Web Authentication WG

20 January 2021


elundberg, jeffh, jfontana, nsteele, selfissued
Fontana, Nadalin

Meeting minutes


<jeffh> https://github.com/w3c/webauthn/issues/1510

tony: this is associated with #1510, look at this.


tony: I don't think this warrants a change; other opinions?

akshay: I have to finish reading, but the UV options we have are not on a per-cred basis in get assertion
… he seems to be proposing do the credential thing first, but can't release the U2F cred
… I don't think this changes anything from the spec perspective.

JeffH: our thought was there is a misunderstanding.
… we were going to try and clarify.

tony: he has a PR, should we undertake this in CR?

jeffH: no

akshay: no

tony: so no editorial change for CR

jeffH: I have not gone through this with a fine-tooth comb

tony: so you think this is not warranted for CR?

jeffH: given pushback from Shane, Emil....

Shane: it's a very wordy description of the problem. I'm struggling with the description
… the user experience and scenario
… I am re-reading it
… initially I thought it was a misconception binding vs. ceremony

jeffH: he wrote a long blog post to go with it. I have not read that yet.

shane: need to do this before we take it on.

elundberg: I don't think we need any normative changes now
… he proposed a technical change.
… I don't see change for CR
… probably solved bypass cred protect in CTAP

jbradley: I think he thinks web authn works in a different way than it does
… we have looked at user verification. don't think we can do it for L2

tony: but is this a web auth or ctap issue?

jbradley: I don't think that it is CTAP
… is user verified preferred the best wording, we need RPs to understand/enforce this
… people are getting confused, can we solve that editorially
… but not something we can do in Level 2
… sites that don't check at all end up with UX that can confuse people

akshay: it's not a spec issue

elundberg: default is a spec issue.

jbradley: this comes up every other week. was pin in,
… maybe not have default prompt user for PIN when there isn't one.

akshay: I don't think this is a spec issue.

jeffH: let's not do anything for this issue for Level 2, clarify in adoption issues
… maybe make an editorial update in L3 and straighten it out.

tony: give one extra week to look at this

jeffH: other methods to get adoption issues out.

nickS: I need to find the time to look closer at it

tony: make a decision next week. Does that sound OK?

jeffH: that sounds good.

<jeffh> https://lists.w3.org/Archives/Public/public-webauthn/2021Jan/0018.html

tony: this is all out of scope

<jeffh> Denis Pinkas' comments on webauthn L2 CR

tony: some of this will be taken on in Level 3

tony: put this off - define authenticator more thoroughly

elundberg: not sure we need a definition in the definition section.

jeffH: only used in section 11
… nothing to do for L2

looking at email https://lists.w3.org/Archives/Public/public-webauthn/2021Jan/0018.html

going through numbered sections

jeffH: in item 6 something to fix. 13.4 is not appearing in spec

elundberg: was there any content?

jeffH: thought we had some; can't find it now

jeffH: there is no content here.

tony: is this something to work on?

jeffh: editorial, we should clean it up.

jbradley: get rid of section numbers or come up with some text.

jeffH: look back at this and see if something was deleted.

jeffH: I will submit an issue

tony: number 7 in this list?

elundberg: I will open an issue for this

tony: anything else?
… next week we will figure out #1547
… should not do fix for L2
… reach out and see if he wants to join, but this is a normative change

tony: I will reach out
… group seems to be saying we won't take his approach to fix this - so no IPR issue.

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).


No scribenick or scribe found. Guessed: jfontana

Maybe present: akshay, jbradley, nickS, Shane, tony