IRC log of webauthn on 2021-12-01
Timestamps are in UTC.
- 19:00:59 [RRSAgent]
- RRSAgent has joined #webauthn
- 19:00:59 [RRSAgent]
- logging to https://www.w3.org/2021/12/01-webauthn-irc
- 19:01:01 [Zakim]
- RRSAgent, make logs Public
- 19:01:04 [Zakim]
- Meeting: Web Authentication WG
- 19:01:04 [wseltzer]
- Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Dec/0000.html
- 19:49:20 [jfontana]
- jfontana has joined #webauthn
- 20:01:27 [jfontana_]
- jfontana_ has joined #webauthn
- 20:02:04 [elundberg]
- elundberg has joined #webauthn
- 20:02:08 [elundberg]
- present+
- 20:02:37 [jfontana_]
- present+
- 20:04:22 [jfontana_]
- wendy: asked for a charter extension, asked for 6 months. don't expect to take nearly that long
- 20:04:46 [jfontana_]
- ...about to send out update on addressing the objections
- 20:04:55 [jfontana_]
- tony: at the beginning of the year?
- 20:05:05 [jfontana_]
- ...likely 15th is last meeting of the year
- 20:05:19 [jfontana_]
- tony: anything else on charter
- 20:05:36 [jfontana_]
- ...mozilla had no response to chat on charter
- 20:05:49 [elundberg_]
- elundberg_ has joined #webauthn
- 20:06:12 [jfontana_]
- jeffH: they did not formally object, they are from other parties.
- 20:07:48 [jbarclay]
- jbarclay has joined #webauthn
- 20:08:06 [jbarclay]
- present+
- 20:08:07 [jfontana_]
- tony: will you make a PR
- 20:08:26 [jfontana_]
- agl: I commented on what I saw, he wrote some words, but not a PR
- 20:08:40 [jfontana_]
- ...waiting for him to get back to me
- 20:09:02 [jfontana_]
- tony: looks like proposed wording would close all the objections.
- 20:09:23 [jfontana_]
- go to PRs
- 20:09:37 [jfontana_]
- https://github.com/w3c/webauthn/pull/1680
- 20:10:01 [jfontana_]
- agl: i have not looked at response, these aren't major.
- 20:10:32 [dveditz]
- dveditz has joined #webauthn
- 20:10:48 [dveditz]
- present+
- 20:10:58 [jfontana_]
- https://github.com/w3c/webauthn/pull/1663
- 20:11:46 [jfontana_]
- jeffH: work in progress
- 20:13:17 [jfontana_]
- shane: when pass keys are prevalent, there is still a bunch of to-dos there, more on the way
- 20:13:42 [tara]
- tara has joined #webauthn
- 20:13:49 [jfontana_]
- ...it feels like this extension will be called for on many requests
- 20:14:04 [jfontana_]
- ...interested in thoughts of more RPs
- 20:14:16 [jfontana_]
- TimC: a couple of use cases.
- 20:14:41 [jfontana_]
- shane: want a credential but no control for that.
- 20:14:53 [jfontana_]
- timC: you only use device key in your logic
- 20:15:04 [jfontana_]
- ...there will be platforms that require sync
- 20:15:14 [jfontana_]
- ...seom will need extension
- 20:15:16 [jfontana_]
- some
- 20:15:58 [jfontana_]
- agl: don't ignore primary key
- 20:16:15 [jfontana_]
- ...you get better flows with more verification
- 20:16:58 [jfontana_]
- jeffH: I think shane is saying how RP will use this extension - it is not clear
- 20:17:45 [jfontana_]
- elundberg: there is some explicit language, like we added to recovery system, maybe something like that can be done here
- 20:17:59 [jfontana_]
- shane: I would like to review something like that.
