IRC log of webauthn on 2018-08-08
Timestamps are in UTC.
- 16:55:26 [RRSAgent]
- RRSAgent has joined #webauthn
- 16:55:26 [RRSAgent]
- logging to https://www.w3.org/2018/08/08-webauthn-irc
- 16:55:28 [trackbot]
- RRSAgent, make logs public
- 16:55:28 [Zakim]
- Zakim has joined #webauthn
- 16:55:30 [trackbot]
- Meeting: Web Authentication Working Group Teleconference
- 16:55:30 [trackbot]
- Date: 08 August 2018
- 16:55:33 [weiler]
- present+ weiler
- 16:58:58 [weiler]
- present+ agl
- 17:00:51 [weiler]
- present+ Ketan
- 17:01:35 [mandyam]
- mandyam has joined #webauthn
- 17:02:20 [Ketan]
- Ketan has joined #webauthn
- 17:02:28 [mandyam]
- present+ gmandyam
- 17:02:57 [weiler]
- present+ nadalin
- 17:02:58 [elundberg]
- elundberg has joined #webauthn
- 17:03:06 [weiler]
- present+ Akshay
- 17:03:08 [elundberg]
- present+
- 17:03:34 [weiler]
- chair: nadalin
- 17:05:07 [jfontana]
- jfontana has joined #webauthn
- 17:05:30 [weiler]
- present+ jfontana
- 17:05:54 [elundberg]
- weiler: Chrome on my phone doesn't want to load the call URL in the agenda email
- 17:08:04 [jfontana]
- you had a mic for a bit and it was echoing
- 17:08:39 [jfontana]
- tony: yes, we did get updated CR draft out there
- 17:08:48 [jfontana]
- ...published
- 17:09:15 [jfontana]
- ...as far as IPR is concerned should be no issue going forward
- 17:09:26 [jfontana]
- ...we can get things closed in time for PR submission.
- 17:09:33 [jfontana]
- ...any qustions.
- 17:09:46 [jeffh]
- jeffh has joined #webauthn
- 17:09:54 [jeffh]
- present+ amazingly enuff
- 17:10:01 [jfontana]
- @weiler no comments on it. I have not looked at time tool.
- 17:10:04 [jeffh]
- present+
- 17:10:12 [jfontana]
- tony: I think we can keep up if we can get thse PRs and issues closed.
- 17:10:34 [weiler]
- present- amazingly, enuff
- 17:10:41 [jfontana]
- https://github.com/w3c/webauthn/pull/1021
- 17:10:52 [jfontana]
- tony: akshay has singed off on this.
- 17:11:13 [jfontana]
- ..no to enough acess rights , Mike can you do it. Yes.
- 17:11:43 [jfontana]
- https://github.com/w3c/webauthn/pull/1023
- 17:12:02 [jfontana]
- tony: we need emil to sign off on this. Mike has signed off
- 17:12:14 [jfontana]
- ....can we give Jeff same authority he had before.
- 17:12:22 [jfontana]
- @weiler that should be fine.
- 17:12:29 [jfontana]
- toney: jeffH can you merge
- 17:12:34 [jfontana]
- jeffH: I can do it.
- 17:12:51 [jfontana]
- @weiler on time line. should I send out snippet of timeline to everyone.
- 17:13:25 [jfontana]
- https://github.com/w3c/webauthn/pull/1024
- 17:13:44 [jfontana]
- tony: this is ready to go. Dominic? he does not have rights.
- 17:13:50 [jfontana]
- jeffH: I can do it
- 17:14:07 [jfontana]
- tony: we don't have PRs without milestones, lets look at issues.
- 17:14:33 [jfontana]
- tony: https://github.com/w3c/webauthn/issues/876
- 17:14:47 [jfontana]
- ...we had a decision on this.
- 17:15:08 [jfontana]
- ...we have 3 technical issues
- 17:15:43 [jfontana]
- ...#294, #1004, 876
- 17:16:12 [jfontana]
- ...#1014 also
- 17:16:17 [apowers]
- present+
- 17:16:50 [jfontana]
- selfissue: can I go back to 876. we can 't close until credman is fixed.
