shane: talked with author of https://
… thinks we should close it
… correction. #1547 is PR, #1510 is issue
tony: update #1510 and leave at Level 3, and close PR #1547
tony: so no issues left, closes the one technical issue against CT
… any objection to go to PR?
… targeting at Feb. 9
… not hearing any objections
… we have consensus for going to PR
… we have seven editorial issues and will move to Level 3 if not closed
… so we have two weeks to get these done.
… move editors in and out
… any other discussion?
Resolution: Move WebAuthn Level 2 to PR
Bradley: I added some new issues with AGL, but they need triage and are not for now.
tony: discuss now to provide insight
… what could be added is HSTS. issue here is with RP and browser and who knows what
… strict transport security needs to be turned on
agl: lots of resources, HSTS which domain does this need to be true?
bradley: IPRD, I believe.
agl: worry here, this doesn't mean anything.
… worried that this will be misunderstood
bradley: your position. things could be loaded on page from other domains and do a MIM attack
agl: not domains, but yes...
… I worry about this being misunderstood.
… and too much to manage
bradley: maybe just not this and tell NIST we can't do AAL3?
… we keep coming back to there is no solution if you use a browser
agl: I hear lots of mismatch
… with NIST, we could talk about setting flags and loading domains
… maybe an answer in there?
jeffH: there are two separate things here.
bradley: what they want to get out of this is user can't accept a self-signed cert
… want to be strict, worried about certificate issues
agl: resource can get stuck in cache then JavaScript can do anything
… if this is what they want, they should not be pushing the flag
bradley: they want binding to JavaScript
… they are not solving that problem
agl: they want this to solve the JavaScript problem
bradley: they are looking for something that is insecure like TLS for smart cards
agl: they need to understand what does not work
… let's not add to this, it is not meaningful
agl: they are looking for solutions, but they need a lot more than we've talked about
agl: detach from HSTS root.
jeffH: we could sacrifice security with this.
bradley: I will close this one. https://
agl: I hold places for charter review. one was non-modal UI, and authenticator more than one key.