06:19:16 <RRSAgent> RRSAgent has joined #crossdevicesec
06:19:16 <RRSAgent> logging to https://www.w3.org/2021/10/20-crossdevicesec-irc
06:19:18 <dom> RRSAgent, stay
06:19:21 <dom> RRSAgent, make log public
13:28:18 <dwaite> dwaite has joined #crossdevicesec
13:52:47 <dj2> dj2 has joined #crossdevicesec
13:53:38 <Kristina> Kristina has joined #crossdevicesec
13:54:28 <dwaite> dwaite has joined #crossdevicesec
14:01:13 <wseltzer> wseltzer has joined #crossdevicesec
14:01:33 <Ian> Ian has joined #crossdevicesec
14:01:54 <Rolf> Rolf has joined #crossdevicesec
14:02:09 <kleber> kleber has joined #crossdevicesec
14:02:21 <weiler> weiler has joined #crossdevicesec
14:02:48 <Zakim> Zakim has joined #crossdevicesec
14:03:51 <yigu> yigu has joined #crossdevicesec
14:04:09 <wseltzer> scribenick: wseltzer
14:04:10 <kris_chapman_> kris_chapman_ has joined #crossdevicesec
14:04:13 <russStringham> russStringham has joined #crossdevicesec
14:04:43 <bmay> bmay has joined #crossdevicesec
14:05:37 <Ian> (Noting for the record that there is not a desire to record)
14:05:57 <j_pascoe> j_pascoe has joined #crossdevicesec
14:06:13 <wbaker> wbaker has joined #crossdevicesec
14:06:14 <wseltzer> timcappalli: [shows a screen with linking devices via QR code]
14:06:25 <wseltzer> ... cross-device flow
14:06:34 <wseltzer> ... user has a phone and a laptop/desktop
14:06:48 <wseltzer> ... try to access desktop resource, are presented with a QR code
14:07:01 <wseltzer> ... TLS cert validation has succeeded for origin in their browser
14:07:08 <wseltzer> ... User opens phone (camera or wallet)
14:07:52 <wseltzer> ... thinking generically of "wallet"
14:08:01 <Ian> [Payment apps are another instance of wallet]
14:08:14 <wseltzer> ... bucket of credentials
14:08:34 <wseltzer> ... QR could contain request or point the device to a request object elsewhere
14:08:43 <Kristina> SIOP stands for self-issued openid provider
14:08:47 <wseltzer> ... could be like OIDC
14:08:53 <Kristina> https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html
14:09:30 <wseltzer> ... wallet needs to get user consent: "do you want to respond to this request?"
14:10:08 <wseltzer> ... today, browser posts back, without binding
14:10:20 <wseltzer> ... that's where the security model has a gap
14:10:48 <wseltzer> KristinaYasuda: mitigations we've been discussing with different communitieis
14:11:14 <wseltzer> ... OpenID foundation, Mobile Driving License (MDL), OAuth flows
14:11:45 <wseltzer> .. First mitigation: when user is asked for consent, show user from where request comes, where it goes
14:12:09 <wseltzer> ... if bad acto phishes the request, won't match. Up to the user to note the mismatch
14:12:52 <wseltzer> ... Next consideration: use proximity to check
14:13:01 <wseltzer> s/.. First/... First/
14:13:20 <wseltzer> ... make sure QR code and scanning device are close enoug
14:13:24 <dwaite> +1 Ian - I'd say WebAuthn, payments, mDL, OIDC/WebID2020, OAuth Device flow. Payments, authn, and derivatives (authz, attributes)
14:13:48 <wseltzer> ... IP addresses aren't necessarily useful
14:14:04 <wseltzer> ... enterprise could say "both devices on trusted network"
14:14:24 <wseltzer> ... limitation, e.g., if onboarding new device; on public network
14:14:34 <wseltzer> ... user cooperating with attacker, in proximity
14:15:25 <wseltzer> ... using WebAuthn, assuring user has control of private key,
14:15:51 <dwaite> WebID2020 -> Federated Credential Management API (forgot the name there for a moment)
14:16:07 <wseltzer> ... Another, something shared, PIN or OTP
14:16:22 <wseltzer> ... user sees something on screen, types it on mobile
14:16:28 <weiler> q+
14:17:07 <wseltzer> ... biometrics, where device displaying QR captures biometric
14:17:21 <wseltzer> ... locally, device compares for match
14:17:58 <wseltzer> ... Just some ideas for sharing, want to open for discussion
14:18:29 <wseltzer> ack weiler
14:18:49 <wseltzer> weiler: can you restate problem statement?
