoofing detection. This is about making some movements or gestures to avoid a static information.  You can move your hands, open/close your mouth, blink your eyes — to prove you're not a picture.
13:56:23 <hadleybeeman> ...In Alibaba, we use fingerprint authentication, face recognition and iris.  We have 100million users. We use for payment, egovernment and e-commerce.
13:56:49 <hadleybeeman> ...This is a framework. We have a mobile device side and a server.
13:57:57 <sangwhan> q+
13:58:01 <hadleybeeman> ...We have process flows. local and remote verification
13:59:57 <hadleybeeman> ...The user can request authentication verification. Goes to the server, and the server asks for a specific kind of biometric info, like a fingerprint.
13:59:57 <hadleybeeman> ...The user can then send it for verification. The server sends back a result.
13:59:58 <hadleybeeman> virginie:  The process flow is implemented in mobile devices and you want to bring it to the web?
13:59:58 <hadleybeeman> kepeng: yes
13:59:58 <hadleybeeman> ...Work happening at the Internet Finance Authentication Alliance. Related to FIDO.
13:59:58 <hadleybeeman> ...Standardisation opportunities at the W3C for interactions with the browser
14:00:00 <hadleybeeman> ...and which WG? WebAuth? WebSec? Any CGs?
14:00:12 <hadleybeeman> virginie: any feedback?
14:00:14 <sangwhan> q?
14:00:15 <Sebastien> q+
14:00:29 <wseltzer> q- later
14:00:33 <wseltzer> ack sangwhan
14:00:41 <sangwhan> q+
14:00:58 <wseltzer> q=sangwhan, Sebastien, wseltzer
14:01:06 <wseltzer> queue=sangwhan, Sebastien, wseltzer
14:02:00 <wseltzer> ack sangwhan
14:03:14 <wseltzer> sangwhan: how do you address the problem of coercion for biometrics?
14:03:30 <wseltzer> ... you can't so easily refuse to give up a fingerprint
14:03:40 <wseltzer> drogers: see also the sleeping parent attack
14:04:09 <keiji> keiji has joined #websec
14:04:25 <wseltzer> Sebastien: there's a database in India
14:04:54 <wseltzer> drogers: does gov give you the daabase, or API?
14:05:18 <hadleybeeman> Natasha: That’s no different to coercing someone to give you their password.
14:05:18 <hadleybeeman> dodgers: like the “sleeping parent” problem in iOS.
14:05:24 <hadleybeeman> ...Citizens register their biometric data, so that’s held in another place. The majority of biometric stuff happening in the GSMA world is not leaving the device
14:05:35 <hadleybeeman> Hadleybeeman: this would be illegal in European Union countries.  It would violate the Data Protection laws.
14:05:55 <hadleybeeman> wseltzer: This is out of scope for the chartered WebAuth group.  This would be a good place to discuss what to do with these ideas.
14:06:21 <hadleybeeman> drogers: so your questions here are about access to the biometric sensor? So you need an API to the biometric sensor?
14:06:23 <lukasz> lukasz has joined #websec
14:06:27 <lukasz> hello!
14:06:34 <hadleybeeman> virginie: I suggest we put these into discussion for the WebSec IG
14:06:39 <Sebastien> q-
14:07:16 <Yoshiro> Yoshiro has joined #websec
14:07:21 <lukasz> oh hey hadleybeeman
14:08:24 <wseltzer> q-
14:08:39 <hadleybeeman> topic: Hardware Based Secure Services CG
14:08:49 <wseltzer> s/dodgers/drogers/
14:09:08 <hadleybeeman> natasha: This is different for very large companies, who can have contracts with existing databases.
14:09:08 <hadleybeeman> virginie: might be different use cases ,depending on the business and the local laws.
