17:08:07 RRSAgent has joined #webauthn
17:08:07 logging to http://www.w3.org/2017/10/11-webauthn-irc
17:08:09 RRSAgent, make logs public
17:08:09 Zakim has joined #webauthn
17:08:11 Meeting: Web Authentication Working Group Teleconference
17:08:11 Date: 11 October 2017
17:08:15 scribenick: jcj_moz
17:08:27 present+
17:08:29 jeffh has joined #webauthn
17:08:40 present+
17:08:43 john: There's an agenda in everyone's email
17:08:55 ... We'll go through 4, 5, 6 and then pick up again at 2PM PST
17:09:06 ... We want to go through all the PRs so we can publish WD-07 by the target date, 3 Nov
17:09:20 present+
17:09:31 present+
17:10:48 selfissued has joined #webauthn
17:11:58 jfontana has joined #webauthn
17:12:38 starting with #548
17:13:12 John: https://github.com/w3c/webauthn/issues/584
17:15:02 (we are setting up screen sharing)
17:16:47 gmandyam has joined #webauthn
17:17:03 present+ gmandyam
17:17:45 christiaan: We think this might no longer be an issue, because the hash of the client data has more information than just the RP ID
17:18:00 ... so we think maybe this is not needed anymore and we can just close this
17:18:58 rolf: Can we jump to #597?
17:19:10 john: OK, let's close down 584
17:19:29 ... now https://github.com/w3c/webauthn/pull/597
17:20:09 rolf: I hope we can pull the trigger on this
17:20:23 Alex: Microsoft doesn't understand what this issue was
17:20:54 rolf: Signature counter not described at the right level. Some vendors want to be able to opt out.
17:21:26 Alex: Is there math to show that there is a privacy issue?
17:21:55 rolf: No.
17:23:11 Rolf: Some authenticators might not want to persist this
17:23:39 John Bradley: This was from Adam Langley, about correlating counters
17:24:48 present+
17:25:05 Alex: I do not want to lose this feature for a theoretical attack
17:26:13 John Bradley: Some argue that RPs won't use this counter the way it's defined
17:28:18 Dirk: We disallow tokens that are malfunctioning at Google
17:29:32 (a fire alarm goes off)
17:31:04 Rolf: This is easy to handle on the server side, some having the counter and some don't.
17:31:47 Mike Jones: To the extent that we're not bifurcating the behaviors that are allowed, code is simpler
17:33:34 Mike Jones: In general for protocol design, if you give people multiple ways to do things it generates interop problems
17:34:48 Rolf: So this is PR 539
17:34:59 https://github.com/w3c/webauthn/pull/539
17:35:21 jfontana: We'll table this until the Microsoft folks get back
17:35:42 jfontana: now https://github.com/w3c/webauthn/pull/498
17:36:04 jeffh: This is not ready yet
17:36:42 ... We can probably do the webauthn side without waiting for credman
17:36:58 jfontana: let's move on then
17:37:23 jeffh: oh and I want to thank jyasskin for his help
17:37:44 jfontana: Now #544 https://github.com/w3c/webauthn/pull/544
17:37:54 (Angelo is here)
17:38:26 angelo: Not a lot of objections to making this work
17:39:10 jcj_moz wants our DOM masters to look at this. They need to review
17:40:34 jcj_moz is asking annevk to review
17:41:02 Angelo: ... so it still needs work
17:41:08 jfontana: https://github.com/w3c/webauthn/pull/600
17:41:24 jeffh: I've reviewed this
17:41:32 jfontana: jeffh, can you merge this?
17:41:42 jfontana: Now https://github.com/w3c/webauthn/pull/602
17:43:27 jcj_moz: We should start a list of PRs to review and merge this afternoon, and start with 602
17:43:30 jfontana: OK
17:43:40 jfontana: https://github.com/w3c/webauthn/pull/603
17:43:48 ... is that also a candidate for that list?
17:44:01 jeffh: yes
17:44:41 jfontana: https://github.com/w3c/webauthn/pull/604
17:45:50 jeffh: I'll add this to the WD-07 milestone and add it to the review list this afternoon
17:45:59 (Alex has returned)
17:46:10 jfontana: Let's start again on 597 and 539
17:48:42 present+ jfontana, weiler, ChristiaanBrand, JakobEhrensvard, AkshayKumar, apowers
17:49:00 Akshay: I want to merge 539 and close 597, I think 539 is closer to what we're talking through here
17:49:10 ... and then we can open a PR to make sure the counter is mandatory
17:49:20 present+ JohnBradley
17:50:49 present+ Rolf
17:51:28 (Rolf gives a 60 second summary of #539)
17:55:42 JakobEhrensvard: Does this cover U2F makeCredential?
