18:03:17 <RRSAgent> RRSAgent has joined #webauthn
18:03:22 <RRSAgent> logging to https://www.w3.org/2024/03/13-webauthn-irc
18:03:50 <Rolf> Rolf has joined #webauthn
18:03:56 <plh> Chair: Tony
18:04:25 <plh> present+ MatthewM, Pascoe, Simone, Rolf, Sweeden, DavidW, DavidT
18:04:46 <plh> Meeting: Web Authentication Working Group
18:05:02 <plh> rrsagent, make logs public
18:05:07 <elundberg> Scribe: EmilLundberg
18:06:20 <elundberg> topic: Face-to-face 2024-04-19
18:06:21 <plh> present+ Nina
18:06:49 <elundberg> agl: on track, no signup yet but will send out attendance survey
18:07:22 <elundberg> Zakim, list participants
18:07:34 <Zakim> Zakim has joined #webauthn
18:07:47 <elundberg> Zakim, this conference is WebAuthn WG weekly
18:07:47 <Zakim> got it, elundberg
18:08:06 <elundberg> present+ MatthewM, Pascoe, Simone, Rolf, Sweeden, DavidW, DavidT, Nina
18:09:34 <elundberg> plh: transferring my role to Simone Onofri
18:10:55 <elundberg> present+ elundberg, TimCappalli, JohnBradley, agl, AndersÅberg,
18:11:09 <elundberg> #2020
18:11:41 <elundberg> rolf: shouldn't be any worse than today
18:12:08 <elundberg> MatthewM: is the name abbreviated because of authenticator processing?
18:12:46 <elundberg> ...new name is "confirmation" extension
18:13:35 <elundberg> JohnBradley: saving bytes is important for authenticators in constrained hardware, with limited size buffers
18:14:16 <elundberg> Sweeden: some references to "txAuthSimple" or the like still remain
18:15:18 <elundberg> ...i.e. CollectedClientTxAuthSimpleData
18:16:01 <elundberg> MatthewM: I'm happy to move this forward
18:16:14 <elundberg> nadalin: Is there interest from more than 1 browser to support this?
18:16:16 <elundberg> agl: L3 or beyond?
18:16:37 <elundberg> ...there is interest, but [as for Chrome] not within L3 timeline
18:17:46 <elundberg> TimCappalli: should be enough implementations with ~1 browser and a couple of browser extensions/etc
18:18:13 <elundberg> agl: Chrome on Android would likely pass this through at some point, Chrome on iOS is not up to us
18:18:35 <elundberg> ...Windows does not yet have a pluggable provider interface
18:19:14 <elundberg> JohnBradley: Windows update cycle is ~6 months to a year
18:19:47 <elundberg> nadalin: sounds like this is unlikely to land in L3
18:20:11 <elundberg> Rolf: still interested in moving this along
18:20:20 <elundberg> nadalin: any password providers interested?
18:20:39 <elundberg> AndersÅberg: Bitwarden has no position yet
18:20:54 <elundberg> ...there is some interest
18:21:46 <elundberg> Rolf: need platform support to drive interest, and interest to drive platform support
18:22:40 <elundberg> #2023
18:22:55 <elundberg> my bad
18:22:57 <elundberg> #2033
18:23:13 <elundberg> nadalin: looks good to go
18:23:20 <elundberg> ...any other changes to editors/contributors?
18:24:23 <elundberg> elundberg: what's the difference between editors and contributors?
