IRC log of webauthn on 2021-09-08
Timestamps are in UTC.
- 19:00:03 [RRSAgent]
- RRSAgent has joined #webauthn
- 19:00:03 [RRSAgent]
- logging to https://www.w3.org/2021/09/08-webauthn-irc
- 19:00:06 [Zakim]
- RRSAgent, make logs Public
- 19:00:06 [Zakim]
- Meeting: Web Authentication WG
- 19:01:59 [wseltzer]
- wseltzer has changed the topic to: 8 September
- 19:02:12 [wseltzer]
- Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Sep/0010.html
- 19:02:15 [wseltzer]
- wseltzer has changed the topic to: 8 September: https://lists.w3.org/Archives/Public/public-webauthn/2021Sep/0010.html
- 19:02:43 [matthewmiller]
- matthewmiller has joined #webauthn
- 19:02:47 [matthewmiller]
- present+
- 19:03:07 [matthewmiller]
- Hmm, that's not it
- 19:03:35 [nsteele]
- nsteele has joined #webauthn
- 19:03:41 [nsteele]
- present+
- 19:04:04 [jfontana_]
- jfontana_ has joined #webauthn
- 19:04:13 [jfontana_]
- present+
- 19:05:13 [jfontana_]
- wendy: still under review for new charter
- 19:05:39 [jfontana_]
- tony: Pull requests
- 19:05:53 [jfontana_]
- https://github.com/w3c/webauthn/pull/1664
- 19:06:03 [elundberg]
- elundberg has joined #webauthn
- 19:06:06 [jfontana_]
- tony: has approval by reviewers. we can merge this?
- 19:06:13 [jfontana_]
- agl: I don't think we should rush
- 19:06:15 [nina]
- nina has joined #webauthn
- 19:06:20 [jfontana_]
- ...some open questions
- 19:06:48 [jfontana_]
- tony: let it hang
- 19:07:05 [jfontana_]
- agl: what should it be, should it be less than 1024
- 19:07:29 [jfontana_]
- selfissue: I agree it should be less
- 19:07:33 [jfontana_]
- agl: I will make the change.
- 19:07:47 [jfontana_]
- ...I will update and we can revisit
- 19:07:55 [jfontana_]
- tony: self issue will review
- 19:08:04 [jfontana_]
- selfissue: yes. with comment
- 19:08:44 [elundberg]
- present+
- 19:09:01 [jfontana_]
- agl: we need to define it, or someone else will
- 19:10:44 [jfontana_]
- shane: I have come across where the number is bigger
- 19:10:59 [jfontana_]
- ...very anecdotal, I don't have data
- 19:11:27 [jfontana_]
- akshay: I will look from MSFT side
- 19:11:32 [jfontana_]
- ...microsoft
- 19:11:59 [jfontana_]
- mattM: I left a comment, maybe needs followup
- 19:12:08 [jfontana_]
- agl: will revisit in a couple of weeks
- 19:12:18 [jfontana_]
- https://github.com/w3c/webauthn/pull/1668
- 19:13:33 [jfontana_]
- Zach: main reason is if site wants to use caBLE and the site realizes other transport options
- 19:13:47 [jfontana_]
- ...user can switch to other transport from caBLE.
- 19:13:59 [jfontana_]
- tony: akshay have you looked at it.
- 19:14:03 [jfontana_]
- akshay: no
- 19:14:12 [jfontana_]
- tony: emil have you looked at it.
- 19:14:48 [jfontana_]
- elundberg: are you looking for list of transports
- 19:14:53 [jfontana_]
- agl: how do we get that
- 19:15:07 [jfontana_]
- elundberg: from registration
- 19:15:14 [jfontana_]
- agl: what is the use case of a full list
- 19:16:08 [jfontana_]
- mattM: is this for RP to know when to prompt user to enroll a platform authenticator when available.
- 19:17:08 [jfontana_]
- ...feels strange. can they rely on only transports. there is divergence.
- 19:17:36 [jfontana_]
- agl: in the end the goal is to do smarter things.
- 19:17:49 [jfontana_]
- ...difference in design comes in difference of goal
- 19:18:50 [jfontana_]
- elundberg: can you tell which transport to use.
- 19:19:48 [jfontana_]
- shane: why attestation responses are a bunch of methods, where assertion you just access the data
- 19:19:53 [jfontana_]
- agl: it is web IDL rules.
- 19:22:10 [jfontana_]
- shane: I will open an issue and wait for a response.
- 19:23:29 [jfontana_]
- shane: well I do understand use case. I am OK here
- 19:23:50 [jfontana_]
- tony: shane can review
- 19:23:53 [jfontana_]
- shane: yes
- 19:24:29 [jfontana_]
- https://github.com/w3c/webauthn/pull/1663
- 19:25:21 [jfontana_]
- lundberg: still some issues. some open discussions
- 19:25:41 [jfontana_]
- https://github.com/w3c/webauthn/pull/1660
- 19:25:56 [selfissued]
- selfissued has joined #webauthn
- 19:26:02 [selfissued]
- present+
- 19:29:11 [jfontana_]
- tony: Stephen McGruer to talk about SPC Secure Payment Confirmation
- 19:29:18 [jfontana_]
- ...from Google
- 19:30:37 [jfontana_]
- akshay: why do we want to go beyond SPC.
- 19:30:49 [jfontana_]
- ... I can control the authentication.
