17:32:25 <RRSAgent> RRSAgent has joined #webauthn
17:32:25 <RRSAgent> logging to https://www.w3.org/2019/09/04-webauthn-irc
17:32:29 <wseltzer> rrsagent, make logs public
17:32:32 <Zakim> Zakim has joined #webauthn
17:32:38 <wseltzer> Meeting: Web Authentication WG
17:32:49 <wseltzer> wseltzer has changed the topic to: 4 Sept WebAuthn
19:00:30 <elundberg> elundberg has joined #webauthn
19:00:33 <Ketan> Ketan has joined #webauthn
19:00:57 <sbweeden> sbweeden has joined #webauthn
19:01:50 <jfontana> jfontana has joined #webauthn
19:03:12 <jfontana> 04 09 2019
19:04:05 <Rolf> Rolf has joined #webauthn
19:04:50 <jfontana> tony: One more meeting, then two skips. 18th, 25th
19:04:55 <jfontana> ...status of charter changes.
19:05:03 <wseltzer> regrets+ wseltzer
19:05:16 <jfontana> ...it is out for review by AC reps. we are extended to 30th of Oct.
19:05:24 <jfontana> ...this allows charter process to run its course.
19:05:54 <jfontana> ...vote to approve the charter if yo are AC rep
19:06:26 <jfontana> ..any questions on TPAC agenda, please post to list
19:06:34 <jfontana> ...if you are in Japan, you can join.
19:06:55 <jfontana> ...if you have any adds to agenda send to Tony. demos, etc, Sign up for meeting.
19:07:21 <jfontana> ...couple of invited guests have been approved.
19:08:29 <jfontana> https://github.com/w3c/webauthn/pull/653
19:08:38 <jfontana> tony: won't go over.
19:08:52 <jfontana> https://github.com/w3c/webauthn/pull/909
19:09:12 <jfontana> skip
19:09:31 <jfontana> https://github.com/w3c/webauthn/pull/1250
19:09:38 <jfontana> tony: need akshay to review
19:09:42 <jfontana> akshay: yes
19:10:15 <jfontana> https://github.com/w3c/webauthn/pull/1256
19:10:26 <jfontana> tony: nina you won't be in Japan
19:10:50 <jfontana> ...this will come up at face to face
19:10:54 <jfontana> nina: I won't be there.
19:11:03 <jfontana> tony: jeffH can you represent
19:11:06 <jfontana> jeffH: yes.
19:11:22 <jfontana> tony: akshay, need to push to close by before or during face to face
19:11:28 <jfontana> akshay: I will do it
19:11:38 <jfontana> tony: agl have you signed off.
19:11:44 <jfontana> ...please look at it before face to face
19:11:51 <jfontana> ...jeffH has approved.
19:12:16 <jfontana> agl: if nina thinks this is good, I think it is good.
19:12:23 <jfontana> tony: put that on reviewer list
19:12:40 <jfontana> https://github.com/w3c/webauthn/pull/1270
19:12:43 <jfontana> tony: ready to go?
19:13:02 <jfontana> elundberg: not ready. JeffH has some comments
19:13:18 <jfontana> jeffH: it will be fine. work in my comments
19:13:26 <jfontana> ...I am putting it on elundberg
19:13:44 <jfontana> tony: elundberg, please look at this one.
19:13:54 <jfontana> elundberg: OK
19:14:14 <jfontana> ...only thing is term bootstrap. we could merge and continue that discussion later
19:14:31 <jfontana> jeffH; some editorial. but thanks for the other clean-up
19:14:41 <jfontana> ...it improves issues #344
19:15:09 <jfontana> elundberg: we could merge this now.
19:15:40 <jfontana> jeffH: later clean-up is fine
19:15:59 <jfontana> elundberg: I will merge
19:16:20 <jfontana> https://github.com/w3c/webauthn/pull/1276
19:16:44 <jfontana> tony: this needs additional reveiw
19:16:51 <jfontana> akshay: I need more detail
19:16:59 <jfontana> jeffH: further changes needed in Cred Man
19:17:08 <jfontana> ...I will shoot to finish before TPAC
19:17:30 <jfontana> ...this helps cross origin I-frames via feature policyt
19:18:07 <jfontana> ...real meat will be in cred man spec
19:18:15 <jfontana> tony: how will the RPs know what to do
19:18:48 <jfontana> jeffH: way feature policy works, there is default allow list. this is same origin as ancestors by default
19:18:59 <jfontana> ...does not changing exisiting default behavior
19:19:26 <jfontana> ...but somebody could explicitly engage cross origin I-frame
19:19:38 <jfontana> ...boolean will be true
19:20:04 <jfontana> tony: how will RPs know what to look for
19:20:10 <jfontana> jeffH: it will be in the spec
19:20:17 <jfontana> ...it covers RPs
19:20:38 <jfontana> ...we are making changes from level 1. we should explian how it works.
19:20:44 <jfontana> ...as opposed to level 1
19:21:11 <jfontana> jbradley: this should only effect people who have turned it on.
19:21:21 <jfontana> https://github.com/w3c/webauthn/pull/1284
19:21:26 <jfontana> tony: still in progress. no review
19:21:48 <jfontana> jeffh: real simple. a small change
19:22:07 <jfontana> ...i landed the change in feature policy world, in terms of list of defined feature policies.
19:22:27 <jfontana> agl: this should be able to land now
19:22:33 <jfontana> ...please review
19:22:45 <jfontana> akshay: looks good to me. I signed off on itt.
19:23:34 <jfontana> https://github.com/w3c/webauthn/pull/1288
19:23:44 <jfontana> elundberg: any objections to merging?