- 17:16:56 [jfontana]
- ...who can do PR
- 17:17:00 [jfontana]
- JeffH: I can
- 17:17:06 [jfontana]
- selfissue: I will add that
- 17:17:27 [jfontana]
- jeffH: i proposed it last week. I have work to do in credman and I will get to it next week.
- 17:18:00 [jfontana]
- https://github.com/w3c/webauthn/issues/1014
- 17:18:22 [jfontana]
- tony: not sure this is an issue
- 17:18:57 [jfontana]
- agl: we looked at this last week
- 17:19:11 [jfontana]
- tony: it is tagged an technical and i can't see it
- 17:19:20 [jfontana]
- jeffH: i think we agree we can pull technical tag
- 17:19:54 [jfontana]
- tony: i think that gets us down to the last 3 technical issues.
- 17:20:29 [jfontana]
- ...we have #334, I don't think Christiaan is on the call today.
- 17:20:47 [weiler]
- present+ John_Bradley, selfissued
- 17:21:08 [jfontana]
- jeffH: there needs to be some clarification. And work I did with Emil on authenticator taxonomy. One could say it has been addressed to some degree, but it needs review or more detail
- 17:21:22 [jfontana]
- tony: who is good to review
- 17:21:27 [jfontana]
- ...akshay?
- 17:21:35 [jfontana]
- akshay: sure.
- 17:21:44 [jfontana]
- assigned to akshay and christiaan
- 17:22:01 [jfontana]
- https://github.com/w3c/webauthn/issues/358
- 17:22:05 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
- 17:22:07 [jfontana]
- tony: assume jeffH is lookng at this
- 17:22:27 [jfontana]
- jeffH: we are not going to fix everything for PR, we have been chipping away at it
- 17:22:40 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
- 17:22:44 [jfontana]
- https://github.com/w3c/webauthn/issues/403
- 17:22:50 [jfontana]
- jeffH: this is on my list to address
- 17:23:02 [jfontana]
- https://github.com/w3c/webauthn/issues/462
- 17:23:10 [jfontana]
- tony: this goes along with the duplicates.
- 17:23:15 [jfontana]
- ..you chipping away
- 17:23:19 [jfontana]
- jeffH: yes.
- 17:23:43 [jfontana]
- elundberg think there is some we can eliminate in # 462
- 17:23:55 [jfontana]
- https://github.com/w3c/webauthn/issues/578
- 17:24:20 [jfontana]
- tony: elundberg did you cover this with taxonomy
- 17:24:29 [jfontana]
- elundberg: I don't think so.
- 17:25:11 [jfontana]
- tony: would seem this might be a place this gets described also. can you look and this and incorporate?
- 17:25:35 [jfontana]
- elundberg: yes. will look at authenticator operations
- 17:25:52 [jfontana]
- https://github.com/w3c/webauthn/issues/585
- 17:26:48 [jfontana]
- tony: is it possible we wind up looking at server spec in FIDO re: RPs
- 17:27:41 [jfontana]
- jeffH: can we reference the server spec from FIDO.
- 17:27:46 [jfontana]
- tony: it should be public
- 17:28:02 [jfontana]
- heffH: someone can add a reference for it and we can wait for it to appear.
- 17:28:13 [jfontana]
- tony: I will make sure that goes public - FIDO server.
- 17:28:22 [jfontana]
- ...it is out for IPR review
- 17:28:33 [jfontana]
- ...we will make it a public document
- 17:29:30 [jfontana]
- apowers: the server spec is published
- 17:29:38 [jfontana]
- jeffH: we can reference it
- 17:29:45 [apowers]
- manu: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
- 17:29:50 [apowers]
- doh
- 17:30:14 [jfontana]
- https://github.com/w3c/webauthn/issues/704
- 17:30:20 [jfontana]
- jeffH: this is just editorial
- 17:30:29 [jfontana]
- https://github.com/w3c/webauthn/issues/733
- 17:30:44 [jfontana]
- jeffH: waiting for feedback from the accessibility people
- 17:30:55 [jfontana]
- tony: can we get a message to them, sam
- 17:31:06 [jfontana]
- @weiler: I can figure it out.
