IRC log of wpwg-spc on 2021-08-30
Timestamps are in UTC.
- 15:58:22 [RRSAgent]
- RRSAgent has joined #wpwg-spc
- 15:58:22 [RRSAgent]
- logging to https://www.w3.org/2021/08/30-wpwg-spc-irc
- 15:58:26 [Ian]
- Meeting: SPC Task Force
- 15:58:28 [Ian]
- Chair: Ian
- 15:58:34 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0039.html
- 15:58:44 [Ian]
- Scribe: Ian
- 15:58:46 [Ian]
- present+
- 15:58:58 [Ian]
- present+ John_Bradley
- 16:00:10 [Ian]
- present+ Gerhard_Oosthuizen
- 16:01:04 [Ian]
- present+ Clinton_Allen
- 16:01:17 [Ian]
- present+ Doug_Fisher
- 16:01:40 [clinton]
- clinton has joined #wpwg-spc
- 16:02:38 [Ian]
- present+ Bastien_Latge
- 16:02:48 [Ian]
- present+ Susan_Pandy
- 16:03:12 [Ian]
- Topic: Pull request 120
- 16:03:17 [Ian]
- Ian: Ok @goosth?
- 16:03:30 [Ian]
- present+ Michel_Weksler
- 16:03:32 [mweksler]
- mweksler has joined #wpwg-spc
- 16:03:48 [Ian]
- present+ Adrian_Hope-Bailie
- 16:04:08 [Ian]
- Topic: Editor thanks!
- 16:04:21 [Ian]
- present+ Stephen_McGruer
- 16:05:02 [Ian]
- FPWD is tomorrow!
- 16:05:30 [Ian]
- Topic: Chrome updates?
- 16:06:00 [Ian]
- Stephen: Chatted with WebAuthn WG last week; expect more discussion next week. No actions yet.
- 16:06:19 [Ian]
- ...we have filed an intent to ship in 95; not a guarantee but we hope to have it there.
- 16:06:33 [Ian]
- John_Bradley: M95 where?
- 16:06:37 [Ian]
- Stephen: MacOS and Windows
- 16:07:03 [Ian]
- John_Bradley: How are you doing it on Windows? WebAuthn.dll v1 doesn't have any way to track cross-origin flag.
- 16:07:30 [Ian]
- ...the question is: how does the platform authenticator differentiate SPC v other FIDO credentials?
- 16:07:35 [jonathan__]
- jonathan__ has joined #wpwg-spc
- 16:07:47 [jonathan__]
- present+
- 16:07:50 [Ian]
- Stephen: I don't think today it's the job of the platform authenticator. We have a local browser list implementation today (not the long-term plan)
- 16:08:30 [Ian]
- present+ Sameer_Tare
- 16:08:58 [Ian]
- Stephen: Temporary in-browser storage today; various proposals being discussed (e.g., CTAP, or discoverable credentials)
- 16:09:43 [Ian]
- John_Bradley: Windows doesn't have non-discoverable credentials.
- 16:10:32 [Ian]
- ..in principle SPC credentials are non-discoverable
- 16:10:38 [Ian]
- Stephen: Yes, when used in a 3p context
- 16:11:14 [Ian]
- IJ: What does the spec need to say?
- 16:11:49 [Ian]
- Stephen: I was waiting to chat with WebAuthn folks before adding some info to the spec.
- 16:11:58 [Ian]
- John_Bradley: LargeBlob is a viable option.
- 16:12:45 [Ian]
- ...best thing is to have an extension IMO and store information in authenticator.
- 16:13:00 [Ian]
- ...could be a WebAuthn extension (inherited by CTAP)
- 16:13:24 [Ian]
- ...there's no reason the extension couldn't also be passed to the authenticator
- 16:13:37 [Ian]
- ...the question is how the authenticator tells the platform that it is one kind of credential or another
- 16:14:00 [Ian]
- Stephen: Long term, what I'm hoping to do is that the necessary APIs for conditional UI should enable this use case.
- 16:14:25 [Ian]
- ...what we need is the ability to say "Does this credential match?" without a user interaction....
- 16:15:38 [Ian]
- AdrianHB: Is our use case in front of conditional UI folks?
- 16:15:42 [Ian]
- Stephen: Yes from Google side
- 16:16:04 [Ian]
- John_Bradley: People aren't necessarily thinking how this will work with caBLE
- 16:16:37 [Ian]
- ...how do private APIs talk to internal authenticator....we need to think about how this works with roaming authenticators
- 16:16:47 [Ian]
- Stephen: I agree.
