IRC log of webauthn on 2022-11-16
Timestamps are in UTC.
- 19:59:30 [RRSAgent]
- RRSAgent has joined #webauthn
- 19:59:30 [RRSAgent]
- logging to https://www.w3.org/2022/11/16-webauthn-irc
- 19:59:32 [Zakim]
- RRSAgent, make logs Public
- 19:59:34 [Zakim]
- Meeting: Web Authentication WG
- 20:01:37 [wseltzer]
- Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2022Nov/0054.html
- 20:02:15 [wseltzer]
- present+ Akshay, Nadalin, nsteele, sbweeden, elundberg, smcgruer, JasonCai, matthewmiller, wseltzer
- 20:03:33 [wseltzer]
- present+ SueKoomen
- 20:04:06 [wseltzer]
- regrets+ TimCappalli, MikeJones, JohnBradley
- 20:04:29 [wseltzer]
- Nadalin: PR 1814
- 20:04:51 [wseltzer]
- elundberg: editorial, fixing a reference
- 20:05:11 [wseltzer]
- sbweeden: I approved
- 20:05:22 [wseltzer]
- ... it's trivial
- 20:05:32 [wseltzer]
- nadalin: no objections to merging
- 20:05:46 [wseltzer]
- nadalin: 1774
- 20:05:51 [wseltzer]
- elundberg: still open
- 20:06:11 [wseltzer]
- nadalin: 1821
- 20:06:19 [kaiju]
- kaiju has joined #webauthn
- 20:06:19 [wseltzer]
- sbweeden: approve, it's trivial
- 20:06:26 [wseltzer]
- nadalin: merge
- 20:06:35 [wseltzer]
- nadalin: 1813
- 20:06:43 [wseltzer]
- elundberg: editorial, renaming some properties
- 20:07:06 [wseltzer]
- nadalin: good to merge
- 20:07:34 [wseltzer]
- nadalin: 1812
- 20:07:50 [wseltzer]
- elundberg: restructures DPK attestation to use credential record abstraction
- 20:08:11 [wseltzer]
- ... for easier reading. I'd like some review
- 20:08:28 [wseltzer]
- present+ JohnPascoe, RanjivaPrasad
- 20:08:39 [wseltzer]
- regrets+ agl, Nina
- 20:09:09 [wseltzer]
- elundberg: please take a look if you're interested in DPK extension
- 20:09:25 [wseltzer]
- nadalin: 1801
- 20:09:42 [wseltzer]
- smcgruer: Web Payments WG request to allow x-origin iframe to support payments use cases
- 20:09:56 [wseltzer]
- ... awaiting further reply
- 20:10:53 [wseltzer]
- johnpascoe: Apple's disagreements are noted there, remain
- 20:11:14 [wseltzer]
- akshay: do we have reasoning?
- 20:11:39 [wseltzer]
- johnpascoe: It seems the wrong point for credential creation; likely to create user confusion
- 20:12:03 [wseltzer]
- ... user confusion that URL in URL bar isn't for what you're registering credential
- 20:12:10 [wseltzer]
- ... hard to convey accurately to user what's happening
- 20:12:24 [wseltzer]
- akshay: I see the confusion where the URL differs from what you're registering
- 20:12:40 [wseltzer]
- ... the 3DS use case shouldn't be mixed with the login use case; that is solved by an extra property
- 20:13:01 [wseltzer]
- johnpascoe: proposed fix is make sure you register 3DS credentials on a different subdomain from login
- 20:13:23 [wseltzer]
- akshay: many RPs do not care about payments
- 20:13:35 [wseltzer]
- ... ability of random websites to call a prompt concerns me
- 20:14:04 [wseltzer]
- ... can we have an RP opt-in, e.g. .well-known, to allow the x-origin UI?
- 20:14:58 [wseltzer]
- smcgruer: this is enrollment
- 20:15:14 [wseltzer]
- akshay: security-wise, server can check responses
- 20:15:32 [wseltzer]
- ... but the fact that a random website can *ask* for login.microsoft.com is a brand and usability problem
- 20:16:58 [wseltzer]
- smcgruer: for authentication time, there's an opt-in, default off
- 20:17:12 [wseltzer]
- ... I wasn't aware of that concern at enrollment
- 20:17:20 [wseltzer]
- ... still don't fully see it
- 20:17:50 [wseltzer]
- akshay: phishing resistance. previously, you could clone a website; webauthn says the browser won't even show you the login
- 20:18:18 [wseltzer]
- ... now, why is prompt coming from random phishing website
- 20:18:55 [wseltzer]
- smcgruer: not seeing huge difference from popup
- 20:19:53 [wseltzer]
- ... back to John's point, nothing today stops an RP from creating a passkey for whatever they want
- 20:20:09 [wseltzer]
- ... even if they tell the user the passkey is only for payments, it will show up in password manager
- 20:21:23 [wseltzer]
- @@: do we know how mozilla feels?