14:09:19 <wseltzer> drogers: [see slides]
14:10:08 <wseltzer> ... HBSS workshop in London, hosted by MoFo, brought in good expertise
14:10:48 <wseltzer> ... since then, group has been working, led by Sebastien
14:11:54 <wseltzer> http://googleforwork.blogspot.pt/2016/09/pushing-the-boundary-of-Chrome-OS-Security-with-Verified-Access.html
14:12:10 <wseltzer> mkwst: I'll look into this
14:12:43 <wseltzer> drogers: there seems to be increasing interest in hardware security; our aim is to identify and prioritize
14:13:29 <wseltzer> vg: we have some demonstrations
14:13:44 <wseltzer> ... objectives, to discuss next steps for the CG work
14:14:02 <wseltzer> ... CG developed a report explaining use cases: egovernment, ebanking
14:14:14 <wseltzer> ... security sensitive operations, e.g. signing documents
14:14:27 <wseltzer> ... work to describe API for 2 techncial features
14:14:50 <wseltzer> ... secure management of credentials for cryptographic operation in hardware-based technology
14:15:07 <wseltzer> ... 2d, secure transaction confirmation
14:15:19 <wseltzer> ... over to you, Sebastien
14:16:03 <Sebastien> https://rawgit.com/w3c/websec/gh-pages/hbss.html
14:16:26 <wseltzer> -> https://rawgit.com/w3c/websec/gh-pages/hbss.html CG Report: Hardware Based Secure Services features
14:16:50 <wseltzer> Sebastien: aim to enable use and management of secure services, hardware-based solution
14:17:46 <wseltzer> Sebastien: [summarizes report's goals]
14:19:06 <wseltzer> ... question about request validation by the end user
14:19:24 <wseltzer> ... bridge between low-level API and Web
14:20:11 <wseltzer> ... replace management by extensions or Java plugins
14:20:27 <wseltzer> ... for pre-existing keys
14:21:26 <wseltzer> ... Give the end-user enough information to know what they're signing or authorizing, not just a binary blob
14:21:51 <wseltzer> ... Transaction confirmation: give user something readable to understand and accept = user consent
14:22:21 <wseltzer> ... e.g. if end-user is requested to accept a withdrawal from an account
14:22:38 <wseltzer> ... non-repudiation message
14:22:57 <wseltzer> ... sign operation, with non-repudation message and binary data
14:24:17 <wseltzer> ... these need to generate requirements on operating system environment
14:24:34 <wseltzer> vg: CG goal to make minimal viable product for those APIs
14:24:45 <wseltzer> ... also capture what we can do, don't know how to do.
14:25:24 <wseltzer> Sebastien: second, key management
14:25:32 <wseltzer> ... classical crypto matters, based in secure element
14:25:56 <wseltzer> ... so it looks like webcrypto API plus implmentation paramater to say whether it's software or hardware
14:26:19 <wseltzer> vg: this part drafted by Aurelien from Gemalto, who couldn't be here
14:27:20 <wseltzer> Sebastien: Section 5, implementation requirements
14:27:56 <wseltzer> vg: report got CG review
14:28:07 <wseltzer> ... about 10 people actively reviewed
14:28:33 <wseltzer> ... goal here to get broader feedback. Is it workable?
14:28:39 <wseltzer> [coffee break]
14:28:44 <wseltzer> rrsagent, draft minutes
14:28:44 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html wseltzer
14:28:57 <wseltzer> [return in 20 min]
14:32:45 <hadleybeeman> rrsagent, pointer?
