<wseltzer> jfontana: Tony and I talked about TPAC
<wseltzer> ... Oct. 7, Secure Payments IG
<wseltzer> ... Oct. 14 regular Webauthn
<wseltzer> ... Oct 19 or 20, joint meeting with Web Payments WG
<wseltzer> ... Oct. 21 regular WebAuthn
<wseltzer> ... note the FIDO plenary potential overlap
<wseltzer> Nadalin: only the joint meeting on 7 Oct.
<wseltzer> nadalin: WPSIG, Web Payments Security IG: W3C, FIDO, EMVCO
<wseltzer> agl: fine not to meet on 21 Oct.
<wseltzer> Akshay: timing of joint meeting?
<wseltzer> fontana: between 8-9am Pacific
<wseltzer> nadalin: we'll share a complete schedule
<wseltzer> nadalin: tentatively, cancel 7 and 21 Oct.
<wseltzer> ... if needed, we can reschedule
tony: get wd-04 done before end
of month
... end of Oct. for CR
... completion
akshay: I am implementing ctap
2.1 for the platform
... should be end of month
tony: I don't know status of
safari
... we need two interoperable implementations
JTan: we won't be ready
tony: left with edge and Chrome
bradley: do we do it with ctap 2.0 only
agl: we don't talk about 2.1, think just demonstrate what is in this spec.
endy: I can't predict the director response on the code base, and if it is two implelmentations
akshay: they can be behaving differently
tony: when w do the implementation w can write this into the interop report
bradley: firefox could be the other implemenation if we don't add 2.1 stuff.
tony: open PRs
https://github.com/w3c/webauthn/pull/1470
agl: I need to catch up
https://github.com/w3c/webauthn/pull/1472
agl: nina is not here
tony: seems ready to go
akshay: looks good to me. merge
tony: yes, merge
https://github.com/w3c/webauthn/pull/1474
jTan: still waiting for reply from lawyers.
tony: what do we do here
jeffH: wait.
... this is not essential, I think.
tony: leave open
https://github.com/w3c/webauthn/pull/1480
elundberg: good to go
akshay: what is solution here? are you saying RP should send fake credentials.
elundberg: this is an attack that
effects users that don't use web authn
... there are other alternatives.
bradley: some discussion on this in the press. they said we were encouraging discovery of accounts to brute force
elunberg: why is the allow list empty?
bradley: the point is the attacker can look into different second factors
ellundberg, maybe say non-empty and failure
scribe: I will fix that
tony: are you OK making changes
and merging
... any objections?
none
https://github.com/w3c/webauthn/pull/1476
tony: this is feature policy
jeffH: this has been split into #1479, do feature policies in another action
jc_moz: would rather see this are re-base
jeffH: this looks fine to me, let's figure out how to land this.
JC_moz: I think we can land this once it's in shape.
tony: includes 1479?
jc_moz: yes
tony: let's do this is two steps
https://github.com/w3c/webauthn/pull/1481
jc_moz: follow-up to move
extension before PR
... remove extension
... need to see if we can publish a note out of this group, if
not, we can move to WICG
tony: this is OK?
<wseltzer> https://wicg.io
wendy: we can publish a non-normative note. WICGis community group that works from github.
jc_moz: part of point, this is
crypto function we should get wider review
... WICG is a good place to do this.
tony: everyone OK on moving forward?
bradley: prefer keeping the note inside the working group, and get wider input
selfissue: I agree. we control our own destiny
<wseltzer> nadalin: any objections to publishing as a note? hearing none.
tony: we have a few untriaged issues
https://github.com/w3c/webauthn/issues/1477
jeffH: dinosaur
tony: goal is to get this done by CR?
jeffH: this is background
https://github.com/w3c/webauthn/issues/1478
tony: this is to remove this. this can land in wd-04
https://github.com/w3c/webauthn/issues/1457
nsteele: this is in the community group
bradley: decided to keep this around to track the issue. no spec changes
https://github.com/w3c/webauthn/issues/1453
jtan: no update on this, apple attestation
https://github.com/w3c/webauthn/issues/1441
tony: john and mike, can you look at this
bradley: will be adding wording
tony: what about interoperable implementations
jc_moz: won't have ctap2
bradley: don't need to do ctap2
jc_moz: i'll have to get back to you on that.
tony: any more issues?
... adjourn
rrsagent: make logs public
rrsagent: draft minutes
This is scribe.perl Revision of Date Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00) Succeeded: s/Web Payments/Secure Payments IG/ Succeeded: s/@@/Web Payments WG/ Present: jfontana elundberg jbarclay wseltzer agl akshay davidturner eric jeremy nadalin rae sbweeden jeffh nsteele selfissued jcj_moz No ScribeNick specified. Guessing ScribeNick: jfontana Inferring Scribes: jfontana WARNING: No "Topic:" lines found. Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Sep/0048.html WARNING: No date found! Assuming today. (Hint: Specify the W3C IRC log URL, and the date will be determined from that.) Or specify the date like this: <dbooth> Date: 12 Sep 2002 People with action items: WARNING: No "Topic: ..." lines found! Resulting HTML may have an empty (invalid) <ol>...</ol>. Explanation: "Topic: ..." lines are used to indicate the start of new discussion topics or agenda items, such as: <dbooth> Topic: Review of Amy's report WARNING: IRC log location not specified! (You can ignore this warning if you do not want the generated minutes to contain a link to the original IRC log.)[End of scribe.perl diagnostic output]