14:19:42 <dwaite> q+
14:19:43 <wseltzer> Kristina: User tries to log in to device with QR code. Attacker could screenshot the QR code
14:19:46 <Rolf> q+
14:20:06 <wseltzer> ... log in to website, using laptop
14:20:09 <Ian> ack dwa
14:20:10 <wseltzer> ack next
14:20:12 <reillyg> reillyg has joined #crossdevicesec
14:20:13 <wseltzer> q+ Rolf
14:20:21 <kenrb> kenrb has joined #crossdevicesec
14:20:37 <wseltzer> dwaite: I'm on a device; the credentials or payment are released by another device
14:20:47 <reillyg> q+
14:20:48 <wseltzer> ... there's no channel (yet)
14:20:55 <kris_chapman_> q+
14:20:58 <wseltzer> ... so if the user doesn't verify htey're interatcting with the right site
14:21:10 <wseltzer> ... the credentials/payment could be sent to the wrong site
14:21:32 <wseltzer> ... in FIDO-land, CABle
14:22:04 <wseltzer> ... trying to understand commonalities, for single solution
14:22:05 <Kristina> caBLE
14:22:15 <wseltzer> s/CABle/caBLE/
14:22:38 <wseltzer> tim: New TC at OASIS looking at QR code phishing
14:23:11 <wseltzer> Rolf: authenticate a session with a separate device
14:23:17 <wseltzer> ... need migration
14:23:27 <wseltzer> ... roaming authenticators in FIDO-land
14:23:54 <wseltzer> ... out-of-band authentication, many of the solutions are phishable
14:24:05 <wseltzer> s/solutions/proposed solutions/
14:24:06 <dwaite> CaBLE - cable-equivalent security for talking to CTAP 2 authenticators over BLE. The idea being then you have the same phishing resistance of WebAuthn when interacting with detached hardware
14:24:10 <Jemma__> Jemma__ has joined #crossdevicesec
14:24:30 <wseltzer> ... you can't make QR codes unphishable for session authentication
14:24:49 <wseltzer> ... in payment situation, you typically see the transaction text
14:25:30 <Joshua_112> Joshua_112 has joined #crossdevicesec
14:25:43 <weiler> q+
14:25:58 <Ian> ack rolf
14:26:29 <wseltzer> ... caBLE tries to build communication channel back to browser
14:26:59 <wseltzer> tim: another complicating dimension is there's no existing relationship between devices
14:27:24 <dwaite> +q
14:27:30 <wseltzer> ack reillyg
14:27:53 <wseltzer> reillyg: is caBLE the obvious solution?
14:28:09 <wseltzer> tim: we think it is, want to hear the use cases
14:28:18 <wseltzer> ... caBLE v2 isn't yet a public spec
14:28:49 <wseltzer> ... talk about MDL, passports
14:29:03 <wseltzer> Kristina: if you think caBLE v2 is the solution, let us know
14:29:06 <weiler> [Where are the problem statement and use cases documented?]
14:29:25 <wseltzer> Rolf: how many of the PCs these days support Bluetooth practically, enabled?
14:29:44 <wseltzer> tim: don't know offhand
14:30:41 <Kristina> q+
14:30:42 <wseltzer> ... fragmentation in hardware and stack
14:30:48 <Kristina> q-
14:31:03 <wseltzer> kris_chapman_: seen Salesforce clients with this situation,
14:31:18 <wseltzer> ... e.g. using QR codes for service appointments, to check-in
14:31:29 <wseltzer> ... Companies using for employee attendance or badges
14:31:37 <wseltzer> q?
14:31:39 <wseltzer> ack kris_chapman_
14:31:53 <wseltzer> tim: the reverse, taking the artifact with you?
14:32:09 <wseltzer> kris_chapman_: the QR code will go to the client, they scan their own code at the appointment
14:32:23 <wseltzer> ack weiler
14:32:35 <wseltzer> weiler: where's the problem statement and use cases documented?
14:32:40 <Ian> +1 to a use cases discussion
14:32:51 <wseltzer> ... that would help us to know as community
14:33:14 <wseltzer> tim: we'll take that as one of the outcomes of this call
14:33:36 <wseltzer> Kristina: where's a good place to host such a document?
14:34:04 <wseltzer> tim: could be a github document
14:34:12 <wseltzer> reillyg: or MSedge explainers
14:34:23 <Ian> [No GitHub pref]
14:34:48 <wseltzer> weiler: when you have something, you can poke the public-web-security mailing list
14:34:54 <Ian> [Also send notice to public-payments-wg@w3.org for awareness of payments use cases]
14:35:05 <wseltzer> dwaite: think about what makes it easy for people to contribute
14:35:08 <Kristina> q?
14:35:13 <wseltzer> ack dw
14:35:24 <wseltzer> dwaite: +1 to weiler re documenting use cases
14:35:29 <Ian> [Payments folks have also had intermittent discussion of QR codes, see => https://github.com/w3c/webpayments/wiki/QR_2020]
14:35:30 <bmay> q+
14:35:33 <wbaker> q?
14:35:43 <wseltzer> ... I'd be happy to help contribute
14:35:46 <wbaker> q+
14:35:56 <Jemma> present+
14:36:01 <Ian> present+
14:36:04 <wseltzer> ... is this payments, establish relationships, single transaction?
14:36:21 <wseltzer> ... e.g. MDL presentation, is brand new set of prompts every time
14:36:59 <wseltzer> ... payments, authentication, delegated authz, VC,
14:37:05 <Kristina> q?