14:32:45 <RRSAgent> See http://www.w3.org/2016/09/19-websec-irc#T14-32-45
14:42:53 <rrware> rrware has joined #websec
14:48:59 <shigeya> shigeya has joined #websec
14:50:25 <kaorumaeda> kaorumaeda has joined #websec
14:51:34 <kaorumaeda_> kaorumaeda_ has joined #websec
15:06:16 <chaals> chaals has joined #websec
15:14:31 <Yoshiro> Yoshiro has joined #websec
15:21:24 <wseltzer> [returned]
15:21:32 <wseltzer> [discussion of WebUSB]
15:26:29 <wseltzer> bhill2: FIDO UAF v1 had a whitelist capability
15:26:54 <wseltzer> ... signing over a DOMstring turns out to be really tricky because of fonts, unicode
15:27:02 <wseltzer> s/whitelist/transaction verification/
15:27:07 <wseltzer> ... then made it a bitmap
15:27:24 <wseltzer> Sebastien: but accessibility challenges with images
15:27:35 <wseltzer> bhill2: we had ASCII or image, not unicode
15:27:49 <wseltzer> JeffH: transaction confirmation is an optional extension in WebAuthn
15:27:59 <wseltzer> ... we changed the confirmation string
15:28:52 <wseltzer> vg: todo, liaise with WebAuthn
15:29:57 <wseltzer> Sebastien: back to the issues: attestation retrieval by issuing authority
15:31:09 <wseltzer> ... post-issuance of keys
15:31:13 <wseltzer> ... secure context
15:31:28 <wseltzer> vg: WebCrypto rcently decided to require secure contexts
15:32:01 <wseltzer> Sebastien: identity attributes
15:32:21 <wseltzer> vg: for futre development
15:32:44 <wseltzer> drogers: attribute based encryption... it's fairly new, suggest we don't go there now
15:33:50 <wseltzer> Ketan: don't you need user attributes for individual autentication?
15:33:59 <wseltzer> ... WebAuthn takes care of device authentication
15:34:49 <wseltzer> vg: Does API require attributes to be usable?
15:35:02 <wseltzer> Ketan: Gap is to do all the web API requirements at the hardware level
15:37:05 <wseltzer> ... we have webcrypto, what's missing is ability to address a key on a device
15:37:12 <wseltzer> ... as Sebastien pointed out
15:37:21 <wseltzer> vg: do you need discovery and user interaction?
15:37:36 <wseltzer> Ketan: you can provide API, or discovery function
15:37:54 <wseltzer> vg: do you believe it has to have discovery of keys, or of physical devices?
15:38:02 <wseltzer> Ketan: key-level
15:38:25 <wseltzer> ... user decides which key to use
15:39:01 <wseltzer> Sebastien: privacy issues pose problem with key discovery at API level
15:39:21 <wseltzer> ... need way to filter
15:39:36 <wseltzer> ... trusted UI presents filtered choice to user
15:42:15 <keiji> keiji has joined #websec
15:42:16 <wseltzer> Sebastien: todos, a few typos, implementation security requirements
15:43:14 <wseltzer> vg: next steps: what to do with this report and demo
15:43:32 <wseltzer> ... we need to talk to UA providers, see their interest in WG creation
15:44:10 <wseltzer> drogers: we should validate what we've written with those prior commments
15:44:23 <wseltzer> ... ID gaps with WebAuthn
15:45:20 <wseltzer>  ... we were asked to draft APIs, privde requiremens, demos
15:45:24 <wseltzer> ... you've done a great job
15:45:58 <shigeya> shigeya has joined #websec
15:46:16 <wseltzer> vg: next steps: improving, socializing, start drafting WG charter if there's interest
15:46:28 <wseltzer> drogers: deadline for feedback
15:46:49 <wseltzer> vg: one month?
