20:14:57 <RRSAgent> RRSAgent has joined #webauthn
20:15:01 <RRSAgent> logging to https://www.w3.org/2023/01/11-webauthn-irc
20:15:01 <Zakim> RRSAgent, make logs Public
20:15:02 <Zakim> please title this meeting ("meeting: ..."), smcgruer_[EST]
20:15:21 <smcgruer_[EST]> Meeting: Web Authentication WG
20:15:49 <nsteele> thanks!
20:16:06 <smcgruer_[EST]> Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2023Jan/0037.html
20:16:11 <nsteele> Wendy always dealt with zakim T-T
20:16:26 <smcgruer_[EST]> zakim, start meeting
20:16:26 <Zakim> RRSAgent, make logs Public
20:16:27 <Zakim> please title this meeting ("meeting: ..."), smcgruer_[EST]
20:18:00 <smcgruer_[EST]> Meeting: Web Authentication WG
20:18:47 <smcgruer_[EST]> Zakim, meeting: Web Authentication WG
20:18:47 <Zakim> I don't understand 'meeting: Web Authentication WG', smcgruer_[EST]
20:20:19 <smcgruer_[EST]> Discussing https://github.com/w3c/webauthn/pull/1812
20:20:22 <smcgruer_[EST]> Emil waiting for Tim to respond
20:20:24 <smcgruer_[EST]> Discussing https://github.com/w3c/webauthn/pull/1801
20:21:16 <smcgruer_[EST]> (scribing of remaining open PRs lost due to tech issues)
20:24:36 <smcgruer_[EST]> meeting: Web Authentication WG
20:27:09 <smcgruer_[EST]> Zakim, list attendees
20:27:09 <Zakim> As of this point the attendees have been (no one)
20:27:30 <smcgruer_[EST]> present+ kaiju matthewmiller plh nsteele
20:29:53 <smcgruer_[EST]> present+ agl, Dan_Veditz, David_Turner, David_Waite, elundberg, Jason_Cai, John_Bradley, John_Pascoe, Mike_Jones, Ranjiva_Prasad, Shane_Weeden, TimCappalli, Tony_England
20:31:01 <smcgruer_[EST]> (scribing picking back up with hopefully technical issues resolved)
20:31:02 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1800
20:31:20 <smcgruer_[EST]> nsteele: Any updates?
20:32:03 <smcgruer_[EST]> Shane_Weeden: No; intention was to try and close differences in autofill behavior between Chrome and Safari, in the spec
20:32:11 <smcgruer_[EST]> agl: Chrome and Safari have now harmonized?
20:32:35 <smcgruer_[EST]> Shane_Weeden: Yes, but we need to spec that for future implementors
20:32:37 <smcgruer_[EST]> agl: Will mention it to Nina
20:32:53 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1791
20:33:23 <smcgruer_[EST]> matthewmiller: Still valid, will get it to it at some point
20:33:33 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1779
20:33:40 <smcgruer_[EST]> agl: Still open, not sure we'll get it to it anytime soon
20:33:53 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1757
20:34:21 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1745
20:34:40 <smcgruer_[EST]> (1745 is now closed)
20:34:44 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1742
20:35:45 <smcgruer_[EST]> John_Bradley: Could browsers just not throw TypeErrors?
20:35:59 <smcgruer_[EST]> agl: Even if we did, enterprise value would get mapped from unknown to none (if browser doesnt recognize it)
20:36:24 <smcgruer_[EST]> ...adding yet another static method to detect this apriori is welcome, someone can send a PR
20:37:08 <smcgruer_[EST]> ...we'd probably land the change if someone cared enough to write the PR
20:37:19 <smcgruer_[EST]> John_Pascoe: Wouldn't oppose it.
20:37:45 <smcgruer_[EST]> elundberg: Can we reflect on enums at the JS layer? Is the WebIDL type exposed?
20:37:46 <nsteele> It was
20:37:52 <smcgruer_[EST]> agl: Not sure, worth checking.
