01:38:58 <RRSAgent> RRSAgent has joined #webauthnnetwork
01:38:58 <RRSAgent> logging to https://www.w3.org/2019/09/18-webauthnnetwork-irc
01:39:06 <nmooney> rrsagent, make records public
01:54:17 <nmooney> nmooney has joined #webauthnnetwork
04:15:21 <nmooney> nmooney has joined #webauthnnetwork
05:30:14 <nmooney> nmooney has joined #webauthnnetwork
05:32:08 <cwarnier> cwarnier has joined #webauthnnetwork
05:33:56 <Steven-Google> Steven-Google has joined #webauthnnetwork
05:34:22 <agektmr> agektmr has joined #webauthnnetwork
05:34:24 <mitja> mitja has joined #webauthnnetwork
05:34:25 <vkuntz> vkuntz has joined #webauthnnetwork
05:34:31 <pamela> pamela has joined #webauthnnetwork
05:34:40 <vkuntz> present+
05:34:57 <dino> dino has joined #webauthnnetwork
05:35:05 <jfontana> jfontana has joined #webauthnnetwork
05:35:05 <Yanni> Yanni has joined #webauthnnetwork
05:35:17 <urata> urata has joined #webauthnnetwork
05:35:30 <jfontana> James: Network based transport via https for Web authn
05:35:47 <SteveBecker> SteveBecker has joined #webauthnnetwork
05:35:53 <jfontana> ...users don't want to think about authenticators
05:36:02 <btidor> btidor has joined #webauthnnetwork
05:36:15 <jfontana> as adoption increases, what will authenticators look like? what we have now may still be popular
05:36:31 <jfontana> ..we want to enable workflows,
05:36:44 <jfontana> ....how many people here familiar with caBLE?
05:36:47 <jfontana> lots of hands up
05:36:51 <YangHau> YangHau has joined #webauthnnetwork
05:37:07 <jfontana> James: it is for mobile roaming use case
05:37:18 <jfontana> eliminates a Bluetooth pairing case
05:37:35 <jeffh> jeffh has joined #webauthnnetwork
05:38:03 <pranjal> pranjal has joined #webauthnnetwork
05:38:07 <jfontana> Bluetooth is not always available and it would be nice to have network based transport,
05:38:22 <jfontana> Crypton, has anyone heard of it. mobile based authenticator
05:38:28 <jfontana> Crypton
05:38:34 <Gerhard> Gerhard has joined #webauthnnetwork
05:38:51 <jfontana> they are doing this in the wild; they are overriding the navigator credential object.
05:39:12 <jfontana> Nick: they see mobile doable with an extension
05:39:22 <jfontana> ...but they can read every page you go to.
05:39:34 <jfontana>  second issues with this. the
05:40:13 <jfontana> ...it can be an unsafe solution. they are implementing their own thing
05:40:22 <jfontana> ...we see it degrading security.
05:40:35 <jfontana> James: we have talked about it on some web authn calls.
05:40:36 <tpk> tpk has joined #webauthnnetwork
05:40:49 <jfontana> present+
05:41:27 <jfontana> james: now is time to ponder on this problem before the ecosystem is degrading any further
05:41:33 <jfontana> ...not picking on Crypton.
05:41:41 <Gerhard> q+
05:41:43 <jfontana>  ...we have built a prototype
05:42:33 <jfontana> Gerhard: when U2F first came out we had to work to make it work, we wanted to do it from the browser
05:42:49 <jfontana> ...we built a Chrome plug-in, and went to bank servers, it was lots of effort
05:43:07 <jfontana> ...we want this type of approach, but do not want to break stuff.
05:43:33 <jfontana> james: next point. we think cable and https can work together
05:44:00 <jfontana> ...we are interested in preserving properties, like anti-phishing. we think we can keep that.
05:44:35 <jfontana> james: we think cable can be phished.
05:44:48 <jfontana> JeffH: the term is phishing resistance.
05:45:03 <jfontana> Google disagrees with DUO
05:45:36 <jfontana> nick: phishing resistance is provided mostly by origin scoping to enforce,
05:45:40 <jfontana> ...want to continue this.
05:46:15 <jfontana> ...we think we can maintain properties
05:47:14 <jfontana> jbradley: part of issues may be different definition of phishing resistance.
05:47:26 <jfontana> ...attacks are different, don
05:47:46 <jfontana> ...don't know if they are completely resistant, need to analyze other parts.
05:48:05 <jfontana> jeffH: we disagree
05:48:23 <jfontana> nick: couple parts of https transport may include serialization.
05:48:38 <jfontana> send web authn structures up to server for checking other operations.
05:49:02 <jfontana> james: looking at base64 and...
05:49:11 <jfontana> ...configuration is key
05:49:33 <jfontana>  ...need pairing. for phishing resistance
05:50:02 <jfontana> having a crypto channel between channel binding and authenticator is a must
05:50:30 <jfontana> ...Proposal. WebAuthn JSON via HTTP
05:50:42 <jfontana> ..should it CTA
05:51:01 <jfontana> ctap
05:51:15 <jfontana> ..proposal CBOR via CTAP or HTTP
05:51:18 <jfontana> CTAP
05:51:32 <jfontana> ..not big on this idea.
05:51:54 <jfontana> nick: one other idea. if https too prescriptive.
05:52:09 <jfontana> ...we think browser can reflect transport in a more generic way.
05:52:12 <jfontana> way
05:52:38 <jfontana> we would allow APIs that extensions could register with.
05:52:45 <jfontana> ...this idea is not fully fleshed out.
05:52:52 <jfontana> James showing demo.
