IRC log of webauthn on 2023-06-14
Timestamps are in UTC.
- 19:07:46 [RRSAgent]
- RRSAgent has joined #webauthn
- 19:07:51 [RRSAgent]
- logging to https://www.w3.org/2023/06/14-webauthn-irc
- 19:08:08 [soba]
- Zakim, this conference is WebAuthn Bi-Weekly Meeting 7/14
- 19:08:08 [Zakim]
- got it, soba
- 19:08:31 [steele]
- Meeting: WebAuthn Working Group Bi-Weekly
- 19:08:42 [steele]
- Chair: Tony Nadalin
- 19:08:48 [steele]
- Scribe: Nick Steele
- 19:13:01 [matthewmiller]
- matthewmiller has joined #webauthn
- 19:14:54 [steele]
- present+ MikeJones,AckshayKumar,TimCappalli,ShaneWeeden,EmilLundberg,JohnPascoe,DavidTurner,JamesZhang,AndersAberg,JohnBradley
- 19:15:08 [steele]
- TOPIC: PR Discussion
- 19:15:26 [steele]
- Discussing https://github.com/w3c/webauthn/pull/1901
- 19:16:09 [steele]
- Tim framing the problem: The current developer guidance to relying parties for whether they can offer passkeys to users is to call isUVPAA() and isConditionalMediationAvailable(). One returns a boolean, the other a promise. This is already complex . This also doesn't tell the whole story.
- 19:16:25 [steele]
- Shane: These two methods both return a boolean now
- 19:17:25 [steele]
- John: What do browsers think about this? Is this going to be gated across Firefox and other platforms? Is this going to be a dynamic value? how can isPasskeyPlatformAuthenticatorAvailable() be changed by the platform and client?
- 19:17:42 [steele]
- Tim: User should be able to remediate
- 19:18:07 [steele]
- MattM: This could be difficult for an RP, where we might want to provide steps for remediation
- 19:18:24 [steele]
- Tim: Anything a user can fix on their own will be prompted by the client device
- 19:19:09 [steele]
- MattM: we haven't seen this out in the wild all the time. ex: Chrome asks to enable bluetooth only once, but if disallowed, there is no further prompt and remediation becomes difficult
- 19:19:36 [steele]
- Tim: There's a layering problem here where we decide what remediation should be handled where
- 19:21:27 [steele]
- Nick Steele: this might not be able to pick up platform providers
- 19:22:03 [steele]
- Tim C: If you're ( a third party provider) intercepting the request (which all are right now) then you should be able to pick up and respond
- 19:22:21 [steele]
- John: The other way to frame this would be something like isCTAP2RoamingAuthenticatorSupported()
- 19:22:59 [steele]
- Tim: this doesn't work in a firefox case
- 19:24:20 [steele]
- Discussion around what types of providers and authenticators would be available to respond true/false to the proposed method
- 19:25:08 [steele]
- zakim, who's here?
- 19:25:08 [Zakim]
- Present: MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley
- 19:25:11 [Zakim]
- On IRC I see matthewmiller, RRSAgent, elundberg, Zakim, steele, ignaloidas, Defluo, smcgruer_[EST], jochen____, Dongwoo, hadleybeeman, sangwhan, slightlyoff, gonzu_15, imlostlmao,
- 19:25:11 [Zakim]
- ... Paul, networkException, TimCappalli, sdd, iyobro143, plh, weiler
- 19:28:42 [steele]
- Discussion around scenarios where a platform passkey authenticator may not be available but there is a synced passkey available
- 19:29:39 [steele]
- MattM: Cisco currently struggling with
- 19:30:03 [steele]
- ... webviews that say WebAuthn API are available but error out upon request
- 19:30:44 [steele]
- Discussion around legacy browsers and webviews where they might be unable to access this information or even make use of passkeys
- 19:32:17 [steele]
- present+ JasonCai
- 19:33:01 [steele]
- John: So this may help people when presented with Web Kiosks or versions of Linux that may have versions of CTAP2
- 19:33:29 [steele]
- Tim agrees this is helpful for public terminal / personal devices flows
- 19:34:01 [steele]
- MattM: Would we be able to concat isUVPAA and isHybrid into a single call?