- 16:16:55 [Gerhard_]
- Gerhard_ has joined #wpwg-spc
- 16:17:14 [Ian]
- ...what I'm hoping to see is that, with this initial version, we will prove the value and then we extend to roaming, caBLE, etc.
- 16:18:13 [Ian]
- q?
- 16:19:04 [Gerhard_]
- question: Will SPC work across all Platform Authenticators today (WebAuthn Level 1)
- 16:19:43 [Ian]
- Gerhard: Will M95 work on Android?
- 16:20:07 [Ian]
- ...will M95 work on existing Windows and MacOS versions shipping today?
- 16:20:36 [Ian]
- Stephen: Windows and MacOS work today with existing libraries
- 16:20:49 [Ian]
- ..but we are waiting for Android to add discoverable credentials before we support SPC on Android
- 16:21:05 [Ian]
- Ian: What is that timeline?
- 16:22:08 [Ian]
- Topic: Issue 101: Proposal: support data URIs for card art icons
- 16:23:18 [Ian]
- Ian: Doug indicated it probably suffices to hash the URL (not the data)
- 16:23:52 [Ian]
- Stephen: Current implementation is to sign the URL.
- 16:24:05 [Ian]
- John: The authenticator signs a hash of client data.
- 16:24:18 [Ian]
- Stephen: Cripes! You're right!
- 16:25:09 [Ian]
- AdrianHB: We don't have to hash the data, but we should sign the image data (e.g., base 64). You don't need to hash it.
- 16:25:34 [Ian]
- John: Put the information in client data (e.g., base 64 url encoded or whatever)
- 16:25:47 [Ian]
- Stephen: It does mean that whatever has to be sent to the RP may be quite large
- 16:26:04 [Ian]
- ...what is the hash algo in WebAuthn?
- 16:26:17 [Ian]
- John_Bradley: SHA256. Just the one algorithm.
- 16:27:25 [Ian]
- Stephen: the original problem is that I thought the authenticator would not like the large blob, not realizing that it would be hashed before hitting the authenticator. Sorry about that!
- 16:27:36 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/08/30-wpwg-spc-minutes.html Ian
- 16:28:26 [Ian]
- Stephen: So first problem not a problem.
- 16:28:40 [Ian]
- John_Bradley: The RP should have the image. They keep the challenge. Why can't they keep the image?
- 16:29:08 [Ian]
- Stephen: So "URL or image data"?
- 16:30:37 [Ian]
- John_Bradley: Signing over URL probably not useful for embedded flows. The Verifier doesn't know what the URL pointed to.
- 16:32:38 [Ian]
- John_Bradley: What was the feedback from Apple and Firefox on displaying image URLs in this as opposed to structured data?
- 16:32:58 [Ian]
- ...somebody else could use this API for displaying arbitrary (nefarious) images
- 16:33:10 [Ian]
- ..if it's an image URL, people will try to use it to sign for property purchases or other things
- 16:33:31 [Ian]
- Stephen: Hoping to get more input from Mozilla and Apple.
- 16:33:52 [Ian]
- ..regarding URL...it's just to an image
- 16:33:58 [Ian]
- John_Bradley: Ah, ok
- 16:34:17 [Ian]
- ..this is just for confirmation of what card image was used.
- 16:34:24 [Ian]
- Stephen: I suspect RPs will not check this field.
- 16:34:30 [Ian]
- John_Bradley: Agreed.
- 16:35:00 [Ian]
- ..if just the card image, just sign a hash of the argument that was passed.
- 16:35:11 [Ian]
- ...let the RP cache that.
- 16:35:38 [Ian]
- Topic: Next meeting 13 September
- 16:35:41 [Ian]
- (No meeting on the 6th)
- 16:36:23 [Ian]
- RRSAGENT, make minutes
- 16:36:23 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/08/30-wpwg-spc-minutes.html Ian
- 16:36:27 [Ian]
- RRSAGENT, set logs public
- 18:32:33 [Ian]
- zakim, bye
- 18:32:33 [Zakim]
- leaving. As of this point the attendees have been Ian, John_Bradley, Gerhard_Oosthuizen, Clinton_Allen, Doug_Fisher, Bastien_Latge, Susan_Pandy, Michel_Weksler,
- 18:32:33 [Zakim]
- Zakim has left #wpwg-spc
- 18:32:35 [Ian]
- rrsagent, bye
- 18:32:35 [RRSAgent]
- I see no action items