IRC log of webauthnnetwork on 2019-09-18
Timestamps are in UTC.
- 01:38:58 [RRSAgent]
- RRSAgent has joined #webauthnnetwork
- 01:38:58 [RRSAgent]
- logging to https://www.w3.org/2019/09/18-webauthnnetwork-irc
- 01:39:06 [nmooney]
- rrsagent, make records public
- 01:54:17 [nmooney]
- nmooney has joined #webauthnnetwork
- 04:15:21 [nmooney]
- nmooney has joined #webauthnnetwork
- 05:30:14 [nmooney]
- nmooney has joined #webauthnnetwork
- 05:32:08 [cwarnier]
- cwarnier has joined #webauthnnetwork
- 05:33:56 [Steven-Google]
- Steven-Google has joined #webauthnnetwork
- 05:34:22 [agektmr]
- agektmr has joined #webauthnnetwork
- 05:34:24 [mitja]
- mitja has joined #webauthnnetwork
- 05:34:25 [vkuntz]
- vkuntz has joined #webauthnnetwork
- 05:34:31 [pamela]
- pamela has joined #webauthnnetwork
- 05:34:40 [vkuntz]
- present+
- 05:34:57 [dino]
- dino has joined #webauthnnetwork
- 05:35:05 [jfontana]
- jfontana has joined #webauthnnetwork
- 05:35:05 [Yanni]
- Yanni has joined #webauthnnetwork
- 05:35:17 [urata]
- urata has joined #webauthnnetwork
- 05:35:30 [jfontana]
- James: Network based transport via https for Web authn
- 05:35:47 [SteveBecker]
- SteveBecker has joined #webauthnnetwork
- 05:35:53 [jfontana]
- ...users don't want to think about authenticators
- 05:36:02 [btidor]
- btidor has joined #webauthnnetwork
- 05:36:15 [jfontana]
- as adoption increases, what will authenticators look like? what we have now may still be popular
- 05:36:31 [jfontana]
- ..we want to enable workflows,
- 05:36:44 [jfontana]
- ....how many people here familiar with caBLE?
- 05:36:47 [jfontana]
- lots of hands up
- 05:36:51 [YangHau]
- YangHau has joined #webauthnnetwork
- 05:37:07 [jfontana]
- James: it is for mobile roaming use case
- 05:37:18 [jfontana]
- eliminates a Bluetooth pairing case
- 05:37:35 [jeffh]
- jeffh has joined #webauthnnetwork
- 05:38:03 [pranjal]
- pranjal has joined #webauthnnetwork
- 05:38:07 [jfontana]
- Bluetooth is not always available and it would be nice to have network based transport,
- 05:38:22 [jfontana]
- Crypton, has anyone heard of it. mobile based authenticator
- 05:38:34 [Gerhard]
- Gerhard has joined #webauthnnetwork
- 05:38:51 [jfontana]
- they are doing this in the wild; they are overriding the navigator credential object.
- 05:39:12 [jfontana]
- Nick: they see mobile doable with an extension
- 05:39:22 [jfontana]
- ...but they can read every page you go to.
- 05:39:34 [jfontana]
- second issue with this. the
- 05:40:13 [jfontana]
- ...it can be an unsafe solution. they are implementing their own thing
- 05:40:22 [jfontana]
- ...we see it degrading security.
- 05:40:35 [jfontana]
- James: we have talked about it on some web authn calls.
- 05:40:36 [tpk]
- tpk has joined #webauthnnetwork
- 05:40:49 [jfontana]
- present+
- 05:41:27 [jfontana]
- james: now is the time to ponder on this problem before the ecosystem is degrading any further
- 05:41:33 [jfontana]
- ...not picking on Crypton.
- 05:41:41 [Gerhard]
- q+
- 05:41:43 [jfontana]
- ...we have built a prototype
- 05:42:33 [jfontana]
- Gerhard: when U2F first came out we had to work to make it work, we wanted to do it from the browser
- 05:42:49 [jfontana]
- ...we built a Chrome plug-in, and went to bank servers, it was lots of effort
- 05:43:07 [jfontana]
- ...we want this type of approach, but do not want to break stuff.
- 05:43:33 [jfontana]
- james: next point. we think cable and https can work together
- 05:44:00 [jfontana]
- ...we are interested in preserving properties, like anti-phishing. we think we can keep that.
- 05:44:35 [jfontana]
- james: we think cable can be phished.
- 05:44:48 [jfontana]
- JeffH: the term is phishing resistance.
- 05:45:03 [jfontana]
- Google disagrees with DUO
- 05:45:36 [jfontana]
- nick: phishing resistance is provided mostly by origin scoping to enforce,
- 05:45:40 [jfontana]
- ...want to continue this.
