15:49:19 RRSAgent has joined #webauthn
15:49:19 logging to https://www.w3.org/2022/06/09-webauthn-irc
15:49:21 RRSAgent, make logs Public
15:49:22 Meeting: Web Authentication WG
15:59:39 jfontana has joined #webauthn
16:04:52 present+ Tim_Cappalli, Tony_Nadalin, Joseph_Vasterling, Dirk_Balfanz, Arnar_Birgisson, Emil_Lundberg, John_Fontana, Armen_Anoyan, Adam_Langley, John_Bradley, Shane_Weeden, Nick_Steele, Wendy_Seltzer
16:05:08 present+ Matthew_Miller
16:05:28 elundberg has joined #webauthn
16:05:32 present+
16:05:44 sbweeden has joined #webauthn
16:05:47 Meeting: WebAuthn F2F
16:07:33 present+ Mike_Jones
16:07:53 Arnar has joined #webauthn
16:08:20 matthewmiller has joined #webauthn
16:08:22 Guest: Joseph Vasterling - Best Buy
16:08:44 regrets+ dveditz
16:11:11 Topic: WebAuthn @ Best Buy
16:11:25 [presentation from Joe Vasterling]
16:11:30 joseph: what is Best Buy doing around WebAuthn
16:11:41 Best Buy
16:12:00 ...will give us a high level overview.
16:12:11 kaiju has joined #webauthn
16:12:28 ...customer authentication is key for us.
16:12:51 ...security for the customer is key, secure as possible, with a lot of challenges.
16:12:59 ...security vs. friction
16:13:07 ...we are customer obsessed
16:13:29 ...more customer interaction is the goal and to drive additional security
16:14:15 ...we rolled out WebAuthn on the large screen experience
16:14:30 present+ Martin_Kreichgauer
16:14:43 ...credential selection is the first step.
16:14:52 ...ties the credential to the WebAuthn process
16:15:16 ...user gets to a recognized state and is then prompted for a credential
16:17:07 ...works with Chrome and Firefox
16:17:20 shane: do you filter for other platforms?
16:18:07 joseph: I don't think we are asking for attestation.
16:18:40 joseph: we are working on the feedback loop
16:18:51 ...we do surveys on the bestbuy.com site.
16:19:04 Andrew: we created UX guidelines.
16:19:11 ...did you look at those?
16:19:29 present+ Andrew_Shikiar
16:19:31 joseph: it seemed confusing at times
16:19:45 ...they said the spec was confusing to them
16:20:03 ...they struggled on their own, trying to give feedback
16:20:28 A.Shikiar: I will send you the UX work that we have done.
16:20:39 joseph: I will take a look
16:20:52 tony: what is the update?
16:21:20 joseph: it is light. we are trying to help customers through the authentication process
16:21:31 ...we don't know yet what to call the button for authentication
16:21:41 ...we would like more traffic.
16:22:01 Matt: how did you think about the security?
16:22:40 joseph: we do see people in channel and account takeover, trying to help security here
16:23:07 ...we discovered WebAuthn, but we are exploring all options
16:23:28 NickS: were you doing any testing, conformance test?
16:23:37 joseph: I will take that back.
16:24:12 matt: as a consumer I was happy to see the options
16:24:31 joseph: as you work on this, fraud is a big issue.
16:24:40 ...so we want good authentication.
16:25:40 shane: on account takeover. pre-WebAuthn you could force multifactor to do that
16:25:49 joseph: we see some success here.
16:25:54 wseltzer has changed the topic to: 9 June F2F https://www.w3.org/events/meetings/53cc9a2e-c2fe-4a2a-81b0-314c39463969
16:26:00 ...it is compulsory
16:27:22 joseph: we do look at payments, not looking at the flow. more about how to control the flow
16:27:43 bradley: you are part of the risk analysis, this is for payments
16:27:51 agl: have you seen passkeys?
