16:55:26 <RRSAgent> RRSAgent has joined #webauthn
16:55:26 <RRSAgent> logging to https://www.w3.org/2018/08/08-webauthn-irc
16:55:28 <trackbot> RRSAgent, make logs public
16:55:28 <Zakim> Zakim has joined #webauthn
16:55:30 <trackbot> Meeting: Web Authentication Working Group Teleconference
16:55:30 <trackbot> Date: 08 August 2018
16:55:33 <weiler> present+ weiler
16:58:58 <weiler> present+ agl
17:00:51 <weiler> present+ Ketan
17:01:35 <mandyam> mandyam has joined #webauthn
17:02:20 <Ketan> Ketan has joined #webauthn
17:02:28 <mandyam> present+ gmandyam
17:02:57 <weiler> present+ nadalin
17:02:58 <elundberg> elundberg has joined #webauthn
17:03:06 <weiler> present+ Akshay
17:03:08 <elundberg> present+
17:03:34 <weiler> chair: nadalin
17:05:07 <jfontana> jfontana has joined #webauthn
17:05:30 <weiler> present+ jfontana
17:05:54 <elundberg> weiler: Chrome on my phone doesn't want to load the call URL in the agenda email
17:08:04 <jfontana> you had a mic for a bit and it was echoing
17:08:39 <jfontana> tony: yes, we did get updated CR draft out there
17:08:48 <jfontana> ...published
17:09:15 <jfontana> ...as far as IPR is concerned should be no issue going forward
17:09:26 <jfontana> ...we can get things closed in time for PR submission.
17:09:33 <jfontana> ...any qustions.
17:09:46 <jeffh> jeffh has joined #webauthn
17:09:54 <jeffh> present+ amazingly enuff
17:10:01 <jfontana> @weiler no comments on it. I have not looked at time tool.
17:10:04 <jeffh> present+
17:10:12 <jfontana> tony: I think we can keep up if we can get thse PRs and issues closed.
17:10:34 <weiler> present- amazingly, enuff
17:10:41 <jfontana> https://github.com/w3c/webauthn/pull/1021
17:10:52 <jfontana> tony: akshay has singed off on this.
17:11:13 <jfontana> ..no to enough acess rights , Mike can you do it. Yes.
17:11:43 <jfontana> https://github.com/w3c/webauthn/pull/1023
17:12:02 <jfontana> tony: we need emil to sign off on this. Mike has signed off
17:12:14 <jfontana> ....can we give Jeff same authority he had before.
17:12:22 <jfontana> @weiler that should be fine.
17:12:29 <jfontana> toney: jeffH can you merge
17:12:34 <jfontana> jeffH: I can do it.
17:12:51 <jfontana> @weiler on time line. should I send out snippet of timeline to everyone.
17:13:25 <jfontana> https://github.com/w3c/webauthn/pull/1024
17:13:44 <jfontana> tony: this is ready to go. Dominic? he does not have rights.
17:13:50 <jfontana> jeffH: I can do it
17:14:07 <jfontana> tony: we don't have PRs without milestones, lets look at issues.
17:14:33 <jfontana> tony: https://github.com/w3c/webauthn/issues/876
17:14:47 <jfontana> ...we had a decision on this.
17:15:08 <jfontana> ...we have 3 technical issues
17:15:43 <jfontana> ...#294, #1004, 876
17:16:12 <jfontana> ...#1014 also
17:16:17 <apowers> present+
17:16:50 <jfontana> selfissue: can I go back to 876. we can 't close until credman is fixed.
17:16:56 <jfontana> ...who can do PR
17:17:00 <jfontana> JeffH: I can
17:17:06 <jfontana> selfissue: I will add that
17:17:27 <jfontana> jeffH: i proposed it last week. I have work to do in credman and I will get to it next week.
17:18:00 <jfontana> https://github.com/w3c/webauthn/issues/1014
17:18:22 <jfontana> tony: not sure this is an issue
17:18:57 <jfontana> agl: we looked at this last week
17:19:11 <jfontana> tony: it is tagged an technical and i can't see it
17:19:20 <jfontana> jeffH: i think we agree we can pull technical tag
17:19:54 <jfontana> tony: i  think that gets us down to the last 3 technical issues.
17:20:29 <jfontana> ...we have #334, I don't think Christiaan is on the call today.
17:20:47 <weiler> present+ John_Bradley, selfissued
17:21:08 <jfontana> jeffH: there needs to be some clarification. And work I did with Emil on authenticator taxonomy. One could say it has been addressed to some degree, but it needs review or more detail
17:21:22 <jfontana> tony: who is good to review
17:21:27 <jfontana> ...akshay?
17:21:35 <jfontana> akshay: sure.