- 20:18:29 [elundberg_]
- s/is some explicit language, like/is no current in-spec precedent of RP extension processing steps, but like/
- 20:18:35 [jfontana_]
- jeffH: attestation is not the issue, the RP will have to deal with what it gets back in terms of attestation
- 20:18:53 [jfontana_]
- ...it will have to factor that in risk assessment
- 20:19:09 [jfontana_]
- https://github.com/w3c/webauthn/pull/1621
- 20:20:34 [jfontana_]
- https://github.com/w3c/webauthn/pull/1576
- 20:20:47 [jfontana_]
- jeffH: still work in progress, but close
- 20:22:02 [jfontana_]
- https://github.com/w3c/webauthn/pull/1425
- 20:22:14 [jfontana_]
- elundberg: still holding
- 20:22:33 [jfontana_]
- tony: open issues, untriaged.
- 20:23:33 [jfontana_]
- https://github.com/w3c/webauthn/issues/1681
- 20:23:43 [jfontana_]
- tony: thinking this was for FIDO.
- 20:24:17 [jfontana_]
- https://github.com/w3c/webauthn/issues/1667
- 20:24:59 [jfontana_]
- akshay: asking for more on this, there are 3-4 requirements we are trying to work out.
- 20:26:15 [jfontana_]
- ...design requirements have changed on this
- 20:26:20 [jfontana_]
- ...I need to look again.
- 20:27:19 [jfontana_]
- ...with SPC, there is an API that will call the WebAuth. public? private?
- 20:27:33 [jfontana_]
- ...this is in a payments scenario.
- 20:28:00 [jfontana_]
- ...do we need to change webauthn to help make the SPC call?
- 20:28:46 [jfontana_]
- ...web auth spec needs to say a third party can be enabled.
- 20:28:56 [jfontana_]
- jeffH: I think that is a web authn extension
- 20:29:17 [jfontana_]
- akshay: in that context can I call with web authn
- 20:29:18 [jfontana_]
- agl: no
- 20:29:30 [jfontana_]
- ...it is payment request
- 20:29:40 [jfontana_]
- jbradley: needs to be some sort of control.
- 20:29:47 [jfontana_]
- ...not random RPs
- 20:30:07 [jfontana_]
- ...we are still at the level of how this will work, rather than how APIs relate
- 20:30:49 [jfontana_]
- akshay: has to come from SPC call
- 20:31:24 [jfontana_]
- jeffH: yes. jeff explains
- 20:31:44 [jfontana_]
- akshay: what if RP sets this extension and does not use SPC
- 20:31:54 [jfontana_]
- agl: that is not the way it was intended.
- 20:32:07 [jfontana_]
- jbradley: there are restrictions, need to say that someplace
- 20:32:44 [jfontana_]
- ...could be significant changes on how webauthn works.
- 20:34:24 [jfontana_]
- agl: i don't believe normal web authn creds can be used in SPC space
- 20:34:33 [jfontana_]
- jbradley: this is what banks are asking for
- 20:34:47 [jfontana_]
- agl: looking at different contexts.
- 20:35:08 [jfontana_]
- jbradley: depends on how it is flagging. it determines behavior
- 20:35:37 [jfontana_]
- ...can separate the credentials for webauthn and spc. the topic of the other issue was to combine.
- 20:36:19 [jfontana_]
- agl: they want one credential to solve all the problems
- 20:36:53 [jfontana_]
- jbradley: spc is going back and forth on this.
- 20:37:12 [jfontana_]
- ...one thing is two categories of creds. first party and third party
- 20:37:31 [jfontana_]
- ...we could lose the filter of this credential is only good for authentication
- 20:37:52 [jfontana_]
- ...comes down to three different credentials, some good for multiple things
- 20:37:59 [jfontana_]
- ...storage is tricky part.
- 20:38:16 [jfontana_]
- ...only tough the SPC logic and not first part.
- 20:38:23 [jfontana_]
- touch
- 20:38:45 [jfontana_]
- ...waiting for a good idea here.
- 20:38:58 [jfontana_]
- agl: aren't these good ideas.
- 20:39:18 [jfontana_]
- jbradley: it can work, doesn't feel clean.
- 20:39:25 [jfontana_]
- ...could get conflict
- 20:40:01 [jfontana_]
- elundberg: using userID is not the best idea.