16:28:02 joseph: no
16:29:20 joseph: we have not removed the log-in; once they do the initial credential we can take away log-in
16:29:38 ...we are using surveys and tools for feedback on WebAuthn
16:31:24 Andrew Shikiar:
16:31:33 ...we need to iterate passkeys
16:31:39 ...that is based on testing
16:31:54 ...getting that feedback to FIDO
16:31:59 ...want to gather all we can
16:32:04 ...it shows future directions
16:32:26 ...W3C and FIDO there is overlap, we want to support the Adoption Community Group
16:32:43 ...WebAuthn and FIDO is a close working relationship
16:33:12 ...one goal for FIDO was to enable libraries
16:33:18 ...want to see that take place.
16:33:32 tony: where is PassKey going?
16:33:47 andrew: I hear a lot about it
16:34:12 ...taking passwords out of play
16:34:29 ...would be interesting to see how enterprise goes.
16:34:52 ...I think the security key is the gold standard
16:35:17 tony: one of your principals is impacted
16:35:40 ...we need to see how enterprise goes.
16:35:58 bradley: passkeys will work with Level 2 certification
16:36:12 ...passkeys are not being standardized
16:36:36 Tim: we need to see it as a credential type
16:36:47 ...it needs to be generic.
16:37:11 ...there is not a threat here. there is not a spec called passkeys
16:37:31 Nick: it is coming out like it is different keys
16:38:17 matt: enterprise is losing the controls on the security model
16:38:19 shane: yes.
16:38:23 agenda+ enterprise RP use cases (Matt_Miller)
16:38:41 bradley: we should talk about multi-device creds, which is just one piece.
16:38:53 matt: enterprise RPs asking about passkeys.
16:39:10 selfissued has joined #webauthn
16:39:17 present+
16:39:32 shane: challenge for platform providers, enterprise is not set to adopt this right now
16:39:52 ...some of the model is out of sequence.
16:40:43 Topic: TPAC
16:40:46 tony: one thing to bring up is TPAC
16:40:50 present+
16:41:09 ...request to meet with anti-fraud and payments people
16:41:19 ...TPAC is end of September
16:41:37 [12-16 September]
16:41:40 wendy: 12-16 September
16:43:34 tony: so we will be there; meet with payments, privacy and anti-fraud folks
16:43:57 agenda+ PRs
16:44:13 tony: look at some PRs and some details, then go to Christiaan when he gets here.
16:45:32 zakim, take up agendum 3
16:45:32 agendum 3 -- PRs -- taken up [from wseltzer]
16:48:30 nsteele has joined #webauthn
16:49:32 present+ John_Pascoe, David_Waite
16:49:42 tony: let's go to open issues.
16:51:28 https://github.com/w3c/webauthn/pull/1733
16:51:40 https://github.com/w3c/webauthn/issues/1731
16:52:03 elundberg: adds some things we may not want to do as an RP
16:52:14 ...I encourage review and feedback
16:52:40 Tim: maybe do this after the Ping presentation
16:53:31 DWaite: there will be a Ping ID presentation. point is that FIDO does not protect against supply chain attacks
16:54:08 elundberg: issue with untrusted code on sub-domains.
16:54:49 tony: Nick, has this come up with the adoption group?
16:54:55 nick: not really
16:55:26 bradley: Token Binding would have made this easier...
16:55:52 https://github.com/w3c/webauthn/pull/1732
16:56:00 agl: no changes
16:56:24 tony: move forward with this one.
16:57:19 tony: will circle back
16:57:44 https://github.com/w3c/webauthn/pull/1703
16:58:17 matt: trying to figure this one out; could use a working session and push this through
16:58:24 agenda+ pr1703, JSON (de)serialization
16:58:27 agl: I want to see this defined and landed
16:58:51 martin: in reasonable shape, some open areas.
16:59:16 ...another one is about the structure of the IDL
16:59:28 agl: this is not a web API.
16:59:49 ...it does not have to follow all the IDL
17:00:31 matt: write as valid IDL, but not restricted components
17:00:39 martin: should still be valid IDL
17:00:49 agl: there are no bindings.
17:00:55 ...tooling does not have to process it.
17:01:02 ...it is only humans who will ever read this
17:01:18 bradley: but Mozilla has rules around this.
17:01:39 agl: this is mostly for developers
17:02:08 agl: should we delete the IDL?
17:02:35 martin: it is probably best to leave it in
17:03:09 elundberg: could we do this a different way in public key creation?
17:04:37 elundberg: you have to add JSON
17:06:56 agl: martin thinks we need to have it in.
