18:44:04 <RRSAgent> RRSAgent has joined #webauthn
18:44:04 <RRSAgent> logging to https://www.w3.org/2021/06/16-webauthn-irc
18:44:05 <Zakim> RRSAgent, make logs Public
18:44:07 <Zakim> Meeting: Web Authentication WG
18:44:12 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Jun/0059.html
18:56:35 <matthewmiller> matthewmiller has joined #webauthn
18:59:57 <jfontana> jfontana has joined #webauthn
19:00:23 <elundberg> elundberg has joined #webauthn
19:01:08 <jfontana> present+
19:01:28 <selfissued> selfissued has joined #webauthn
19:02:14 <selfissued> present+
19:02:41 <nsteele> nsteele has joined #webauthn
19:02:43 <matthewmiller> present+
19:02:48 <nsteele> present +
19:05:57 <jeffh> present+
19:08:01 <jfontana> agl: Google put out its latest plan that will come to a github issues in a few weeks.
19:08:14 <dveditz> dveditz has joined #webauthn
19:08:23 <dveditz> present+
19:08:28 <jfontana> tony: once in form of an issue, we can crank up meeting times a bit.
19:08:54 <jfontana> https://github.com/w3c/webauthn/pull/1621
19:08:57 <jeffh> what agl referred to: https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/go6GoFW27Dw
19:09:57 <jfontana> elundberg: I don't the modify parameters is in scope.We can make other pieces more clear.
19:10:32 <jfontana> ...i have re-writtend soem to make them more clear from RP and client authenticator
19:10:47 <jfontana> ...nothing here that are new requirements.
19:11:15 <jfontana> tony: reviewers?
19:11:28 <wseltzer> present+
19:11:36 <jfontana> shane: will review
19:11:55 <jfontana> aksahy: will review
19:12:02 <jfontana> https://github.com/w3c/webauthn/pull/1615
19:13:38 <jfontana> selfissue: I can look at this during call
19:13:53 <jfontana> https://github.com/w3c/webauthn/pull/1576
19:14:13 <jfontana> jeffH: this is ongoing. it is  draft.
19:14:24 <jfontana> https://github.com/w3c/webauthn/pull/1425
19:14:51 <jfontana> elundberg: waiting on other issues, multiple keys, FIDO discussion
19:15:24 <jfontana> jeffH: this will come to W3C soon-ish on two key issue in WEb authn context.
19:15:54 <jfontana> ...continuity signal is how we think this will work. its a platform authenticator
19:16:35 <jfontana> agl: more depth will come. two keys is part of this, b ring back some of the hardware backed properties.
19:16:47 <jfontana> ...it is different than backing up keys, it is agument of that
19:17:14 <jfontana> DWaite: this is an extension.
19:17:29 <jfontana> agl: yes, extenstions are optional. need to prepare to accept.
19:17:39 <jfontana> ...two key would not come unsolicited
19:17:44 <jeffh> apple's "move beyond passwords"  WWDC talk: https://developer.apple.com/videos/play/wwdc2021/10106/
19:17:47 <jfontana> DWaite: concerned the other way
19:17:59 <jfontana> ....what if it does not come back with two keys
19:18:14 <jfontana> agl: this is in excess of what is there rigiht now. don't depend on second key
19:18:59 <jfontana> ...guidance, it is a risk signal
19:19:36 <jfontana> elundberg: R
19:19:55 <jfontana> ...RPs are expected to accept unsolicited extensions
19:20:23 <jfontana> ...our proposal has two options.
19:21:16 <jfontana> agl: for your context, maybe haredware bound key, that migth be way you would use it, don't see how it transports keys
19:21:42 <jfontana> elundberg: I meant delivering Key to RP
19:22:44 <jfontana> eluncberg: don't think recovery will be in near term. WE can wait for Google to come up with their scheme
19:23:37 <jfontana> https://github.com/w3c/webauthn/pull/1622
19:24:01 <jfontana> elundberg: large blob. I will look at the feedback.
19:25:00 <jfontana> https://github.com/w3c/webauthn/pull/1625
19:25:13 <selfissued> I'm good merging https://github.com/w3c/webauthn/pull/1615
19:28:23 <jfontana> https://github.com/w3c/webauthn/pull/1625
19:28:30 <jfontana> jeffH: merging
19:28:44 <jfontana> tony: matt can you merge #1625
19:30:21 <jfontana> matt: token binding it is unrecognized shape, what do you do?
19:30:47 <jfontana> agl: type errors are not called out in spec IDL takes care of that
19:30:55 <jfontana> ...not sure where these came from.
19:31:02 <jfontana> matt: they are very old, 3 years.
19:31:15 <jfontana> ...nothing is returning token binding these days.
19:33:26 <jfontana> tony: will leave token binding laying around
19:34:15 <jfontana> https://github.com/w3c/webauthn/issues/1620
19:34:35 <jfontana> tony: this is not a spec issue
19:34:41 <jfontana> ...how to handle
19:34:52 <jfontana> akshay: I will explain and likely close
19:35:36 <jfontana> DavV: itis firefox issue
19:36:00 <jfontana> https://github.com/w3c/webauthn/issues/1612
19:36:33 <jfontana> tony: this is deletion one; around for 4 weeks. no response. close?
19:36:39 <jfontana> elundberg: close
19:37:11 <jfontana> https://github.com/w3c/webauthn/issues/1624
19:37:51 <jfontana> agl: think this is CTAP/CBOR issue
19:39:38 <jfontana> tony: any issues to discuss
19:40:30 <jfontana> https://github.com/w3c/webauthn/issues/1618
19:40:52 <jfontana> elundberg; in past decided not to make a breaking change
19:41:00 <jfontana> ...is there more a case to re-consider
19:41:13 <jfontana> agl: this default is problematic in some scenarioes
19:42:02 <jfontana> ... there was misunderstanding if this was vulnerability - it seems it was not
19:42:23 <jfontana> agl: could set explicitly it to prefer
19:42:36 <jfontana> akshay: we needed some context where the user was
19:44:37 <jfontana> elundberg: we have the same resolution as before
19:44:47 <jfontana> selfissue: get the RPs to do the right thing here.
19:44:57 <jfontana> elundberg: I will update and close without comment.
19:48:33 <jfontana> agl: I will file an issue to get rid of token binding?
19:48:44 <jfontana> nSteele: I will work on PR.
19:50:51 <wseltzer> rrsagent, draft minutes
19:50:51 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/16-webauthn-minutes.html wseltzer
19:53:14 <dveditz> dveditz has joined #webauthn
19:53:58 <dveditz> dveditz has joined #webauthn