IRC log of webauthn on 2021-09-08

Timestamps are in UTC.

19:00:03 [RRSAgent]
RRSAgent has joined #webauthn
19:00:03 [RRSAgent]
logging to https://www.w3.org/2021/09/08-webauthn-irc
19:00:06 [Zakim]
RRSAgent, make logs Public
19:00:06 [Zakim]
Meeting: Web Authentication WG
19:01:59 [wseltzer]
wseltzer has changed the topic to: 8 September
19:02:12 [wseltzer]
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Sep/0010.html
19:02:15 [wseltzer]
wseltzer has changed the topic to: 8 September: https://lists.w3.org/Archives/Public/public-webauthn/2021Sep/0010.html
19:02:43 [matthewmiller]
matthewmiller has joined #webauthn
19:02:47 [matthewmiller]
present+
19:03:07 [matthewmiller]
Hmm, that's not it
19:03:35 [nsteele]
nsteele has joined #webauthn
19:03:41 [nsteele]
present+
19:04:04 [jfontana_]
jfontana_ has joined #webauthn
19:04:13 [jfontana_]
present+
19:05:13 [jfontana_]
wendy: still under review for new charter
19:05:39 [jfontana_]
tony: Pull requests
19:05:53 [jfontana_]
https://github.com/w3c/webauthn/pull/1664
19:06:03 [elundberg]
elundberg has joined #webauthn
19:06:06 [jfontana_]
tony: has approval by reviewers. we can merge this?
19:06:13 [jfontana_]
agl: I don't think we should rush
19:06:15 [nina]
nina has joined #webauthn
19:06:20 [jfontana_]
...some open questions
19:06:48 [jfontana_]
tony: let it hang
19:07:05 [jfontana_]
agl: what should it be, should it be less than 1024
19:07:29 [jfontana_]
selfissue: I agree it should be less
19:07:33 [jfontana_]
agl: I will make the change.
19:07:47 [jfontana_]
...I will update and we can revisit
19:07:55 [jfontana_]
tony: self issue will review
19:08:04 [jfontana_]
selfissue: yes. with comment
19:08:44 [elundberg]
present+
19:09:01 [jfontana_]
agl: we need to define it, or someone else will
19:10:44 [jfontana_]
shane: I have come across where the number is bigger
19:10:59 [jfontana_]
...very anecdotal, I don't have data
19:11:27 [jfontana_]
akshay: I will look from MSFT side
19:11:32 [jfontana_]
...microsoft
19:11:59 [jfontana_]
mattM: I left a comment, maybe needs followup
19:12:08 [jfontana_]
agl: will revisit in a couple of weeks
19:12:18 [jfontana_]
https://github.com/w3c/webauthn/pull/1668
19:13:33 [jfontana_]
Zach: main reason is if site wants to use caBLE and the site realizes other transport options
19:13:47 [jfontana_]
...user can switch to other transport from caBLE.
19:13:59 [jfontana_]
tony: akshay have you looked at it.
19:14:03 [jfontana_]
akshay: no
19:14:12 [jfontana_]
tony: emil have you looked at it.
19:14:48 [jfontana_]
elundberg: are you looking for list of transports
19:14:53 [jfontana_]
agl: how do we get that
19:15:07 [jfontana_]
elundberg: from registration
19:15:14 [jfontana_]
agl: what is the use case of a full list
19:16:08 [jfontana_]
mattM: is this for RP to know when to prompt user to enroll a platform authenticator when available.
19:17:08 [jfontana_]
...feels strange. can they rely on only transports. there is divergence.
19:17:36 [jfontana_]
agl: in the end the goal is to do smarter things.
19:17:49 [jfontana_]
...difference in design comes in difference of goal
19:18:50 [jfontana_]
elundberg: can you tell which transport to use.
19:19:48 [jfontana_]
shane: why attestation responses are a bunch of methods, where assertion you just access the data
19:19:53 [jfontana_]
agl: it is web IDL rules.
19:22:10 [jfontana_]
shane: I will open an issue and wait for a response.
19:23:29 [jfontana_]
shane: well I do understand use case. I am OK here
19:23:50 [jfontana_]
tony: shane can review
19:23:53 [jfontana_]
shane: yes
19:24:29 [jfontana_]
https://github.com/w3c/webauthn/pull/1663
19:25:21 [jfontana_]
lundberg: still some issues. some open discussions
19:25:41 [jfontana_]
https://github.com/w3c/webauthn/pull/1660
19:25:56 [selfissued]
selfissued has joined #webauthn
19:26:02 [selfissued]
present+
19:29:11 [jfontana_]
tony: Stephen McGruer to talk about SPC Secure Payment Confirmation
19:29:18 [jfontana_]
...from Google
19:30:37 [jfontana_]
akshay: why do we want to go beyond SPC.
19:30:49 [jfontana_]
... I can control the authentication.
