16:54:49 RRSAgent has joined #webauthn 16:54:49 logging to http://www.w3.org/2017/05/24-webauthn-irc 16:54:51 RRSAgent, make logs public 16:54:51 Zakim has joined #webauthn 16:54:53 Zakim, this will be 16:54:53 I don't understand 'this will be', trackbot 16:54:54 Meeting: Web Authentication Working Group Teleconference 16:54:54 Date: 24 May 2017 16:55:48 agenda: https://lists.w3.org/Archives/Public/public-webauthn/2017May/0247.html 16:55:58 weiler has changed the topic to: agenda for 24 May: https://lists.w3.org/Archives/Public/public-webauthn/2017May/0247.html 16:59:40 selfissued has joined #webauthn 17:00:54 present+ weiler 17:01:18 present+ 17:02:48 present+ 17:02:58 selfissued has joined #webauthn 17:03:30 selfissued has left #webauthn 17:03:41 selfissued_ has joined #webauthn 17:03:52 present+ 17:05:06 present+ nadalin, KetanMehta, jcj_moz, AkshayKumar 17:05:55 Rolf has joined #webauthn 17:07:11 Ketan has joined #webauthn 17:07:22 jeffh has joined #webauthn 17:07:25 regrets+ angelo 17:08:18 present+ jeffh 17:08:21 present+ alexei 17:08:34 alexei-goog has joined #webauthn 17:08:41 scribenick: weiler 17:08:42 present+ 17:09:00 gmandyam has joined #webauthn 17:09:03 topic: https://github.com/w3c/webauthn/pull/375 17:09:09 nadalin: just editorial 17:09:09 present+ gmandyam 17:09:16 [we said the same thing last week!] 17:09:21 topic: https://github.com/w3c/webauthn/pull/379 17:09:44 [last week we were waiting for google] 17:10:23 nadalin: I'll talk w/ angelo to make sure he addresses. 17:10:30 topic: https://github.com/w3c/webauthn/pull/427 17:10:41 jeffh: queued for after 464 17:11:05 ... cover 464 out of order since we have limited time from jyasskin 17:11:14 topic: https://github.com/w3c/webauthn/pull/464 17:11:28 jeffh: have not addressed detailed comments from jyasskin yet 17:11:59 ... note on rpid definition, gopefulyl addressing 260 17:12:04 s/260/issue 260/ 17:12:25 ... jyasskin raises suborigins. I need to read this. is it implemented? 17:12:40 jyasskin: i think not. stalled for a while. may be some new activity. something to think about. 17:13:00 jeffh: punt on suborigins and go ahead and merge 464? 17:13:16 jyasskin: even we're revisiting ports, makes sense to merge this. 17:13:33 jeffh: we do NOT want to include the port. 17:13:43 ... we have to match HSVS and cookies; they are whole-host. 17:13:50 s/have/want/ 17:13:56 s/HSVS/HSTS/ 17:14:04 jyasskin: that answers my concern 17:15:02 nadalin: jyasskin will review? (even w/o jeffh hasn't finished w/ details) 17:15:25 jeffh: want to work more on it. want review of this AM's changes. goal to merge Friday/Monday. want to get this done and go back to 427. 17:15:37 nadalin: monday is holiday. goal of tuesday. 17:15:51 jyasskin: will et this reviewed. don't expect signifiant problems. 17:15:59 jeffh: *cackles* 17:16:10 s/et this/get this/ 17:16:26 ... more reviewers good. jc? 17:17:21 jeffh: 427 after 464. 427 largely done. jyasskin noticed some stuff that needs attn. 17:18:40 topic: https://github.com/w3c/webauthn/pull/442 17:18:52 nadalin: this is rolf's.... 17:18:56 zakim, who's here? 17:18:56 Present: weiler, wseltzer, jyasskin, selfissued_, nadalin, KetanMehta, jcj_moz, AkshayKumar, jeffh, alexei, alexei-goog, gmandyam 17:18:58 On IRC I see gmandyam, alexei-goog, jeffh, Ketan, Rolf, selfissued_, Zakim, RRSAgent, weiler, dmitriz, battre, mkwst, adrianba, jyasskin, wseltzer, jcj_moz, trackbot, schuki, 17:18:58 ... jochen___, slightlyoff 17:19:06 present+ Rolf 17:19:17 present- alexei 17:19:54 jyasskin: this needs more specification. need to be spelled out more - acronyms not great for readability. 17:20:37 ... by pulling in two more selection criteria, it starts interacting w/ user verification changes. may want to pull extra bits into user verification. at least make sure all is aligned. 17:21:05 .... this ties into 460. 17:21:34 .... @@ says this ties into biometric auth. 17:21:48 jeffh: 442/460 are linked. 17:22:31 giri: should we assume that @2 need to be separate PRs? 17:23:06 selfissued: should be able to evaluate these independently. each proposed selection criteria should be written up separately 17:23:16 ... so it's not an "all or none" decision to take them. 17:23:38 jeffh: +1 17:24:09 nadalin: who will split functionality of options out? (460) 17:24:40 @3: not 460, but 442. 17:26:19 [see: https://github.com/w3c/webauthn/pull/442#issuecomment-303794031 17:26:19 ] 17:26:51 giri: don't get too hung up on Q4.... merge the PR, fix normative processing reqs for UA. 17:27:14 jyasskin: hard to understand selection criteria w/o a sketch of the process rules/algorithm. 17:27:53 giri: agree, but alg. doesn't need to be final to merge the PR. in favor if merging AAGUID criteria w/ understanding that once user verficiation is merged, need to look at alg in totoal 17:28:14 jyasskin: 442 has no alg for aaguid; needs something even if imperfect. 