IRC log of webauthnnetwork on 2019-09-18

Timestamps are in UTC.

01:38:58 [RRSAgent]
RRSAgent has joined #webauthnnetwork
01:38:58 [RRSAgent]
logging to https://www.w3.org/2019/09/18-webauthnnetwork-irc
01:39:06 [nmooney]
rrsagent, make records public
01:54:17 [nmooney]
nmooney has joined #webauthnnetwork
04:15:21 [nmooney]
nmooney has joined #webauthnnetwork
05:30:14 [nmooney]
nmooney has joined #webauthnnetwork
05:32:08 [cwarnier]
cwarnier has joined #webauthnnetwork
05:33:56 [Steven-Google]
Steven-Google has joined #webauthnnetwork
05:34:22 [agektmr]
agektmr has joined #webauthnnetwork
05:34:24 [mitja]
mitja has joined #webauthnnetwork
05:34:25 [vkuntz]
vkuntz has joined #webauthnnetwork
05:34:31 [pamela]
pamela has joined #webauthnnetwork
05:34:40 [vkuntz]
present+
05:34:57 [dino]
dino has joined #webauthnnetwork
05:35:05 [jfontana]
jfontana has joined #webauthnnetwork
05:35:05 [Yanni]
Yanni has joined #webauthnnetwork
05:35:17 [urata]
urata has joined #webauthnnetwork
05:35:30 [jfontana]
James: Network based transport via https for Web authn
05:35:47 [SteveBecker]
SteveBecker has joined #webauthnnetwork
05:35:53 [jfontana]
...users don't want to think about authenticators
05:36:02 [btidor]
btidor has joined #webauthnnetwork
05:36:15 [jfontana]
as adoption increases, what will authenticators look like? what we have now may still be popular
05:36:31 [jfontana]
..we want to enable workflows,
05:36:44 [jfontana]
....how many people here familiar with caBLE?
05:36:47 [jfontana]
lots of hands up
05:36:51 [YangHau]
YangHau has joined #webauthnnetwork
05:37:07 [jfontana]
James: it is for mobile roaming use case
05:37:18 [jfontana]
eliminates a Bluetooth pairing case
05:37:35 [jeffh]
jeffh has joined #webauthnnetwork
05:38:03 [pranjal]
pranjal has joined #webauthnnetwork
05:38:07 [jfontana]
bluetooth is not always available and it would be nice to have network based transport,
05:38:22 [jfontana]
Crypton, has anyone heard of it? mobile based authenticator
05:38:28 [jfontana]
Crypton
05:38:34 [Gerhard]
Gerhard has joined #webauthnnetwork
05:38:51 [jfontana]
they are doing this in the wild; they are overriding the navigator credential object.
05:39:12 [jfontana]
Nick: they see mobile doable with an extension
05:39:22 [jfontana]
...but they can read every page you go to.
05:39:34 [jfontana]
second issues with this. the
05:40:13 [jfontana]
...it can be an unsafe solution. they are implementing their own thing
05:40:22 [jfontana]
...we see it degrading security.
05:40:35 [jfontana]
James: we have talked about it on some web authn calls.
05:40:36 [tpk]
tpk has joined #webauthnnetwork
05:40:49 [jfontana]
present+
05:41:27 [jfontana]
james: now is time to ponder on this problem before the ecosystem is degrading any further
05:41:33 [jfontana]
...not picking on Crypton.
05:41:41 [Gerhard]
q+
05:41:43 [jfontana]
...we have built a prototype
05:42:33 [jfontana]
Gerhard: when U2F first came out we had to work to make it work, we wanted to do it from the browser
05:42:49 [jfontana]
...we built a Chrome plug-in, and went to bank servers, it was lots of effort
05:43:07 [jfontana]
...we want this type of approach, but do not want to break stuff.
05:43:33 [jfontana]
james: next point. we think cable and https can work together
05:44:00 [jfontana]
...we are interested in preserving properties, like anti-phishing. we think we can keep that.
05:44:35 [jfontana]
james: we think cable can be phished.
05:44:48 [jfontana]
JeffH: the term is phishing resistance.
05:45:03 [jfontana]
Google disagrees with DUO
05:45:36 [jfontana]
nick: phishing resistance is provided mostly by origin scoping to enforce,
05:45:40 [jfontana]
...want to continue this.
05:46:15 [jfontana]
...we think we can maintain properties
05:47:14 [jfontana]
jbradley: part of issues may be different definitions of phishing resistance.