17:07:09 ...elundberg, is this fundamental in the PR?
17:07:48 elundberg: maybe we should be more rigorous, but willing to let some things go
17:08:03 matt: should we leave something for other browser developers?
17:08:20 elundberg: mostly tweaks here, not so for fundamentals
17:08:28 matt: I will close this out.
17:08:42 martin: I can try to do this in a prototype.
17:09:27 elundberg: I think downstream we should be fine.
17:12:28 martin: we should look at processing
17:12:51 selfissued: think you will find all that in the registry
17:15:39 agl: work assigned to work toward closing this
17:15:59 zakim, drop agendum 4
17:15:59 agendum 4, pr1703, JSON (de)serialization, dropped
17:16:35 [break, 10 minutes]
17:26:58 [resuming]
17:27:08 https://github.com/w3c/webauthn/pull/1695
17:27:13 agl: we should merge
17:27:27 present+ Akshay_Kumar
17:27:30 tony: merge
17:27:47 tony: emil, can you look at this one?
17:28:52 selfissued: I am approving now
17:29:55 tony: any objections?
17:30:02 tony: no
17:31:40 elundberg: mostly editorial, the rest we can approve
17:32:24 tony: merged
17:33:34 https://github.com/w3c/webauthn/pull/1663
17:34:05 agl: adds a second key to a given credential; Android expects to support this when it goes public with passkeys
17:36:25 bradley: missing in CTAP a notion of attestation type
17:37:19 ...we may want to have a certain attestation type; or Post Quantum, want to allow the RP to have attestation types
17:37:30 ...may be useful at the CTAP layer to say more.
17:37:48 ...I would like to fix it properly at the CTAP level
17:38:29 ...let's not do it as a one-off
17:38:42 ...would have to add flags to get attestations
17:39:07 agl: how do we express this at the WebAuthn level?
17:39:35 bradley: sort of already have a mapping
17:39:55 agl: you want attestations and types
17:40:08 bradley: will give us some room down the road to fill in gaps
17:40:53 ...I would like to have RP options without blowing up things later in Post Quantum
17:41:27 ...what do we want to do with multi-device creds?
17:42:01 ...DPK, not multi-device creds
17:42:15 ...Device Public Key
17:43:26 agl: DPK opens up some things we don't like
17:44:15 shane: this is going away from my question
17:44:47 ...what is the risk of not supporting DPK as primary credentials?
17:45:07 agl: we don't want to make this a smooth operation
17:47:01 ...check that, we want this to be a smooth operation
17:50:16 selfissued: how do we make this actionable?
17:50:50 bradley: change proposed taking over the entire crypto-gram
17:51:14 ...there is not an issue for this yet
17:51:44 ...only question is to do this in a way that will not impact existing RPs
17:52:13 ...there are things that may go beyond the RP.
17:52:59 selfissued:
17:53:23 ...defers
17:55:03 agl: are we changing this out, and an unsigned output?
17:55:17 dirk: DPK chooses to make use of this.
17:55:46 agl: this should not break anything.
17:56:26 akshay: what will the main key sign in this case?
17:56:49 agl: both will be signed. one normal, one unsigned over the authenticator data
17:57:18 dirk: how does attestation work then?
17:57:42 agl: new fields in CTAP2, it will control attestation and normal attestation.
18:08:56 present+ Pamela_Dingle
18:12:59 agl: I think the DPK stays in the extension
18:14:00 shane: enterprise needs a way to deal with cloud ???
18:15:05 agl: we want to make a clear path for DPK
18:16:18 shane: give me a device bound cred; DPK is a hard way to express this.
18:27:47 bradley: difference this makes to the RP, can get attestation without DPK
18:28:03 ...should authenticators return it, RPs could do it.
18:29:10 tony: any objections to returning DPK?
18:29:32 agl: we are not breaking it.
18:30:30 agl: Apple is getting rid of passwords...
18:31:32 shane: if no attestation for the DPK, then it is nearly useless
18:31:51 bradley: we have to nail this down.
18:32:08 agl: RP won't get attestation this year
18:47:30 agl: I will write a PR on this.
