19:59:49 <RRSAgent> RRSAgent has joined #webauthn
19:59:49 <RRSAgent> logging to https://www.w3.org/2022/01/26-webauthn-irc
19:59:52 <Zakim> RRSAgent, make logs Public
19:59:53 <Zakim> Meeting: Web Authentication WG
20:01:39 <wseltzer> present+
20:01:47 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2022Jan/0120.html
20:02:07 <matthewmiller> matthewmiller has joined #webauthn
20:03:10 <wseltzer> chair: Nadalin, Fontana
20:03:42 <wseltzer> present+ Nadalin, Fontana, AGL, DavidTurner, Elundberg, Jpascoe, KenBuchanan, MatthewMiller, RaeRivera, TimCappalli
20:04:16 <wseltzer> Tony: Charter?
20:04:20 <wseltzer> wseltzer: No update
20:04:25 <wseltzer> Tony: Open PRs
20:04:36 <wseltzer> ... 1693
20:04:48 <wseltzer> elundberg: should be straightforward
20:05:04 <tara> tara has joined #webauthn
20:05:04 <wseltzer> ... think we can merge
20:05:31 <wseltzer> JohnBradley: Looks good
20:05:34 <wseltzer> agl: Fine
20:05:40 <wseltzer> Tony: Merge
20:05:45 <wseltzer> Tony: 1663
20:05:56 <jfontana> jfontana has joined #webauthn
20:06:03 <wseltzer> agl: can't land it yet
20:06:32 <wseltzer> regrets+ JeffH
20:07:04 <wseltzer> present+ MartinKreichgauer, NickSteele, RanjivaPrasad, TaraWhalen, WernerBruinings
20:07:19 <nsteele> nsteele has joined #webauthn
20:07:25 <nsteele> present+
20:07:32 <wseltzer> matthewmiller: many people's mental model differed from the spec
20:07:46 <wseltzer> ... PassKeys are elevating that discussion
20:08:13 <wseltzer> ... uncertainty when DevicePubKey might be supported in clients
20:08:48 <wseltzer> tim: original poster has accepted the conclusion elsewhere
20:09:34 <wseltzer> ... that the spec can't force support
20:10:43 <wseltzer> johnbradley: This WG can't do much about the underlying question
20:11:30 <wseltzer> ... SPWG certification, or vendor conversation
20:12:52 <wseltzer> matthewmiller: is it true that spec has never enforced single-device credential?
20:13:12 <wseltzer> nsteele: spec makes no statements about it, It talks only about WebAuthn API
20:13:49 <wseltzer> johnbradley: out of scope for WebAuthn; might fit in FIDO specs, where there are privacy principles that private key will never leave authenticator boundary
20:14:09 <wseltzer> ... and could be unclear what the "authenticator boundary" is for software authenticators
20:14:47 <wseltzer> elundberg: never in normative language in WebAuthn
20:15:04 <wseltzer> ... unenforceable but for RPs enforcing attestation requirements
20:15:40 <wseltzer> johnbradley: it's outside webauthn
20:18:15 <wseltzer> matthewmiller: might we consider adding something in security considerations abuot how the cloud sync model affects security model?
20:18:24 <wseltzer> ... help correct the mental modeling
20:18:35 <wseltzer> johnbradley: the whitepaper and FAQ intended to do that
20:19:05 <wseltzer> tim: not limited to cloud, also peer-to-peer sync
20:20:00 <wseltzer> johnbradley: don't know we want to get into all the possibilities
20:20:35 <wseltzer> ... concentrate WebAuthn spec on the client-RP connection
20:21:29 <wseltzer> matthewmiller: issues 1691, 1692
20:21:41 <wseltzer> ... should webauthn expose when used, not block
20:22:20 <wseltzer> tim: use cases highlighted there: credential is enrolled; platform configured to allow backup; credential capable of being backed up, not yet backed up
20:22:35 <wseltzer> ... RP could be instructed to guide user through flow
20:22:59 <wseltzer> johnbradley: RP could reject, ask for Device Pub Key in next request
20:24:57 <wseltzer> agl: DPK support and flags would launch concurrently with any launch of syncable platform authenticators
20:25:15 <wseltzer> akshay: same from Microsoft
20:26:01 <wseltzer> Tony: so, 1663
20:26:29 <wseltzer> johnbradley: keep the extension, close the issue 1691
20:27:19 <wseltzer> Tony: 1576 ongoing
20:27:26 <wseltzer> JeffH: keep it open
20:27:31 <wseltzer> Tony: 1425
20:27:39 <wseltzer> elundberg: keep it open
20:28:58 <wseltzer> Tony: Invited Expert application. Any objection?
20:29:15 <wseltzer> ... hearing none, approved
20:31:43 <nsteele> PR 1690
20:32:06 <nsteele> https://github.com/w3c/webauthn/pull/1690 being discussed
20:32:46 <wseltzer> agl: looks like spam
20:32:50 <wseltzer> Tony: close it
20:33:21 <wseltzer> Tony: Untriaged issues
20:33:23 <wseltzer> ... 1692
20:34:05 <wseltzer> Akshay: related to backup, sync. What are the possible states
20:34:19 <wseltzer> agl: modulo structure (flags/extension), looks great
20:34:34 <wseltzer> akshay: thinking flags
20:34:45 <wseltzer> ... expect to have a more concrete proposal
20:35:30 <wseltzer> Tony: we closed 1691
20:36:09 <wseltzer> JeffH: should explain: any enforcement of "must support device pub key extension" would be a certification regime, not this WG
20:38:27 <wseltzer> Tony: 1681
20:38:51 <wseltzer> jeffh: close with "What Ian says should work"
20:39:54 <wseltzer> Tony: Any other issues?
20:41:08 <wseltzer> johnbradley: Where are on KDF extension?
20:41:16 <wseltzer> Akshay: Awaiting charter
20:41:59 <wseltzer> johnbradley: we can create the PR and wait to merge
20:42:36 <wseltzer> akshay: will do
20:43:03 <wseltzer> Tony: Other issues
20:43:12 <wseltzer> nsteele: 1683
20:43:42 <wseltzer> matthewmiller: working on it with Nick
20:43:56 <wseltzer> Tony: You can create the PR
20:50:35 <wseltzer> matthewmiller: Can we talk about a potential meeting?
20:50:50 <wseltzer> [discussion of possible venues, including alongside RSA or IIW]
20:51:07 <wseltzer> Tony: Let's look for potential host alongside RSA
20:51:52 <wseltzer> [RSA scheduled June 6-9, SF]
20:52:19 <wseltzer> [note that any venue will have vaccination requirements]
20:53:02 <wseltzer> Tony: I'll also support meeting at TPAC
20:53:09 <wseltzer> [adjourned]
20:53:12 <wseltzer> rrsagent, draft minutes
20:53:12 <RRSAgent> I have made the request to generate https://www.w3.org/2022/01/26-webauthn-minutes.html wseltzer
23:34:20 <Zakim> Zakim has left #webauthn