Web Authentication WG

21 Oct 2020



jcj_moz, elundberg, jeffh, wseltzer, jfontana_, selfissued
Nadalin, Fontana


tony: open PRS


jtan: intent is to address a specific device

akshay: in consumer we ask for attestation but don't really do anythign with it.
... on enterprise side can chose what to allow and dis-allow, using an AAGUID

jtan: for enterprise, usually want to recognize a single device
... if you have enterprise mode on, you use some featues

aksahy: still is model of a device

jbradlley: if you don't have aaguid, that may mess people up, CTAP2 assume aaguid

jtan: there should not be an aaguid

jbradley: individual device, not class of devices

jan: yes.

jTan: yes.
... please add your opinions in github

elundberg: PR is about attestation CA?

akshay: trying to figure out what it is

shane: can tell it is apple attestation
... but can't tell by device
... need to separate what will be done in future versions of apple attestation
... there is an implementation in the wild.

jbradley: are we saying there is another way to deal with apple attestation

shane: no. the way it works, i look at aaguid and if it is all zeros, I need to use something else

jbradley: the intent was to go foward with aaguids, but if we have subject key identifies, we may need to tweak FIDO MDS

akshay: I put all the commands in the pull request

jbradley: why all zeros

jtan: no particular reason

jbradley: you collide with U2F authenticators by using alll zeros

jtan: you wont have other devices that use applel attestation

jbradelly: so we may need custom logic

jtan: we will discuss internally

tony: bradley, you will update?

shane: what needs to be updated
... don't need to mention aaguid

jeffH: I don't see any mention of aaguid

jtan: I will modify #1474, and keep #1491 together.


tony: elundberg, are your questions answered

elundberg: yes, it looks good to go. some minor suggestions - editorial

tony: jeffH?
... OK

jeffH: largely


jeffH: basically ready to go.

tony: jc_moz and akshay, you looking at this

jc_moz: i flagged this for folks at Mozilla, I have not heard back.
... my understanding it looks fine.

akshay: we need to review who knows this better

jeffH: intersection observer is still in comment phase

discussing browser and click jacking


jeffH: elundberg has a good point.
... shane has comment in issue. I have not read it

shane: I don't think we need a new attestation type

jeffH: some people have gotten this wrong.

jbradley: does cover, but has to have correct self-signed cert

jeffH: i put comment into PR. may just need to clarify here.

shane: will we clarify here

jeffH: we will ask FIDO nicely


tnoy: need a check off here.


shane: action I took last week, I did address that

tony: any other review?
... think this is ready to go, elundberg signed off


tony: fixed. merged


elundberg: align wording.

tony: i will wait for #1491, create a PR for this one

<selfissued> Later...

tony: adjourn

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/10/21 20:03:02 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision of Date 
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Present: jcj_moz elundberg jeffh wseltzer jfontana_ selfissued
No ScribeNick specified.  Guessing ScribeNick: jfontana_
Inferring Scribes: jfontana_

WARNING: No "Topic:" lines found.

Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2020Oct/0082.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)

[End of scribe.perl diagnostic output]