19:03:45 <RRSAgent> RRSAgent has joined #webauthn
19:03:49 <RRSAgent> logging to https://www.w3.org/2024/01/31-webauthn-irc
19:04:08 <steele> Meeting: WebAuthn Weekly WG Meeting
19:04:19 <steele> Chair: AGL
19:04:25 <steele> Scribe: steele
19:04:38 <steele> Topic: Pull Requests
19:05:01 <steele> https://github.com/w3c/webauthn/pull/2018
19:06:13 <steele> Anders: We've received negative feedback regarding not assuming that localhost is a secure context, this should change
19:06:31 <steele> There are pending approvals and comments, will let sit for a week before moving forward on this PR
19:06:40 <steele> https://github.com/w3c/webauthn/pull/2019
19:07:17 <steele> Anders: meant to supplement #2018, drafted an example of what would be allowed
19:07:28 <steele> AGL: I think this is reasonable to be merged in alongside #2018
19:07:34 <steele> https://github.com/w3c/webauthn/pull/2017
19:08:35 <steele> present+ Tim,Emil,Anders,Nick,Adam,Shane,DavidWaite,Khaled,Lachlan,James,DavidTurner
19:08:44 <steele> Emil: Mike Jones wished to review this issue
19:08:51 <steele> https://github.com/w3c/webauthn/pull/1954
19:09:47 <steele> David: I have some real world examples on this and will write up a response, plan to re-address this next week to the WG
19:09:55 <steele> https://github.com/w3c/webauthn/pull/1953
19:10:37 <steele> David: Wanted to sanity check the example I created, wanted inout by John Bradley, considering merging this sooner although happy to revisit next week alongside #1954
19:11:04 <steele> Emil: Fine with merging but would like to check the example. I'm fine with merging as we'e delayed quite a bit
19:11:32 <steele> David: let's plan to merge next week unless there's a push otherwise
19:12:28 <steele> There may be a delay on this due to FIDO Plenary next week which might cancel the WG meeting
19:12:42 <steele> present+ Nina
19:13:03 <steele> No one present to discuss https://github.com/w3c/webauthn/pull/1951
19:13:15 <steele> https://github.com/w3c/webauthn/pull/1926
19:14:12 <steele> Shane: no one present from Microsoft to discuss, might reach out to MSFT's Ackshay directly
19:14:40 <steele> Tim: Monty Wiseman from BeyondIdentity might be able to help with this
19:14:57 <steele> ACTION: Tim and/or DavidTurner to connect with Monty
19:15:13 <steele> Nina returns to discuss https://github.com/w3c/webauthn/pull/1951
19:15:37 <steele> Nina: the API shape seems fine although there will be a request for changes incoming
19:15:44 <steele> present+ JohnPascoe
19:16:11 <steele> TOPIC: Issues
19:16:22 <steele> https://github.com/w3c/webauthn/issues/2016
19:16:56 <steele> Shane: I don't see anything that necessarily requires a change here.
19:17:07 <steele> Emil: I have something in mind an am getting around to it
19:17:19 <steele> https://github.com/w3c/webauthn/issues/2010
19:18:21 <steele> Nina: we have some internal tests that exercise this behaviour. This would be a browser bug, not a functional issue
19:18:27 <steele> AGL to close with followup comment
19:18:35 <steele> https://github.com/w3c/webauthn/issues/1984
19:19:22 <steele> consensus that this is a real and we'll draft a PR to fix it
19:20:17 <steele> ACTION: Nina to read through 1984 (the pull request, not the dystopian novella)
19:20:37 <steele> https://github.com/w3c/webauthn/issues/1980
19:20:55 <steele> Action: Remind Arnar to follow up with this post-FIDO Plenary
19:21:10 <steele> https://github.com/w3c/webauthn/issues/1979
19:21:14 <steele> Tony to follow up
19:21:19 <steele> https://github.com/w3c/webauthn/issues/1976
19:21:47 <steele> Nick: I'll follow up on this
19:23:30 <steele> TOPIC: Issue Backlog Combing
19:23:35 <steele> https://github.com/w3c/webauthn/issues/1962
19:24:49 <steele> John: Spec-wise, we still don't spell out the behavior in the spec here, but we now provide an AAGUID and strip it out for hardware keys
19:25:11 <steele> AGL: so the spec change needed is "zero out the AAGUID in the case of non-platform authenticators?"