14:37:16 <wseltzer> ... trust relationship between devices, sometimes transactional
14:37:27 <wseltzer> ... could be possiblity of other use cases like info-sharing across sessions
14:37:30 <Rolf> q+
14:37:40 <wseltzer> ack bm
14:38:02 <wseltzer> bmay: in lots of groups using github
14:38:10 <Kristina> q?
14:38:30 <wseltzer> Rolf: use cases: for me it's transactional things, e.g. sharing health data with hospital X
14:38:41 <wseltzer> ... description that user can undersatnd, bound to the approval
14:38:46 <wseltzer> ... different from session identifier
14:38:53 <reillyg> The MSEdgeExplainers repository is a GitHub repository: https://github.com/MicrosoftEdge/MSEdgeExplainers
14:38:58 <Jemma> +1 for using w3c github
14:39:12 <wseltzer> ... security considerations different
14:39:17 <wseltzer> ack wb
14:39:26 <wseltzer> wbaker: IPR protection aspect is the value
14:39:52 <wseltzer> ... are we covered in what will happen eventually
14:40:21 <wseltzer> ... value in making sure IPR is traceable
14:40:29 <wseltzer> q+
14:40:41 <weiler> scribe+
14:40:55 <weiler> wendell: GH is great.  tying it to w3c IPR is the value.
14:40:56 <wseltzer> wbaker: tying to W3C IPR policy is valuable
14:41:05 <Kristina> q?
14:41:07 <Jemma> +1 to wbaker
14:41:11 <weiler> ... don't walk about it here and then move it elsewhere, where coverage is ambiguous.
14:41:15 <weiler> s/walk/talk/
14:41:42 <weiler> tim: any precedence for a use case doc?
14:41:46 <Ian> scribenick: Ian
14:41:52 <weiler> wendy: fine use case for.a CG.
14:42:01 <weiler> s/precedence/precedent/
14:42:15 <wbaker> Wendy stewards ADBG with is full of use case documents!
14:42:16 <weiler> wendy: that has CLA and IPR tracking, and can go to other w3c groups or elsewhere.
14:42:35 <weiler> tim: I fear mtg fatigue and spinning up CGs.  We can do a CG w/o mtgs?
14:42:43 <weiler> wendy: yes
14:43:00 <Kristina> q?
14:43:06 <wseltzer> q-
14:43:08 <wseltzer> ack Rolf
14:43:23 <weiler> tim: others like CGs?
14:43:28 <weiler> [resounding yes]
14:43:46 <Kristina> q?
14:43:52 <weiler> scribe-
14:44:03 <Kristina> q?
14:44:09 <bmay> q+
14:44:40 <Jemma> good question, Ian.
14:44:40 <wseltzer> Ian: where can we learn more about caBLE v2, when would it become public?
14:44:50 <wseltzer> tim: it's in private development, woudl come to FIDO Alliance
14:45:29 <dwaite> +q
14:45:42 <wseltzer> Ian: we have Web Payments Security IG, not publicly minuted. If you'd like a payments-focused audience, I invite you to share there
14:45:44 <Ian> Ian: Ping me for WPSIG review of a use cases doc
14:46:02 <wseltzer> tim: will communicate on public-web-security
14:46:03 <weiler> public-web-security@w3.org
14:46:07 <wseltzer> q?
14:46:29 <wseltzer> Kristina: next step, to compile use cases document
14:46:44 <wseltzer> bmay: is there a link for more background?
14:46:56 <wseltzer> tim: not concisely
14:47:10 <wseltzer> ... caBLE v1 is in WebAuthn GH issue
14:47:32 <wseltzer> dwaite: caBLE is about channel, not CTAP specific
14:48:03 <Kristina> https://bitbucket.org/openid/connect/issues/1269/add-security-considerations-for-cross
14:48:18 <dwaite> q-
14:48:26 <wseltzer> ack bm
14:48:27 <Kristina> https://bitbucket.org/openid/connect/issues/1273/mitigating-security-risk-by-using-webauthn
14:48:32 <weiler> https://lists.w3.org/Archives/Public/public-web-security/
14:48:38 <Ian> [The Web Security IG is closed but apparently the list lives on => https://www.w3.org/Security/wiki/IG ]
14:48:52 <Kristina> q?
14:49:27 <Sarah> Sarah has joined #crossdevicesec
14:50:17 <wseltzer> rrsagent, draft minutes
14:50:17 <RRSAgent> I have made the request to generate https://www.w3.org/2021/10/20-crossdevicesec-minutes.html wseltzer
14:50:22 <wseltzer> rrsagent, make logs public
15:03:52 <Sarah_> Sarah_ has joined #crossdevicesec
15:13:12 <j_pascoe> j_pascoe has joined #crossdevicesec
15:26:33 <reillyg> reillyg has left #crossdevicesec
16:28:39 <dom> RRSAgent, bye
16:28:39 <RRSAgent> I see no action items