18:47:51 [lunch break, 13 minutes]
19:02:01 [returning]
19:04:44 Topic: Demo
19:05:36 [Christiaan shows a passkey demo]
19:13:11 end of demo
19:13:56 matt: does this use conditional UI?
19:14:10 Christiaan: yes
19:29:44 https://github.com/w3c/webauthn/pull/1576
19:29:52 Topic: Back to PRs
19:30:07 nina: I also have to send updates to HTML
19:30:19 ... we could merge with a note that HTML updates are also needed
19:30:49 ... I haven't yet opened an issue in HTML to avoid a circular dependency
19:31:09 tony: Can you open an issue or PR there for tracking here?
19:31:19 nina: yes
19:31:56 ... and 1576 is ready to merge from my perspective
19:32:36 john: Should timeouts be respected?
19:32:44 nina: called out, recommend avoid setting timeouts
19:33:30 john: @@
19:33:39 nina: when you cancel the request, we don't resolve the promise
19:33:51 ... so we're not signaling that the user has a credential but chooses not to use it
19:34:13 ... WebAuthn without conditional UI can show an error because it's the same error as timeout
19:34:30 Do you need me to take over
19:34:34 wendy
19:35:22 * jfontana can you take the next 10 minutes?
19:35:46 matthew_miller: what if you keep changing focus to and from the username field, does it prompt every time?
19:35:55 nina: I think it should be every time
19:36:10 ... though it could be a more subtle indicator on subsequent focus
19:36:44 matthew: there could be implementation variations
19:36:50 tim: as there are for password
19:37:14 tony: so you'll update and we'll discuss at the next meeting
19:37:25 tony: 1425, recovery extension?
19:37:31 elundberg: nothing new
19:37:50 tony: 1736
19:38:03 https://github.com/w3c/webauthn/pull/1736
19:38:08 elundberg: looks ready to go
19:38:16 tony: any objections?
19:38:32 ... merge
19:39:15 tony: 1741, did we resolve?
19:40:25 john_bradley: related to DPK, PRs in CTAP
19:40:30 tony: 1740
19:40:53 elundberg: some editorial fixes
19:41:18 ... I'll create the PR
19:41:22 tony: 1739
19:42:29 (returning to that one)
19:42:34 tony: 1738
19:43:47 john_bradley: how can we add flexibility, so it doesn't blow up the browser?
19:44:22 sbweeden: other examples where we deal with fingerprinting surface, compat?
19:44:39 ... e.g. getWebauthnLevel
19:45:11 tim: could you follow sec client hints?
19:46:10 * jfontana Wendy, I can take over
19:47:36 nina: ok, upgrading to Chrome.
19:48:22 ...I am OK; the caveat is this is not a silver bullet
19:49:52 bradley: how does Microsoft feel on enum issues?
19:50:58 agl: we don't fall back to direct
19:51:04 ...set enterprise.
19:51:23 Bradley: that is a good point
19:51:41 bradley: default is better than blowing up.
19:52:09 ...should it return a type error?
19:52:25 matt: we do that and act accordingly and go to an alternative
19:52:42 agl: we have to have one rule
19:53:04 bradley: you can't know what it is before you get it
19:53:57 bradley: needs some feature detection
19:54:14 agl: we need ignore as a default
19:54:29 selfissued: who will file browser bugs?
19:54:59 nina: maybe we want to discover if enterprise attestation is supported or not
19:55:06 ...I will file bugs
19:55:13 tony: this has to be made clear in the spec
19:55:35 bradley: it ignores some browser options
19:56:17 selfissued: let's not go to versioning
19:56:59 agl: do RPs want the attestation flag?
19:57:24 bradley: we need dom string, ignore ??
19:58:34 present+
19:58:43 https://github.com/w3c/webauthn/issues/1738#issuecomment-1151561722
20:00:32 tony: nina, you will update
20:00:40 nina: which way are we going?
