Meeting minutes
agl: Google put out its latest plan that will come to a GitHub issue in a few weeks.
tony: once in the form of an issue, we can crank up meeting times a bit.
https://
<jeffh> what agl referred to: https://
elundberg: I don't think the modify parameters is in scope. We can make other pieces more clear.
… I have rewritten some to make them more clear from RP and client authenticator
… nothing here that is a new requirement.
tony: reviewers?
shane: will review
akshay: will review
https://
selfissue: I can look at this during call
https://
jeffH: this is ongoing. it is draft.
https://
elundberg: waiting on other issues, multiple keys, FIDO discussion
jeffH: this will come to W3C soon-ish on the two-key issue in WebAuthn context.
… continuity signal is how we think this will work. it's a platform authenticator
agl: more depth will come. two keys is part of this, bring back some of the hardware backed properties.
… it is different than backing up keys, it is an augment of that
DWaite: this is an extension.
agl: yes, extensions are optional. need to prepare to accept.
… two key would not come unsolicited
<jeffh> apple's "move beyond passwords" WWDC talk: https://
DWaite: concerned the other way
… what if it does not come back with two keys
agl: this is in excess of what is there right now. don't depend on second key
… guidance, it is a risk signal
elundberg: RPs are expected to accept unsolicited extensions
… our proposal has two options.
agl: for your context, maybe hardware bound key, that might be the way you would use it, don't see how it transports keys
elundberg: I meant delivering Key to RP
elundberg: don't think recovery will be in near term. We can wait for Google to come up with their scheme
https://
elundberg: large blob. I will look at the feedback.
https://
<selfissued> I'm good merging https://
https://
jeffH: merging
tony: matt can you merge #1625
matt: token binding it is unrecognized shape, what do you do?
agl: type errors are not called out in spec; IDL takes care of that
… not sure where these came from.
matt: they are very old, 3 years.
… nothing is returning token binding these days.
tony: will leave token binding laying around
https://
tony: this is not a spec issue
… how to handle
akshay: I will explain and likely close
DavV: it is a Firefox issue
https://
tony: this is deletion one; around for 4 weeks. no response. close?
elundberg: close
https://
agl: think this is CTAP/CBOR issue
tony: any issues to discuss
https://
elundberg: in the past decided not to make a breaking change
… is there more of a case to reconsider
agl: this default is problematic in some scenarios
… there was a misunderstanding if this was a vulnerability - it seems it was not
agl: could set it explicitly to prefer
akshay: we needed some context where the user was
elundberg: we have the same resolution as before
selfissue: get the RPs to do the right thing here.
elundberg: I will update and close without comment.
agl: I will file an issue to get rid of token binding?
nSteele: I will work on PR.