19:23:55 <jfontana> tony: jeff H and akshay have approved.
19:24:16 <jfontana> https://github.com/w3c/webauthn/pull/1289
19:25:58 <jfontana> agl: part of the steps need to remain.
19:26:13 <jfontana> ...you should stop and think about extensions
19:26:23 <jfontana> ...this change seems fine.
19:26:49 <jfontana> shane: do you have proposal for more words
19:27:24 <jfontana> agl: perhaps a note, add info. about extension actions.
19:27:34 <jfontana> shane: I can add something like that
19:27:48 <jfontana> tony: but this will be change in behavoir. willit break
19:28:03 <jfontana> elundberg: will they have to accept extensions they don't know about.
19:28:16 <jfontana> ...but extension note is given, should they accept it?
19:28:39 <jfontana> shane: the whole point. could the RP open or fail closed.
19:28:47 <jfontana> ...practical use that it should not always do that.
19:28:58 <jfontana> elundberg: these are probably well known extensions
19:29:11 <jfontana> shane: no one knows cred protect. it is not public yet.
19:29:52 <jfontana> ...what is right answer here. maybe it should not be injected.
19:30:13 <jfontana> DWaite: our RP had issue with this.
19:30:37 <jfontana> ...we were saying it was not compatible with new YubiKeys, but it was browser issue with compliance
19:30:50 <jfontana> ...it is an extension, that RP don't understand this now.
19:30:59 <jfontana> ...RPs don't seem to have the knowledge.
19:31:10 <jfontana> agl: this is why we are doing this chamnge
19:31:24 <jfontana> tony: shane, do you have what you need.
19:31:31 <jfontana> shane:  need approvers
19:31:45 <jfontana> tony: agl, jeffH, elundberg on the list
19:31:52 <jfontana> alexei: If I may...
19:32:35 <jfontana> ...related questions. arbitrary extensions from authenticators, is this still a thing. I thought we didn't want this.
19:32:39 <jfontana> jbradley: chrome added it
19:33:12 <jfontana> agl: this was about what was rejected. if it is problem we could change our stance.
19:34:30 <jfontana> jbradley: i suspect that we want to allow the user to have control via browser or authenticator
19:35:29 <jfontana> akshay: can we reject these things. I would say let it play out and see what happens.
19:36:00 <jfontana> jbradley: I don't know of any scenarioes now, but maybe down the road.
19:36:39 <jfontana> ...the concern for RP, if extension that meanings are different and it changes security context
19:37:17 <jfontana> ...I think this is pretty low risk.
19:37:38 <jfontana> akshay: ultimately it is for the RP to decide.
19:37:56 <jfontana> ...should be case by case basis
19:38:12 <jfontana> shane: another example may be cred ??? extension
19:38:29 <jfontana> ...cred prop
19:38:53 <jfontana> ..cred props. new to level 2. deals with resident keys
19:39:25 <jfontana> akshay: looks like we have different points of view for different scenarioes.
19:40:44 <jfontana> shane: all add note and see if reviewers can approve or not.
19:40:54 <jfontana> tony: akshay, take a second look.
19:40:57 <jfontana> akshay: yes.
19:42:15 <jfontana> moving to issues
19:42:49 <jfontana> #1282 lcosed
19:42:59 <jfontana> #1283 closed
19:43:23 <jfontana> https://github.com/w3c/webauthn/issues/1285
19:43:34 <jfontana> agl: still some conversation
19:43:41 <jfontana> tony: this is not ready yet.
19:43:46 <ignaloidas> ignaloidas has joined #webauthn
19:44:29 <jfontana> akshay: does not seem anyone is using icons at this time
19:44:50 <jfontana> agl: we do not store icons on authenticator
19:45:22 <jfontana> ...expectation some authenticators will be larger, maybe then can store data URLs, not yet.
19:45:33 <jfontana> jeffH: like built-in platform authenticators
19:45:40 <Zakim> Zakim has left #webauthn
19:45:58 <jfontana> thttps://github.com/w3c/webauthn/issues/1286
19:46:28 <jfontana> akshay: look at it before TPAC
19:46:36 <jfontana> tony: any open issues for discussion.
19:46:49 <jfontana> ...any questions, concerns, updates.
19:47:33 <jfontana> ...at TPAC, we will look at issues for WD-02. we may have to react before all the editorial ones land
19:47:45 <jfontana> jeffH: the  list is going to change between now and TPAC
19:47:55 <jfontana> tony: that is todayt's agenda.
19:48:23 <jfontana> ...OK, meeting next week, then off for two weeks on call (TPAC starts on Sept. 16)
19:48:56 <jfontana> rrsagent, make logs public
19:49:10 <jfontana> rrsagent, draft minutes
19:49:10 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/04-webauthn-minutes.html jfontana
19:49:40 <jfontana> chairs: Nadalin, Fontana
19:50:02 <jfontana> Date 04 09 2019
19:50:23 <jfontana> rrsagent, list attendees
19:50:23 <RRSAgent> I'm logging. I don't understand 'list attendees', jfontana.  Try /msg RRSAgent help
19:50:54 <jfontana> rrsagent, attendees
19:50:54 <RRSAgent> I'm logging. I don't understand 'attendees', jfontana.  Try /msg RRSAgent help
19:51:08 <jfontana> rrsagent, draft minutes
19:51:08 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/04-webauthn-minutes.html jfontana
19:51:55 <jfontana> zakim, list attendees
20:45:01 <wseltzer> zakim, who is here?
21:34:18 <L2WD02> L2WD02 has joined #webauthn
21:45:37 <jbarclay> jbarclay has joined #webauthn
23:01:43 <ignaloidas> ignaloidas has joined #webauthn