05:47:26 [jfontana]
...attacks are different, don
05:47:46 [jfontana]
...don't know if they are completely resistant, need to analyze other parts.
05:48:05 [jfontana]
jeffH: we disagree
05:48:23 [jfontana]
nick: couple parts of https transport may include serialization.
05:48:38 [jfontana]
send web authn structures up to server for checking other operations.
05:49:02 [jfontana]
james: looking at base64 and...
05:49:11 [jfontana]
...configuration is key
05:49:33 [jfontana]
...need pairing. for phishing resistance
05:50:02 [jfontana]
having a crypto channel between channel binding and authenticator is a must
05:50:30 [jfontana]
...Proposal. webauthn JSON via HTTP
05:50:42 [jfontana]
..should it CTA
05:51:01 [jfontana]
ctap
05:51:15 [jfontana]
..proposal CBOR via CTAP or HTTP
05:51:18 [jfontana]
CTAP
05:51:32 [jfontana]
..not big on this idea.
05:51:54 [jfontana]
nick: one other idea. if https too prescriptive.
05:52:09 [jfontana]
...we think browser can reflect transport in a more generic way.
05:52:12 [jfontana]
way
05:52:38 [jfontana]
we would allow APIs that extensions could register with.
05:52:45 [jfontana]
...this idea is not fully fleshed out.
05:52:52 [jfontana]
James showing demo.
05:54:30 [jfontana]
..demo over
05:54:50 [jfontana]
jeffH: are you going to make your write up public?
05:54:53 [jfontana]
nick: yes.
05:55:20 [jfontana]
james: reason we decided to keep this session is to get feedback
05:55:42 [jfontana]
james: we know there are issues with network stuff
05:56:06 [jfontana]
jeffH: phishing resistance of web authn, it is not just origin scoping. it is more with a cryptographic protocol.
05:56:28 [jfontana]
...nothing you can do to get something to replay and act as user.
05:56:35 [jfontana]
...you can man in the middle this pairing.
05:56:48 [jfontana]
JeffH on white board
05:57:57 [jfontana]
jeffH: from our perspective this is a non-starter, it is phishable.
05:59:13 [jfontana]
...origin stuff - scoping and proximity, are required together for registration. otherwise, you get in a phishable situation
06:00:22 [ajitomi]
ajitomi has joined #webauthnnetwork
06:00:50 [jfontana]
nick: the architecture is not allowing a web site to talk to your mobile device.
06:01:02 [jfontana]
...we think we address your concern
06:01:27 [jfontana]
nick: in a normal case, users have authenticator and mobile device.
06:01:55 [jfontana]
...our proposal. we allow users to pass a message
06:02:20 [jfontana]
...the service on the network, is some separate site that passes message between browser and mobile authenticator
06:02:24 [jfontana]
jeffH: why?
06:02:41 [jfontana]
...I could create a message passer
06:02:57 [jfontana]
nick: we are using a QR code to establish a channel to message passer
06:03:09 [jfontana]
...the passer can deny, but can't inspect content
06:03:41 [jfontana]
jbradley: biggest issue with QR code - it is uni-directional. so no bi-directional
06:03:56 [jfontana]
...between user agent and third party is addressed by protocols
06:04:03 [jfontana]
..this is about using CTAP
06:04:32 [jfontana]
jeffH: we have thinking on this.
06:04:59 [jfontana]
...we think we can use cable to help establish the binding. then you can use standard transport for DUO proposed transport
06:05:08 [jfontana]
nick: we agree
06:06:52 [jfontana]
jeffH: key thing here; server and the laptop and the phone. security is here.
06:07:09 [jfontana]
...don't have to do over bluetooth. can go over usb
06:07:17 [jfontana]
...but phone and laptop need to talk to each other.
06:07:44 [jfontana]
jeffH: we have boiled caBLE to phone and laptop pairing.
06:07:57 [jfontana]
...don't do the round trip
06:08:14 [jfontana]
...the connection is bi-directional and encrypted.
06:08:58 [jfontana]
jbradley: figuring this out, the https then may be of equivalent security.
06:09:24 [jfontana]
jeffH: we are looking at caBLE in this context.
06:09:55 [jfontana]
jbradley: need to include CTAP in this. you want to take advantage of web authn to the platform and allow CTAP to talk over transport.
06:10:00 [Yanni]
Yanni has joined #webauthnnetwork
06:10:06 [jfontana]
...messing with this is more trouble than it is worth.
06:10:50 [jfontana]
...there are a bunch of things going on here.
06:11:04 [jfontana]
nick: we can't rely on a platform. we run on the web.
