Meeting minutes
Charter
wseltzer: just getting the final comments from team for Director review, should go to AC review soon
PRs
elundberg: Most of my PRs, waiting review from JeffH
… PR 1660, I'm not sure whether it's good. Thoughts?
… please review
https://
sbweeden: I'll review
agl: I just clicked approve
sbweeden: "chosen by authenticator or client"?
agl: "not chosen by RP"?
jfontana: https://
elundberg: this was just a bikeshed warning fix
… to fix the dictionary
jfontana: https://
elundberg: waiting for Jeff
… as is 1621
sbweeden: it was waiting on a different PR
elundberg: and the other is now ready to be merged
… I'll merge 1649 into this branch, as it was all approved
jfontana: Now to issues
… https://
akshay: no objection from me, want to hear from Mozilla
jfontana: needs more input
dveditz: I'd have to go back to those who commented
agl: I think the objection then was to lack of use case
dveditz: I'll ask. Spec doesn't like to make UI prescription, but so long as it's clear to the user
agl: we're assuming we can convey to user cross-origin communication
… for federation, as well as for this
dveditz: similar issue with OAuth in frames vs popups
jfontana: 1657
… let's update
… 1658
agl: device-bound keys, from another issue
… value of sites being able to have concept of "same device"
… as a signal to risk engine
… I retired a previous issue on the same topic
jfontana: leave open for some discussion?
agl: we'll likely start with 1637 first
jfontana: 1659
agl: elundberg's PR will close this when landed
jfontana: 1662
jfontana: 1640?
akshay: just gathering feedback. Will remain there for a while. Mark as L3
jfontana: 1639
agl: likely addressed by 1637
jfontana: 1630
… hearing no objections to closing
jfontana: 1617
agl: question of what value to pick, if we think there should be a max credential ID length
elundberg: no bigger than fits in CTAP
agl: I'll address
jfontana: 1612
akshay: can close
agl: scope as device vs app
davidwaite: how does this work with caBLE?
agl: phone authenticator, a device with app-scoped keys would use a different key for app vs web
davidwaite: viable cross-device?
agl: what app is caBLE? that's up to the implementation
jbradley: I'd prefer not to have to support it on roaming authenticators
jfontana: longer discussion, let's keep it open
[adjourned]