01:38:58 logging to https://www.w3.org/2019/09/18-webauthnnetwork-irc
05:35:30 James: Network-based transport via HTTPS for WebAuthn
05:35:53 ...users don't want to think about authenticators
05:36:15 as adoption increases, what will authenticators look like? what we have now may still be popular
05:36:31 ...we want to enable workflows
05:36:44 ...how many people here are familiar with caBLE?
05:36:47 lots of hands up
05:37:07 James: it is for the mobile roaming use case
05:37:18 eliminates a Bluetooth pairing case
05:38:07 Bluetooth is not always available and it would be nice to have network-based transport
05:38:22 Crypton, has anyone heard of it? mobile-based authenticator
05:38:51 they are doing this in the wild; they are overriding the navigator credential object.
05:39:12 Nick: they see mobile doable with an extension
05:39:22 ...but they can read every page you go to.
05:39:34 second issue with this. the
05:40:13 ...it can be an unsafe solution. they are implementing their own thing
05:40:22 ...we see it degrading security.
05:40:35 James: we have talked about it on some WebAuthn calls.
05:41:27 James: now is the time to ponder on this problem before the ecosystem degrades any further
05:41:33 ...not picking on Crypton.
05:41:43 ...we have built a prototype
05:42:33 Gerhard: when U2F first came out we had to work to make it work, we wanted to do it from the browser
05:42:49 ...we built a Chrome plug-in, and went to bank servers, it was lots of effort
05:43:07 ...we want this type of approach, but do not want to break stuff.
05:43:33 James: next point. we think caBLE and HTTPS can work together
05:44:00 ...we are interested in preserving properties, like anti-phishing. we think we can keep that.
05:44:35 James: we think caBLE can be phished.
05:44:48 JeffH: the term is phishing resistance.
05:45:03 Google disagrees with Duo
05:45:36 Nick: phishing resistance is provided mostly by origin scoping to enforce,
05:45:40 ...want to continue this.
05:46:15 ...we think we can maintain properties
05:47:14 jbradley: part of the issue may be different definitions of phishing resistance.
05:47:26 ...attacks are different,
05:47:46 ...don't know if they are completely resistant, need to analyze other parts.
05:48:05 JeffH: we disagree
05:48:23 Nick: couple parts of HTTPS transport may include serialization.
05:48:38 send WebAuthn structures up to server for checking other operations.
05:49:02 James: looking at base64 and...
05:49:11 ...configuration is key
05:49:33 ...need pairing. for phishing resistance
05:50:02 having a crypto channel between channel binding and authenticator is a must
05:50:30 ...Proposal: WebAuthn JSON via HTTP
05:50:42 ...should it CTAP
05:51:15 ...proposal: CBOR via CTAP or HTTP
05:51:32 ...not big on this idea.
05:51:54 Nick: one other idea, if HTTPS is too prescriptive.
05:52:09 ...we think browser can reflect transport in a more generic way.
05:52:38 we would allow APIs that extensions could register with.
05:52:45 ...this idea is not fully fleshed out.
05:52:52 James showing demo.
05:54:30 ...demo over
05:54:50 JeffH: are you going to make your write-up public?
05:54:53 Nick: yes.
05:55:20 James: reason we decided to keep this session is to get feedback
05:55:42 James: we know there are issues with network stuff
05:56:06 JeffH: phishing resistance of WebAuthn, it is not just origin scoping. it is more with a cryptographic protocol.
05:56:28 ...nothing you can do to get something to replay and act as user.
05:56:35 ...you can man-in-the-middle this pairing.
05:56:48 JeffH on white board
05:57:57 JeffH: from our perspective this is a non-starter, it is phishable.
05:59:13 ...origin stuff - scoping and proximity, are required together for registration. otherwise, you get in a phishable situation
06:00:50 Nick: the architecture is not allowing a web site to talk to your mobile device.
06:01:02 ...we think we address your concern
06:01:27 Nick: in a normal case, users have authenticator and mobile device.
06:01:55 ...our proposal. we allow users to pass a message
06:02:20 ...the service on the network is some separate site that passes messages between browser and mobile authenticator
06:02:24 JeffH: why?
06:02:41 ...I could create a message passer
06:02:57 Nick: we are using a QR code to establish a channel to message passer
06:03:09 ...the passer can deny, but can't inspect content
06:03:41 jbradley: biggest issue with QR code - it is uni-directional. so no bi-directional
06:03:56 ...between user agent and third party is addressed by protocols
06:04:03 ...this is about using CTAP
06:04:32 JeffH: we have thinking on this.
06:04:59 ...we think we can use caBLE to help establish the binding. then you can use standard transport for Duo proposed transport
06:05:08 Nick: we agree
06:06:52 JeffH: key thing here; server and the laptop and the phone. security is here.
06:07:09 ...don't have to do over Bluetooth. can go over USB
06:07:17 ...but phone and laptop need to talk to each other.
06:07:44 JeffH: we have boiled caBLE to phone and laptop pairing.
06:07:57 ...don't do the round trip
06:08:14 ...the connection is bi-directional and encrypted.
06:08:58 jbradley: figuring this out, the HTTPS then may be of equivalent security.
06:09:24 JeffH: we are looking at caBLE in this context.
06:09:55 jbradley: need to include CTAP in this. you want to take advantage of WebAuthn to the platform and allow CTAP to talk over transport.
06:10:06 ...messing with this is more trouble than it is worth.
06:10:50 ...there are a bunch of things going on here.
06:11:04 Nick: we can't rely on a platform. we run on the web.
06:11:41 JeffH: this distinction is nailed down in the spec. it is called client platform.
06:12:00 ...our beef is making sure the binding is secure.
06:12:19 James: we want to increase adoption.
06:13:00 ...we want to support as many use cases as possible
06:13:07 JeffH: we like that idea
06:13:24 Nick: want to show there are some things broken and we can fix them.
06:14:23 Gerhard: our ideal scenario is you can take a FIDO token and use it anywhere.
06:18:24 JeffH: I want to use the term binding, not pairing.
06:19:22 Gerhard: I just want to say, once I pair and have a session, I want to reach out to a phone in a trusted way.
06:19:54 ...it is not always user initiated. but once I have consent, I want to reach out for a new cryptogram
06:20:04 jbradley: this is not really what this is for.
06:21:13 ...you are talking binding of platform authenticator...
06:21:55 Nick: your use case scenario is not enabled by this
06:23:58 Benjamin: looking at FIDO for web payments and the adoption is not here. this looks interesting.
06:24:32 jbradley: but this is designed to not have a plug-in.
06:28:39 jbradley: deal with this as a transport and let the platform negotiate for the transport.
06:29:25 ...I would lean toward defining it in the spec, and let the client platform do its end of it.
06:32:46 JeffH: we want this to just work
06:32:52 James: that is what we want also.
06:49:13 I have made the request to generate https://www.w3.org/2019/09/18-webauthnnetwork-minutes.html wseltzer
07:50:14 Meeting: WebAuthn Network Transport Unconference Discussion