06:11:35 [btidor]
btidor has joined #webauthnnetwork
06:11:41 [jfontana]
jeffH: this distinction is nailed down in the spec. it is called client platform.
06:12:00 [jfontana]
...our beef is making sure the binding is secure.
06:12:19 [jfontana]
james: we want to increase adoption.
06:13:00 [jfontana]
...we want to support as many use cases as possible
06:13:07 [jfontana]
jeffH: we like that idea
06:13:24 [jfontana]
nick: want to show there are some things broken and we can fix them.
06:14:23 [jfontana]
Gerhard: our ideal scenario is you can take a fido token and use it anywhere.
06:16:13 [jfontana]
ccccccjekcfhgdbcurieeluutukururhlnjnrdtitnuj
06:16:53 [jfontana]
ccccccjekcfhtnjbnuunnrrjidkhfnvjgbnntgthnllb
06:18:24 [jfontana]
jeffH: I want to use the term binding, not pairing.
06:18:56 [nmooney]
nmooney has joined #webauthnnetwork
06:19:22 [jfontana]
gerhard: I just want to say, once I pair and have a session, I want to reach out to a phone in a trusted way.
06:19:54 [jfontana]
...it is not always user initiated. but once I have consent, I want to reach out for a new cryptogram
06:20:04 [jfontana]
jbradley: this is not really what this is for.
06:21:13 [jfontana]
...you are talking binding of platform authenticator...
06:21:55 [jfontana]
nick: your use case scenario is not enabled by this
06:22:12 [Steven-Google]
Steven-Google has joined #webauthnnetwork
06:22:13 [pranjal]
pranjal has joined #webauthnnetwork
06:23:58 [jfontana]
benjamin: looking at fido for web payments and the adoption is not here. this looks interesting.
06:24:32 [jfontana]
jbradley: but this is designed to not have a plug-in.
06:28:39 [jfontana]
jbradley: deal with this as a transport and let the platform negotiate for the transport.
06:29:25 [jfontana]
...i would lean toward defining it in the spec, and let the client platform do its end of it.
06:29:57 [pranjal_]
pranjal_ has joined #webauthnnetwork
06:32:46 [jfontana]
jeffH: we want this to just work
06:32:52 [jfontana]
james: that is what we want also.
06:34:39 [jfontana]
s/ccccccjekcfhgdbcurieeluutukururhlnjnrdtitnuj//
06:34:54 [jfontana]
s/ccccccjekcfhtnjbnuunnrrjidkhfnvjgbnntgthnllb//
06:39:01 [jfontana]
rssagent, draft minutes
06:39:36 [nmooney]
nmooney has joined #webauthnnetwork
06:40:07 [jfontana]
rssagent, make logs public
06:45:54 [wseltzer]
wseltzer has joined #webauthnnetwork
06:49:13 [wseltzer]
rrsagent, draft minutes
06:49:13 [RRSAgent]
I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html wseltzer
06:59:33 [Yanni]
Yanni has joined #webauthnnetwork
07:20:52 [pranjal]
pranjal has joined #webauthnnetwork
07:30:42 [pranjal]
pranjal has joined #webauthnnetwork
07:35:24 [dino]
dino has joined #webauthnnetwork
07:37:53 [mitja]
mitja has joined #webauthnnetwork
07:43:39 [nmooney]
nmooney has joined #webauthnnetwork
07:48:51 [nmooney]
RRSAgent, draft minutes
07:48:51 [RRSAgent]
I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html nmooney
07:50:14 [nmooney]
Meeting: WebAuthn Network Transport Unconference Discussion
07:50:46 [mitja]
mitja has joined #webauthnnetwork
07:53:31 [jbarclay]
jbarclay has joined #webauthnnetwork
07:55:08 [mitja]
mitja has joined #webauthnnetwork
08:02:25 [mitja]
mitja has joined #webauthnnetwork
08:23:49 [mitja]
mitja has joined #webauthnnetwork
08:33:00 [dino]
dino has joined #webauthnnetwork
08:35:05 [pranjal]
pranjal has joined #webauthnnetwork
08:40:32 [pranjal_]
pranjal_ has joined #webauthnnetwork
09:00:31 [pranjal]
pranjal has joined #webauthnnetwork
09:15:18 [nmooney]
nmooney has joined #webauthnnetwork
09:27:03 [nmooney]
nmooney has joined #webauthnnetwork
11:10:01 [nmooney]
nmooney has joined #webauthnnetwork
12:11:15 [pranjal]
pranjal has joined #webauthnnetwork