IRC log of webauthn on 2017-04-26

Timestamps are in UTC.

16:55:10 [RRSAgent]: RRSAgent has joined #webauthn
16:55:10 [RRSAgent]: logging to http://www.w3.org/2017/04/26-webauthn-irc
16:55:12 [trackbot]: RRSAgent, make logs public
16:55:12 [Zakim]: Zakim has joined #webauthn
16:55:14 [trackbot]: Zakim, this will be
16:55:14 [Zakim]: I don't understand 'this will be', trackbot
16:55:15 [trackbot]: Meeting: Web Authentication Working Group Teleconference
16:55:15 [trackbot]: Date: 26 April 2017
16:56:30 [weiler]: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0385.html
16:56:38 [weiler]: weiler has changed the topic to: agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0385.html
17:00:26 [weiler]: present+ weiler, selfissued
17:00:34 [jcj_moz]: present+ jcj_moz
17:00:47 [jeffh]: jeffh has joined #webauthn
17:01:17 [mkwst]: present+ mkwst
17:01:19 [jeffh]: present+ jeffh
17:01:57 [weiler]: present+ nadalin
17:05:16 [jyasskin]: present+
17:05:23 [weiler]: present+ angelo, jfontana, vgb
17:06:28 [alexei-goog]: alexei-goog has joined #webauthn
17:06:39 [vgb]: vgb has joined #webauthn
17:06:42 [angelo]: angelo has joined #webauthn
17:06:43 [vgb]: present+
17:06:45 [weiler]: scribenick: vgb
17:06:48 [vgb]: scribenick:vgb
17:06:56 [jyasskin]: present+ alexei-goog dirk
17:07:34 [vgb]: Tony: No meeting on May 10 due to the FIDO plenary.
17:08:00 [vgb]: ... trying to close on WD-05, let's look at the PRs
17:08:14 [jeffh]: q+ jeffh
17:08:41 [alexei-goog]: q+
17:09:25 [vgb]: jeffh: the open PRs are not enough to declare WD-05. There are many places where the spec is broken as stands, and we should fix those.
17:10:02 [vgb]: angelo: Want to get to WD-05 because we have implementers working on this and stuff seems to be working.
17:10:26 [vgb]: jeffh: In that case the ambiguities must have been resolved in the implementations, we should at least document the choices.
17:11:27 [vgb]: angelo: ok. of course there will be other WDs, we just want to mark a point in time snapshot that is close enough.
17:12:16 [vgb]: alexei-goog: Google is also developing, and we shouldn't take shortcuts purely for expediency. We may have to redo some work and that's ok.
17:14:57 [jyasskin]: q+
17:15:14 [jyasskin]: ack jeffh
17:15:15 [vgb]: jeffh: Tony: seems like we're all in rough agreement
17:17:07 [vgb]: jyasskin: Agree with jeffh. Implementers need to file issues on ambiguities and document choices. Also want to caution that WDs change so we should not get too tied to WD-05.
17:17:21 [vgb]: Tony: Yes, but implementations have their momentum too.
17:17:55 [jyasskin]: ack jyasskin
17:18:00 [jyasskin]: ack alexei-goog
17:18:05 [vgb]: alexei-goog: want to talk about PR #409
17:18:26 [vgb]: ... it was merged last week, let's put it on the agenda
17:18:31 [vgb]: Tony: ok, on to #378
17:19:49 [vgb]: angelo: believe the text is there. consider this a bugfix. don't think of this so much as authenticator selection as a thing to make getAssertion more reliable for RPs.
17:20:33 [vgb]: ... could also create a dictionary to capture the dimensions of filtering requested
17:21:07 [vgb]: alexei-goog: btw this flag seems like it wants something that "takes resident keys and has room for one more"
17:21:28 [vgb]: ... for the use case where RP will call getAssertion without a credential ID on the allowList
17:22:09 [vgb]: ... what should happen if no such authenticator exists? Should it be NotFoundError?
17:22:18 [vgb]: angelo: possibly, open to ideas.
17:22:21 [RRSAgent]: I have made the request to generate http://www.w3.org/2017/04/26-webauthn-minutes.html weiler
17:22:56 [vgb]: alexei-goog: so this seems very similar to platform vs. roaming authenticator. So should organize it better as jeffh suggests.
17:23:26 [vgb]: ... How were you planning on giving the user feedback about this, e.g. in the case the authenticator is out of space?
17:24:29 [vgb]: ... and how would the user remediate?
17:25:30 [vgb]: angelo: Were mainly thinking of highly capable devices such as phones which can store lots of keys, and U2F style devices.
17:25:51 [vgb]: alexei-goog: But what about the middle case, with limited slots. How does the management UX work?
17:27:35 [vgb]: angelo: Makes sense. So either the RP says get another authenticator or create a non-resident key. Imagine that this is the way the RP gracefully degrades the UI in this case.
17:28:01 [vgb]: alexei-goog: May be other solutions, but should think this through before merging the PR.
17:29:58 [vgb]: angelo: this PR recognizes the possibility of resident keys. Can we separate that from fleshing out the full story?
17:30:14 [vgb]: jyasskin: Maybe we should discuss this on the PR
17:30:38 [vgb]: ... call is less efficient way of doing this
17:31:14 [vgb]: ... Want to see a uniform treatment of authenticator selection.
17:31:32 [vgb]: ... Should get to consensus on that in PR.
17:32:27 [vgb]: angelo: Let's talk about authenticator selection. Could either let RP choose in isPlatformAuthenticatorReady, or in makeCredential.
