Meeting minutes
<matthewmiller> Hmm, that's not it
wendy: still under review for new charter
tony: Pull requests
https://
tony: has approval from reviewers. Can we merge this?
agl: I don't think we should rush
… some open questions
tony: let it hang
agl: what should it be, should it be less than 1024
selfissue: I agree it should be less
agl: I will make the change.
… I will update and we can revisit
tony: selfissue will review
selfissue: yes. with comment
agl: we need to define it, or someone else will
shane: I have come across where the number is bigger
… very anecdotal, I don't have data
akshay: I will look from MSFT side
… microsoft
mattM: I left a comment, maybe needs followup
agl: will revisit in a couple of weeks
https://
Zach: main reason is if site wants to use caBLE and the site realizes other transport options
… user can switch to other transport from caBLE.
tony: akshay, have you looked at it?
akshay: no
tony: emil, have you looked at it?
elundberg: are you looking for a list of transports?
agl: how do we get that
elundberg: from registration
agl: what is the use case of a full list
mattM: is this for the RP to know when to prompt the user to enroll a platform authenticator when available?
… feels strange. can they rely on only transports. there is divergence.
agl: in the end the goal is to do smarter things.
… difference in design comes in difference of goal
elundberg: can you tell which transport to use?
shane: why are attestation responses a bunch of methods, whereas for assertions you just access the data?
agl: it is web IDL rules.
shane: I will open an issue and wait for a response.
shane: well I do understand use case. I am OK here
tony: shane can review
shane: yes
https://
elundberg: still some issues. some open discussions
https://
tony: Stephen McGruer to talk about SPC Secure Payment Confirmation
… from Google
akshay: why do we want to go beyond SPC.
… I can control the authentication.
… with this there will be a pop-up.
… i think all these have to be ok for platform and security keys
… user experience is a big deal for us.
… I want to keep the existing control. so no one can ask for creds on my site.
… can RP opt into these behaviors?
… the three levels. me as RP controls WebAuthn. second with iFrame. three can go cross origin.
… how do we do this?
… I am slightly concerned about user experience
… we still want to claim phishing resistance
Christiaan: everything that works on the web, works with iFrames
… WebAuthn credentials work fine in an iFrame
… I don't care about being embedded in iFrame all the time. we have said SPC can do some logic and credential time.
… it is an extension you set for how credential is used.
… akshay, it sounds like if we have opt out we should be good to proceed
akshay: yes. there should not be any UI that comes up from RP. you have to opt in
christiaan: this is only about internal keys. no other transport, but we could react that
… we could react to that.
akshay: I am not comfortable to say we can figure it out now.
christiaan: if there is something available in the browser, then you can use it. we are not talking about all transports
akshay: we still have reservations, what credential you use
christiaan: given complexity, what we are planning to ship, we are not bringing in physical keys right now
elundberg: if we do this layer, is it possible to support later?
?
… it may end up that we can't support external keys in the future. we need to consider that design
christiaan: two things here. can you exercise credential in third party context.
… applies to internal and external keys. that is out of scope of WebAuthn
… other; if we don't know about credential, in this case how do we prohibit browser to ask users to plug in security key
… this brings in complexity.
sMcGruer: can't plug in authenticator because the browser does not know it
… we want to interrogate the credential in some way later
christiaan: external case is lots of complexity, we have not had ask for that yet
akshay: we need to think through this. the user experience and phishing - we have to design for the future and it may be acceptable there.
christiaan: this will involve CTAP
… we are going ahead with our launch with the internal keys. we can talk external later.
tony: circle about this after the in-person FIDO meeting.
https://
tony: this is emil
tony: a few untriaged issues
https://
Zach: not ready
https://
tony: waiting for this to get done
https://
elundberg: I have not asked for review yet
tony: in two weeks we will talk with internationalization folks.
… please look at the PRs #1664 #1643 #1642 #1646 for the Sept. 22 meeting
tony: for TPAC, they want to talk about Web Payments, they have scheduled a meeting. Any reason not to schedule with Web Payments group.
… two hours each day.
… this is our off week.
… for web authn group
… it would be 8am in morning
… eastern time