IRC log of webauthn on 2018-08-08

Timestamps are in UTC.

16:55:26 [RRSAgent]
RRSAgent has joined #webauthn
16:55:26 [RRSAgent]
logging to https://www.w3.org/2018/08/08-webauthn-irc
16:55:28 [trackbot]
RRSAgent, make logs public
16:55:28 [Zakim]
Zakim has joined #webauthn
16:55:30 [trackbot]
Meeting: Web Authentication Working Group Teleconference
16:55:30 [trackbot]
Date: 08 August 2018
16:55:33 [weiler]
present+ weiler
16:58:58 [weiler]
present+ agl
17:00:51 [weiler]
present+ Ketan
17:01:35 [mandyam]
mandyam has joined #webauthn
17:02:20 [Ketan]
Ketan has joined #webauthn
17:02:28 [mandyam]
present+ gmandyam
17:02:57 [weiler]
present+ nadalin
17:02:58 [elundberg]
elundberg has joined #webauthn
17:03:06 [weiler]
present+ Akshay
17:03:08 [elundberg]
present+
17:03:34 [weiler]
chair: nadalin
17:05:07 [jfontana]
jfontana has joined #webauthn
17:05:30 [weiler]
present+ jfontana
17:05:54 [elundberg]
weiler: Chrome on my phone doesn't want to load the call URL in the agenda email
17:08:04 [jfontana]
you had a mic for a bit and it was echoing
17:08:39 [jfontana]
tony: yes, we did get updated CR draft out there
17:08:48 [jfontana]
...published
17:09:15 [jfontana]
...as far as IPR is concerned should be no issue going forward
17:09:26 [jfontana]
...we can get things closed in time for PR submission.
17:09:33 [jfontana]
...any qustions.
17:09:46 [jeffh]
jeffh has joined #webauthn
17:09:54 [jeffh]
present+ amazingly enuff
17:10:01 [jfontana]
@weiler no comments on it. I have not looked at time tool.
17:10:04 [jeffh]
present+
17:10:12 [jfontana]
tony: I think we can keep up if we can get thse PRs and issues closed.
17:10:34 [weiler]
present- amazingly, enuff
17:10:41 [jfontana]
https://github.com/w3c/webauthn/pull/1021
17:10:52 [jfontana]
tony: akshay has singed off on this.
17:11:13 [jfontana]
..no to enough acess rights , Mike can you do it. Yes.
17:11:43 [jfontana]
https://github.com/w3c/webauthn/pull/1023
17:12:02 [jfontana]
tony: we need emil to sign off on this. Mike has signed off
17:12:14 [jfontana]
....can we give Jeff same authority he had before.
17:12:22 [jfontana]
@weiler that should be fine.
17:12:29 [jfontana]
toney: jeffH can you merge
17:12:34 [jfontana]
jeffH: I can do it.
17:12:51 [jfontana]
@weiler on time line. should I send out snippet of timeline to everyone.
17:13:25 [jfontana]
https://github.com/w3c/webauthn/pull/1024
17:13:44 [jfontana]
tony: this is ready to go. Dominic? he does not have rights.
17:13:50 [jfontana]
jeffH: I can do it
17:14:07 [jfontana]
tony: we don't have PRs without milestones, lets look at issues.
17:14:33 [jfontana]
tony: https://github.com/w3c/webauthn/issues/876
17:14:47 [jfontana]
...we had a decision on this.
17:15:08 [jfontana]
...we have 3 technical issues
17:15:43 [jfontana]
...#294, #1004, 876
17:16:12 [jfontana]
...#1014 also
17:16:17 [apowers]
present+
17:16:50 [jfontana]
selfissue: can I go back to 876. we can 't close until credman is fixed.
17:16:56 [jfontana]
...who can do PR
17:17:00 [jfontana]
JeffH: I can
17:17:06 [jfontana]
selfissue: I will add that
17:17:27 [jfontana]
jeffH: i proposed it last week. I have work to do in credman and I will get to it next week.
17:18:00 [jfontana]
https://github.com/w3c/webauthn/issues/1014
17:18:22 [jfontana]
tony: not sure this is an issue
17:18:57 [jfontana]
agl: we looked at this last week
17:19:11 [jfontana]
tony: it is tagged an technical and i can't see it
17:19:20 [jfontana]
jeffH: i think we agree we can pull technical tag
17:19:54 [jfontana]
tony: i think that gets us down to the last 3 technical issues.
17:20:29 [jfontana]
...we have #334, I don't think Christiaan is on the call today.
17:20:47 [weiler]
present+ John_Bradley, selfissued
17:21:08 [jfontana]
jeffH: there needs to be some clarification. And work I did with Emil on authenticator taxonomy. One could say it has been addressed to some degree, but it needs review or more detail
17:21:22 [jfontana]
tony: who is good to review
17:21:27 [jfontana]
...akshay?
17:21:35 [jfontana]
akshay: sure.