18:24:38 <elundberg> ...or rather, how do we make the difference
18:27:21 <elundberg> nadalin: contributors come with/draft ideas, editors make lots of text changes
18:28:09 <elundberg> ...no specific responsibilities of an editor, help churn the spec through process when that needs to be done
18:28:50 <elundberg> Nina: reading the W3C definition it seems like most of our "contributors" should be listed as "authors", but I don't think it matters much
18:29:36 <elundberg> simone: chairs appoint the editors
18:31:16 <elundberg> nadalin: merging #2033
18:31:34 <elundberg> #2017
18:32:18 <elundberg> elundberg: working on it
18:32:42 <elundberg> agl: changing to "code point MUST be removed" would make some implementations non-compliant
18:32:57 <elundberg> ...(client implementations)
18:33:35 <elundberg> ...but we _can_ make breaking changes between levels
18:34:07 <elundberg> ...Chrome would be find with that change
18:34:15 <elundberg> JohnBradley: nothing would change for authenticators
18:35:03 <elundberg> nadalin: could still cause problems
18:35:16 <elundberg> JohnBradley: what problems? it's causing problems now by doing the wrong thing
18:36:29 <elundberg> elundberg: what won't change is that for RPs, 64 bytes is the max without getting unpredictable results
18:36:44 <elundberg> #1954
18:36:51 <elundberg> https://github.com/w3c/webauthn/pull/1954
18:37:16 <elundberg> DavidW: still pending, waiting for a workable example
18:37:25 <elundberg> ...#1953 awaiting review from JohnBradley
18:37:59 <elundberg> ...can synthesize an example, but want to wait for an actual prototype implementation
18:40:27 <elundberg> nadalin: #1953 is ok to merge
18:40:41 <elundberg> #1951
18:40:44 <elundberg> https://github.com/w3c/webauthn/pull/1951
18:40:56 <elundberg> pascoe: pending review
18:41:24 <elundberg> #2040
18:41:25 <elundberg> https://github.com/w3c/webauthn/pull/2040
18:42:37 <elundberg> ...restricting the origin to a single domain is too limited for some deployments
18:42:55 <elundberg> ...this would allow hosting a list of allowed origins at a .well-known URL
18:43:32 <elundberg> ...there is a recommended cap of 5 "labels" (i.e., domain minus eTLD)
18:44:34 <elundberg> ...unlimited number was considered too permissive, 5 was selected as a reasonable number
18:44:59 <elundberg> Sweeden: if this is a SHOULD, could client implementations set a lower limit?
18:45:03 <elundberg> agl: 5 should be the minimum
18:45:23 <elundberg> TimCappalli: would Apple support 5?
18:45:25 <elundberg> Pascoe: no comment
18:46:22 <elundberg> MatthewM: why /origins and not just /webauthn with a doc we can extend later?
18:46:30 <elundberg> agl: array is not a valid JSON root
18:47:21 <elundberg> TimCappalli: we considered merging with similar things for the passkey migration protocol, but these things seem unrelated enough
18:47:51 <elundberg> MatthewM: [passkey management?]
18:47:59 <elundberg> TimCappalli: separate spec outside of WebAuthn
18:49:20 <elundberg> Sweeden: seems reasonable to make it a shared .well-known/webauthn instead of separate endpoints
18:49:58 <elundberg> agl: my mistake, array can be a JSON root
18:50:13 <elundberg> DavidW: should be a JSON object root for extensibility
18:50:57 <elundberg> JohnBradley: we can create a registry for defining new properties
18:52:43 <elundberg> TimCappalli: changing to an extensible multi-purpose doc is a substantive change to the PR, might take a while
18:54:40 <elundberg> ...needs a new section to define the multi-purpose doc
18:55:11 <elundberg> MatthewM: how specific/single-purpose do other .well-knowns tend to be?
18:55:39 <elundberg> Sweeden: fairly general, I would support a single extensible endpoint
18:56:39 <elundberg> agl: we could postpone extracting a standalone section until we do define additional properties
18:58:26 <elundberg> Nina: a single endpoint could help with caching too
18:59:58 <elundberg> nadalin: hearing consensus for a single extensible endpoint
19:01:24 <elundberg> ...will this impact the other .well-known for passkeys in webbappsec?
19:01:35 <elundberg> TimCappalli: consider that unrelated for now
19:01:50 <elundberg> nadalin: adjourn
19:02:05 <elundberg> Zakim, list participants
19:02:05 <Zakim> As of this point the attendees have been MatthewM, Pascoe, Simone, Rolf, Sweeden, DavidW, DavidT, Nina, elundberg, TimCappalli, JohnBradley, agl, AndersÅberg
19:02:32 <elundberg> present+ TonyNadalin
19:02:37 <elundberg> Zakim, list participants
19:02:37 <Zakim> As of this point the attendees have been MatthewM, Pascoe, Simone, Rolf, Sweeden, DavidW, DavidT, Nina, elundberg, TimCappalli, JohnBradley, agl, AndersÅberg, TonyNadalin
19:02:45 <elundberg> RRSAgent, make logs public
19:02:52 <elundberg> RRSAgent, generate minutes
19:02:54 <RRSAgent> I have made the request to generate https://www.w3.org/2024/03/13-webauthn-minutes.html elundberg
19:03:09 <elundberg> Zakim, bye
19:03:09 <Zakim> leaving.  As of this point the attendees have been MatthewM, Pascoe, Simone, Rolf, Sweeden, DavidW, DavidT, Nina, elundberg, TimCappalli, JohnBradley, agl, AndersÅberg,
19:03:09 <Zakim> Zakim has left #webauthn
19:03:12 <Zakim> ... TonyNadalin
19:03:20 <elundberg> RRSAgent, bye
19:03:20 <RRSAgent> I see no action items