17:55:44 jcj_moz: Yes
17:56:01 jfontana: If we do 539 versus 597 are we leaving something on the table?
17:56:13 AkshayKumar: No, they are alternatives
17:57:34 jcj_moz: So AkshayKumar will open a follow-on, rolf will update the PR, and we will merge it
17:57:36 present+ AlexRadutsky
17:57:38 jfontana: Yes
17:58:24 jfontana: So ... 604?
17:58:39 jfontana: Now 607
17:58:44 https://github.com/w3c/webauthn/pull/607
18:00:52 present+ nadalin
18:00:54 jfontana: let's coffee break
18:01:26 rrsagent, draft minutes
18:01:26 I have made the request to generate http://www.w3.org/2017/10/11-webauthn-minutes.html weiler
18:01:36 rrsagent, make logs public
18:13:00 elundberg has joined #webauthn
18:14:07 https://github.com/w3c/webauthn/pull/611
18:18:19 jeffh: Let's add this to the list, #611, for this afternoon
18:18:47 https://github.com/w3c/webauthn/pull/614
18:18:58 jfontana: elundberg, can you give us the rundown of https://github.com/w3c/webauthn/pull/614
18:20:29 jfontana: please merge 614
18:20:36 jfontana: https://github.com/w3c/webauthn/pull/615
18:21:01 jcj_moz: Already r+'d
18:21:37 jfontana: ok to merge 615
18:22:08 elundberg_ has joined #webauthn
18:22:25 jfontana: https://github.com/w3c/webauthn/pull/617
18:23:00 jcj_moz: Out of date, closed
18:23:29 jfontana: https://github.com/w3c/webauthn/pull/619
18:32:33 selfissued: Let's defer discussing this until we get Angelo back on the call
18:32:41 jfontana: https://github.com/w3c/webauthn/issues/620
18:34:03 jfontana: Will add this to the review list
18:34:38 AkshayKumar: The credential ID in this PR has two forms
18:34:48 ... it can be random, or a hash of a public key
18:35:12 jyasskin: I shouldn't say random if it is a hash
18:35:26 AkshayKumar: I think this makes sense
18:40:29 jyasskin: Make sure my definitions are good, jeffh
18:53:35 scribenick: weiler
18:54:09 https://github.com/w3c/webauthn/issues/537
18:54:14 "Make create() and get() abortable"
18:54:19 jeffh: will be fixed by 618?
18:54:50 jcj_moz: The JS->CBOR conversion is often specified in "Authenticator extension input", and the reverse is in "Client extension output".
18:55:25 https://github.com/w3c/webauthn/issues/547
18:55:43 selfissued: the COSE algs are well-specified. This should be closed.
18:58:35 breaking for 1 hour; resuming 4pm EDT, 1pm PDT
19:38:22 angelo has joined #webauthn
20:00:17 resuming.
20:04:07 Jeff Hodges says that #498 is making progress but is still not ready to merge
20:05:08 present+ angelo
20:05:26 present+ dirk
20:06:29 chair: jfontana
20:07:45 elundberg has joined #webauthn
20:08:05 Dirk: I left Sydney with the homework of figuring out how to shorten these names
20:11:53 We're talking about https://github.com/w3c/webauthn/pull/582 - Restore identifier alignment with CTAP and WD-06
20:27:14 https://github.com/w3c/webauthn/issues?page=2&q=is%3Aopen+is%3Aissue+milestone%3AWD-07
20:27:39 updated sort: https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AWD-07+sort%3Acreated-asc
20:30:00 proposing to close 238 as a duplicate of issue 537 / PR 544.
20:31:02 https://github.com/w3c/webauthn/issues/292
20:35:49 angelo: I think this is a corner-case race condition. Even specifying this will not help much.
20:36:25 jcj: a race condition here is a sign of miscreance.
20:37:28 we're not sure what to do with this. ....
20:38:24 should say something in impl. considerations. Will know more once we have multiple transports.
20:38:58 https://github.com/w3c/webauthn/issues/374 restrict WebAuthentication API to only top level browsing context
20:43:16 angelo: idea #1: have the UI show the source. #2 feature policy. #3 tell credman to open up.
