IRC log of webauthn on 2017-08-09

Timestamps are in UTC.

16:39:35 [RRSAgent]
RRSAgent has joined #webauthn
16:39:35 [RRSAgent]
logging to http://www.w3.org/2017/08/09-webauthn-irc
16:39:37 [trackbot]
RRSAgent, make logs public
16:39:37 [Zakim]
Zakim has joined #webauthn
16:39:39 [trackbot]
Zakim, this will be
16:39:39 [Zakim]
I don't understand 'this will be', trackbot
16:39:40 [trackbot]
Meeting: Web Authentication Working Group Teleconference
16:39:40 [trackbot]
Date: 09 August 2017
16:40:02 [weiler]
present?
16:40:06 [weiler]
present+
16:45:58 [weiler]
present+ jbradley
16:53:45 [dmitriz]
dmitriz has joined #webauthn
16:54:48 [Jbradley_]
Jbradley_ has joined #Webauthn
16:55:58 [wseltzer]
present+
16:56:07 [dmitriz]
present+
17:00:22 [jcj_moz]
present+
17:01:27 [jeffh]
jeffh has joined #webauthn
17:02:17 [kpaulh]
kpaulh has joined #webauthn
17:02:34 [weiler]
present+ kpaulh, AkshayKumar, jfontana, nadalin
17:02:58 [selfissued]
selfissued has joined #webauthn
17:03:13 [selfissued]
present+
17:03:26 [apowers]
apowers has joined #webauthn
17:04:00 [weiler]
present+ jeffh
17:04:12 [jeffh]
present+ jeffh
17:04:26 [jyasskin]
present+
17:05:11 [CR01]
CR01 has joined #webauthn
17:05:26 [weiler]
present+ ChristiaanBrand
17:06:47 [weiler]
present+ angelo, apowers, rolf
17:07:09 [angelo]
angelo has joined #webauthn
17:08:52 [wseltzer]
https://github.com/w3c/webauthn/issues/527
17:13:47 [CR01]
slightlyoff: making isPlatformAuthenticatorAvailable an attribute doesn't work as it cannot have UI then.
17:15:02 [angelo]
There is very little controversy around isPlatformAuthenticatorReady.
17:16:35 [jeffh]
s/slightlyoff/selfissued/
17:16:56 [CR01]
Thanks.
17:17:01 [jeffh]
sorry, there's a fair bit of controversy re how isPlatformAuthenticatorReady is specified
17:17:49 [CR01]
not resolving a promise doesn't seem to be a good approach
17:18:10 [angelo]
Sorry I am getting caught up on the scribe
17:18:28 [CR01]
proposal: merge 523 and fix the example
17:18:37 [angelo]
Kim: I am in agreement with resolving https://github.com/w3c/webauthn/pull/523
17:18:54 [angelo]
JC: I am in agreement with https://github.com/w3c/webauthn/pull/523
17:19:37 [angelo]
JeffH: 523 isn't too well written.
17:19:46 [angelo]
Tony: Mike, can you take a look at the grammar issue
17:20:02 [CR01]
Close but don't merge 528
17:20:02 [angelo]
Mike: I will take a look at the grammar side.
17:20:43 [angelo]
We will close https://github.com/w3c/webauthn/pull/528.
17:21:15 [angelo]
We're looking at https://github.com/w3c/webauthn/pull/525
17:21:28 [Ketan]
Ketan has joined #webauthn
17:22:17 [angelo]
525 registers numbers for the 3 RSA signature algorithms instead of strings
17:22:34 [angelo]
In 525, one of the algorithms becomes -255
17:23:08 [angelo]
JeffH: I haven't read the PR yet but I count on MikeJones who is the expert on the COSE and IANA registry
17:24:20 [angelo]
JeffH: In a PR that was recently merged, we changed algorithm identifier from WebCrypto identifiers to typedef identifiers
17:24:49 [angelo]
In COSE spec, you are allowed to use either small integer or small string to register algorithms
17:25:17 [angelo]
MikeJ: I agree there's a testing thing with using strings
17:27:12 [angelo]
John: I am generally supportive of making strings into integers
17:28:15 [angelo]
JC: Are we adding constants? Would browsers have to handle it?
17:28:49 [angelo]
MikeJ: we probably want to do that in the future
17:29:17 [angelo]
Tony: everyone seems in agreement with merging 525
17:30:14 [angelo]
After the two PRs (https://github.com/w3c/webauthn/pull/525 and https://github.com/w3c/webauthn/pull/528), I will start publishing WD06
17:30:30 [angelo]
We're starting to look at WD07
17:31:06 [angelo]
We are looking at https://github.com/w3c/webauthn/pull/498, which is a pull request for WD07
17:31:27 [angelo]
Tony: I am wondering whether it would make it into WD07
17:32:05 [angelo]
JeffH: Yes, I believe so. There's a standing PR on CredMan.
