19:00:59 RRSAgent has joined #webauthn
19:00:59 logging to https://www.w3.org/2021/12/01-webauthn-irc
19:01:01 RRSAgent, make logs Public
19:01:04 Meeting: Web Authentication WG
19:01:04 Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Dec/0000.html
19:49:20 jfontana has joined #webauthn
20:01:27 jfontana_ has joined #webauthn
20:02:04 elundberg has joined #webauthn
20:02:08 present+
20:02:37 present+
20:04:22 wendy: asked for a charter extension, asked for 6 months. don't expect to take nearly that long
20:04:46 ...about to send out update on addressing the objections
20:04:55 tony: at the beginning of the year?
20:05:05 ...likely 15th is last meeting of the year
20:05:19 tony: anything else on charter
20:05:36 ...Mozilla had no response to chat on charter
20:05:49 elundberg_ has joined #webauthn
20:06:12 jeffH: they did not formally object, they are from other parties.
20:07:48 jbarclay has joined #webauthn
20:08:06 present+
20:08:07 tony: will you make a PR
20:08:26 agl: I commented on what I saw, he wrote some words, but not a PR
20:08:40 ...waiting for him to get back to me
20:09:02 tony: looks like proposed wording would close all the objections.
20:09:23 go to PRs
20:09:37 https://github.com/w3c/webauthn/pull/1680
20:10:01 agl: I have not looked at response, these aren't major.
20:10:32 dveditz has joined #webauthn
20:10:48 present+
20:10:58 https://github.com/w3c/webauthn/pull/1663
20:11:46 jeffH: work in progress
20:13:17 shane: when pass keys are prevalent, there is still a bunch of to-dos there, more on the way
20:13:42 tara has joined #webauthn
20:13:49 ...it feels like this extension will be called for on many requests
20:14:04 ...interested in thoughts of more RPs
20:14:16 TimC: a couple of use cases.
20:14:41 shane: want a credential but no control for that.
20:14:53 TimC: you only use device key in your logic
20:15:04 ...there will be platforms that require sync
20:15:14 ...some will need extension
20:15:16 some
20:15:58 agl: don't ignore primary key
20:16:15 ...you get better flows with more verification
20:16:58 jeffH: I think shane is saying how RP will use this extension - it is not clear
20:17:45 elundberg: there is some explicit language, like we added to recovery system, maybe something like that can be done here
20:17:59 shane: I would like to review something like that.
20:18:29 s/is some explicit language, like/is no current in-spec precedent of RP extension processing steps, but like/
20:18:35 jeffH: attestation is not the issue, the RP will have to deal with what it gets back in terms of attestation
20:18:53 ...it will have to factor that in risk assessment
20:19:09 https://github.com/w3c/webauthn/pull/1621
20:20:34 https://github.com/w3c/webauthn/pull/1576
20:20:47 jeffH: still work in progress, but close
20:22:02 https://github.com/w3c/webauthn/pull/1425
20:22:14 elundberg: still holding
20:22:33 tony: open issues, untriaged.
20:23:33 https://github.com/w3c/webauthn/issues/1681
20:23:43 tony: thinking this was for FIDO.
20:24:17 https://github.com/w3c/webauthn/issues/1667
20:24:59 akshay: asking for more on this, there are 3-4 requirements we are trying to work out.
20:26:15 ...design requirements have changed on this
20:26:20 ...I need to look again.
20:27:19 ...with SPC, there is an API that will call the WebAuth. public? private?
20:27:33 ...this is in a payments scenario.
20:28:00 ...do we need to change webauthn to help make the SPC call?
20:28:46 ...web auth spec needs to say a third party can be enabled.
20:28:56 jeffH: I think that is a web authn extension
20:29:17 akshay: in that context can I call with web authn
20:29:18 agl: no
20:29:30 ...it is payment request
20:29:40 jbradley: needs to be some sort of control.
20:29:47 ...not random RPs
20:30:07 ...we are still at the level of how this will work, rather than how APIs relate
20:30:49 akshay: has to come from SPC call
20:31:24 jeffH: yes. jeff explains
20:31:44 akshay: what if RP sets this extension and does not use SPC
20:31:54 agl: that is not the way it was intended.