20:37:55 <smcgruer_[EST]> elundberg: I will check.
20:38:19 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1741
20:38:34 <smcgruer_[EST]> agl: Isn't this done?
20:38:58 <smcgruer_[EST]> Shane_Weeden: Yes
20:39:07 <smcgruer_[EST]> (issue is closed out)
20:39:13 <smcgruer_[EST]> https://github.com/w3c/webauthn/issues/1822
20:40:39 <smcgruer_[EST]> matthewmiller: In summary, setting residentKey=preferred leads to scenario where discoverable credentials will be created on devices with limited storage where you may not want to. There's no good value for an RP to set if they don't want to consume limited DC slots, because discouraged will not activate Passkeys on platform authenticators
20:41:01 <smcgruer_[EST]> ...so if you want Passkeys but also want to be mindful of limited storage, cannot do that as an RP
20:41:24 <smcgruer_[EST]> John_Bradley: Most acute problem is that CTAP2 doesn't give users a way to remove credentials. CTAP2.1pre does.
20:41:43 <smcgruer_[EST]> ... in CTAP2.1 added GetInfo data about how many resident key slots are still available
20:41:53 <smcgruer_[EST]> ...not sure if RPs should do anything more
20:42:20 <smcgruer_[EST]> agl: Agreed
20:42:39 <smcgruer_[EST]> John_Bradley: Platform needs to be smarter about when to map preferred to 'create a DC'
20:43:03 <smcgruer_[EST]> ...on Windows, will try to make a DC and if it fails will try again with non-DC
20:43:09 <smcgruer_[EST]> ...is that what Chrome does?
20:43:35 <smcgruer_[EST]> agl: Not sure. However I think that maybe we should pre-emptively switch to non-DC if < 8 slots available (with CTAP2.1)
20:43:55 <smcgruer_[EST]> matthewmiller: Can we make security keys opt-in by requiring (scribe, missed this)
20:44:11 <smcgruer_[EST]> ... make it so that you only get DCs on everything if you choose "required", not "preferred"
20:44:30 <smcgruer_[EST]> John_Bradley: with CTAP2.1, platform can make that decision
20:44:35 <smcgruer_[EST]> matthewmiller: But then RP has to keep track of changes in that logic
20:44:47 <smcgruer_[EST]> John_Bradley: No, preferred means I'm ok to accept a non-DC, thats not changing
20:45:20 <smcgruer_[EST]> Shane_Weeden: Don't like that the platform is in control, user should be able to choose. Could have two users with two identical security keys, but one gets DC and one not.
20:45:34 <smcgruer_[EST]> Tim_Cappalli: But users don't understand it anyway; what do they do?
20:46:03 <smcgruer_[EST]> matthewmiller: So we should remove it from user control and give RP controls instead. RP can explain it to users./
20:46:26 <smcgruer_[EST]> agl: wrt Shane's scenario, that is true today already? Making the number 8 instead of 0 doesn't make it worse?
20:46:39 <smcgruer_[EST]> Shane_Weeden: Reasonable, but I'd just never use preferred then
20:46:48 <smcgruer_[EST]> Tim_Cappalli: Can show adaptive UI after registration?
20:46:57 <smcgruer_[EST]> Shane_Weeden: Only if credprops is supported by the client, not all clients do
20:47:32 <smcgruer_[EST]> matthewmiller: Also, with Android as-is, RPs have to platform detection. Can't always send same options. Need to send discouraged for security key, but not on Android.
20:47:43 <smcgruer_[EST]> ...preferred leads to DC creation on security keys
20:48:39 <smcgruer_[EST]> John_Bradley: agl and I are saying we should move in the direction of security keys *don't* make DC for 'preferred' unless there are lots of slots (CTAP >= 2.1)
20:48:54 <smcgruer_[EST]> agl: Not sure I can necessarily align with that... we're closer to "almost always make DC"
20:49:05 <smcgruer_[EST]> ...would probably always make them on 2.0 no matter what
20:49:31 <smcgruer_[EST]> Mike_Jones: Why save the last 8?
