19:59:30 RRSAgent has joined #webauthn 19:59:30 logging to https://www.w3.org/2022/11/16-webauthn-irc 19:59:32 RRSAgent, make logs Public 19:59:34 Meeting: Web Authentication WG 20:01:37 Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2022Nov/0054.html 20:02:15 present+ Akshay, Nadalin, nsteele, sbweeden, elundberg, smcgruer, JasonCai, matthewmiller, wseltzer 20:03:33 present+ SueKoomen 20:04:06 regrets+ TimCappalli, MikeJones, JohnBradley 20:04:29 Nadalin: PR 1814 20:04:51 elundberg: editorial, fixing a reference 20:05:11 sbweeden: I approved 20:05:22 ... it's trivial 20:05:32 nadalin: no objections to merging 20:05:46 nadalin: 1774 20:05:51 elundberg: still open 20:06:11 nadalin: 1821 20:06:19 kaiju has joined #webauthn 20:06:19 sbweeden: approve, it's trivial 20:06:26 nadalin: merge 20:06:35 nadalin: 1813 20:06:43 elundberg: editorial, renaming some properties 20:07:06 nadalin: good to merge 20:07:34 nadalin: 1812 20:07:50 elundberg: restructures DPK attestation to use credential record abstraction 20:08:11 ... for easier reading. I'd like some review 20:08:28 present+ JohnPascoe, RanjivaPrasad 20:08:39 regrets+ agl, Nina 20:09:09 elundberg: please take a look if you're interested in DPK extension 20:09:25 nadalin: 1801 20:09:42 smcgruer: Web Payments WG request to allow x-origin iframe to support payments use cases 20:09:56 ... awaiting further reply 20:10:53 johnpascoe: Apple's disagreements are noted there, remain 20:11:14 akshay: do we have reasoning? 20:11:39 johnpascoe: It seems the wrong point for credential creation; likely to create user confusion 20:12:03 ... user confusion that URL in URL bar isn't for what you're registering credential 20:12:10 ... hard to convey accurately to user what's happening 20:12:24 akshay: I see the confusion where the URL differs from what you're registering 20:12:40 ... 3DS use case shouldn't be mixed with login use case is solved by an extra property 20:13:01 johnpascoe: proposed fix is make sure you register 3DS credentials on a different subdomain from login 20:13:23 akshay: many RPs do not care about payments 20:13:35 ... ability of random websites to call a prompt concerns me 20:14:04 ... can we have a RP opt-in, e.g. .wellknown to allow the x-origin UI? 20:14:58 smcgruer: this is enrollment 20:15:14 akshay: security-wise, server can check responses 20:15:32 ... but the fact that a random website can *ask* for login.microsoft.com is a brand and usability problem 20:16:58 smcgruer: for authentication time, there's an opt-in, default off 20:17:12 ... I wasn't aware of that concern at enrollment 20:17:20 ... still don't fully see it 20:17:50 akshay: phishing resistance. previously, you could clone a website; webauthn says the browser won't even show you the login 20:18:18 ... now, why is prompt coming from random phishing website 20:18:55 smcgruer: not seeing huge difference from popup 20:19:53 ... back to John's point, nothing today stops an RP from creating a passkey for whatever they want 20:20:09 ... even if they tell the user the passkey is only for payments, it will show up in password manager 20:21:23 @@: do we know how mozilla feels? 20:21:33 matthewmiller has joined #webauthn 20:21:41 dveditz: generally uncomfortable with the flow 20:22:03 ... need to think more about user experience for username/password vs passkey 20:22:14 akshay: I'd like a couple weeks to review 20:23:25 nadalin: question of how many implementations we'd get, as well as consensus or not 20:23:43 smcgruer_[EST]: thanks for input. we want to hear questions and concerns 20:25:09 smcgruer: there's a silent fall-back from dev perspective, it won't work if not implemented 20:26:05 s/the flow/creating credentials in x-origin iframe; have to think further whether webauthn makes a difference/ 20:26:41 smcgruer_[EST]: in the original issue, there's a list of payment folks who want to do this 20:26:56 ... they're not looking to create an account, but to create a passkey 20:27:20 ... they've authenticated the user to some extent, and want to create a passkey for future interactions 20:27:31 -> earlier issue https://github.com/w3c/webauthn/issues/1656 20:27:39 nadalin: we'll leave it for a few more weeks 20:27:55 ... return at next meeting in 2 weeks. 