- 19:34:09 [steele]
- Tim: separate PR drafted
- 19:34:34 [steele]
- MattM: Does this clash with the Hinting proposal posed at the F2F?
- 19:34:42 [steele]
- Ackshay: diff issue
- 19:34:48 [steele]
- MattM: there is overlap here
- 19:35:04 [steele]
- Tim: there are hints provided here
- 19:35:28 [steele]
- MattM: figuring out how much conflict there is here btwn the two methods
- 19:35:57 [steele]
- Tim: Emil had many good comments, to respond to them in bulk: 'I agree, but some of this should be a diff PR'
- 19:36:08 [steele]
- Chair: are you proposing two more?
- 19:36:47 [steele]
- Tim: Well Firefox had a method along the lines of CTAP2withClientPin() that was fairly valuable, could be worth including, there's two separate sets of verbosity here
- 19:37:00 [steele]
- Chair: tying to understand how much information we wish to disclose in these methods
- 19:37:20 [steele]
- Tim: This value is true/false but discloses just as much as isUVPAA()
- 19:37:25 [steele]
- some disagreement
- 19:37:52 [steele]
- John et al.: could give one more bit of info than UVPAA
- 19:38:24 [steele]
- Emil: I have some issue with how the term/spec defines Platform Authenticator
- 19:39:09 [steele]
- Nick Stele: existing issue in the repo for better defining the current state of Platform Authenticator
- 19:42:03 [steele]
- Trying to gain consensus on the name and coverage of the method
- 19:44:21 [steele]
- JohnPascoe: I don't think there's any older platforms [for Apple] that wouldn't be able to support passkeys
- 19:49:30 [steele]
- Chair tabling discussion on call to move to other open issues
- 19:49:56 [steele]
- https://github.com/w3c/webauthn/pull/1894
- 19:50:57 [steele]
- https://github.com/w3c/webauthn/pull/1893
- 19:51:00 [steele]
- https://github.com/w3c/webauthn/pull/1891
- 19:51:07 [steele]
- Tim: Waiting on more reviews
- 19:51:14 [steele]
- ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1893
- 19:51:23 [steele]
- woop
- 19:51:30 [steele]
- ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1891 NOT https://github.com/w3c/webauthn/pull/1893
- 19:51:45 [steele]
- https://github.com/w3c/webauthn/pull/1887
- 19:52:45 [steele]
- MattM Merged
- 19:53:07 [steele]
- Chair moves to triage open PRs and issues
- 19:56:23 [steele]
- Discussion around what we want to add before finishing level 3
- 19:56:55 [steele]
- Discussion around what would occur after working group disbandment
- 19:57:53 [steele]
- W3C Errata discussion
- 20:01:37 [steele]
- Zakim, list participants
- 20:01:37 [Zakim]
- As of this point the attendees have been MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley, JasonCai
- 20:01:42 [steele]
- RRSAgent, make logs public
- 20:01:46 [steele]
- RRSAgent, generate minutes
- 20:01:47 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/06/14-webauthn-minutes.html steele
- 20:01:57 [steele]
- Zakim, bye
- 20:01:57 [Zakim]
- leaving. As of this point the attendees have been MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley,
- 20:01:57 [Zakim]
- Zakim has left #webauthn
- 20:02:00 [Zakim]
- ... JasonCai
- 20:02:06 [steele]
- RRSAgent, bye
- 20:02:06 [RRSAgent]
- I see 2 open action items saved in https://www.w3.org/2023/06/14-webauthn-actions.rdf :
- 20:02:06 [RRSAgent]
- ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1893 [1]
- 20:02:06 [RRSAgent]
- recorded in https://www.w3.org/2023/06/14-webauthn-irc#T19-51-14
- 20:02:06 [RRSAgent]
- ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1891 NOT https://github.com/w3c/webauthn/pull/1893 [2]
- 20:02:06 [RRSAgent]
- recorded in https://www.w3.org/2023/06/14-webauthn-irc#T19-51-30