20:49:56 <smcgruer_[EST]> John_Bradley: Want to reserve slots for some future sites that use residentKey="required"
20:50:14 <smcgruer_[EST]> Shane_Weeden: But that is relying on RPs to only use residentKey="required" if they NEED it
20:50:24 <smcgruer_[EST]> Tim_Capalli: I expect vast majority will use rk='required'
20:50:33 <smcgruer_[EST]> John_Bradley: Then this is a pointless discussion
20:50:41 <smcgruer_[EST]> ...because there will be no space
20:51:13 <smcgruer_[EST]> s/Tim_Capalli/Tim_Cappalli
20:52:10 <smcgruer_[EST]> Tim_Cappalli: Ultimately its a limited resource, but users don't understand it (unlike say file system size)
20:52:55 <smcgruer_[EST]> matthewmiller: Another scenario - some RPs may be aiming only for passwordless don't have DC as a requirement, so maybe want to set discouraged
20:53:07 <smcgruer_[EST]> ...but then you get passkeys on everything but Android, which is weird
20:53:53 <smcgruer_[EST]> Tim_Cappalli: In my opinion no new RP should ever want to NOT create a passkey
20:54:24 <smcgruer_[EST]> John_Bradley: We have heard cases where they need an attestation, and the only way to do that (on Android?) was to create a non-DC
20:55:49 <smcgruer_[EST]> matthewmiller: WebAuthn is not passkeys. We should enable flows that don't necessarily want DCs
20:55:57 <smcgruer_[EST]> agl: I think rk=preferred is still a good option
20:56:11 <smcgruer_[EST]> ...its unfortunate that on CTAP2.0 you will fill the security key
20:56:32 <smcgruer_[EST]> ...but over time, market will fix this - if you need lots of credentials, market will sell keys with huge storage
20:56:43 <smcgruer_[EST]> Shane_Weeden: How should RP handle that if credProp isn't supported then?
20:56:55 <smcgruer_[EST]> agl: I am assuming RP is collecting username + sending down list of credentials
20:57:00 <smcgruer_[EST]> Shane_Weeden: Isn't that an anti-pattern?
20:57:11 <smcgruer_[EST]> agl: Roughly agree, but many RPs are telling us that they will do this in the medium term
20:57:48 <smcgruer_[EST]> John_Bradley: We've said that this is bad because it leaks whether a site has an account with a given username (because attacker can sniff for returned credential IDs), but maybe that's just fine
20:58:07 <smcgruer_[EST]> elundberg: Yes, if your sign-up form already rejects already-signed-up emails, then this is essentially moot
21:02:33 <smcgruer_[EST]> (a general discussion occurs about how the spec can/might guide RP UX, and that the answer is it cannot)
21:02:59 <smcgruer_[EST]> Tim_Cappalli: We're trying to build a dictionary in passkeys.dev which will tell people "if you pass these options on [browser] on [OS], you get [this UX sequence] for your users"
21:03:07 <smcgruer_[EST]> ...We welcome help!
21:04:21 <nsteele> Wrapping this up, thx so much for scribing btw sorry for going over
21:05:06 <smcgruer_[EST]> rrsagent, draft minutes
21:05:07 <RRSAgent> I have made the request to generate https://www.w3.org/2023/01/11-webauthn-minutes.html smcgruer_[EST]
21:06:18 <smcgruer_[EST]> Zakim, bye
21:06:18 <Zakim> leaving.  As of this point the attendees have been kaiju, matthewmiller, plh, nsteele, agl, Dan_Veditz, David_Turner, David_Waite, elundberg, Jason_Cai, John_Bradley, John_Pascoe,
21:06:18 <Zakim> Zakim has left #webauthn
21:06:21 <Zakim> ... Mike_Jones, Ranjiva_Prasad, Shane_Weeden, TimCappalli, Tony_England
21:39:24 <nsteele> nsteele has joined #webauthn