Web Authentication WG

19 Jun 2019



jfontana, jbarclay_, nsteele



tony: still on hold. waiting for CTAP work


akshay: I am working on it.


jason: have made improvements

agl: if people are happy, we can go forward with this

jason: any emails or comment

agl: I don't recall anything coming up

tony: jason, when do you expect this to land in WD-02

jason: hope is for 02

tony: emil do you still have concerns with this?

elundberg: minor
... before it seemed the resident key part had a client issue and if the client supports showing cred pick list with external resident keys.
... would it make sense if these were two things

agl: one could support a platform that supports resident keys and external could not.

akshay: we could make it two separate things

agl: you want to nail down what the resident token means

jason: that is fair

shane: one reason confusing, the scenario is not clear

akshay: certain browsers can not do this in sertain OS versions
... we can get in done in future, not today

shane: some user experience

akshay: we will have updates in the next versino
... I want only resident keys and I don't want a fail if certain resident keys don't work

alexei: can you explain more

akshay: UV covers both built in and client pin.
... we don't have place where we say you will support client but not resident
... I have users with only PIN, does the browser support it.

alexei: my question, what is the error if we dont' add this capabilityi

akshay: user has gone from clicking link to seeing it does not work

alexei: when you click link what if it returns message it does not work.

Bradley: if you had like some versions of chrome you refuse to allow a get without an allow list, you can't use a resident credential
... there may be states where you have a credential that is not useful
... I wish all browsers would implement the spec fully, then this problem would not exist.
... hopefully browser vendors are not going to end up with mis-matched features..

akshay: I am solving one problem. on some versions of firefox I can't show a link...

alexei: we do this a lot with security key, we tried path of not showing secruity key. they are confused.

akshay: I agree that is a good point

alexei: what happens if we don't have this API, what will happen when users click.

akshay: it can fail

alexei: would it be any different with or without this API

shane: trying to do detection on other things.

akshay: say you want resident keys and UVM, if it fail immediatley, maybe you don't want it.

alexei: this is about browser.

akshay: maybe we say you do this and if it fails it is returned immediately.
... user have external security key with a PIN, if UV is required, from browser it does not know what to do because they key has yet to be plugged in.

shane: seems to mean this idea is here because on inconsistency in implementation
... wouldn't it be good if this goes away

akshay: that is optimal. but for time being can't do these things on safari, firefox

tony: what do we do.
... still some push back. non-agreement
... no hurry to close this unless there is some agreement on this

alexei: can I have another week to think about it.

shane: seems you are going to have to deal with edge cases.
... you have to deal with this issue anyway.

bradley: can we do the API faster than implementing the feature, i don't think we can say that.

tony: needs further discussion?

akshay: yes.

tony: put this on hold, and wait for JC


jeffH: I will review today


rolf: I don't have an update today. can I get another week.

tony: yes.
... if not we will move it to a future version
... OK


jeffH: let's merge. I reviewed it.

elundberg: I will merge it.


tony: I think this is out of scope
... we have viewpoints on this in the issue
... if there opposition to close this one.
... with no action
... or push it to level 3

agl: we are happy with status quo

akshay: I will close


elundberg: goes with 1219, i'll put it in WD-02

agl: we can defer this, involving finger prints is new

elundberg: maybe 1219 does not solve this if you reduce scope

akshay: this PR will not solve this issue

elundberg: keep in wd-02?

tony: does not sound like we should keep

akshay: let's look at it more and figure out what to do with this PR

tony: has you change 1219, look at 1218

akshay: we have preposed this. best to discuss next week after people look at 1219

tony: OK


tony: this looks like a breaking change

jeffH: he seems to be asking for allotcating for future use.
... I am abotu to respond to say this is better dealt with in the FIDO Alliance

shane: I think you are right about this is dealt with in CTAP

agl: not sure what this is asking
... we will never use them

jeffh: there is that argument, too

akshay: in a way you can do everything in extensions, but this more FIDO thing
... even if we run out we can do it from an extensions point of view.
... wha tis the use case.

agl: we took one place to say here is a place for more bits.

jeffH: I put in comment to summarize this discussion.

tony: we can close this one. move.

shane: close

akshay: it is a none issue

jeffH: it is closed


tony: there is nothing we can do.
... it is not affecting the spec.

agl: this group does not provide a reference implemtation.

tony: agl state that and close it.


elundberg: promoted by a question in Chrome Users

tony: we don't typically proivde this typel of guide

elundberg: there is no clear path forward here. I will look at it.

jeffH: they are misunderstanding the taxonomy table
... we could add some context.

tony: we will keep it around and look for progress.


agl: nina is working on this.

jeffh: no way to wire up automatic tests. there is shim of stuff for the browser, send it into browser code, Web driver tool can simulate authenticators
... have a draft for text for web authn spec. need to review and open PR
... I put this at L3
... it might go faster on L2

tony: put at L2 and punt it if not coming along
... we are out of time


co-chairs Nadalin, Fontana

<scribe> Meeting: Web Authentication Working Group Teleconference

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/06/19 20:02:25 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Default Present: jfontana, jbarclay_
Present: jfontana jbarclay_ nsteele
No ScribeNick specified.  Guessing ScribeNick: jfontana
Inferring Scribes: jfontana

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2019Jun/0179.html

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)

[End of scribe.perl diagnostic output]