20:28:17 nadalin: Untriaged, 1822 20:28:49 elundberg: should there be more granular resident key options 20:29:36 ... don't exhaust limit space 20:29:43 s/limit/limited/ 20:29:57 sbweeden: prefer if unlimited depends on cooperative RP involvement 20:30:24 ... if you're going to preserve discoverable credential space, client needs to help orchestrate 20:31:05 johnpascoe: as browser, do we just assume any key has limited storage 20:31:14 elundberg: recent CTAP has a field 20:31:31 ... if nothing, you should assume limited 20:33:03 akshay: in deployment, you're selecting one UX or another; in "preferred", I don't really know how UX will work 20:33:25 ... I don't think there's a webauthn change required here. 20:33:58 ... platform or browser could make tweaks 20:34:09 elundberg: that makes sense 20:34:20 davidwaite: this is to solve for the starvation case 20:34:44 ... there could be recommended heuristics 20:37:04 nadalin: leave this as-is for now 20:37:13 present+ davidwaite 20:37:33 nadalin: 1819 20:38:11 ... this may be implementation 20:39:10 ... I'll ask adam 20:39:16 nadalin: 1818 20:39:22 elundberg: close, redirected 20:39:38 nadalin: 1817 20:40:15 sbweeden: re duplication of data in client extension results 20:40:58 ... duplicate in unsigned data seems a recipe for reading from the wrong place 20:41:12 elundberg: agree. would like comment from Mike Jones 20:44:21 sbweeden: let's wait for Mike Jones, Adam 20:44:26 nadalin: 1816 20:46:05 ... any objection to closing? 20:46:28 ... 1808 20:47:13 elundberg: we closed earlier, as there's no ask for change 20:47:25 ... got requested to reopen, but no response 20:47:31 nadalin: close it again 20:48:02 ... if asks to reopen again, we need feedback 20:48:07 nadalin: 1803 20:48:34 sbweeden: elundberg responded 20:48:51 ... if I want to pursue, should offer a non-normative PR 20:50:13 nadalin: leave open and revisit 20:50:39 matthewmiller: can we look at 1255,, duplicate of issue that's rather old 20:51:32 ... comes down to browser implementation, whether there's any desire for the feature 20:52:01 ... L3 has some precdent for serializing options for use in a form 20:52:33 elundberg: agree that JSON serialization makes the threshold lower 20:52:43 ... I'd like to see the feature but don't feel strongly 20:52:57 johnpascoe: I'd like to see the feature too 20:53:20 matthewmiller: would like to see it to make webauthn a first-class feature in the DOM 20:53:47 sbweeden: what's the motivation for not wanting to use javascript? 20:54:11 matthewmiller: e.g. allowing frontend devs to work in HTML, as with username/password form 20:54:31 ... declarative form-building 20:55:56 nadalin: need to look at the charter scope 20:57:30 dveditz: Moz would have some interest, e.g. Tor project, noscript 20:58:14 nadalin: leave it for consideration 20:58:58 elundberg: shall I note tentative support from Safari and Firefox, but issue is low priority 20:59:12 dveditz, johnpascoe: interest, not support 20:59:40 rrsagent, draft minutes 20:59:40 I have made the request to generate https://www.w3.org/2022/11/16-webauthn-minutes.html wseltzer 21:07:04 kaiju has joined #webauthn 21:13:07 kaiju has joined #webauthn 21:23:09 kaiju has joined #webauthn 21:27:13 kaiju has joined #webauthn 23:29:27 kaiju has joined #webauthn