- 17:31:15 [jfontana]
- https://github.com/w3c/webauthn/issues/764
- 17:31:28 [jfontana]
- elundberg: not much was can do here
- 17:31:43 [jfontana]
- tony: not sure there is much we actually would want to do here. I can cause other issues
- 17:31:53 [jfontana]
- ...I suggest this winds up getting closed.
- 17:32:01 [jfontana]
- selfissue: closed or V2
- 17:32:28 [jfontana]
- tony: it comes down to authenticator selection, we can push it off or we can close it now.
- 17:33:06 [jfontana]
- agl: on the surface, this person is looking at silent authenticators, I am in favor of closing.
- 17:33:13 [jfontana]
- tony: I would agree on close
- 17:33:32 [jfontana]
- jeffH: close it with noted rational.
- 17:33:42 [jfontana]
- https://github.com/w3c/webauthn/issues/796
- 17:33:45 [jfontana]
- tony: cleanup
- 17:33:56 [jfontana]
- https://github.com/w3c/webauthn/issues/876
- 17:34:08 [jfontana]
- tony: back to this, we are OK with this
- 17:34:21 [jfontana]
- https://github.com/w3c/webauthn/issues/972
- 17:35:00 [jfontana]
- agl: this is awkward one. fido spec shows the whole complex thing, we want to reference the spec , but the spec is kind of nonsense and nobody does it.
- 17:35:10 [jfontana]
- ...I will take on PR and try to work that diplomatically
- 17:35:22 [jfontana]
- https://github.com/w3c/webauthn/issues/980
- 17:35:49 [jfontana]
- agl: might be some minor cleanup here. but in has AppID implications.
- 17:35:57 [jfontana]
- tony: we don't want to do that.
- 17:36:12 [jfontana]
- ... not sure a clarification would be any good in extension
- 17:36:27 [jfontana]
- agl: I think there is some confusion here.
- 17:37:13 [jfontana]
- ...would it help to clarify, but something in the issue
- 17:37:25 [jfontana]
- .... I will add a comment in the issue for Shane (author)
- 17:37:30 [jfontana]
- jeffH: that sounds good
- 17:37:44 [jfontana]
- https://github.com/w3c/webauthn/issues/981
- 17:38:09 [jfontana]
- jeffH: on this one, in FIDO registry there is , i think, 4 certificate flavors
- 17:38:30 [jfontana]
- ...this is kind of an interop thing. Shane has a good point here, what should RPs implement for?
- 17:39:05 [jfontana]
- ...this has broadened out, it might be good to constrain
- 17:39:19 [mandyam]
- q+
- 17:39:45 [weiler]
- ack ma
- 17:40:07 [jfontana]
- gmandyam: is algorithm re-specified in the cert chain?
- 17:40:31 [jfontana]
- agl: it's x509 tells you ..... can put anything in
- 17:41:23 [jfontana]
- elundberg: should we add a note to refeence this registry that jeffH mentioned and say these 4 algorithms should be added
- 17:41:31 [jfontana]
- jeffH: I am putting in a comment now
- 17:42:38 [jfontana]
- agl: we could nail down more here
- 17:42:46 [jfontana]
- jeffH: you may want to
- 17:43:26 [jfontana]
- agl: as browsers implementing this spec, we pass what the token gives us. this is kind of a FIDO thing
- 17:43:42 [jfontana]
- elundberg: it is also related to assertion signatures.
- 17:44:00 [jfontana]
- ...could have any flavor for user keys, but need to support all key formats
- 17:44:11 [jfontana]
- agl: the assertion key is negotiated to some extent.
- 17:44:14 [jfontana]
- ..it has to work.