19:31:05 [jfontana_]
...with this there will be a pop-up.
19:31:30 [jfontana_]
...i think all these have to be ok for platform and security keys
19:31:36 [jfontana_]
...user experience is a big deal for us.
19:31:59 [jfontana_]
...I want to keep the existing control. so no one can ask for creds on my site.
19:32:10 [jfontana_]
...can RP opt into these behaviors?
19:32:56 [jfontana_]
...the three levels. me as RP controls WebAuthn. second with iFrame. three can go cross origin.
19:33:05 [jfontana_]
...how do we do this?
19:33:23 [jfontana_]
...I am slightly concerned about user experience
19:33:41 [jfontana_]
...we still want to claim phishing resistance
19:34:33 [jfontana_]
Christiaan: everything that works on the web, works with iFrames
19:34:43 [jfontana_]
...web authn credentials work fine in an iFrame
19:35:07 [jfontana_]
...I don't care about being embedded in iFrame all the time. we have said SPC can do some logic and credential time.
19:35:19 [jfontana_]
...it is an extension you set for how credential is used.
19:35:52 [jfontana_]
...akshay it sounds if we have opt out we should be good to proceed
19:36:18 [jfontana_]
akshay: yes. there should not be any UI that comes up from RP. you have to opt in
19:38:26 [jfontana_]
christiaan: this is only about internal keys. no other transport, but we could react that
19:38:52 [jfontana_]
...we could react to that.
19:39:12 [jfontana_]
akshay: I am not comfortable to say we can figure it out now.
19:40:00 [jfontana_]
christiaan: if there is something available in browser, then you can use it. we are not talking about all transports
19:41:04 [jfontana_]
akshay: we still have reservations, what credential you use
19:41:28 [jfontana_]
christiaan: given complexity, what we are planning to ship, we are not bringing in physical keys right now
19:41:44 [jfontana_]
elundberg: if we do this layer, is it possible to support later.
19:41:46 [jfontana_]
?
19:42:36 [jfontana_]
...it may end up that we can't support external keys in the future. we need to consider that design
19:42:57 [jfontana_]
christiaan: two things here. can you exercise credential in third party context.
19:43:14 [jfontana_]
...applies internal and external keys. that is out of scope of WebAuthn
19:43:51 [jfontana_]
...other; if we don't know about credential, in this case how do we prohibit browser to ask users to plug in security key
19:44:28 [jfontana_]
...this brings in complexity.
19:45:38 [jfontana_]
sMcGruer: can't plug in authenticator because the browser does not know it
19:46:42 [jfontana_]
...we want to interrogate the credential in some way later
19:47:09 [jfontana_]
christiaan: external case is lots of complexity, we have not had ask for that yet
19:48:16 [jfontana_]
akshay: we need to think through this. the user experience and phishing - we have to design for the future and it may be acceptable there.
19:48:26 [jfontana_]
christiaan: this will involve CTAP
19:49:26 [jfontana_]
...we are going ahead with our launch with the internal keys. we can talk external later.
19:49:39 [jfontana_]
tony: circle about this after the in-person FIDO meeting.
19:51:27 [jfontana_]
https://github.com/w3c/webauthn/pull/1621
19:51:39 [jfontana_]
tony: this is emil
19:52:16 [jfontana_]
tony: a few untriaged issues
19:52:37 [jfontana_]
https://github.com/w3c/webauthn/issues/1666
19:53:05 [jfontana_]
Zach: not ready
19:53:30 [jfontana_]
https://github.com/w3c/webauthn/pull/1660
19:53:36 [jfontana_]
tony: waiting for this to get done
19:54:30 [jfontana_]
https://github.com/w3c/webauthn/issues/1657
19:54:51 [jfontana_]
elundberg: I have not asked for review yet
19:55:44 [jfontana_]
tony: in two weeks we will talk with internationalization folks.
19:56:19 [wseltzer]
q+
19:56:52 [jfontana_]
...please look at the PRs #1664 #1643 #1642 #1646 for the Sept. 22 meeting
19:57:46 [wseltzer]
q+
19:59:27 [jfontana_]
tony: for TPAC, they want to talk about Web Payments, they have scheduled a meeting. Any reason not to schedule with Web Payments group.
20:00:17 [jfontana_]
...two hours each day.
20:00:50 [jfontana_]
...this is our off week.
20:00:56 [jfontana_]
...for web authn group
20:01:06 [jfontana_]
...it would be 8am in morning
20:01:12 [jfontana_]
...eastern time
20:38:03 [wseltzer]
rrsagent, draft minutes
20:38:03 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/09/08-webauthn-minutes.html wseltzer
20:38:11 [wseltzer]
chair: Nadalin, Fontana
20:38:15 [wseltzer]
rrsagent, draft minutes
20:38:15 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/09/08-webauthn-minutes.html wseltzer
22:02:22 [Zakim]
Zakim has left #webauthn