Web Authentication WG

24 February 2021


agl, akshay, davidturner, davidwaite, dveditz, elundberg, jeffh, jeremyerickson, jfontana, johnbradley, matthewmiller, nadalin, nsteele, raerivera, sbweeden, timcappalli, wseltzer

Meeting minutes

tony: not expecting any changes
… everyone agree

jeffH: this will be renaming the master branch

Tony: yes.
… no PRs until Level 3.

tony: any level 3 issues we want to look at?

agl: we can talk about what we are referencing
… a web site wished to use a usernameless flow
… need to give some icon to click

<jeffh> Explainer: WebAuthn Conditional/Hinted UI

agl: we want something in the background, pop up a non-module design, maybe have something subtle


tony: a few issues here.

<wseltzer> Explainer: WebAuthn Conditional/Hinted UI

agl: remote desktop may be a thing, we might look at that in Level 3
… accommodation could be small or large. maybe remote desktop or browser stuff
… may want to consider for L3

MMiller: not much of a jump to a bad actor doing something with remote session

agl: FIDO has a proximity assumption
… it has some idea they are sending to the correct machine.

agl: no magic answer

bradley: would a remote software you could have a desktop authenticator, but this is probably a long way down the road

jeremy: clarification. do we care about proximity or is it channel binding

agl: explains proximity and FIDO and remote

jeremy: I don't see channel binding in this.
… proximity is hard to measure
… trying to think about this in new ways

lundberg: physical proximity is less relevant than if reg. ceremony is mediated by the browser.

jeremy: you could today forward a USB device, you extend the channel, hopefully over a secure connection

jeffh: proximity thing is between user and authenticator they actually touch. we have that. it is transitive auth. down to remote machine

bradley: seen interesting work on remoting

jeremy: would this then relate to VMware
… are there issues with this

bradley: doesn't always work. failure is remote software in my mind

jeremy: what is the spec clarifying

<matthewmiller> ^ that was me lol

akshay: we would be looking to local platform for RP, but won't use remote platform authenticator, phishing would be a real problem

agl: that matches our expectations.
… details wouldn't be that clear
… chrome has had this for a decade. have to work on the functionality.

tony: any more to discuss?
… adjourn.

