RE: 3/23/2016 W3C Web Authentication Agenda

Verifying an attestation can happen many many many ways; it’s our job in the security considerations section to call out that the attestations should be verified but not the specific means, as that is out of scope. The Metadata service is out of scope as you point out there can be many many many different ways to build a metadata service for attestation verification.

From: Adam Powers [mailto:adam@fidoalliance.org]
Sent: Wednesday, March 23, 2016 9:49 AM
To: Le Van Gong, Hubert <hlevangong@paypal.com>; Anthony Nadalin <tonynad@microsoft.com>
Cc: W3C Web Authn WG <public-webauthn@w3.org>; J.C. Jones <jjones@mozilla.com>
Subject: RE: 3/23/2016 W3C Web Authentication Agenda

Doesn’t it apply to the relying parties that would be consuming the Web Authentication APIs, such as the algorithm outlined in Section 3.5: Verifying an Attestation Statement?

I just realized that I should point out that the metadata service isn’t required to be run by FIDO — we have one instance, and others can set up their own (and I’ve heard rumors of that happening). I wouldn’t want this to be perceived as a FIDO-only service.




On March 23, 2016 at 9:42:30 AM, Anthony Nadalin (tonynad@microsoft.com) wrote:
It’s not a W3C thing or requirement, the specifications function w/o the metadata service. We can discuss if this is needed for “FIDO” over in FIDO.

From: Le Van Gong, Hubert [mailto:hlevangong@paypal.com]
Sent: Wednesday, March 23, 2016 9:38 AM
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: J.C. Jones <jjones@mozilla.com>; W3C Web Authn WG <public-webauthn@w3.org>
Subject: Re: 3/23/2016 W3C Web Authentication Agenda

Understood but then the question is whether we lose any functionality by dropping the MD service (required or optional)…?

Thanks,
Hubert

---
Hubert A. Le Van Gong
Product & Ecosystem Security
PayPal
+1 408 601-9622
hlevangong@paypal.com



On Mar 23, 2016, at 9:12 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

We should really drop any references to the FIDO metadata service, it’s not required and it is a FIDO run service.

From: J.C. Jones [mailto:jjones@mozilla.com]
Sent: Tuesday, March 22, 2016 5:57 PM
To: W3C Web Authn WG <public-webauthn@w3.org>
Subject: Re: 3/23/2016 W3C Web Authentication Agenda

All,
As promised, a PR for the more-generic naming is posted. It has some whitespace changes in it as well, so I recommend reviewing using this URL that sets w=1:

https://github.com/w3c/webauthn/pull/48/files?w=1

Generally, the following substitutions were made:

  *   Extensions were renamed from "fido." to "webauth."
  *   CredentialType "FIDO" was renamed to "ScopedUserCredential"
  *   "FIDO Authenticators" are now "WebAuth Authenticators"
  *   "FIDO Credential" and similar are now "Scoped Credential"
  *   "FIDO method" and similar are now "WebAuth method"
  *   "FIDO Relying Party" and similar are now just "Relying Party"
  *   The WebIDL DOM interface is now type "WebAuthentication" and named "webauth"

I did not attempt to change the OIDs, references to the ECDAA specification, or the FIDO Metadata Service (see Issue #47 <https://github.com/w3c/webauthn/issues/47>).

Cheers,
J.C.


On Tue, Mar 22, 2016 at 3:05 PM, Alexei Czeskis <aczeskis@google.com> wrote:
I think I promised to start doing the things that were marked as "do it" after the merge.  I'll try to get to some of those tonight.


Thanks!
-Alexei

________________
 . Alexei Czeskis .:. Securineer .:. 317.698.4740 .

On Tue, Mar 22, 2016 at 2:58 PM, Dirk Balfanz <balfanz@google.com> wrote:
Hi there,

I'm afraid I will have to miss certainly the beginning, if not all, of the call tomorrow.

As for the document merge, Jeff pulled the merged doc into master (source is index.src.html, output is index.html). Next step is to delete the three subdirectories webauthn-* (since they contain the old, unmerged sources) in master.

Dirk.

On Tue, Mar 22, 2016 at 9:50 AM Anthony Nadalin <tonynad@microsoft.com> wrote:
1. Roll Call
2. Agenda bashing
3. Document merge, status/update
4. Naming issues, update from JC
5. Walk the open issues list
7. A.O.B
8. Adjourn

Please let Richard or me know if there are any other items you would like to see on the agenda.

Received on Wednesday, 23 March 2016 16:56:02 UTC