15:47:07 <wseltzer> drogers: give Sebastien another week to finalize and publish report
15:47:16 <wseltzer> ... one month feedback period
15:47:22 <wseltzer> q+
15:47:38 <wseltzer> drogers: virginie and I will try to document the feedback
15:47:59 <wseltzer> ... by early Nov
15:48:19 <kaorumaeda_> present+ Kaoru_Maeda
15:48:21 <wseltzer> vg: reporing to the CG what's UA reaction to our proposal
15:48:50 <wseltzer> ... I'll give brief reprot at today's AC meeting
15:51:00 <shigeya> shigeya has joined #websec
15:52:26 <wseltzer> wseltzer: the CG should publish Final Specification to lock-in patent commitments
15:52:36 <wseltzer> ... and then go through evaluation with ecosystem
15:52:54 <wseltzer> drogers: so by December, be ready to go to AC, if that's the conclusion
15:53:48 <wseltzer> Topic: Wrap-up
15:53:56 <wseltzer> vg: security jam session Wednesday
15:54:23 <wseltzer> ... status update on W3C work, collect potential new security needs
15:54:43 <wseltzer> ... and I'll give update in AC meeting
15:57:30 <wseltzer> wseltzer: Thanks Virginie, and also David, Sebastien, Aurelien for working on the CG report
15:57:47 <wseltzer> schuki: you can also do presentation to IETF SAAG
15:59:08 <wseltzer> rrsagent, draft minutes
15:59:08 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html wseltzer
15:59:38 <wseltzer> Topic: Biometric Authentication (return)
16:04:28 <wseltzer> JeffH: consider the FIDO Alliance's work as a different way to do biometric verification
16:04:39 <wseltzer> ... it's bad for privacy to keep a public database of biometrics
16:04:59 <wseltzer> bhill2: recent paper showing that 3 photographs were enough to break biompetric proof of liveness
16:05:20 <wseltzer> Sebastien: and yet many countries are using biometrisc for ID verification
16:06:38 <wseltzer> bhill2: one you start shipping biometrics over the wire, you're opening up new attacks
16:07:47 <wseltzer> s/one/once/
16:08:30 <wseltzer> marta: more border crossings now using automated gates
16:09:26 <wseltzer> bhill2: still scale difference from the possibility of a data breach, biometrics aren't secret even if people would like to treat them as secret
16:09:57 <wseltzer> ... not every problem is a good idea to solve
16:11:33 <wseltzer> bhill2: I'm not saying the problems aren't legitimate; rather, as security experts, we have the responsibility to make sure we're solving them in a good way
16:11:40 <wseltzer> ... not creating privacy/security nuclear waste
16:12:21 <wseltzer> dsinger: if someone wants to claim "I'm the person whose ID was verified," we might want to find a better way to address
16:12:33 <wseltzer> kepeng: I agree that the solution raises some privacy issues
16:12:55 <wseltzer> ... password and verification codes also have some flaws
16:13:08 <wseltzer> ... this one is not perfect, but it works in China
16:13:24 <wseltzer> Ryan: this one is a flaw that we already know is trivially exploitable
16:13:45 <wseltzer> marta: and if biometric data is stolen, you can't change it
16:14:01 <wseltzer> JeffH: it's not a secret; we all are shairng our biometric data right here
16:14:15 <wseltzer> ... we need to figure out how to use it in a secure fashion
16:14:27 <wseltzer> bhill2: we have it because everyone wants to share photos
16:14:38 <wseltzer> ... and on the other side, theres the OPM data breach
16:15:11 <wseltzer> dsinger: further, photos have data about more than one person; we don't have good handle on the privacy and security issues that raises
16:16:20 <wseltzer> bruno: linking biometric to "real" identity, what does that mean?
16:17:38 <wseltzer> ... I think this is important work
16:17:58 <Sebastien> Sebastien has joined #websec
16:18:08 <wseltzer> Ketan: Why doesn't FIDO do this?
