jfontana: report from TPAC meetings
jfontana: pull requests
jeffh: 1621 and 1674 look good to me
... others should review
sbweeden: 1621 looks close to me, waiting for a final review when emlun says it's ready
jfontana: awaiting input from emil
jeffh: nina and I have been collaborating on 1576
nina: worth your attention, it will be ready soon
... also look at companion PR on Credential Management
<jeffh> https://github.com/w3c/webappsec-credential-management/pull/155
nina: PR #155 in CredMan
agl: I filed a TAG review request on 1637
jfontana: over to issues
... 1679
agl: it's a correct observation
jeffh: we went around on this in the early development
jfontana: close?
agl: what's the worst that could happen? attacker learns all the details of the credential except its private key... and the site overwrites with same credential ID, user could interact with attacker account
... so don't overwrite
... I might write a note in the spec about it
jfontana: 1677
sbweeden: not a spec issue
<scribe> ... closed
jfontana: 1676
nsteele: I can respond
jfontana: 1673
sbweeden: I'll make a comment
jfontana: 1671
akshay: look again in 2 weeks
johnbradley: re iframe, a discussion in Apple bug tracker, with argumentation against using webauthn in iframe
johnpascoe: think we'll require storage access API permissions
... speaking for webkit
johnbradley: an additional dialog?
johnpascoe: additional dialog for cookies used cross-origin anyway
... per-site that embeds the iframe
dveditz: users don't necessarily know that a frame is there or what's in it
davidwaite: even login may be embedded in iframe
nsteele: we see that too
... fairly common
johnbradley: do we need to surface this if safari and firefox have behavior changes?
dveditz: we're active in discussions of storage access API
... and expect to follow standards that are developed
agl: as I understand, not an API change, but a UI step
jeffh: can we talk about 1637?
https://github.com/w3c/webauthn/issues/1637
agl: wondering if Mozilla had thoughts on this issue
dveditz: working to gather those
jfontana: 1667
akshay: two problems with cross-origin authentication
... one, not considering all the authenticators out there
... two, unwanted prompt that could come from websites
timcappalli: this could be a way to make ephemeral keys for not syncing
jfontana: 1665?
jeffh: this comes from 1637, to break out the discussion
... a reminder to come back to this "glue"
jfontana: 1658
jeffh: we have a draft PR, needs review
agl: for blink process, I'll be sending an explainer to TAG for min pin length
<jeffh> minPinLength ctap extension spec text: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension
[adjourned]