IRC log of webauthn on 2023-01-11
Timestamps are in UTC.
- 20:14:57 [RRSAgent]
- RRSAgent has joined #webauthn
- 20:15:01 [RRSAgent]
- logging to https://www.w3.org/2023/01/11-webauthn-irc
- 20:15:01 [Zakim]
- RRSAgent, make logs Public
- 20:15:02 [Zakim]
- please title this meeting ("meeting: ..."), smcgruer_[EST]
- 20:15:21 [smcgruer_[EST]]
- Meeting: Web Authentication WG
- 20:15:49 [nsteele]
- thanks!
- 20:16:06 [smcgruer_[EST]]
- Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2023Jan/0037.html
- 20:16:11 [nsteele]
- Wendy always dealt with zakim T-T
- 20:16:26 [smcgruer_[EST]]
- zakim, start meeting
- 20:16:26 [Zakim]
- RRSAgent, make logs Public
- 20:16:27 [Zakim]
- please title this meeting ("meeting: ..."), smcgruer_[EST]
- 20:18:00 [smcgruer_[EST]]
- Meeting: Web Authentication WG
- 20:18:47 [smcgruer_[EST]]
- Zakim, meeting: Web Authentication WG
- 20:18:47 [Zakim]
- I don't understand 'meeting: Web Authentication WG', smcgruer_[EST]
- 20:20:19 [smcgruer_[EST]]
- Discussing https://github.com/w3c/webauthn/pull/1812
- 20:20:22 [smcgruer_[EST]]
- Emil waiting for Tim to respond
- 20:20:24 [smcgruer_[EST]]
- Discussing https://github.com/w3c/webauthn/pull/1801
- 20:21:16 [smcgruer_[EST]]
- (scribing of remaining open PRs lost due to tech issues)
- 20:24:36 [smcgruer_[EST]]
- meeting: Web Authentication WG
- 20:27:09 [smcgruer_[EST]]
- Zakim, list attendees
- 20:27:09 [Zakim]
- As of this point the attendees have been (no one)
- 20:27:30 [smcgruer_[EST]]
- present+ kaiju matthewmiller plh nsteele
- 20:29:53 [smcgruer_[EST]]
- present+ agl, Dan_Veditz, David_Turner, David_Waite, elundberg, Jason_Cai, John_Bradley, John_Pascoe, Mike_Jones, Ranjiva_Prasad, Shane_Weeden, TimCappalli, Tony_England
- 20:31:01 [smcgruer_[EST]]
- (scribing picking back up with hopefully technical issues resolved)
- 20:31:02 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1800
- 20:31:20 [smcgruer_[EST]]
- nsteele: Any updates?
- 20:32:03 [smcgruer_[EST]]
- Shane_Weeden: No; intention was to try and close differences in autofill behavior between Chrome and Safari, in the spec
- 20:32:11 [smcgruer_[EST]]
- agl: Chrome and Safari have now harmonized?
- 20:32:35 [smcgruer_[EST]]
- Shane_Weeden: Yes, but we need to spec that for future implementors
- 20:32:37 [smcgruer_[EST]]
- agl: Will mention it to Nina
- 20:32:53 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1791
- 20:33:23 [smcgruer_[EST]]
- matthewmiller: Still valid, will get to it at some point
- 20:33:33 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1779
- 20:33:40 [smcgruer_[EST]]
- agl: Still open, not sure we'll get to it anytime soon
- 20:33:53 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1757
- 20:34:21 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1745
- 20:34:40 [smcgruer_[EST]]
- (1745 is now closed)
- 20:34:44 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1742
- 20:35:45 [smcgruer_[EST]]
- John_Bradley: Could browsers just not throw TypeErrors?
- 20:35:59 [smcgruer_[EST]]
- agl: Even if we did, enterprise value would get mapped from unknown to none (if browser doesn't recognize it)
- 20:36:24 [smcgruer_[EST]]
- ...adding yet another static method to detect this a priori is welcome, someone can send a PR
- 20:37:08 [smcgruer_[EST]]
- ...we'd probably land the change if someone cared enough to write the PR
- 20:37:19 [smcgruer_[EST]]
- John_Pascoe: Wouldn't oppose it.
- 20:37:45 [smcgruer_[EST]]
- elundberg: Can we reflect on enums at the JS layer? Is the WebIDL type exposed?