17:32:42 [angelo]
498 is a possible breaking change
17:33:31 [angelo]
JC: I am not sure if this is a breaking change.
17:33:32 [jeffh]
jeffh: folks have had to already workaround/address the issues in pr #489 and credman
17:34:49 [angelo]
jc: oh yeah there's an old conversation around whether we want to make it a valid domain or an origin.
17:36:35 [angelo]
Angelo: I will take a closer look at 489 later this week.
17:37:00 [jfontana]
jfontana has joined #webauthn
17:37:24 [CR01]
all 498 not 489?
17:38:21 [jeffh]
above discussion wrt PR #498
17:38:39 [jeffh]
angelo: now issues discussion - want to discuss issue #458
17:39:20 [jeffh]
angelo: domains change on web or are nominally equivalent from the perspective of the domains admins eg google.com and youtube.com
17:41:04 [angelo]
angelo: I am hoping people can propose ideas to help address problems in 458
17:41:29 [CR01]
Digital Asset Links (https://developers.google.com/digital-asset-links/v1/getting-started) are similar to original FIDO TrustedFacets lists.
17:41:45 [angelo]
JeffH: At U2F and UAF era, we didn't want to do federal identity management
17:42:05 [CR01]
FIDO decided at that time to stay out of federation - and hence do not allow credentials to be shared across domains.
17:43:03 [angelo]
JeffH: if one of the implementers wants to do something for their special deployment, that's fine. But the problem is how we want to standardize in W3C
17:43:43 [angelo]
JeffH: the user of digital asset links is also not available on the credman spec but only with Chrome's implementation.
17:43:45 [jyasskin]
1+
17:43:47 [jyasskin]
q+
17:44:37 [angelo]
Before, people's favored solution has been to use federation.
17:46:29 [CR01]
small companies sometimes prefer a more lightweight method than federation
17:47:34 [jeffh]
jyasskin: olddomain.com has creds there, visit newdomain.com, get redirected to olddomain.com, get cred, then redirect back to newdomain.com
17:48:23 [jyasskin]
q-
17:48:36 [angelo]
One of the possible solutions is to use OpenID Connect.
17:48:56 [jeffh]
angelo: <relates use case(s) where using federation to address domain changes is troublesome>
17:49:19 [dmitriz]
dmitriz has joined #webauthn
17:49:39 [jeffh]
jbradley: in fed world have seen use of federation to address these cases. tho have had discussions with google about a priori mapping of domains....
17:49:41 [angelo]
Another challenge is if IDPs themselves decide to change their domain
17:49:49 [angelo]
Another challenge is if IDPs themselves decide to change their own domains
17:49:57 [jeffh]
christiaan: sounds like a federation issue to me
17:51:49 [jeffh]
angelo: foo.com federates to login.live.com, bar.com feds with google.com, but same IDP controls both, want to merge everything into one domain. dont want old domains to remain and confuse users. so eventually have live.com to point to the right place.
17:56:45 [wseltzer]
https://github.com/w3c/webauthn/issues/458
17:56:58 [angelo]
Perhaps we can talk about this another day. Federation seems to be the common issue here.
17:58:01 [angelo]
I am not a fan of digital asset links myself but I was hoping someone can propose some ideas that could work better than those
18:01:07 [angelo]
Akshay created a PR in FIDO-2 world to address CTAP and U2F compat
18:01:42 [angelo]
MikeJ: The intention for that PR is to address the compat. Other folks on the call who are also part of that WG should review this.
18:03:43 [angelo]
In the WebAuthn spec, the authenticator model is very hand-wavy. The CTAP spec has the concrete model.
18:04:08 [angelo]
JC: why do I have to look at WebAuthn?
18:04:30 [angelo]
The CTAP WG and U2F WG are merged together.
18:04:58 [angelo]
jc: I am just worried I may have implemented the wrong thing.
18:06:14 [angelo]
JeffH: that's not well thought out yet. Having the implementers writing code would help work this through.
18:09:05 [wseltzer]
rrsagent, draft minutes
18:09:05 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/08/09-webauthn-minutes.html wseltzer
18:09:14 [wseltzer]
rrsagent, make logs public
18:09:19 [wseltzer]
rrsagent, draft minutes
18:09:19 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/08/09-webauthn-minutes.html wseltzer
18:09:46 [wseltzer]
Chairs: nadalin, jfontana
18:09:48 [wseltzer]
rrsagent, draft minutes
18:09:48 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/08/09-webauthn-minutes.html wseltzer
19:53:14 [weiler]
weiler has joined #webauthn
22:04:14 [Zakim]
Zakim has left #webauthn