- 17:45:32 [jfontana]
- gmandyam: I ask about this at IETF. we have definitive algorithms and cert rules, it is up to RP whether they want to interpret or ignore
- 17:45:36 [jfontana]
- ...what else can you say
- 17:45:56 [jfontana]
- jbradley: which anything should I implement is the question from shane
- 17:46:16 [jfontana]
- gmandyam: fair enough, but jeff's concern in valid
- 17:47:30 [jfontana]
- agl: if you want interop, you do not force attestation
- 17:47:53 [jfontana]
- jbradley: the other thing is, this might be valuable in the FIDO metadata
- 17:48:12 [jfontana]
- jbradley: never mind this might be circular
- 17:48:42 [jfontana]
- tony: OK, any other discussion on #981
- 17:48:55 [jfontana]
- https://github.com/w3c/webauthn/issues/1012
- 17:49:03 [jfontana]
- tony: we have a PR open against, should be ok
- 17:49:14 [jfontana]
- ...we discussed #1014
- 17:49:21 [jfontana]
- ...and #1019 is just editorial
- 17:49:33 [jfontana]
- jeffH: elundberg is assigned.
- 17:49:43 [jfontana]
- tony: that takes us through the issues.
- 17:50:01 [jfontana]
- ...we have couple of open issued for triage.
- 17:50:38 [jfontana]
- https://github.com/w3c/webauthn/issues/1011
- 17:51:13 [jfontana]
- gmandyam: the PR does not remove Safety Net , it is just for augmentation.
- 17:51:36 [jfontana]
- ...we can close it, but it not something for L1 perhaps
- 17:51:43 [jfontana]
- tony: we can tackle in L2
- 17:51:54 [jfontana]
- gmandyam: sure
- 17:52:36 [jfontana]
- ...in Level2 timeframe there will products in market will have trust on attestation....it seems we can find a solution to position this so it is not a choice or of or the other
- 17:52:53 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
- 17:52:55 [jfontana]
- https://github.com/w3c/webauthn/issues/1020
- 17:53:01 [jfontana]
- tony: is this in our scope
- 17:53:17 [jfontana]
- elundberg: I plan to add a comment. Hopefully there will be a fix.
- 17:53:39 [jfontana]
- JeffH: in could bring clarification in the spec
- 17:54:11 [jfontana]
- gmandyam: user can leverage what is in the browser
- 17:54:30 [jfontana]
- elundberg: we don't require implementers of web authn are not required to implement ctap
- 17:54:44 [jfontana]
- ...so it does not require external authenticators
- 17:55:01 [jfontana]
- gmandyam: isn't that the point
- 17:55:28 [jfontana]
- jeffH: summarize at bottom on issue, and he discusses risk... we know this. RPs can to things to accommodate this
- 17:55:36 [elundberg]
- s/hopefully there will be a fix/hopefully this will be a wontfix/
- 17:55:37 [jfontana]
- ...it goes back to use cases in #334
- 17:55:47 [jfontana]
- ..his point may be moot. and we need to explain it better.
- 17:55:55 [jfontana]
- selfissue: can you add that to #334
- 17:56:02 [jfontana]
- jeffH: sure
- 17:56:12 [jfontana]
- tony: last one is 1022
- 17:56:22 [jfontana]
- https://github.com/w3c/webauthn/issues/1022
- 17:56:45 [jfontana]
- tony: looks like we are doing this today, but it is not document well
- 17:56:56 [jfontana]
- tony: agl I will assign this one to you
- 17:57:05 [jfontana]
- ...that is all I have for today.
- 17:57:10 [jfontana]
- ..anything else?
- 17:58:04 [jfontana]
- elundberg: I am a bit worried aobut lcient operations we have , we have 3-4 ways to abort and return error. I am worried we might not be clear.
- 17:58:13 [jfontana]
- tony: can you put it into level 2
- 17:58:48 [jfontana]
- selfissue: I have editorial question. the current CR is not listed in the set of previous versions
- 17:59:07 [jfontana]
- jeffH: we typically had to add that manually after the editor's draft.
- 17:59:25 [jfontana]
- selfissue: I will create an issue and assign it to...
- 17:59:29 [jfontana]
- tony: sam
- 17:59:53 [jfontana]
- @weiler: were there any working drafts issued between the two CRS
- 17:59:59 [jfontana]
- tony: not that i am aware of
- 18:00:14 [jfontana]
- @weiler: you want the editor's draft to show that?
- 18:00:21 [jfontana]
- tony: yes.
- 18:00:27 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
- 19:47:43 [Zakim]
- Zakim has left #webauthn