- 20:37:46 [nsteele]
- It was
- 20:37:52 [smcgruer_[EST]]
- agl: Not sure, worth checking.
- 20:37:55 [smcgruer_[EST]]
- elundberg: I will check.
- 20:38:19 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1741
- 20:38:34 [smcgruer_[EST]]
- agl: Isn't this done?
- 20:38:58 [smcgruer_[EST]]
- Shane_Weeden: Yes
- 20:39:07 [smcgruer_[EST]]
- (issue is closed out)
- 20:39:13 [smcgruer_[EST]]
- https://github.com/w3c/webauthn/issues/1822
- 20:40:39 [smcgruer_[EST]]
- matthewmiller: In summary, setting residentKey=preferred leads to scenario where discoverable credentials will be created on devices with limited storage where you may not want to. There's no good value for an RP to set if they don't want to consume limited DC slots, because discouraged will not activate Passkeys on platform authenticators
- 20:41:01 [smcgruer_[EST]]
- ...so if you want Passkeys but also want to be mindful of limited storage, cannot do that as an RP
- 20:41:24 [smcgruer_[EST]]
- John_Bradley: Most acute problem is that CTAP2 doesn't give users a way to remove credentials. CTAP2.1pre does.
- 20:41:43 [smcgruer_[EST]]
- ... in CTAP2.1 added GetInfo data about how many resident key slots are still available
- 20:41:53 [smcgruer_[EST]]
- ...not sure if RPs should do anything more
- 20:42:20 [smcgruer_[EST]]
- agl: Agreed
- 20:42:39 [smcgruer_[EST]]
- John_Bradley: Platform needs to be smarter about when to map preferred to 'create a DC'
- 20:43:03 [smcgruer_[EST]]
- ...on Windows, will try to make a DC and if it fails will try again with non-DC
- 20:43:09 [smcgruer_[EST]]
- ...is that what Chrome does?
- 20:43:35 [smcgruer_[EST]]
- agl: Not sure. However I think that maybe we should pre-emptively switch to non-DC if < 8 slots available (with CTAP2.1)
- 20:43:55 [smcgruer_[EST]]
- matthewmiller: Can we make security keys opt-in by requiring (scribe, missed this)
- 20:44:11 [smcgruer_[EST]]
- ... make it so that you only get DCs on everything if you choose "required", not "preferred"
- 20:44:30 [smcgruer_[EST]]
- John_Bradley: with CTAP2.1, platform can make that decision
- 20:44:35 [smcgruer_[EST]]
- matthewmiller: But then RP has to keep track of changes in that logic
- 20:44:47 [smcgruer_[EST]]
- John_Bradley: No, preferred means I'm ok to accept a non-DC, thats not changing
- 20:45:20 [smcgruer_[EST]]
- Shane_Weeden: Don't like that the platform is in control, user should be able to choose. Could have two users with two identical security keys, but one gets DC and one not.
- 20:45:34 [smcgruer_[EST]]
- Tim_Cappalli: But users don't understand it anyway; what do they do?
- 20:46:03 [smcgruer_[EST]]
- matthewmiller: So we should remove it from user control and give RP controls instead. RP can explain it to users.
- 20:46:26 [smcgruer_[EST]]
- agl: wrt Shane's scenario, that is true today already? Making the number 8 instead of 0 doesn't make it worse?
- 20:46:39 [smcgruer_[EST]]
- Shane_Weeden: Reasonable, but I'd just never use preferred then
- 20:46:48 [smcgruer_[EST]]
- Tim_Cappalli: Can show adaptive UI after registration?
- 20:46:57 [smcgruer_[EST]]
- Shane_Weeden: Only if credProps is supported by the client, not all clients do
- 20:47:32 [smcgruer_[EST]]
- matthewmiller: Also, with Android as-is, RPs have to do platform detection. Can't always send same options. Need to send discouraged for security key, but not on Android.
- 20:47:43 [smcgruer_[EST]]
- ...preferred leads to DC creation on security keys
- 20:48:39 [smcgruer_[EST]]
- John_Bradley: agl and I are saying we should move in the direction of security keys *don't* make DC for 'preferred' unless there are lots of slots (CTAP >= 2.1)
- 20:48:54 [smcgruer_[EST]]
- agl: Not sure I can necessarily align with that... we're closer to "almost always make DC"
- 20:49:05 [smcgruer_[EST]]
- ...would probably always make them on 2.0 no matter what
- 20:49:31 [smcgruer_[EST]]
- Mike_Jones: Why save the last 8?