- 20:40:28 [jfontana_]
- jbradley talking about credential management API; but that could mean changes to CTAP 2.1
- 20:40:44 [jfontana_]
- elundberg: there is a drawback.
- 20:41:17 [jfontana_]
- jbradley: almost a new data member rather than re-using cred blob
- 20:41:29 [jfontana_]
- ...not much cred blob deployment
- 20:41:45 [jfontana_]
- akshay: opinion, both ideas I really do not like.
- 20:42:29 [jfontana_]
- ...if you keep changing requirements it looks more and more like it needs a new property on the keys
- 20:43:12 [jfontana_]
- ... user ID or cred blob is not something I want to change
- 20:43:46 [jfontana_]
- ...I don't want to tangle with first party
- 20:44:13 [jfontana_]
- jbradley: the name space does not let third party SPC cred be used for normal WebAuthn authentication
- 20:44:24 [jfontana_]
- akshay: I do not see that solution right now
- 20:45:17 [jfontana_]
- jbradley: could do name space thing, but if you want to use SPC for cred in first party context, then we need to do something different in name space
- 20:45:49 [jfontana_]
- ...if we separate the SPC cred, so it is not used for normal authentication, they may need two name spaces
- 20:46:03 [jfontana_]
- akshay: they have their own server logic
- 20:47:28 [jfontana_]
- jbradley: I will look at it to see what we can do, but some of the browsers may have to change
- 20:48:02 [jfontana_]
- jeffH: it could be a client extension and not pass down to authenticator
- 20:48:11 [jfontana_]
- akshay: thinking that with SPC
- 20:49:56 [jfontana_]
- jbradley: maybe we never mix SPC context
- 20:54:35 [jfontana_]
- agl: I want to talk about JSON
- 20:55:03 [jfontana_]
- Martin: Issue1683
- 20:55:49 [jfontana_]
- ...want JSON serialized - all the RPs have to write their own serialization
- 20:56:03 [jfontana_]
- ...should we make RPs lives easier?
- 20:56:41 [jfontana_]
- akshay: if it helps RPs I am in favor of this
- 20:56:49 [jfontana_]
- tony: does not seem to break anything.
- 20:56:59 [jfontana_]
- martin: it is backward compatible.
- 20:57:11 [jfontana_]
- ...default case for simple RP
- 20:57:14 [jfontana_]
- tony: is there support
- 20:57:18 [jfontana_]
- ...agl?
- 20:57:21 [jfontana_]
- agl: yes
- 20:57:38 [jfontana_]
- dan: I would want to support this
- 20:58:07 [jfontana_]
- ...I would support in mozilla at some time later
- 20:58:42 [jfontana_]
- agl: JSON here would not unpack authn data.
- 20:58:51 [jfontana_]
- ...would turn into strings
- 21:09:22 [jfontana_]
- rrsagent, make logs public
- 21:09:35 [jfontana_]
- rrsagent, draft minutes
- 21:09:35 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/12/01-webauthn-minutes.html jfontana_
- 21:09:46 [jfontana_]
- zakim, list attendees
- 21:09:46 [Zakim]
- As of this point the attendees have been elundberg, jfontana_, jbarclay, dveditz
- 21:11:19 [jfontana_]
- Also in attendance, Wendy S., Tony N., Adam L, D. Waite, Martin V, Tim C., E. Lundberg,
- 21:11:32 [jfontana_]
- ...j.Bradley
- 21:11:54 [jfontana_]
- Chairs: Nadalin, Fontana
- 21:13:03 [jfontana_]
- *web page updated with minutes
- 21:13:11 [jfontana_]
- zakim, bye
- 21:13:11 [Zakim]
- leaving. As of this point the attendees have been elundberg, jfontana_, jbarclay, dveditz
- 21:13:11 [Zakim]
- Zakim has left #webauthn
- 21:13:20 [jfontana_]
- rrsagent, bye
- 21:13:20 [RRSAgent]
- I see no action items