17:21:44 <jfontana> assigned to akshay and christiaan
17:22:01 <jfontana> https://github.com/w3c/webauthn/issues/358
17:22:05 <RRSAgent> I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
17:22:07 <jfontana> tony: assume jeffH is lookng at this
17:22:27 <jfontana> jeffH: we are not going to fix everything for PR, we have been chipping away at it
17:22:40 <RRSAgent> I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
17:22:44 <jfontana> https://github.com/w3c/webauthn/issues/403
17:22:50 <jfontana> jeffH: this is on my list to address
17:23:02 <jfontana> https://github.com/w3c/webauthn/issues/462
17:23:10 <jfontana> tony: this goes along with the duplicates.
17:23:15 <jfontana> ..you chipping away
17:23:19 <jfontana> jeffH: yes.
17:23:43 <jfontana> elundberg think there is some we can eliminate in # 462
17:23:55 <jfontana> https://github.com/w3c/webauthn/issues/578
17:24:20 <jfontana> tony: elundberg did you cover this with taxonomy
17:24:29 <jfontana> elundberg: I don't think so.
17:25:11 <jfontana> tony: would seem this might be a place this gets described also. can you look and this and incorporate?
17:25:35 <jfontana> elundberg: yes. will look at authenticator operations
17:25:52 <jfontana> https://github.com/w3c/webauthn/issues/585
17:26:48 <jfontana> tony: is it possible we wind up looking at server spec in FIDO re: RPs
17:27:41 <jfontana> jeffH: can we reference the server spec from FIDO.
17:27:46 <jfontana> tony: it should be public
17:28:02 <jfontana> heffH: someone can add a reference for it and we can wait for it to appear.
17:28:13 <jfontana> tony: I will make sure that goes public - FIDO server.
17:28:22 <jfontana> ...it is out for IPR review
17:28:33 <jfontana> ...we will make it a public document
17:29:30 <jfontana> apowers: the server spec is published
17:29:38 <jfontana> jeffH: we can reference it
17:29:45 <apowers> manu: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
17:29:50 <apowers> doh
17:30:14 <jfontana> https://github.com/w3c/webauthn/issues/704
17:30:20 <jfontana> jeffH: this is just editorial
17:30:29 <jfontana> https://github.com/w3c/webauthn/issues/733
17:30:44 <jfontana> jeffH: waiting for feedback from the accessibility people
17:30:55 <jfontana> tony: can we get a message to them, sam
17:31:06 <jfontana> @weiler: I can figure it out.
17:31:15 <jfontana> https://github.com/w3c/webauthn/issues/764
17:31:28 <jfontana> elundberg: not much was can do here
17:31:43 <jfontana> tony: not sure there is much we actually would want to do here. I can cause other issues
17:31:53 <jfontana> ...I suggest this winds up getting closed.
17:32:01 <jfontana> selfissue: closed or V2
17:32:28 <jfontana> tony: it comes down to authenticator selection, we can push it off or we can close it now.
17:33:06 <jfontana> agl: on the surface, this person is looking at silent authenticators, I am in favor of closing.
17:33:13 <jfontana> tony: I would agree on close
17:33:32 <jfontana> jeffH: close it with noted rational.
17:33:42 <jfontana> https://github.com/w3c/webauthn/issues/796
17:33:45 <jfontana> tony: cleanup
17:33:56 <jfontana> https://github.com/w3c/webauthn/issues/876
17:34:08 <jfontana> tony: back to this, we are OK with this
17:34:21 <jfontana> https://github.com/w3c/webauthn/issues/972
17:35:00 <jfontana> agl: this is awkward one. fido spec shows the whole complex thing, we want to reference the spec , but the spec is kind of nonsense and nobody does it.
17:35:10 <jfontana> ...I will take on PR and try to work that diplomatically
17:35:22 <jfontana> https://github.com/w3c/webauthn/issues/980
17:35:49 <jfontana> agl: might be some minor cleanup here. but in has AppID implications.
17:35:57 <jfontana> tony: we don't want to do that.
17:36:12 <jfontana> ... not sure a clarification would be any good in extension
17:36:27 <jfontana> agl: I think there is some confusion here.
17:37:13 <jfontana> ...would it help to clarify, but something in the issue
17:37:25 <jfontana> .... I will add a comment in the issue for Shane (author)
17:37:30 <jfontana> jeffH: that sounds good
17:37:44 <jfontana> https://github.com/w3c/webauthn/issues/981
17:38:09 <jfontana> jeffH: on this one, in FIDO registry there is , i think, 4 certificate flavors
17:38:30 <jfontana> ...this is kind of an interop thing. Shane has a good point here, what should RPs implement for?
17:39:05 <jfontana> ...this has broadened out, it might be good to constrain
17:39:19 <mandyam> q+
17:39:45 <weiler> ack ma
17:40:07 <jfontana> gmandyam: is algorithm re-specified in the cert chain?
