Meeting minutes
SPC: From browser cache to FIDO/WebAuthn integration
smcgruer_[EST]: This is about how we are going to get from today's Chrome implementation of SPC to a future where SPC is properly part of the underlying (FIDO-related) APIs
[SPC today]
smcgruer_[EST]: Some limitations today - we cache info in the browser, which means first of all that credentials are not shared between browsers running on the same device.
smcgruer_[EST]: Also means we limit use of credentials to a subset of what we want to be used for SPC (e.g., ordinary FIDO credentials in a 1p context)
smcgruer_[EST]: Another limitation today is no support for remote authenticators
smcgruer_[EST]: And finally, we don't want to override some WebAuthn behaviors
[Stephen walks through SPC flow reminder]
Ian: Please include the flow slide in the explainer!
[Ideal end state]
smcgruer_[EST]: (1) no overrides of underlying APIs (2) reliance on authenticators (CTAP) to answer questions (a) does credential exist? (b) is it available cross-origin if this is a cross-origin request? (3) any [discoverable] FIDO credential should work (4) only cross-origin credentials should work in cross-origin scenarios (5) should work with platform and roaming authenticators.
[What needs to change to get there]
smcgruer_[EST]: Lots to read there
[Very aggressive timeline!]
smcgruer_[EST]: We're already behind. At a high level, we need a few things:
… authenticators need to have the SPC extension
… SPC needs to be cleaned up to align with that
… the "payment" extension needs to become an alias for the above
… it will take some time to get authenticator support (e.g., a year)
… in the meantime I would like to hear from you -- should we support a second extension that can be used to allow requests for cross-origin
… if you are a user of SPC ONLY in a 1p context, should we support that before the authenticators make it easier for us?
JeanLuc: What is the impact on reliance on discoverable credentials?
smcgruer_[EST]: Discoverable credentials allow us to look up credentials. Today, to my knowledge, right now authenticators don't let you do that look-up without a user interaction with the device.
… they are more used in WebAuthn right now where the platform authenticator says "which of these identities do you want to use?"
… that said, discoverable credentials are likely to be the basis for the BROWSER to query authenticators silently.
… we are close to having this. These APIs (mostly) exist; what we need is the cross-origin bit
smcgruer_[EST]: I believe we have resolved that any returned credential can be used for 1p context
… in the latest Windows Insider build they have added APIs for listing discoverable credentials without user interaction.
IJ: Is the silent access API a work item at the CTAP level?
smcgruer_[EST]: In terms of 3p bit, there's a pending pull request at the CTAP level.
… that will make it possible to query authenticators
Ian: What about standard API for roaming authenticators?
smcgruer_[EST]: I think that's supported via Credential Management API; John Bradley could clarify here.
Ian: Back to Stephen's question -- any views on priority of 1p support without SPC-bit set within the next year?
Erhard: Yes, I would say we would be interested in support for the feature.
smcgruer_[EST]: What we would do is introduce 2 more extensions. One would mark a credential as "SPC" and one would set a credential as cross-origin enabled.
… both would be cached in the browser
… one would mean "ok for SPC cross origin"
… one would mean "ok for SPC, but not cross origin"
… and the existing extension would mean "ok for SPC and cross origin" (an alias)
Erhard: That makes sense.
Ian: Backwards compatibility issues?
smcgruer_[EST]: Should have no impact on 3DS integration. This happens at credential creation time (which is not covered in 3DS).
Ian: What should we be looking for at TPAC on this?
<JeanLuc> what is currently missing on SPC to be able to use roaming authenticator?
smcgruer_[EST]: I could imagine talking about the 2 extensions; but not sure what priority of that is yet.
… separately we'll provide an update on where we are with authenticators.
… I would like to see the 3p bit merged in FIDO by then
smcgruer_[EST]: Regarding support for roaming authenticators:
a) We could specify a fallback flow in the spec: "If you have a roaming authenticator, insert now." It's a fair amount of implementation.
b) Or, to do this more properly, we'd need to understand what the Credential Management API can do for us; discussion with WebAuthn folks. They have a long-term conversation about whether roaming authenticators should be able to proactively tell the OS (after first inserted) what credentials are available.
… then you could use this for SPC without having the device already inserted.
TPAC 2022
Registration soon!
… hotel info + special rate
https://
Ian: Remote participation will be an option
<Sue> Will you be sending out the agenda soon?
Ian: At the latest mid-August
<Sue> Monday morning?
<Sue> Would we start Monday morning?
Monday, 12 September, 9:00-16:00 PT. Note: We will do our best to ensure that critical agenda items are discussed in the morning session.
<Sue> Thank you
<JeanLuc> Is DID Working Group part of TPAC?
https://
<JeanLuc> thanks
Next meeting of WPWG
https://
18 August
ADJOURNED