17:21:44 [jfontana]
assigned to akshay and christiaan
17:22:01 [jfontana]
https://github.com/w3c/webauthn/issues/358
17:22:05 [RRSAgent]
I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
17:22:07 [jfontana]
tony: assume jeffH is lookng at this
17:22:27 [jfontana]
jeffH: we are not going to fix everything for PR, we have been chipping away at it
17:22:40 [RRSAgent]
I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
17:22:44 [jfontana]
https://github.com/w3c/webauthn/issues/403
17:22:50 [jfontana]
jeffH: this is on my list to address
17:23:02 [jfontana]
https://github.com/w3c/webauthn/issues/462
17:23:10 [jfontana]
tony: this goes along with the duplicates.
17:23:15 [jfontana]
..you chipping away
17:23:19 [jfontana]
jeffH: yes.
17:23:43 [jfontana]
elundberg think there is some we can eliminate in # 462
17:23:55 [jfontana]
https://github.com/w3c/webauthn/issues/578
17:24:20 [jfontana]
tony: elundberg did you cover this with taxonomy
17:24:29 [jfontana]
elundberg: I don't think so.
17:25:11 [jfontana]
tony: would seem this might be a place this gets described also. can you look and this and incorporate?
17:25:35 [jfontana]
elundberg: yes. will look at authenticator operations
17:25:52 [jfontana]
https://github.com/w3c/webauthn/issues/585
17:26:48 [jfontana]
tony: is it possible we wind up looking at server spec in FIDO re: RPs
17:27:41 [jfontana]
jeffH: can we reference the server spec from FIDO.
17:27:46 [jfontana]
tony: it should be public
17:28:02 [jfontana]
heffH: someone can add a reference for it and we can wait for it to appear.
17:28:13 [jfontana]
tony: I will make sure that goes public - FIDO server.
17:28:22 [jfontana]
...it is out for IPR review
17:28:33 [jfontana]
...we will make it a public document
17:29:30 [jfontana]
apowers: the server spec is published
17:29:38 [jfontana]
jeffH: we can reference it
17:29:45 [apowers]
manu: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
17:29:50 [apowers]
doh
17:30:14 [jfontana]
https://github.com/w3c/webauthn/issues/704
17:30:20 [jfontana]
jeffH: this is just editorial
17:30:29 [jfontana]
https://github.com/w3c/webauthn/issues/733
17:30:44 [jfontana]
jeffH: waiting for feedback from the accessibility people
17:30:55 [jfontana]
tony: can we get a message to them, sam
17:31:06 [jfontana]
@weiler: I can figure it out.
17:31:15 [jfontana]
https://github.com/w3c/webauthn/issues/764
17:31:28 [jfontana]
elundberg: not much was can do here
17:31:43 [jfontana]
tony: not sure there is much we actually would want to do here. I can cause other issues
17:31:53 [jfontana]
...I suggest this winds up getting closed.
17:32:01 [jfontana]
selfissue: closed or V2
17:32:28 [jfontana]
tony: it comes down to authenticator selection, we can push it off or we can close it now.
17:33:06 [jfontana]
agl: on the surface, this person is looking at silent authenticators, I am in favor of closing.
17:33:13 [jfontana]
tony: I would agree on close
17:33:32 [jfontana]
jeffH: close it with noted rational.
17:33:42 [jfontana]
https://github.com/w3c/webauthn/issues/796
17:33:45 [jfontana]
tony: cleanup
17:33:56 [jfontana]
https://github.com/w3c/webauthn/issues/876
17:34:08 [jfontana]
tony: back to this, we are OK with this
17:34:21 [jfontana]
https://github.com/w3c/webauthn/issues/972
17:35:00 [jfontana]
agl: this is awkward one. fido spec shows the whole complex thing, we want to reference the spec , but the spec is kind of nonsense and nobody does it.
17:35:10 [jfontana]
...I will take on PR and try to work that diplomatically
17:35:22 [jfontana]
https://github.com/w3c/webauthn/issues/980
17:35:49 [jfontana]
agl: might be some minor cleanup here. but in has AppID implications.
17:35:57 [jfontana]
tony: we don't want to do that.
17:36:12 [jfontana]
... not sure a clarification would be any good in extension
17:36:27 [jfontana]
agl: I think there is some confusion here.
17:37:13 [jfontana]
...would it help to clarify, but something in the issue
17:37:25 [jfontana]
.... I will add a comment in the issue for Shane (author)
17:37:30 [jfontana]
jeffH: that sounds good
17:37:44 [jfontana]
https://github.com/w3c/webauthn/issues/981
17:38:09 [jfontana]
jeffH: on this one, in FIDO registry there is , i think, 4 certificate flavors
17:38:30 [jfontana]
...this is kind of an interop thing. Shane has a good point here, what should RPs implement for?
17:39:05 [jfontana]
...this has broadened out, it might be good to constrain
17:39:19 [mandyam]
q+
17:39:45 [weiler]
ack ma
17:40:07 [jfontana]
gmandyam: is algorithm re-specified in the cert chain?