17:40:31 <jfontana> agl: it's x509 tells you ..... can put anything in
17:41:23 <jfontana> elundberg: should we add a note  to refeence this registry that jeffH mentioned and say these 4 algorithms should be added
17:41:31 <jfontana> jeffH: I am putting in a comment now
17:42:38 <jfontana> agl: we could nail down more here
17:42:46 <jfontana> jeffH: you may want to
17:43:26 <jfontana> agl: as browsers implementing this spec, we pass what the token gives us. this is kind of a FIDO thing
17:43:42 <jfontana> elundberg: it is also related to assertion signatures.
17:44:00 <jfontana> ...could have any flavor for user keys, but need to support all key formats
17:44:11 <jfontana> agl: the assertion key is negotiated to some extent.
17:44:14 <jfontana> ..it has to work.
17:45:32 <jfontana> gmandyam: I ask about this at IETF. we have definitive algorithms and cert rules, it is up to RP whether they want to interpret or ignore
17:45:36 <jfontana> ...what else can you say
17:45:56 <jfontana> jbradley: which anything should I implement is the question from shane
17:46:16 <jfontana> gmandyam: fair enough, but jeff's concern in valid
17:47:30 <jfontana> agl: if you want interop, you do not force attestation
17:47:53 <jfontana> jbradley: the other thing is, this might be valuable in the FIDO metadata
17:48:12 <jfontana> jbradley: never mind this might be circular
17:48:42 <jfontana> tony: OK, any other discussion on #981
17:48:55 <jfontana> https://github.com/w3c/webauthn/issues/1012
17:49:03 <jfontana> tony: we have a PR open against, should be ok
17:49:14 <jfontana> ...we discussed #1014
17:49:21 <jfontana> ...and #1019 is just editorial
17:49:33 <jfontana> jeffH: elundberg is assigned.
17:49:43 <jfontana> tony: that takes us through the issues.
17:50:01 <jfontana> ...we have couple of open issued for triage.
17:50:38 <jfontana> https://github.com/w3c/webauthn/issues/1011
17:51:13 <jfontana> gmandyam: the PR does not remove Safety Net , it is just for augmentation.
17:51:36 <jfontana> ...we can close it, but it not something for L1 perhaps
17:51:43 <jfontana> tony: we can tackle in L2
17:51:54 <jfontana> gmandyam: sure
17:52:36 <jfontana> ...in Level2 timeframe there will products in market will have trust on attestation....it seems we can find a solution to position this so it is not a choice or of or the other
17:52:53 <RRSAgent> I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
17:52:55 <jfontana> https://github.com/w3c/webauthn/issues/1020
17:53:01 <jfontana> tony: is this in our scope
17:53:17 <jfontana> elundberg: I plan to add a comment. Hopefully there will be a fix.
17:53:39 <jfontana> JeffH: in could bring clarification in the spec
17:54:11 <jfontana> gmandyam: user can leverage what is in the browser
17:54:30 <jfontana> elundberg: we don't require implementers of web authn are not required to implement ctap
17:54:44 <jfontana> ...so it does not require external authenticators
17:55:01 <jfontana> gmandyam: isn't that the point
17:55:28 <jfontana> jeffH: summarize at bottom on issue, and he discusses risk... we know this. RPs can to things to accommodate this
17:55:36 <elundberg> s/hopefully there will be a fix/hopefully this will be a wontfix/
17:55:37 <jfontana> ...it goes back to use cases in #334
17:55:47 <jfontana> ..his point may be moot. and we need to explain it better.
17:55:55 <jfontana> selfissue: can you add that to #334
17:56:02 <jfontana> jeffH: sure
17:56:12 <jfontana> tony: last one is 1022
17:56:22 <jfontana> https://github.com/w3c/webauthn/issues/1022
17:56:45 <jfontana> tony: looks like we are doing this today, but it is not document well
17:56:56 <jfontana> tony: agl I will assign this one to you
17:57:05 <jfontana> ...that is all I have for today.
17:57:10 <jfontana> ..anything else?
17:58:04 <jfontana> elundberg: I am a bit worried aobut lcient operations we have , we have 3-4 ways to abort and return error. I am worried we might not be clear.
17:58:13 <jfontana> tony: can you put it into level 2
17:58:48 <jfontana> selfissue: I have editorial question. the current CR is not listed in the set of previous versions
17:59:07 <jfontana> jeffH: we typically had to add that manually after the editor's draft.
17:59:25 <jfontana> selfissue: I will create an issue and assign it to...
17:59:29 <jfontana> tony: sam
17:59:53 <jfontana> @weiler: were there any working drafts issued between the two CRS
17:59:59 <jfontana> tony: not that i am aware of
18:00:14 <jfontana> @weiler: you want the editor's draft to show that?
18:00:21 <jfontana> tony: yes.
18:00:27 <RRSAgent> I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
19:47:43 <Zakim> Zakim has left #webauthn