- 05:46:15 [jfontana]
- ...we think we can maintain properties
- 05:47:14 [jfontana]
- jbradley: part of issues may be different definitions of phishing resistance.
- 05:47:26 [jfontana]
- ...attacks are different, don
- 05:47:46 [jfontana]
- ...don't know if they are completely resistant, need to analyze other parts.
- 05:48:05 [jfontana]
- jeffH: we disagree
- 05:48:23 [jfontana]
- nick: couple parts of https transport may include serialization.
- 05:48:38 [jfontana]
- send web authn structures up to server for checking other operations.
- 05:49:02 [jfontana]
- james: looking at base 64 and...
- 05:49:11 [jfontana]
- ...configuration is key
- 05:49:33 [jfontana]
- ...need pairing. for phishing resistance
- 05:50:02 [jfontana]
- having a crypto channel between channel binding and authenticator is a must
- 05:50:30 [jfontana]
- ...Proposal. webauthn JSON via HTTP
- 05:50:42 [jfontana]
- ..should it CTAP
- 05:51:15 [jfontana]
- ..proposal CBOR via CTAP or HTTP
- 05:51:32 [jfontana]
- ..not big on this idea.
- 05:51:54 [jfontana]
- nick: one other idea. if https too prescriptive.
- 05:52:09 [jfontana]
- ...we think browser can reflect transport in a more generic way.
- 05:52:38 [jfontana]
- we would allow APIs that extensions could register with.
- 05:52:45 [jfontana]
- ...this idea is not fully fleshed out.
- 05:52:52 [jfontana]
- James showing demo.
- 05:54:30 [jfontana]
- ..demo over
- 05:54:50 [jfontana]
- jeffH: are you going to make your write up public?
- 05:54:53 [jfontana]
- nick: yes.
- 05:55:20 [jfontana]
- james: reason we decided to keep this session is to get feedback
- 05:55:42 [jfontana]
- james: we know there are issues with network stuff
- 05:56:06 [jfontana]
- jeffH: phishing resistance of web authn, it is not just origin scoping. it is more with a cryptographic protocol.
- 05:56:28 [jfontana]
- ...nothing you can do to get something to replay and act as user.
- 05:56:35 [jfontana]
- ...you can man in the middle this pairing.
- 05:56:48 [jfontana]
- JeffH on white board
- 05:57:57 [jfontana]
- jeffH: from our perspective this is a non-starter, it is phishable.
- 05:59:13 [jfontana]
- ...origin stuff - scoping and proximity, are required together for registration. otherwise, you get in a phishable situation
- 06:00:22 [ajitomi]
- ajitomi has joined #webauthnnetwork
- 06:00:50 [jfontana]
- nick: the architecture is not allowing a web site to talk to your mobile device.
- 06:01:02 [jfontana]
- ...we think we address your concern
- 06:01:27 [jfontana]
- nick: in a normal case, users have authenticator and mobile device.
- 06:01:55 [jfontana]
- ...our proposal. we allow users to pass a message
- 06:02:20 [jfontana]
- ...the service on the network is some separate site that passes message between browser and mobile authenticator
- 06:02:24 [jfontana]
- jeffH: why?
- 06:02:41 [jfontana]
- ...I could create a message passer
- 06:02:57 [jfontana]
- nick: we are using a QR code to establish a channel to message passer
- 06:03:09 [jfontana]
- ...the passer can deny, but can't inspect content
- 06:03:41 [jfontana]
- jbradley: biggest issue with QR code - it is uni-directional. so no bi-directional
- 06:03:56 [jfontana]
- ...between user agent and third party is addressed by protocols
- 06:04:03 [jfontana]
- ..this is about using CTAP
- 06:04:32 [jfontana]
- jeffH: we have thinking on this.
- 06:04:59 [jfontana]
- ...we think we can use cable to help establish the binding. then you can use standard transport for DUO proposed transport
- 06:05:08 [jfontana]
- nick: we agree
- 06:06:52 [jfontana]
- jeffH: key thing here: server and the laptop and the phone. security is here.
- 06:07:09 [jfontana]
- ...don't have to do over Bluetooth. can go over USB
- 06:07:17 [jfontana]
- ...but phone and laptop need to talk to each other.
- 06:07:44 [jfontana]
- jeffH: we have boiled caBLE to phone and laptop pairing.
- 06:07:57 [jfontana]
- ...don't do the round trip
- 06:08:14 [jfontana]
- ...the connection is bi-directional and encrypted.
- 06:08:58 [jfontana]
- jbradley: figuring this out, the https then may be of equivalent security.
- 06:09:24 [jfontana]
- jeffH: we are looking at caBLE in this context.
- 06:09:55 [jfontana]
- jbradley: need to include CTAP in this. you want to take advantage of web authn to the platform and allow CTAP to talk over transport.