17:40:31 [jfontana]
agl: it's x509 tells you ..... can put anything in
17:41:23 [jfontana]
elundberg: should we add a note to refeence this registry that jeffH mentioned and say these 4 algorithms should be added
17:41:31 [jfontana]
jeffH: I am putting in a comment now
17:42:38 [jfontana]
agl: we could nail down more here
17:42:46 [jfontana]
jeffH: you may want to
17:43:26 [jfontana]
agl: as browsers implementing this spec, we pass what the token gives us. this is kind of a FIDO thing
17:43:42 [jfontana]
elundberg: it is also related to assertion signatures.
17:44:00 [jfontana]
...could have any flavor for user keys, but need to support all key formats
17:44:11 [jfontana]
agl: the assertion key is negotiated to some extent.
17:44:14 [jfontana]
..it has to work.
17:45:32 [jfontana]
gmandyam: I ask about this at IETF. we have definitive algorithms and cert rules, it is up to RP whether they want to interpret or ignore
17:45:36 [jfontana]
...what else can you say
17:45:56 [jfontana]
jbradley: which anything should I implement is the question from shane
17:46:16 [jfontana]
gmandyam: fair enough, but jeff's concern in valid
17:47:30 [jfontana]
agl: if you want interop, you do not force attestation
17:47:53 [jfontana]
jbradley: the other thing is, this might be valuable in the FIDO metadata
17:48:12 [jfontana]
jbradley: never mind this might be circular
17:48:42 [jfontana]
tony: OK, any other discussion on #981
17:48:55 [jfontana]
https://github.com/w3c/webauthn/issues/1012
17:49:03 [jfontana]
tony: we have a PR open against, should be ok
17:49:14 [jfontana]
...we discussed #1014
17:49:21 [jfontana]
...and #1019 is just editorial
17:49:33 [jfontana]
jeffH: elundberg is assigned.
17:49:43 [jfontana]
tony: that takes us through the issues.
17:50:01 [jfontana]
...we have couple of open issued for triage.
17:50:38 [jfontana]
https://github.com/w3c/webauthn/issues/1011
17:51:13 [jfontana]
gmandyam: the PR does not remove Safety Net , it is just for augmentation.
17:51:36 [jfontana]
...we can close it, but it not something for L1 perhaps
17:51:43 [jfontana]
tony: we can tackle in L2
17:51:54 [jfontana]
gmandyam: sure
17:52:36 [jfontana]
...in Level2 timeframe there will products in market will have trust on attestation....it seems we can find a solution to position this so it is not a choice or of or the other
17:52:53 [RRSAgent]
I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
17:52:55 [jfontana]
https://github.com/w3c/webauthn/issues/1020
17:53:01 [jfontana]
tony: is this in our scope
17:53:17 [jfontana]
elundberg: I plan to add a comment. Hopefully there will be a fix.
17:53:39 [jfontana]
JeffH: in could bring clarification in the spec
17:54:11 [jfontana]
gmandyam: user can leverage what is in the browser
17:54:30 [jfontana]
elundberg: we don't require implementers of web authn are not required to implement ctap
17:54:44 [jfontana]
...so it does not require external authenticators
17:55:01 [jfontana]
gmandyam: isn't that the point
17:55:28 [jfontana]
jeffH: summarize at bottom on issue, and he discusses risk... we know this. RPs can to things to accommodate this
17:55:36 [elundberg]
s/hopefully there will be a fix/hopefully this will be a wontfix/
17:55:37 [jfontana]
...it goes back to use cases in #334
17:55:47 [jfontana]
..his point may be moot. and we need to explain it better.
17:55:55 [jfontana]
selfissue: can you add that to #334
17:56:02 [jfontana]
jeffH: sure
17:56:12 [jfontana]
tony: last one is 1022
17:56:22 [jfontana]
https://github.com/w3c/webauthn/issues/1022
17:56:45 [jfontana]
tony: looks like we are doing this today, but it is not document well
17:56:56 [jfontana]
tony: agl I will assign this one to you
17:57:05 [jfontana]
...that is all I have for today.
17:57:10 [jfontana]
..anything else?
17:58:04 [jfontana]
elundberg: I am a bit worried aobut lcient operations we have , we have 3-4 ways to abort and return error. I am worried we might not be clear.
17:58:13 [jfontana]
tony: can you put it into level 2
17:58:48 [jfontana]
selfissue: I have editorial question. the current CR is not listed in the set of previous versions
17:59:07 [jfontana]
jeffH: we typically had to add that manually after the editor's draft.
17:59:25 [jfontana]
selfissue: I will create an issue and assign it to...
17:59:29 [jfontana]
tony: sam
17:59:53 [jfontana]
@weiler: were there any working drafts issued between the two CRS
17:59:59 [jfontana]
tony: not that i am aware of
18:00:14 [jfontana]
@weiler: you want the editor's draft to show that?
18:00:21 [jfontana]
tony: yes.
18:00:27 [RRSAgent]
I have made the request to generate https://www.w3.org/2018/08/08-webauthn-minutes.html weiler
19:47:43 [Zakim]
Zakim has left #webauthn