20:01:26 agl: don't need a feature flag for attestation and we want to change the dom string
20:02:04 nina: I filed an issue for the attestation feature
20:02:12 tony: so you can finish the issue
20:03:21 tim: #1739
20:03:36 tim: we can to mediated UI
20:03:37 https://github.com/w3c/webauthn/pull/1576
20:03:43 rrsagent, draft minutes
20:03:43 I have made the request to generate https://www.w3.org/2022/06/09-webauthn-minutes.html wseltzer
20:04:24 chair: Nadalin, Fontana
20:04:55 i|Back to PRs|scribenick: wseltzer
20:05:49 tony: we are through the un-triaged
20:06:11 i|sec client hints|scribenick: jfontana
20:06:38 i|Guest: Joseph Vasterling - Best Buy|scribenick: jfontana|
20:07:17 tim: closed #1708
20:07:59 tony: RP use cases
20:08:10 ...this is a discussion
20:09:18 Topic: RP Use Cases
20:09:23 Matt: Cisco looking at sync across devices
20:09:40 ...this was ideal for use; being shared, less ideal
20:09:49 ...we thought it would still be bound to the user
20:09:58 ...now we see sharing keys.
20:10:41 ...now we have a cred that does not indicate specific devices or users.
20:10:54 ...there is a lack of configure with WebAuthn and new keys
20:11:12 ...what are RP pain points?
20:11:37 ...if opt out, people will do that. but we need to have them
20:12:12 ...passkeys will come out way before DPK. what happens then?
20:12:43 shane: there are going to be awful second factors as people ignore passkeys
20:13:16 matt: need to hedge the capability of passkeys; we could sell other products, but we shouldn't have to take those extra steps
20:13:43 ...I think we should double down on the frustrations of RPs
20:14:24 matt: the reason we stopped attestation was a consideration
20:14:33 ...it will be a negative when we have that conversation,
20:14:51 bradley: your beef is with multi-credentials
20:15:03 ...we need to be clear on the terminology
20:15:37 ...matt, your problem is not with multi creds.
20:15:55 matt: in this moment there are features we have issues with
20:16:17 matt: you have two things, hybrid and flags
20:16:26 ...we are not ready to support this
20:16:42 tim: we all get support cases
20:17:40 agl: does this thinking include security keys for employees?
20:18:09 ...if we put this behind the enterprise flag it is useless to you (Microsoft)
20:19:00 matt: managed device policy is not going to work for us.
20:19:16 tim: same answers across all these areas
20:20:08 matt: we had security keys and now we had to adapt to caBLE
20:20:25 ...these are things we need ahead of time. we would have opted out
20:20:46 Christiaan: this will stabilize over time
20:21:12 ...can we give people an opt-out? when everything is there it will go forward
20:21:30 matt: this will repeat itself with evolution and new features
20:21:49 ...what if we have a different mentality on roll outs?
20:22:28 Christiaan: longer term concern. we will focus on consumer; having a key will be unsettling for them
20:22:59 bradley: some browsers do a better job than others. there are things we can do.
20:23:47 matt: not just the authentication experience, we have authorization
20:25:30 Christiaan: we might want to spell out some things more specifically.
20:26:24 shane: we always needed attestation. why can't we do that?
20:27:02 Christiaan: so you can simply not offer anything.
20:27:34 Shane: on issue to wait on signal. At the end, I say tough
20:27:50 bradley: caBLE does not tell you what is coming.
20:27:55 ...user agent does not help
20:28:49 Christiaan: there are plenty of times you want to know the authnr is an Apple platform.
20:28:59 shane: but you don't get an attestation.
20:29:17 Matt: could we add a simple flag to registration?
20:31:08 matt: we are working with a staggered roll out
20:31:25 shane: we will have windows where we will shut down WebAuthn
20:32:06 bradley: is there some attestation we could offer?
20:34:23 tim: we mapped a user on a device and now it means nothing
20:34:56 Christiaan: there is still value to passkeys
20:35:03 ...consumer enterprise
20:39:05 tim: we are evangelizing a new passkey for enrollment
20:39:24 ...but now it is credential sharing
20:40:05 tony: this is a choice for people.
20:40:58 wendy: should we go back to security modeling?
20:41:21 ...as the technology is out there, use cases are overlaid
20:42:12 matt: we were just getting used to credential sharing, and then this is coming was
20:42:36 John (Apple): these are looked at as better than passwords.
20:42:44 ...it was password replacement
20:42:58 tim: what precedent are we trying to do.
