IRC log of webauthn on 2023-06-14

Timestamps are in UTC.

19:07:46 [RRSAgent]
RRSAgent has joined #webauthn
19:07:51 [RRSAgent]
logging to https://www.w3.org/2023/06/14-webauthn-irc
19:08:08 [soba]
Zakim, this conference is WebAuthn Bi-Weekly Meeting 7/14
19:08:08 [Zakim]
got it, soba
19:08:31 [steele]
Meeting: WebAuthn Working Group Bi-Weekly
19:08:42 [steele]
Chair: Tony Nadalin
19:08:48 [steele]
Scribe: Nick Steele
19:13:01 [matthewmiller]
matthewmiller has joined #webauthn
19:14:54 [steele]
present+ MikeJones,AckshayKumar,TimCappalli,ShaneWeeden,EmilLundberg,JohnPascoe,DavidTurner,JamesZhang,AndersAberg,JohnBradley
19:15:08 [steele]
TOPIC: PR Discussion
19:15:26 [steele]
Discussing https://github.com/w3c/webauthn/pull/1901
19:16:09 [steele]
Tim framing the problem: The current developer guidance to relying parties for whether they can offer passkeys to users is to call isUVPAA() and isConditionalMediationAvailable(). One returns a boolean, the other a promise. This is already complex . This also doesn't tell the whole story.
19:16:25 [steele]
Shane: These two methods both return a boolean now
19:17:25 [steele]
John: What do browsers think about this? Is this going to be gated across Firefox and other platforms? Is this going to be a dynamic value? how can isPasskeyPlatformAuthenticatorAvailable() be changed by the platform and client?
19:17:42 [steele]
Tim: User should be able to remediate
19:18:07 [steele]
MattM: This could be difficult for an RP, where we might want to provide steps for remediation
19:18:24 [steele]
Tim: Anything a user can fix on their own will be prompted by the client device
19:19:09 [steele]
MattM: we haven't seen this out in the wild all the time. ex: Chrome asks to enable bluetooth only once, but if disallowed, there is no further prompt and remediation becomes difficult
19:19:36 [steele]
Tim: There's a layering problem here where we decide what remediation should be handled where
19:21:27 [steele]
Nick Steele: this might not be able to pick up platform providers
19:22:03 [steele]
Tim C: If you're ( a third party provider) intercepting the request (which all are right now) then you should be able to pick up and respond
19:22:21 [steele]
John: The other way to frame this would be something like isCTAP2RoamingAuthenticatorSupported()
19:22:59 [steele]
Tim: this doesn't work in a firefox case
19:24:20 [steele]
Discussion around what types of providers and authenticators would be available to respond true/false to the proposed method
19:25:08 [steele]
zakim, who's here?
19:25:08 [Zakim]
Present: MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley
19:25:11 [Zakim]
On IRC I see matthewmiller, RRSAgent, elundberg, Zakim, steele, ignaloidas, Defluo, smcgruer_[EST], jochen____, Dongwoo, hadleybeeman, sangwhan, slightlyoff, gonzu_15, imlostlmao,
19:25:11 [Zakim]
... Paul, networkException, TimCappalli, sdd, iyobro143, plh, weiler
19:28:42 [steele]
Discussion around scenarios where a platform passkey authenticator may not be available but there is a synced passkey available
19:29:39 [steele]
MattM: Cisco currently struggling with
19:30:03 [steele]
... webviews that say WebAuthn API are available but error out upon request
19:30:44 [steele]
Discussion around legacy browsers and webviews where they might be unable to access this information or even make use of passkeys
19:32:17 [steele]
present+ JasonCai
19:33:01 [steele]
John: So this may help people when presented with Web Kiosks or versions of Linux that may have versions of CTAP2
19:33:29 [steele]
Tim agrees this is helpful for public terminal / personal devices flows
19:34:01 [steele]
MattM: Would we be able to concat isUVPAA and isHybrid into a single call?
19:34:09 [steele]
Tim: separate PR drafted
19:34:34 [steele]
MattM: Does this clash with the Hinting proposal posed at the F2F?
19:34:42 [steele]
Ackshay: diff issue
19:34:48 [steele]
MattM: there is overlap here
19:35:04 [steele]
Tim: there are hints provided here
19:35:28 [steele]
MattM: figuring out how much conflict there is here btwn the two methods
19:35:57 [steele]
Tim: Emil had many good comments, to respond to them in bulk: 'I agree, but some of this should be a diff PR'
19:36:08 [steele]
Chair: are you proposing two more?
19:36:47 [steele]
Tim: Well Firefox had a method along the lines of CTAP2withClientPin() that was fairly valuable, could be worth including, there's two separate sets of verbosity here
19:37:00 [steele]
Chair: tying to understand how much information we wish to disclose in these methods
19:37:20 [steele]
Tim: This value is true/false but discloses just as much as isUVPAA()
19:37:25 [steele]
some disagreement
19:37:52 [steele]
John et al.: could give one more bit of info than UVPAA
19:38:24 [steele]
Emil: I have some issue with how the term/spec defines Platform Authenticator
19:39:09 [steele]
Nick Stele: existing issue in the repo for better defining the current state of Platform Authenticator
19:42:03 [steele]
Trying to gain consensus on the name and coverage of the method
19:44:21 [steele]
JohnPascoe: I don't think there's any older platforms [for Apple] that wouldn't be able to support passkeys
19:49:30 [steele]
Chair tabling discussion on call to move to other open issues
19:49:56 [steele]
https://github.com/w3c/webauthn/pull/1894
19:50:57 [steele]
https://github.com/w3c/webauthn/pull/1893
19:51:00 [steele]
https://github.com/w3c/webauthn/pull/1891
19:51:07 [steele]
Tim: Waiting on more reviews
19:51:14 [steele]
ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1893
19:51:23 [steele]
woop
19:51:30 [steele]
ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1891 NOT https://github.com/w3c/webauthn/pull/1893
19:51:45 [steele]
https://github.com/w3c/webauthn/pull/1887
19:52:45 [steele]
MattM Merged
19:53:07 [steele]
Chair moves to triage open PRs and issues
19:56:23 [steele]
Discussion around what we want to add before finishing level 3
19:56:55 [steele]
Discussion around what would occur after working group disbandment
19:57:53 [steele]
W3C Errata discussion
20:01:37 [steele]
Zakim, list participants
20:01:37 [Zakim]
As of this point the attendees have been MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley, JasonCai
20:01:42 [steele]
RRSAgent, make logs public
20:01:46 [steele]
RRSAgent, generate minutes
20:01:47 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/06/14-webauthn-minutes.html steele
20:01:57 [steele]
Zakim, bye
20:01:57 [Zakim]
leaving. As of this point the attendees have been MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley,
20:01:57 [Zakim]
Zakim has left #webauthn
20:02:00 [Zakim]
... JasonCai
20:02:06 [steele]
RRSAgent, bye
20:02:06 [RRSAgent]
I see 2 open action items saved in https://www.w3.org/2023/06/14-webauthn-actions.rdf :
20:02:06 [RRSAgent]
ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1893 [1]
20:02:06 [RRSAgent]
recorded in https://www.w3.org/2023/06/14-webauthn-irc#T19-51-14
20:02:06 [RRSAgent]
ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1891 NOT https://github.com/w3c/webauthn/pull/1893 [2]
20:02:06 [RRSAgent]
recorded in https://www.w3.org/2023/06/14-webauthn-irc#T19-51-30