- 06:10:00 [Yanni]
- Yanni has joined #webauthnnetwork
- 06:10:06 [jfontana]
- ...messing with this is more trouble than it is worth.
- 06:10:50 [jfontana]
- ...there are a bunch of things going on here.
- 06:11:04 [jfontana]
- nick: we can't rely on a platform. we run on the web.
- 06:11:35 [btidor]
- btidor has joined #webauthnnetwork
- 06:11:41 [jfontana]
- jeffH: this distinction is nailed down in the spec. it is called client platform.
- 06:12:00 [jfontana]
- ...our beef is making sure the binding is secure.
- 06:12:19 [jfontana]
- james: we want to increase adoption.
- 06:13:00 [jfontana]
- ...we want to support as many use cases as possible
- 06:13:07 [jfontana]
- jeffH: we like that idea
- 06:13:24 [jfontana]
- nick: want to show there are some things broken and we can fix them.
- 06:14:23 [jfontana]
- Gerhard: our ideal scenario is you can take a FIDO token and use it anywhere.
- 06:18:24 [jfontana]
- jeffH: I want to use the term binding, not pairing.
- 06:18:56 [nmooney]
- nmooney has joined #webauthnnetwork
- 06:19:22 [jfontana]
- gerhard: I just want to say, once I pair and have a session, I want to reach out to a phone in a trusted way.
- 06:19:54 [jfontana]
- ...it is not always user initiated. but once I have consent, I want to reach out for a new cryptogram
- 06:20:04 [jfontana]
- jbradley: this is not really what this is for.
- 06:21:13 [jfontana]
- ...you are talking binding of platform authenticator...
- 06:21:55 [jfontana]
- nick: your use case scenario is not enabled by this
- 06:22:12 [Steven-Google]
- Steven-Google has joined #webauthnnetwork
- 06:22:13 [pranjal]
- pranjal has joined #webauthnnetwork
- 06:23:58 [jfontana]
- benjamin: looking at FIDO for web payments and the adoption is not here. this looks interesting.
- 06:24:32 [jfontana]
- jbradley: but this is designed to not have a plug-in.
- 06:28:39 [jfontana]
- jbradley: deal with this as a transport and let the platform negotiate for the transport.
- 06:29:25 [jfontana]
- ...i would lean toward defining it in the spec, and let the client platform do its end of it.
- 06:29:57 [pranjal_]
- pranjal_ has joined #webauthnnetwork
- 06:32:46 [jfontana]
- jeffH: we want this to just work
- 06:32:52 [jfontana]
- james: that is what we want also.
- 06:39:01 [jfontana]
- rssagent, draft minutes
- 06:39:36 [nmooney]
- nmooney has joined #webauthnnetwork
- 06:40:07 [jfontana]
- rssagent, make logs public
- 06:45:54 [wseltzer]
- wseltzer has joined #webauthnnetwork
- 06:49:13 [wseltzer]
- rrsagent, draft minutes
- 06:49:13 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html wseltzer
- 06:59:33 [Yanni]
- Yanni has joined #webauthnnetwork
- 07:20:52 [pranjal]
- pranjal has joined #webauthnnetwork
- 07:30:42 [pranjal]
- pranjal has joined #webauthnnetwork
- 07:35:24 [dino]
- dino has joined #webauthnnetwork
- 07:37:53 [mitja]
- mitja has joined #webauthnnetwork
- 07:43:39 [nmooney]
- nmooney has joined #webauthnnetwork
- 07:48:51 [nmooney]
- RRSAgent, draft minutes
- 07:48:51 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html nmooney
- 07:50:14 [nmooney]
- Meeting: WebAuthn Network Transport Unconference Discussion
- 07:50:46 [mitja]
- mitja has joined #webauthnnetwork
- 07:53:31 [jbarclay]
- jbarclay has joined #webauthnnetwork
- 07:55:08 [mitja]
- mitja has joined #webauthnnetwork
- 08:02:25 [mitja]
- mitja has joined #webauthnnetwork
- 08:23:49 [mitja]
- mitja has joined #webauthnnetwork
- 08:33:00 [dino]
- dino has joined #webauthnnetwork
- 08:35:05 [pranjal]
- pranjal has joined #webauthnnetwork
- 08:40:32 [pranjal_]
- pranjal_ has joined #webauthnnetwork
- 09:00:31 [pranjal]
- pranjal has joined #webauthnnetwork
- 09:15:18 [nmooney]
- nmooney has joined #webauthnnetwork
- 09:27:03 [nmooney]
- nmooney has joined #webauthnnetwork
- 11:10:01 [nmooney]
- nmooney has joined #webauthnnetwork
- 12:11:15 [pranjal]
- pranjal has joined #webauthnnetwork