- 20:21:33 [matthewmiller]
- matthewmiller has joined #webauthn
- 20:21:41 [wseltzer]
- dveditz: generally uncomfortable with the flow
- 20:22:03 [wseltzer]
- ... need to think more about user experience for username/password vs passkey
- 20:22:14 [wseltzer]
- akshay: I'd like a couple weeks to review
- 20:23:25 [wseltzer]
- nadalin: question of how many implementations we'd get, as well as consensus or not
- 20:23:43 [wseltzer]
- smcgruer_[EST]: thanks for input. we want to hear questions and concerns
- 20:25:09 [wseltzer]
- smcgruer: there's a silent fall-back from dev perspective, it won't work if not implemented
- 20:26:05 [wseltzer]
- s/the flow/creating credentials in x-origin iframe; have to think further whether webauthn makes a difference/
- 20:26:41 [wseltzer]
- smcgruer_[EST]: in the original issue, there's a list of payment folks who want to do this
- 20:26:56 [wseltzer]
- ... they're not looking to create an account, but to create a passkey
- 20:27:20 [wseltzer]
- ... they've authenticated the user to some extent, and want to create a passkey for future interactions
- 20:27:31 [wseltzer]
- -> earlier issue https://github.com/w3c/webauthn/issues/1656
- 20:27:39 [wseltzer]
- nadalin: we'll leave it for a few more weeks
- 20:27:55 [wseltzer]
- ... return at next meeting in 2 weeks.
- 20:28:17 [wseltzer]
- nadalin: Untriaged, 1822
- 20:28:49 [wseltzer]
- elundberg: should there be more granular resident key options
- 20:29:36 [wseltzer]
- ... don't exhaust limit space
- 20:29:43 [wseltzer]
- s/limit/limited/
- 20:29:57 [wseltzer]
- sbweeden: prefer if unlimited depends on cooperative RP involvement
- 20:30:24 [wseltzer]
- ... if you're going to preserve discoverable credential space, client needs to help orchestrate
- 20:31:05 [wseltzer]
- johnpascoe: as browser, do we just assume any key has limited storage
- 20:31:14 [wseltzer]
- elundberg: recent CTAP has a field
- 20:31:31 [wseltzer]
- ... if nothing, you should assume limited
- 20:33:03 [wseltzer]
- akshay: in deployment, you're selecting one UX or another; in "preferred", I don't really know how UX will work
- 20:33:25 [wseltzer]
- ... I don't think there's a webauthn change required here.
- 20:33:58 [wseltzer]
- ... platform or browser could make tweaks
- 20:34:09 [wseltzer]
- elundberg: that makes sense
- 20:34:20 [wseltzer]
- davidwaite: this is to solve for the starvation case
- 20:34:44 [wseltzer]
- ... there could be recommended heuristics
- 20:37:04 [wseltzer]
- nadalin: leave this as-is for now
- 20:37:13 [wseltzer]
- present+ davidwaite
- 20:37:33 [wseltzer]
- nadalin: 1819
- 20:38:11 [wseltzer]
- ... this may be implementation
- 20:39:10 [wseltzer]
- ... I'll ask adam
- 20:39:16 [wseltzer]
- nadalin: 1818
- 20:39:22 [wseltzer]
- elundberg: close, redirected
- 20:39:38 [wseltzer]
- nadalin: 1817
- 20:40:15 [wseltzer]
- sbweeden: re duplication of data in client extension results
- 20:40:58 [wseltzer]
- ... duplicate in unsigned data seems a recipe for reading from the wrong place
- 20:41:12 [wseltzer]
- elundberg: agree. would like comment from Mike Jones
- 20:44:21 [wseltzer]
- sbweeden: let's wait for Mike Jones, Adam
- 20:44:26 [wseltzer]
- nadalin: 1816
- 20:46:05 [wseltzer]
- ... any objection to closing?
- 20:46:28 [wseltzer]
- ... 1808
- 20:47:13 [wseltzer]
- elundberg: we closed earlier, as there's no ask for change
- 20:47:25 [wseltzer]
- ... got requested to reopen, but no response
- 20:47:31 [wseltzer]
- nadalin: close it again
- 20:48:02 [wseltzer]
- ... if asks to reopen again, we need feedback
- 20:48:07 [wseltzer]
- nadalin: 1803
- 20:48:34 [wseltzer]
- sbweeden: elundberg responded
- 20:48:51 [wseltzer]
- ... if I want to pursue, should offer a non-normative PR
- 20:50:13 [wseltzer]
- nadalin: leave open and revisit
- 20:50:39 [wseltzer]
- matthewmiller: can we look at 1255, duplicate of an issue that's rather old
- 20:51:32 [wseltzer]
- ... comes down to browser implementation, whether there's any desire for the feature
- 20:52:01 [wseltzer]
- ... L3 has some precedent for serializing options for use in a form
- 20:52:33 [wseltzer]
- elundberg: agree that JSON serialization makes the threshold lower
- 20:52:43 [wseltzer]
- ... I'd like to see the feature but don't feel strongly
- 20:52:57 [wseltzer]
- johnpascoe: I'd like to see the feature too
- 20:53:20 [wseltzer]
- matthewmiller: would like to see it to make webauthn a first-class feature in the DOM
- 20:53:47 [wseltzer]
- sbweeden: what's the motivation for not wanting to use javascript?
- 20:54:11 [wseltzer]
- matthewmiller: e.g. allowing frontend devs to work in HTML, as with username/password form
- 20:54:31 [wseltzer]
- ... declarative form-building
- 20:55:56 [wseltzer]
- nadalin: need to look at the charter scope
- 20:57:30 [wseltzer]
- dveditz: Moz would have some interest, e.g. Tor project, noscript
- 20:58:14 [wseltzer]
- nadalin: leave it for consideration
- 20:58:58 [wseltzer]
- elundberg: shall I note tentative support from Safari and Firefox, but issue is low priority
- 20:59:12 [wseltzer]
- dveditz, johnpascoe: interest, not support
- 20:59:40 [wseltzer]
- rrsagent, draft minutes
- 20:59:40 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/11/16-webauthn-minutes.html wseltzer