W3C

– DRAFT –
Web Authentication WG

27 January 2021

Attendees

Present
agl, akshay, davidturner, davidwaite, dveditz, elundberg, jeffh, jfontana, jfontana_, nadalin, nsteele, sbweeden, selfissued, wseltzer, yuriy
Regrets
-
Chair
Fontana, Nadalin
Scribe
jfontana

Meeting minutes

shane: talked with author of https://github.com/w3c/webauthn/issues/1510
… thinks we should close it
… correction. #1547 is PR, #1510 is issue

tony: update #1510 and leave at Level 3, and close PR #1547

https://github.com/w3c/webauthn/issues/1510

https://github.com/w3c/webauthn/pull/1547

tony: so no issues left, closes the one technical issue against CT
… CR
… any objection to going to PR?
… targeting Feb. 9
… not hearing any objections
… we have consensus for going to PR
… we have seven editorial issues and will move them to Level 3 if not closed
… so we have two weeks to get these done.

https://github.com/w3c/webauthn/issues/1496
… move editors in and out
… any other discussion?

Resolution: Move WebAuthn Level 2 to PR

Bradley: I added some new issues with AGL, but they need triage and are not for now.

tony: discuss now to provide insight

bradley: #1554

https://github.com/w3c/webauthn/issues/1554
… what could be added is HSTS. Issue here is with RP and browser and who knows what
… strict transport security needs to be turned on

agl: lots of resources; HSTS for which domain does this need to be true?

bradley: IPRD, i believe.

agl: worry here, this doesn't mean anything.
… worried that this will be misunderstood

bradley: your position. things could be loaded on page from other domains and do a MITM attack

agl: not domains, but yes...
… I worry about this being misunderstood.
… and too much to manage

bradley: maybe just not this and tell NIST we can't do AAL3?
… we keep coming back to there is no solution if you use a browser

agl: I hear lots of mis-match
… with NIST, we could talk about setting flags and loading domains
… maybe an answer in there?

jeffH: there are two separate things here.

bradley: what they want to get out of this is user can't accept a self signed cert
… want to be strict, worried about certificate issues

agl: resource can get stuck in cache, then JavaScript can do anything
… if this is what they want, they should not be pushing the flag

bradley: they want binding to JavaScript
… they are not solving that problem

agl: they want this to solve the JavaScript problem

bradley: they are looking for something that is insecure like TLS for smart cards

agl: they need to understand what does not work
… let's not add to this, it is not meaningful

agl: they are looking for solutions, but they need a lot more than we've talked about

agl: detach from HSTS root.

jeffH: we could sacrifice security with this.

bradley: I will close this one. https://github.com/w3c/webauthn/issues/1554

agl: I hold places for charter review. one was non-modal UI, and authenticator more than one key.

https://github.com/w3c/webauthn/issues/1545

https://github.com/w3c/webauthn/issues/1546

tony: adjourn

Summary of resolutions

  1. Move WebAuthn Level 2 to PR
Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).

Diagnostics

No scribenick or scribe found. Guessed: jfontana

Maybe present: Bradley, shane, tony