- 19:31:05 [jfontana_]
- ...with this there will be a pop-up.
- 19:31:30 [jfontana_]
- ...i think all these have to be ok for platform and security keys
- 19:31:36 [jfontana_]
- ...user experience is a big deal for us.
- 19:31:59 [jfontana_]
- ...I want to keep the existing control. so no one can ask for creds on my site.
- 19:32:10 [jfontana_]
- ...can RP opt into these behaviors?
- 19:32:56 [jfontana_]
- ...the three levels. me as RP controls WebAuthn. second with iFrame. three can go cross origin.
- 19:33:05 [jfontana_]
- ...how do we do this?
- 19:33:23 [jfontana_]
- ...I am slightly concerned about user experience
- 19:33:41 [jfontana_]
- ...we still want to claim phishing resistance
- 19:34:33 [jfontana_]
- Christiaan: everything that works on the web, works with iFrames
- 19:34:43 [jfontana_]
- ...web authn credentials work fine in an iFrame
- 19:35:07 [jfontana_]
- ...I don't care about being embedded in iFrame all the time. we have said SPC can do some logic and credential time.
- 19:35:19 [jfontana_]
- ...it is an extension you set for how credential is used.
- 19:35:52 [jfontana_]
- ...akshay it sounds if we have opt out we should be good to proceed
- 19:36:18 [jfontana_]
- akshay: yes. there should not be any UI that comes up from RP. you have to opt in
- 19:38:26 [jfontana_]
- christiaan: this is only about internal keys. no other transport, but we could react that
- 19:38:52 [jfontana_]
- ...we could react to that.
- 19:39:12 [jfontana_]
- akshay: I am not comfortable to say we can figure it out now.
- 19:40:00 [jfontana_]
- christiaan: if there is something available in browser, then you can use it. we are not talking about all transports
- 19:41:04 [jfontana_]
- akshay: we still have reservations, what credential you use
- 19:41:28 [jfontana_]
- christiaan: given complexity, what we are planning to ship, we are not bringing in physical keys right now
- 19:41:44 [jfontana_]
- elundberg: if we do this layer, is it possible to support later.
- 19:41:46 [jfontana_]
- ?
- 19:42:36 [jfontana_]
- ...it may end up that we can't support external keys in the future. we need to consider that design
- 19:42:57 [jfontana_]
- christiaan: two things here. can you exercise credential in third party context.
- 19:43:14 [jfontana_]
- ...applies internal and external keys. that is out of scope of webauthn
- 19:43:51 [jfontana_]
- ...other; if we don't know about credential, in this case how do we prohibit browser to ask users to plug in security key
- 19:44:28 [jfontana_]
- ...this brings in complexity.
- 19:45:38 [jfontana_]
- sMcGruer: can't plug in authenticator because the browser does not know it
- 19:46:42 [jfontana_]
- ...we want to interrogate the credential in some way later
- 19:47:09 [jfontana_]
- christiaan: external case is lots of complexity, we have not had ask for that yet
- 19:48:16 [jfontana_]
- akshay: we need to think through this. the user experience and phishing - we have to design for the future and it may be acceptable there.
- 19:48:26 [jfontana_]
- christiaan: this will involve CTAP
- 19:49:26 [jfontana_]
- ...we are going ahead with our launch with the internal keys. we can talk external later.
- 19:49:39 [jfontana_]
- tony: circle about this after the in-person FIDO meeting.
- 19:51:27 [jfontana_]
- https://github.com/w3c/webauthn/pull/1621
- 19:51:39 [jfontana_]
- tony: this is emil
- 19:52:16 [jfontana_]
- tony: a few untriaged issues
- 19:52:37 [jfontana_]
- https://github.com/w3c/webauthn/issues/1666
- 19:53:05 [jfontana_]
- Zach: not ready
- 19:53:30 [jfontana_]
- https://github.com/w3c/webauthn/pull/1660
- 19:53:36 [jfontana_]
- tony: waiting for this to get done
- 19:54:30 [jfontana_]
- https://github.com/w3c/webauthn/issues/1657
- 19:54:51 [jfontana_]
- elundberg: I have not asked for review yet
- 19:55:44 [jfontana_]
- tony: in two weeks we will talk with internationalization folks.
- 19:56:19 [wseltzer]
- q+
- 19:56:52 [jfontana_]
- ...please look at the PRs #1664 #1643 #1642 #1646 for the Sept. 22 meeting
- 19:57:46 [wseltzer]
- q+
- 19:59:27 [jfontana_]
- tony: for TPAC, they want to talk about Web Payments, they have scheduled a meeting. Any reason not to schedule with Web Payments group.
- 20:00:17 [jfontana_]
- ...two hours each day.
- 20:00:50 [jfontana_]
- ...this is our off week.
- 20:00:56 [jfontana_]
- ...for web authn group
- 20:01:06 [jfontana_]
- ...it would be 8am in morning
- 20:01:12 [jfontana_]
- ...eastern time
- 20:38:03 [wseltzer]
- rrsagent, draft minutes
- 20:38:03 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/09/08-webauthn-minutes.html wseltzer
- 20:38:11 [wseltzer]
- chair: Nadalin, Fontana
- 20:38:15 [wseltzer]
- rrsagent, draft minutes
- 20:38:15 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/09/08-webauthn-minutes.html wseltzer
- 22:02:22 [Zakim]
- Zakim has left #webauthn