20:43:23 https://github.com/w3c/webappsec-credential-management/issues/3
20:43:25 ... recommend #3.
20:43:32 that is the credman issue
20:45:45 alexei: chrome/goog is thinking that it is OK if a non-top-level browsing context calls into navigator.credentials.{create,get}, that that is OK if and only if there is explicit user interaction that explains what origin is doing what
20:47:43 angelo: three positions on this: (1) show user explicit UI, (2) rely upon "feature policy" spec that allows top-level browser context to set policy down the context stack, (3) just relax the restriction that is presently in Credman
20:48:08 ... and Mike Jones has a fourth option
20:50:10 alexei: (explains context to mikej) notes that proposal (0) is leave things as-is
20:51:15 jcj_moz: notes that (3) is not "just screw privacy" -- there are actual security issues in here
20:52:03 mikej: while we build experimental versions, maybe we should be lenient, and in the meantime collect data and discuss with credman folks e.g. mkwst et al to tighten it down later....
20:52:37 alexei: easier to keep restrictions now and relax them later, than the opposite
20:55:14 alexei, jcj_moz, angelo:
20:55:50 angelo: in looking at schedules, does not think the feature policy spec is viable in our timeline...
20:56:40 personally speaking, I do think feature policy is the optimum solution
20:57:18 alexei & jcj_moz: do not think feature policy will solve this completely... and yes there are timing issues
20:57:18 notwithstanding the schedule
21:01:47 https://github.com/w3c/webauthn/issues/380
21:08:08 gmandyam has joined #webauthn
21:15:26 https://github.com/w3c/webauthn/issues/524
21:16:12 ^ punting to L2
21:16:22 https://github.com/w3c/webauthn/issues/535 gets addressed by 498
21:16:45 https://github.com/w3c/webauthn/issues/536
21:20:14 gmandyam has joined #webauthn
21:26:35 https://github.com/w3c/webauthn/pull/557
21:33:38 https://www.w3.org/TR/WebCryptoAPI/#JsonWebKey-dictionary
21:53:51 q+
21:59:26 q?
21:59:32 q-
21:59:41 ack gmandyam
21:59:45 JC said that at most he could support adding get methods that return data in different formats. He doesn't support duplicating data.
22:00:21 We have a principle across the web platform to provide APIs to enable an extensible web platform
22:00:56 We provided complicated data structures so that developers can build frameworks on top of them
22:01:02 jfontana has joined #webauthN
22:01:48 Angelo said that as a browser vendor, he doesn't see why they would want to write the extra get methods when applications can do that themselves
22:02:11 jfontana has joined #webauthN
22:02:13 q+
22:02:23 JC - I don't want to change the dictionaries and I don't want to duplicate the data
22:02:48 The general direction in the past few years across the web platform is to write basic APIs such as WebAssembly to allow developers to build on top of
22:07:07 https://github.com/w3c/webauthn/issues/557 include public key in result from create() #557
22:07:25 JC will close #557
22:07:31 was not consensus. Closing it as "won't fix"
22:08:35 630 has been merged.
22:08:56 https://github.com/w3c/webauthn/pull/620 and https://github.com/w3c/webauthn/pull/623
22:09:00 https://github.com/w3c/webauthn/pull/623
22:10:17 rolf: this redefinition of Credential ID does not make sense to me.
22:31:57 https://github.com/w3c/webauthn/issues/561
22:32:01 and https://github.com/w3c/webauthn/issues/560
23:04:51 q+
23:11:42 emil: sees no value in this w/o the attestation.
23:12:14 long discussion of the value of webauthn w/o attestations. Christiaan: sees a use for unphishable auth even w/o attestation
23:12:23 ack el
23:21:31 https://github.com/w3c/webauthn/issues/628
23:47:01 conclusion: should write up the PR (Dirk), and prioritize the conversation.
23:58:07 list of PRs that need work: 602, 603, 604 (editorial), 539 (needs work), 607, 611, 620 (editorial?), 623, 624, 498 (complex), 520-23.
23:58:46 634 fixes 564
23:58:53 https://github.com/w3c/webauthn/pull/634
23:59:12 I'd like to request that y'all approve and merge https://github.com/w3c/webauthn/pull/602 and https://github.com/w3c/webauthn/pull/603. They tend to conflict with other patches, and merging them will also make other patches easier to write clearly.