20:43:17 ...we say credential sharing is coming
20:51:07 scribe+
20:51:07 shane: I don't want the user to go through a ceremony that the RP knows will not work
20:52:06 cnh has joined #webauthn
20:52:59 agl: I don't understand going back to the RP
20:53:26 shane: It is more of having the authenticator not being able to fail as an outcome.
20:53:33 ...get the correct credential
20:54:04 ...I want the RP to be asked for a credential
20:55:01 bradley: this is more like a transport hint.
20:55:54 shane: capture the issue
20:56:24 dirk: why does this not meet the requirement on DPK?
20:56:39 christiaan: you can go back if you want
20:56:53 bradley: DPK is supposed to fail. you can't error out.
20:57:05 ...I don't know that all RPs will want that behavior
20:57:59 matt: here is my ask. if we can't have a device bound cred, can we ask for a credential to be permanently bound?
20:58:10 shane: sounds like a path to destruction
20:58:32 Christiaan: I see a future where we allow multiple vendors to plug in
20:58:51 ...but all of these passwords will have different ways to share, get back into the account.
20:59:09 ...this is why we have attestation, we can go down multiple paths.
20:59:22 ...now we come back to metadata.
20:59:42 shane: MDS will describe what these things are
21:00:19 dirk: maybe the requirement is identifying a kind of passkey
21:03:52 dirk: maybe it is not the sharing, but the capabilities
21:07:20 elundberg: main argument against it is don't want a flag, don't want the user to turn on better security.
21:11:45 shane: I have a problem that it is out of the RP's control to ask for a specific thing
21:12:04 elundberg: now that we have flags it makes sense to have this parameter on the top level.
21:13:34 Matt: trying to preserve the device bound,
21:18:08 matt: I want a fail if the credential is going to fail
21:18:25 agl: I am listening
21:19:41 shane: I don't care the answer, I want to make this request of the client
21:23:31 tony: we have to show the implementation of the spec in order to go to Recommendation
21:23:53 ...you could play with features
21:24:42 ...but it has to have implementation to have a spec
21:27:57 bradley: RPs will have to decide what they are going to reject.
21:28:42 christiaan: we have to see how this shakes out.
21:34:15 bradley: we have strong authentication, is it multiple factor? It is strong single factor. It could be part of an AAL 2, and be multi factor
21:34:42 ...we are changing the underlying rules
21:35:02 matt: is this a message going out, you want to consider a second factor?
21:35:11 bradley: depends on your use case.
21:48:24 [10 min break]
22:07:00 present+
22:10:15 tony: would like to have a draft WD-01
22:11:49 ...put out a draft before TPAC
22:12:26 selfissued: do we have the people who can use the tooling?
22:13:27 action: wseltzer to do some repository cleanup
22:13:36 wendy: she can offer help from W3C
22:13:58 tony: any more issues to talk about?
22:14:03 ...SPC?
22:16:40 Topic: SPC
22:18:58 [Christiaan describes the SPC argument for non-iframe cross-origin get of credential]
22:20:27 christiaan: can we allow the creation of a WebAuthn credential in a cross-origin iframe?
22:23:47 jbradley: should we take this on?
22:24:04 ... admit that you can make a credential in a cross-origin iframe
22:24:11 ... which will make many IDPs happy
22:24:37 christiaan: can you write an issue?
22:24:40 jbradley: yes
22:25:18 christiaan: we also keep hearing about generic things people want signed...
22:25:31 selfissued: there's an unimplemented extension
22:26:40 agl: do users understand who is speaking is a big concern
22:35:27 agl: you navigate to example.com, get a foo.com iframe that can make a foo.com credential, that can be used on example.com
22:35:45 jbradley: make in 3rd party context iframe
22:35:58 agl: make in iframe that is not same-origin with ancestors
22:36:13 tony: Any other issues?
22:37:03 sbweeden: thanks for the conversation about the needs of enterprise
22:37:55 matthewmiller: what we're telling RPs, DPK is coming and will eventually be able to achieve the properties that had been assumed
22:38:07 ... no short-term mitigation
22:38:19 christiaan: continue to make credentials as usual in Android
22:38:44 matthewmiller: does Apple have a mechanism for opting out?
22:38:53 johnp: no
22:41:01 tony: talk with you all in 3 weeks
22:41:29 ... thanks Tim for hosting
22:41:33 [adjourned]