20:32:07 jbradley: there are restrictions, need to say that someplace
20:32:44 ...could be significant changes on how webauthn works.
20:34:24 agl: I don't believe normal web authn creds can be used in SPC space
20:34:33 jbradley: this is what banks are asking for
20:34:47 agl: looking at different contexts.
20:35:08 jbradley: depends on how it is flagging. it determines behavior
20:35:37 ...can separate the credentials for webauthn and spc. the topic of the other issue was to combine.
20:36:19 agl: that want one credential to solve all the problems
20:36:53 jbradley: spc is going back and forth on this.
20:37:12 ...one thing is two categories of creds. first party and third party
20:37:31 ...we could lose the filter of this credential is only good for authentication
20:37:52 ...comes down to three different credentials, some good for multiple things
20:37:59 ...storage is tricky part.
20:38:16 ...only touch the SPC logic and not first party.
20:38:23 touch
20:38:45 ...waiting for a good idea here.
20:38:58 agl: aren't these good ideas.
20:39:18 jbradley: it can work, doesn't feel clean.
20:39:25 ...could get conflict
20:40:01 elundberg: using userID is not the best idea.
20:40:28 jbradley talking about credential management API; but that could mean changes to CTAP 2.1
20:40:44 elundberg: there is a drawback.
20:41:17 jbradley: almost a new data member rather than re-using cred blob
20:41:29 ...not much cred blob deployment
20:41:45 akshay: opinion, both ideas I really do not like.
20:42:29 ...if you keep changing requirements it looks more and more like it needs a new property on the keys
20:43:12 ...user ID or cred blob is not something I want to change
20:43:46 ...I don't want to tangle with first party
20:44:13 jbradley: the name space does not let third party SPC cred used for normal WebAuthn authentication
20:44:24 akshay: I do not see that solution right now
20:45:17 jbradley: could do name space thing, but if you want to use SPC for cred in first party context, then we need to do something different in name space
20:45:49 ...if we separate the SPC cred, so it is not used for normal authentication, they may need two name spaces
20:46:03 akshay: they have their own server logic
20:47:28 jbradley: I will look at it to see what we can do, but some of the browsers may have to change
20:48:02 jeffH: it could be a client extension and not pass down to authenticator
20:48:11 akshay: thinking that with SPC
20:49:56 jbradley: maybe we never mix SPC context
20:54:35 agl: I want to talk about JSON
20:55:03 Martin: Issue 1683
20:55:49 ...want JSON serialized - all the RPs have to write their own serialization
20:56:03 ...should we make RPs' lives easier?
20:56:41 akshay: if it helps RPs I am in favor of this
20:56:49 tony: does not seem to break anything.
20:56:59 martin: it is backward compatible.
20:57:11 ...default case for simple RP
20:57:14 tony: is there support
20:57:18 ...agl?
20:57:21 agl: yes
20:57:38 dan: I would want to support this
20:58:07 ...I would support in Mozilla at some time later
20:58:42 agl: JSON here would not unpack authn data.
20:58:51 ...would turn into strings
21:09:22 rrsagent, make logs public
21:09:35 rrsagent, draft minutes
21:09:35 I have made the request to generate https://www.w3.org/2021/12/01-webauthn-minutes.html jfontana_
21:09:46 zakim, list attendees
21:09:46 As of this point the attendees have been elundberg, jfontana_, jbarclay, dveditz
21:11:19 Also in attendance, Wendy S., Tony N., Adam L, D. Waite, Martin V, Tim C., E. Lundberg,
21:11:32 ...J. Bradley
21:11:54 Chairs: Nadalin, Fontana
21:13:03 *web page updated with minutes
21:13:11 zakim, bye
21:13:11 leaving. As of this point the attendees have been elundberg, jfontana_, jbarclay, dveditz
21:13:11 Zakim has left #webauthn
21:13:20 rrsagent, bye
21:13:20 I see no action items