05:54:30 <jfontana> ..demo over
05:54:50 <jfontana> jeffH: are you going to make your write up public?
05:54:53 <jfontana> nick: yes.
05:55:20 <jfontana> james: reason we decided to keep this session is to get feedback
05:55:42 <jfontana> james: we know there are issues with network stuff
05:56:06 <jfontana> jeffH: phishing resistance of web authn, it is not just origin scoping. it is more with a cryptographic protocol.
05:56:28 <jfontana> ...nothing you can do to get something to replay and act as user.
05:56:35 <jfontana> ...you can man in the middle this pairing.
05:56:48 <jfontana> JeffH on white board
05:57:57 <jfontana> jeffH: from our perspective this is a non-starter, it is phishable.
05:59:13 <jfontana> ...origin stuff - scoping and proximity, are required together for registration. otherwise, you get in a phishable situation
06:00:22 <ajitomi> ajitomi has joined #webauthnnetwork
06:00:50 <jfontana> nick: the architecture is not allowing a web site to talk to your mobile device.
06:01:02 <jfontana> ...we think we address your concern
06:01:27 <jfontana> nick: in a normal case, users have authenticator and mobile device.
06:01:55 <jfontana> ...our proposal. we allow users to pass a message
06:02:20 <jfontana> ...the service on the network is some separate site that passes message between browser and mobile authenticator
06:02:24 <jfontana> jeffH: why?
06:02:41 <jfontana> ...I could create a message passer
06:02:57 <jfontana> nick: we are using a QR code to establish a channel to message passer
06:03:09 <jfontana> ...the passer can deny, but can't inspect content
06:03:41 <jfontana> jbradley: biggest issue with QR code - it is unidirectional. so no bi-directional
06:03:56 <jfontana> ...between user agent and third party is addressed by protocols
06:04:03 <jfontana> ..this is about using CTAP
06:04:32 <jfontana> jeffH: we have thinking on this.
06:04:59 <jfontana> ...we think we can use cable to help establish the binding. then you can use standard transport for DUO proposed transport
06:05:08 <jfontana> nick: we agree
06:06:52 <jfontana> jeffH: key thing here: server and the laptop and the phone. security is here.
06:07:09 <jfontana> ...don't have to do over Bluetooth. can go over USB
06:07:17 <jfontana> ...but phone and laptop need to talk to each other.
06:07:44 <jfontana> jeffH: we have boiled caBLE to phone and laptop pairing.
06:07:57 <jfontana> ...don't do the round trip
06:08:14 <jfontana> ...the connection is bi-directional and encrypted.
06:08:58 <jfontana> jbradley: figuring this out, the https then may be of equivalent security.
06:09:24 <jfontana> jeffH: we are looking at caBLE in this context.
06:09:55 <jfontana> jbradley: need to include CTAP in this. you want to take advantage of web authn to the platform and allow CTAP to talk over transport.
06:10:00 <Yanni> Yanni has joined #webauthnnetwork
06:10:06 <jfontana> ...messing with this is more trouble than it is worth.
06:10:50 <jfontana> ...there are a bunch of things going on here.
06:11:04 <jfontana> nick: we can't rely on a platform. we run on the web.
06:11:35 <btidor> btidor has joined #webauthnnetwork
06:11:41 <jfontana> jeffH: this distinction is nailed down in the spec. it is called client platform.
06:12:00 <jfontana> ...our beef is making sure the binding is secure.
06:12:19 <jfontana> james: we want to increase adoption.
06:13:00 <jfontana> ...we want to support as many use cases as possible
06:13:07 <jfontana> jeffH: we like that idea
06:13:24 <jfontana> nick: want to show there are some things broken and we can fix them.
06:14:23 <jfontana> Gerhard: our ideal scenario is you can take a fido token and use it anywhere.
06:18:24 <jfontana> jeffH: I want to use the term binding, not pairing.
06:18:56 <nmooney> nmooney has joined #webauthnnetwork
06:19:22 <jfontana> gerhard: I just want to say, once I pair and have a session, I want to reach out to a phone in a trusted way.
06:19:54 <jfontana> ...it is not always user initiated.  but once I have consent, I want to reach out for a new cryptogram
06:20:04 <jfontana> jbradley: this is not really what this is for.
06:21:13 <jfontana> ...you are talking binding of platform authenticator...
06:21:55 <jfontana> nick: your use case scenario is not enabled by this
06:22:12 <Steven-Google> Steven-Google has joined #webauthnnetwork
06:22:13 <pranjal> pranjal has joined #webauthnnetwork
06:23:58 <jfontana> benjamin: looking at fido for web payments and the adoption is not here. this looks interesting.
06:24:32 <jfontana> jbradley: but this is designed to not have a plug-in.
06:28:39 <jfontana> jbradley: deal with this as a transport and let the platform negotiate for the transport.
06:29:25 <jfontana> ...i would lean toward defining it in the spec, and let the client platform do its end of it.
06:29:57 <pranjal_> pranjal_ has joined #webauthnnetwork
06:32:46 <jfontana> jeffH: we want this to just work
06:32:52 <jfontana> james: that is what we want also.
06:39:01 <jfontana> rssagent, draft minutes
06:39:36 <nmooney> nmooney has joined #webauthnnetwork
06:40:07 <jfontana> rssagent, make logs public
06:45:54 <wseltzer> wseltzer has joined #webauthnnetwork
06:49:13 <wseltzer> rrsagent, draft minutes
06:49:13 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html wseltzer
07:48:51 <nmooney> RRSAgent, draft minutes
07:48:51 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html nmooney
07:50:14 <nmooney> Meeting: WebAuthn Network Transport Unconference Discussion