17:32:46 [vgb]: ... use cases for both.
17:33:57 [vgb]: ... Could do a dictionary with all the criteria. Not sure if there is another idea? Guessing we don't want to do an extension.
17:33:57 [jeffh]: jyasskin: I will submit such apres call
17:33:58 [jeffh]: :)
17:34:12 [selfissued]: selfissued has joined #webauthn
17:34:24 [vgb]: jeffh: Maybe look at how UAF does this.
17:34:51 [apowers]: apowers has joined #webauthn
17:34:54 [vgb]: ... Has arrays of bit flags denoting properties, RP specifies these at makeCredential time.
17:35:05 [vgb]: ... UA uses platform-specific methods to honor this.
17:35:09 [RRSAgent]: I have made the request to generate http://www.w3.org/2017/04/26-webauthn-minutes.html weiler
17:35:16 [vgb]: ... Let's move on to other PRs and not rathole.
17:35:31 [dmitriz]: dmitriz has joined #webauthn
17:35:31 [apowers]: present+
17:36:23 [vgb]: ... The current approach is ad hoc, in that it adds language to the spec every time an authenticator selection criterion is added. We should make it a real extension point to be systematic.
17:36:58 [selfissued]: I agree that we should discuss the other priority:Implementation PRs
17:37:12 [vgb]: Tony: ok, now take it to the list.
17:37:18 [vgb]: ... now #350
17:38:17 [weiler]: https://github.com/w3c/webauthn/pull/350
17:40:14 [vgb]: angelo: This is not a focus for me right now.
17:40:56 [vgb]: selfissued: Why don't we just accept jeffh's comments and merge it so we can close out the simple issues?
17:41:08 [vgb]: jeffh: happy to do this if angelo gives permissions to his clone
17:41:17 [vgb]: Tony: #423
17:41:39 [vgb]: selfissued: Fixing an omission in a previous merge. Should be easy to fix.
17:41:59 [vgb]: ... Can jeffh review and we can revise and merge?
17:42:18 [vgb]: jeffh: Naming ok with everyone? If so yes we can take care of this.
17:42:30 [vgb]: Tony: #425
17:43:09 [vgb]: selfissued: finishing up the fixups on the extension sections. Thanks to jyasskin for noting the issues and for all the help.
17:43:35 [vgb]: ... Extensions don't work if we don't do this, can we address the outstanding comments and merge?
17:43:46 [vgb]: ... More reviews welcome of course.
17:45:14 [vgb]: ... The basic issue is that at some point the flow of extension info to the RP and authenticator was lost. This fixes that.
17:45:34 [vgb]: dirk: so this is not about transparently passign all extensions through?
17:45:50 [vgb]: selfissued: no, this is much more basic for extensions to work at all.
17:46:18 [vgb]: ... this fixes an embarrassing omission, we should just fix it
17:47:23 [vgb]: Tony: #427
17:48:44 [vgb]: jeffh: made some technical fixups in response to jyasskin's issue. Would appreciate reviews.
17:48:59 [vgb]: ... this is another that should be fixed.
17:49:13 [vgb]: Tony: ok, address if no complaints by Monday.
17:49:19 [vgb]: Tony: ok, now #409
17:50:12 [vgb]: alexei-goog: This is something that was merged last week. Adds a bit to authenticatorData that says the credential requires user verification (i.e. more than a TUP).
17:50:57 [vgb]: ... Issue is that we have so few flag bits left that we should be more careful about using them up. This seems like something that could be in the attestation.
17:51:08 [vgb]: ... which could also give more detail about this.
17:51:34 [vgb]: ... (i.e. could say what type of user verification is done)
17:53:58 [RRSAgent]: I have made the request to generate http://www.w3.org/2017/04/26-webauthn-minutes.html weiler
17:54:19 [weiler]: chair: nadalin
17:56:09 [vgb]: jeffh: #409 postulates the RP doesn't know exactly what the authenticator can do, so authnr tells it after the fact. Other notion is that the RP just knows (out of band, maybe from attestation) what an authnr does after makeCredential.
17:56:22 [vgb]: dirk: Believe the overall philosophy of the API is the latter.
17:56:37 [vgb]: ... so unless there is a very good reason we should do that.
17:58:39 [vgb]: jeffh+dirk+alexei-goog: there may be use cases where an authenticator sometimes does user verification and sometimes not (e.g. PIN, or cached verification)
17:59:13 [vgb]: jeffh: we may need both: better authenticator selection and feedback on user verification per assertion
18:00:08 [vgb]: dirk: can't imagine that makeCredential asked for a user verifyign credential and the authenticator decided at getAssertion time not to bother.
18:00:12 [vgb]: jeffh: ok by me
18:01:00 [vgb]: alexei-goog: gotta run. can angelo continue the discussion in email or PR?
18:01:13 [RRSAgent]: I have made the request to generate http://www.w3.org/2017/04/26-webauthn-minutes.html weiler
18:01:17 [vgb]: jeffh: object to the curretn state.
18:01:27 [vgb]: all: call ended
18:01:37 [RRSAgent]: I have made the request to generate http://www.w3.org/2017/04/26-webauthn-minutes.html weiler
18:23:27 [weiler]: weiler has joined #webauthn
18:57:41 [weiler]: weiler has joined #webauthn
20:32:14 [Zakim]: Zakim has left #webauthn
21:08:37 [dmitriz]: dmitriz has joined #webauthn
21:22:47 [apowers]: apowers has joined #webauthn
21:56:26 [apowers]: apowers has joined #webauthn