- 20:49:56 [smcgruer_[EST]]
- John_Bradley: Want to reserve slots for some future sites that use residentKey="required"
- 20:50:14 [smcgruer_[EST]]
- Shane_Weeden: But that is relying on RPs to only use residentKey="required" if they NEED it
- 20:50:24 [smcgruer_[EST]]
- Tim_Cappalli: I expect vast majority will use rk='required'
- 20:50:33 [smcgruer_[EST]]
- John_Bradley: Then this is a pointless discussion
- 20:50:41 [smcgruer_[EST]]
- ...because there will be no space
- 20:51:13 [smcgruer_[EST]]
- s/Tim_Capalli/Tim_Cappalli
- 20:52:10 [smcgruer_[EST]]
- Tim_Cappalli: Ultimately it's a limited resource, but users don't understand it (unlike say file system size)
- 20:52:55 [smcgruer_[EST]]
- matthewmiller: Another scenario - some RPs may be aiming only for passwordless and don't have DC as a requirement, so maybe want to set discouraged
- 20:53:07 [smcgruer_[EST]]
- ...but then you get passkeys on everything but Android, which is weird
- 20:53:53 [smcgruer_[EST]]
- Tim_Cappalli: In my opinion no new RP should ever want to NOT create a passkey
- 20:54:24 [smcgruer_[EST]]
- John_Bradley: We have heard cases where they need an attestation, and the only way to do that (on Android?) was to create a non-DC
- 20:55:49 [smcgruer_[EST]]
- matthewmiller: WebAuthn is not passkeys. We should enable flows that don't necessarily want DCs
- 20:55:57 [smcgruer_[EST]]
- agl: I think rk=preferred is still a good option
- 20:56:11 [smcgruer_[EST]]
- ...it's unfortunate that on CTAP2.0 you will fill the security key
- 20:56:32 [smcgruer_[EST]]
- ...but over time, market will fix this - if you need lots of credentials, market will sell keys with huge storage
- 20:56:43 [smcgruer_[EST]]
- Shane_Weeden: How should RP handle that if credProps isn't supported then?
- 20:56:55 [smcgruer_[EST]]
- agl: I am assuming RP is collecting username + sending down list of credentials
- 20:57:00 [smcgruer_[EST]]
- Shane_Weeden: Isn't that an anti-pattern?
- 20:57:11 [smcgruer_[EST]]
- agl: Roughly agree, but many RPs are telling us that they will do this in the medium term
- 20:57:48 [smcgruer_[EST]]
- John_Bradley: We've said that this is bad because it leaks whether a site has an account with a given username (because attacker can sniff for returned credential IDs), but maybe that's just fine
- 20:58:07 [smcgruer_[EST]]
- elundberg: Yes, if your sign-up form already rejects already-signed-up emails, then this is essentially moot
- 21:02:33 [smcgruer_[EST]]
- (a general discussion occurs about how the spec can/might guide RP UX, and that the answer is it cannot)
- 21:02:59 [smcgruer_[EST]]
- Tim_Cappalli: We're trying to build a dictionary in passkeys.dev which will tell people "if you pass these options on [browser] on [OS], you get [this UX sequence] for your users"
- 21:03:07 [smcgruer_[EST]]
- ...We welcome help!
- 21:04:21 [nsteele]
- Wrapping this up, thx so much for scribing btw sorry for going over
- 21:05:06 [smcgruer_[EST]]
- rrsagent, draft minutes
- 21:05:07 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/01/11-webauthn-minutes.html smcgruer_[EST]
- 21:06:18 [smcgruer_[EST]]
- Zakim, bye
- 21:06:18 [Zakim]
- leaving. As of this point the attendees have been kaiju, matthewmiller, plh, nsteele, agl, Dan_Veditz, David_Turner, David_Waite, elundberg, Jason_Cai, John_Bradley, John_Pascoe,
- 21:06:18 [Zakim]
- Zakim has left #webauthn
- 21:06:21 [Zakim]
- ... Mike_Jones, Ranjiva_Prasad, Shane_Weeden, TimCappalli, Tony_England
- 21:39:24 [nsteele]
- nsteele has joined #webauthn