19:25:39 <steele> John, who would have a lot of additional work if he were to write said PR: yes
19:27:11 <steele> Shane: I think it's great that platform providers provide an AAGUID, but I don't know if it matters whethere it gets 0'd out or not. If I request att = none, and I got back an AAGUID == 000s, I wouldn't care, because I don't need both
19:27:46 <steele> AGL: The identity of the platform authenticator was a forgone conclusion, things are evolving that only the identity of the hardware key is a forgone conclusion
19:28:01 <steele> Shane: isn't it okay to say, if att = none, 0 it out?
19:28:10 <steele> present+ MatthewMiller
19:28:27 <steele> Matthew: we lose our ability to hint
19:29:58 <steele> Nick: I want to show an identifier
19:31:38 <steele> Tim: if you as an RP are making changes to an authenticator, then you're probably asking for attestation. What do we want to give guidance to do? Request direct?
19:32:22 <steele> Shane: If I really want an AAGUID i'll just request direct
19:32:32 <steele> Matthew: that adds additional friction
19:33:12 <steele> i.e. additional warning modal for xplatofrm
19:40:05 <steele> Discussion around attestation and identifying providers, hardware keys, and platforms
19:40:22 <steele> Discussion around prioritizing this value
19:40:49 <steele> ACTION: agl to write a pull request to discuss in 2 weeks
19:41:15 <steele> https://github.com/w3c/webauthn/issues/1917
19:41:50 <steele> Shane: i thought the decision was "if an RP requested enterprise, but the authenticator couldn't provide it, it would provide direct attestation"
19:42:20 <steele> discussion that this would be higher priority than the AAGUID work
19:42:29 <steele> https://github.com/w3c/webauthn/issues/1913
19:42:50 <steele> Emil: chrome and firefox people, please take note
19:43:25 <steele> This is a browser issue regarding CSS rendering?
19:44:52 <steele> Nina: could possibly ask Bikeshed maintainer about this
19:45:00 <steele> https://github.com/w3c/webauthn/issues/1895
19:45:28 <steele> We tagged this issue open and then removed the PR, discussion
19:45:58 <steele> Emil: my opinion is that this feature wouldn't be impressive enough to motivate developing it further.
19:47:19 <steele> https://github.com/w3c/webauthn/issues/1859
19:47:29 <steele> Matthew: I would like to discuss this in person at a face to face meeting
19:47:56 <steele> AGL: Tony might not be thrilled but we can discuss in two weeks
19:48:40 <steele> Discussion around April 19th IIW face to face
19:51:16 <steele> Straw polling for Identiverse vs IIW F2F
19:55:05 <steele> https://github.com/w3c/webauthn/issues/1854
19:55:16 <steele> Nina: Great idea that no one has the time to do because low value
19:55:41 <steele> Matthew: you could achieve this with more efficient usage of abort controller in the client
19:55:51 <steele> i.e. the browsers
19:57:44 <steele> AGL: does anyone wish to fight for this issue?
19:57:47 <steele> none
19:57:56 <steele> AGL closes issue
20:03:06 <steele> TOPIC: additional topics
20:03:10 <steele> No meeting next week
20:03:20 <steele> Zakim, list participants
20:03:20 <Zakim> As of this point the attendees have been Tim, Emil, Anders, Nick, Adam, Shane, DavidWaite, Khaled, Lachlan, James, DavidTurner, Nina, JohnPascoe, MatthewMiller
20:03:28 <steele> RRSAgent, make logs public
20:03:33 <steele> RRSAgent, generate minutes
20:03:34 <RRSAgent> I have made the request to generate https://www.w3.org/2024/01/31-webauthn-minutes.html steele
23:09:54 <steele> steele has joined #webauthn