19:07:46 <RRSAgent> RRSAgent has joined #webauthn
19:07:51 <RRSAgent> logging to https://www.w3.org/2023/06/14-webauthn-irc
19:08:08 <soba> Zakim, this conference is WebAuthn Bi-Weekly Meeting 7/14
19:08:08 <Zakim> got it, soba
19:08:31 <steele> Meeting: WebAuthn Working Group Bi-Weekly
19:08:42 <steele> Chair: Tony Nadalin
19:08:48 <steele> Scribe: Nick Steele
19:13:01 <matthewmiller> matthewmiller has joined #webauthn
19:14:54 <steele> present+ MikeJones,AckshayKumar,TimCappalli,ShaneWeeden,EmilLundberg,JohnPascoe,DavidTurner,JamesZhang,AndersAberg,JohnBradley
19:15:08 <steele> TOPIC: PR Discussion
19:15:26 <steele> Discussing https://github.com/w3c/webauthn/pull/1901
19:16:09 <steele> Tim framing the problem: The current developer guidance to relying parties for whether they can offer passkeys to users is to call isUVPAA() and isConditionalMediationAvailable(). One returns a boolean, the other a promise. This is already complex . This also doesn't tell the whole story.
19:16:25 <steele> Shane: These two methods both return a boolean now
19:17:25 <steele> John: What do browsers think about this? Is this going to be gated across Firefox and other platforms? Is this going to be a dynamic value? how can isPasskeyPlatformAuthenticatorAvailable() be changed by the platform and client?
19:17:42 <steele> Tim: User should be able to remediate
19:18:07 <steele> MattM: This could be difficult for an RP, where we might want to provide steps for remediation
19:18:24 <steele> Tim: Anything a user can fix on their own will be prompted by the client device
19:19:09 <steele> MattM: we haven't seen this out in the wild all the time. ex: Chrome asks to enable bluetooth only once, but if disallowed, there is no further prompt and remediation becomes difficult
19:19:36 <steele> Tim: There's a layering problem here where we decide what remediation should be handled where
19:21:27 <steele> Nick Steele: this might not be able to pick up platform providers
19:22:03 <steele> Tim C: If you're ( a third party provider) intercepting the request (which all are right now) then you should be able to pick up and respond
19:22:21 <steele> John: The other way to frame this would be something like isCTAP2RoamingAuthenticatorSupported()
19:22:59 <steele> Tim: this doesn't work in a firefox case
19:24:20 <steele> Discussion around what types of providers and authenticators would be available to respond true/false to the proposed method
19:25:08 <steele> zakim, who's here?
19:25:08 <Zakim> Present: MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley
19:25:11 <Zakim> On IRC I see matthewmiller, RRSAgent, elundberg, Zakim, steele, ignaloidas, Defluo, smcgruer_[EST], jochen____, Dongwoo, hadleybeeman, sangwhan, slightlyoff, gonzu_15, imlostlmao,
19:25:11 <Zakim> ... Paul, networkException, TimCappalli, sdd, iyobro143, plh, weiler
19:28:42 <steele> Discussion around scenarios where a platform passkey authenticator may not be available but there is a synced passkey available
19:29:39 <steele> MattM: Cisco currently struggling with
19:30:03 <steele> ... webviews that say WebAuthn API are available but error out upon request
19:30:44 <steele> Discussion around legacy browsers and webviews where they might be unable to access this information or even make use of passkeys
19:32:17 <steele> present+ JasonCai
19:33:01 <steele> John: So this may help people when presented with Web Kiosks or versions of Linux that may have versions of CTAP2
19:33:29 <steele> Tim agrees this is helpful for public terminal / personal devices flows
19:34:01 <steele> MattM: Would we be able to concat isUVPAA and isHybrid into a single call?
19:34:09 <steele> Tim: separate PR drafted
19:34:34 <steele> MattM: Does this clash with the Hinting proposal posed at the F2F?
19:34:42 <steele> Ackshay: diff issue
19:34:48 <steele> MattM: there is overlap here
19:35:04 <steele> Tim: there are hints provided here
19:35:28 <steele> MattM: figuring out how much conflict there is here btwn the two methods
19:35:57 <steele> Tim: Emil had many good comments, to respond to them in bulk: 'I agree, but some of this should be a diff PR'
19:36:08 <steele> Chair: are you proposing two more?
19:36:47 <steele> Tim: Well Firefox had a method along the lines of CTAP2withClientPin() that was fairly valuable, could be worth including, there's two separate sets of verbosity here
19:37:00 <steele> Chair: tying to understand how much information we wish to disclose in these methods
19:37:20 <steele> Tim: This value is true/false but discloses just as much as isUVPAA()
19:37:25 <steele> some disagreement
19:37:52 <steele> John et al.: could give one more bit of info than UVPAA
19:38:24 <steele> Emil: I have some issue with how the term/spec defines Platform Authenticator
19:39:09 <steele> Nick Stele: existing issue in the repo for better defining the current state of Platform Authenticator
19:42:03 <steele> Trying to gain consensus on the name and coverage of the method
19:44:21 <steele> JohnPascoe: I don't think there's any older platforms [for Apple] that wouldn't be able to support passkeys
19:49:30 <steele> Chair tabling discussion on call to move to other open issues
19:49:56 <steele> https://github.com/w3c/webauthn/pull/1894
19:50:57 <steele> https://github.com/w3c/webauthn/pull/1893
19:51:00 <steele> https://github.com/w3c/webauthn/pull/1891
19:51:07 <steele> Tim: Waiting on more reviews
19:51:14 <steele> ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1893
19:51:23 <steele> woop
19:51:30 <steele> ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1891 NOT https://github.com/w3c/webauthn/pull/1893
19:51:45 <steele> https://github.com/w3c/webauthn/pull/1887
19:52:45 <steele> MattM Merged
19:53:07 <steele> Chair moves to triage open PRs and issues
19:56:23 <steele> Discussion around what we want to add before finishing level 3
19:56:55 <steele> Discussion around what would occur after working group disbandment
19:57:53 <steele> W3C Errata discussion
20:01:37 <steele> Zakim, list participants
20:01:37 <Zakim> As of this point the attendees have been MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley, JasonCai
20:01:42 <steele> RRSAgent, make logs public
20:01:46 <steele> RRSAgent, generate minutes
20:01:47 <RRSAgent> I have made the request to generate https://www.w3.org/2023/06/14-webauthn-minutes.html steele
20:01:57 <steele> Zakim, bye
20:01:57 <Zakim> leaving.  As of this point the attendees have been MikeJones, AckshayKumar, TimCappalli, ShaneWeeden, EmilLundberg, JohnPascoe, DavidTurner, JamesZhang, AndersAberg, JohnBradley,
20:01:57 <Zakim> Zakim has left #webauthn
20:02:00 <Zakim> ... JasonCai
20:02:06 <steele> RRSAgent, bye
20:02:06 <RRSAgent> I see 2 open action items saved in https://www.w3.org/2023/06/14-webauthn-actions.rdf :
20:02:06 <RRSAgent> ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1893 [1]
20:02:06 <RRSAgent>   recorded in https://www.w3.org/2023/06/14-webauthn-irc#T19-51-14
20:02:06 <RRSAgent> ACTION: Adam and John to review https://github.com/w3c/webauthn/pull/1891 NOT https://github.com/w3c/webauthn/pull/1893 [2]
20:02:06 <RRSAgent>   recorded in https://www.w3.org/2023/06/14-webauthn-irc#T19-51-30