16:18:30 <Sebastien> (face spoofing: https://www.youtube.com/watch?v=ohmajJTcpNk#t=206)
16:18:31 <wseltzer> JeffH: it's out of scope. We self-assert all the time; for the vast majority of transactions, that's sufficient
16:19:06 <wseltzer> Bruno: bank is acting as identity provider
16:20:30 <wseltzer> JeffH: Kantara initiative has done work on identity proofing
16:21:01 <wseltzer> dsinger: about singular identity; bank is only confirming that the user of the credit card is the person to whom they issued it
16:21:07 <wseltzer> ... I don't have a singular identity
16:21:25 <wseltzer> hadleybeeman: that's more complicated when talking about money laundering regulation
16:21:40 <wseltzer> drogers: preregistration fraud
16:22:02 <wseltzer> ... e.g., someone who lives in a village suddenly gets a passport and doesn't know it, and someone else is traveling on it
16:22:17 <wseltzer> bhill2: what can we do in W3C? create interesting primitives and let others work with them
16:22:27 <wseltzer> ... e.g. attestable sensors on a device
16:23:18 <wseltzer> ... would let someone else build proof of liveness from two cameras
16:23:48 <wseltzer> marta: can we standardize what should be forbidden?
16:24:05 <wseltzer> ... to tell people not to do it
16:24:15 <wseltzer> mkwst: WG note or TAG Finding
16:24:54 <wseltzer> hadleybeeman: TAG findings need to be based n architecture of the web
16:25:23 <wseltzer> drogers: one of the strengths of FIDO is that the biometric remains on the device
16:25:50 <wseltzer> ... attestation, we know that the device is happy with the situation, not what the biometric scanned was.
16:26:27 <wseltzer> bhill2: I'm a FB user, I lost my device, how do I log in? Solution isn't just "take a selfie and send it over the wire"
16:26:37 <wseltzer> ... it's a real use case
16:26:53 <wseltzer> ... putting together measures from attested sensors is a more interesting solution
16:27:26 <wseltzer> ... W3C makes voluntary reocmmentaitons, not certification. FIDO certifies, and can say "shalt not"
16:27:43 <wseltzer> mkwst: data from attested sensors can be biometric too
16:28:14 <wseltzer> bhill2: hypothetical attested camera wouldn
16:28:24 <wseltzer> ... wouldn't be ok in FIDO
16:29:36 <wseltzer> JeffH: you get attestation of the device as a public-private key set up at manufacturing time; sign message with the private key, metadata service gives attributes aobut the authenticator
16:29:40 <wseltzer> ... if you care
16:29:57 <wseltzer> mkwst: in many cases, you care about continuity, not identity
16:30:16 <wseltzer> JeffH: WebAuthn (FIDO is only the certification)
16:30:38 <wseltzer> ... registration, create a new public-private key
16:30:45 <wseltzer> ... user verification is local, abstracted away
16:31:13 <wseltzer> ... WebAuthn relying parties don't see the means of local authenticaiton;but keys minted on a per relying party basis
16:31:24 <wseltzer> vg: there's still work to do
16:31:38 <wseltzer> ... on the security and privacy considerations, and on what the Open Web platform needs
16:31:55 <wseltzer> bhill2: I share the use case, we'd love to solve it correctly
16:32:19 <wseltzer> vg: Wednesday's session will be bread
16:32:22 <wseltzer> s/bread/broad/
16:32:36 <wseltzer> [adjourned]
16:32:58 <wseltzer> vg: look for follow-up in WebSec IG and HBSS CG
16:33:04 <wseltzer> Ketan: follow-up?
16:33:16 <wseltzer> vg: we'll have some debriefs on HBSS
16:33:22 <wseltzer> s/[adjourned]//
16:33:30 <wseltzer> [adjourned]
16:34:06 <wseltzer> rrsagent, make minutes
16:34:06 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html wseltzer
17:24:25 <kaorumaeda> kaorumaeda has joined #websec
19:17:56 <bhill2> bhill2 has joined #websec
19:18:58 <bhill2> bhill2 has joined #websec
21:00:29 <kaorumaeda> kaorumaeda has joined #websec
21:48:24 <bhill2> bhill2 has joined #websec
21:50:09 <bhill2> bhill2 has joined #websec
21:56:26 <keiji> keiji has joined #websec
22:26:59 <keiji> keiji has joined #websec