17:28:19 giri: ok 17:28:37 alexei: can we go back to 460? 17:28:50 topic: https://github.com/w3c/webauthn/pull/460 17:29:04 alexei: can objectors please explain themselves? 17:29:34 jyasskin: just doing user verification doesn't guarantee same suer created/using cred. 17:29:46 ... needs to be passed to authenticator. need to say was authenticator does w/ it. 17:30:09 alexei: I keep forgetting that we're specifying authenticator behavior here in the web spec. 17:30:22 ... I'll clarify authenticator behavior. 17:30:59 selfissued: desc of alg @5 is wrong. assumes authenticator can do this, but client doesn't have this knowledge. 17:31:13 ... may need to send req through to authenticator and see what happens. 17:31:38 alexei: client needs to call getinfo whenever authenticator shows up 17:31:47 selfissued: specs don't say that 17:32:03 alexei: implementation issue. need to figure out how to get that into the specs 17:32:22 jeffh: i would characterize this as an implementation consideration. advice to implementor. 17:32:43 alexei: we're writing pseudocode in the spec .... if we're gonna do that, I'll just add this. 17:33:08 selfissued: we do want this functionality. just that right now we're making assumptions 17:33:27 rrsagent, draft minutes 17:33:27 I have made the request to generate http://www.w3.org/2017/05/24-webauthn-minutes.html weiler 17:33:49 topic: https://github.com/w3c/webauthn/pull/470 17:34:09 selfissued: I took action item. other things have been higher priority. i'll write a PR 17:34:20 chair: nadalin 17:34:43 topic: wd-06 issues 17:35:40 https://github.com/w3c/webauthn/issues/466 is the first we haven't covered - opened 5 days ago. 17:36:08 https://github.com/w3c/webauthn/issues?page=1&q=is%3Aopen+is%3Aissue+milestone%3AWD-06 17:36:43 topic: https://github.com/w3c/webauthn/issues/416 17:36:47 rpID seems to have changed meaning a bit 17:37:00 jeffh: will be closed by PR464 17:37:29 nadalin: origins stuff from last week: 259/255 will get wrapped up in that. and 260 17:38:06 jeffh: 167 just goes away. confirm from jyasskin/mike west / @6? 17:38:32 issue 393: rename "attestation data" to be "attested credential" 17:38:50 jehhf: re: issue 393: we should do that.... just needs to be cranked out. 17:41:06 Talking about issue #283 17:41:12 Not assigned to anyone yet. 17:41:17 scribenick: Rolf 17:41:47 according to JeffH: that one can wait 17:42:10 Now on 285: Will that one be picked up after credman merge? 17:42:48 Assigned to JeffH+jyasskin 17:43:44 jyasskin has identified 4 items -- simple editing change to be done 17:44:37 Now 292: 17:45:16 might be related to Issue 316 (cancel operation) 17:45:51 lower priority? 17:46:16 326 is fixed 17:47:16 by PR 464 17:48:21 Now 329 17:49:08 Only 2 items left: attachment+transport 17:49:49 Seems simple to do. 17:50:24 Now 351: 17:51:06 Simple do it as proposed in the comments of that issue 17:51:37 Now 362: 17:52:25 More complicated. 17:52:34 Needs more thinking 17:53:05 392 already discussed. Now 393: 17:53:31 Simple - just do it. 17:53:36 Now 414: 17:54:13 JeffH is working on it 17:54:28 zakim, who's here? 17:54:28 Present: weiler, wseltzer, jyasskin, selfissued_, nadalin, KetanMehta, jcj_moz, AkshayKumar, jeffh, alexei-goog, gmandyam, Rolf 17:54:30 On IRC I see gmandyam, alexei-goog, jeffh, Ketan, Rolf, selfissued_, Zakim, RRSAgent, weiler, dmitriz, battre, mkwst, adrianba, jyasskin, wseltzer, jcj_moz, trackbot, schuki, 17:54:30 ... jochen___, slightlyoff 17:54:34 present+ dirk 17:55:05 Now 416: 17:55:15 Will be fixed by PR 464 17:55:22 rrsagent, draft minutes. 17:55:22 I'm logging. I don't understand 'draft minutes.', weiler. Try /msg RRSAgent help 17:55:23 rrsagent, draft minutes 17:55:23 I have made the request to generate http://www.w3.org/2017/05/24-webauthn-minutes.html weiler 17:55:26 Now 462: undefined terms 17:56:26 relevant for milestone: CR. 17:56:41 Simple, but work to add defs 17:56:45 Now: 466 17:57:28 MikeJ working on that. 17:57:45 rp.id already present. 17:57:53 So: just do it. 17:57:55 Now 467: 17:59:34 proposal exists. Please review. 18:00:25 Now 471: 18:01:09 Now 472: 18:02:02 Optimization to reduce number of bytes if only a single item is relevant 18:02:22 thank you - go for it 18:02:25 scribenick: weiler 18:02:33 474: 18:02:49 jeffh: need yjasskin, jcj's input. 18:03:03 selfissued: does not allowing host #'s make it harder to test? 18:03:32 jeffh: dunno. w/ HSTS, we disallowed all but domain names. HTTP strict transport security. policy to say "only-TLS". 18:04:01 jcj: ... not a big deal to not be using port numbers. 18:04:14 jeffH; not only no ports; also no IP addrs. 18:04:36 nadalin: adjourned 18:04:43 rrsagent, draft minutes 18:04:43 I have made the request to generate http://www.w3.org/2017/05/24-webauthn-minutes.html weiler 18:47:59 weiler has joined #webauthn 19:57:49 Zakim has left #webauthn