17:59:19 <RRSAgent> RRSAgent has joined #webauthn
17:59:19 <RRSAgent> logging to https://www.w3.org/2021/04/07-webauthn-irc
17:59:21 <Zakim> RRSAgent, make logs Public
17:59:23 <Zakim> Meeting: Web Authentication WG
17:59:24 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Apr/0019.html
19:02:04 <jeffh> present+
19:02:58 <jfontana> jfontana has joined #webauthn
19:03:29 <elundberg> elundberg has joined #webauthn
19:03:47 <jfontana> present+
19:04:43 <wseltzer> present+ akshay, nadalin, agl, bill, rae, davidwaite, elundberg, sbweeden, johnbradley, timcappalli
19:04:52 <jfontana> tony: we are passed the Rec and in red stage
19:04:57 <jfontana> ...when do we publish?
19:05:07 <jfontana> wendy: Thursday - tomorrow
19:05:32 <dveditz> dveditz has joined #webauthn
19:05:42 <jfontana> agl: two implementation is resolved
19:05:44 <dveditz> present+
19:05:47 <jfontana> tony: yes
19:06:02 <jfontana> ...agree on publishing
19:06:11 <jfontana> consensus is Thursday
19:08:07 <jfontana> agl: level 2 and CTAP 2.1 are tidy up specs
19:08:20 <jfontana> wendy: overall it makes the spec more secure
19:08:30 <jfontana> tony: thanks to everyone.
19:10:04 <jfontana> agl:  have issue from fido2; credblob
19:10:23 <jfontana> ...we wanted to discuss it here
19:10:55 <jfontana> ...extension
19:11:26 <jfontana> akshay: trying to figure out why this is necessary, it is in client extensions.
19:12:21 <jfontana> selfissue: th point here is want to be consistent in the way extensions behave
19:13:05 <jfontana> agl: it lets RPs determine if the browser supports extension even if authenticator does not
19:13:30 <jfontana> tony: anything from FIDO land
19:13:42 <jeffh> agl: if an extension is not exposed at the webauthn level, it would not need a client output....
19:13:44 <jfontana> jbradley: nothing relevant
19:14:21 <wseltzer> PROPOSED: Adopt Level 2 Rec as FPWD for Level 3
19:14:27 <wseltzer> [no objection]
19:14:31 <nsteele> nsteele has joined #webauthn
19:14:38 <jeffh> jeffh: so moved
19:14:39 <nsteele> present+
19:14:42 <jfontana> tony: is there unanimous consent?
19:14:48 <nsteele> (yes)
19:14:50 <wseltzer> RESOLVED: Adopt Level 2 Rec as FPWD for Level 3
19:14:59 <jfontana> tony: we can start the transition on Github
19:15:46 <jfontana> tony: we are going from master to main
19:15:53 <jfontana> tony: we can do it now or after the call.
19:16:22 <jfontana> ...objections? <hearing none>
19:16:42 <jfontana> tony: all set to go Main.
19:17:07 <jfontana> https://github.com/w3c/webauthn/issues/1591
19:18:09 <jfontana> tony: ok
19:18:14 <jfontana> https://github.com/w3c/webauthn/issues/1580
19:18:48 <jfontana> jbradley: i left a note to close it
19:19:16 <jfontana> tony: should we move to bi-weekly calls as we get going on Level 3
19:19:21 <jfontana> ...any support
19:20:06 <jfontana> agl: I expect Level 3 to be more robust than L2
19:20:31 <jfontana> ...won't be too long, two months would be disappointing
19:21:31 <jfontana> tony: meet in two weeks from today and go to that schedule.
19:21:54 <jfontana> ...we will go every other wednesday
19:24:59 <jfontana> https://github.com/w3c/webauthn/issues/1590
19:25:50 <jfontana> jeffH: spec says authenticator should implement signature counter feature, but in practice may not be much utility
19:26:52 <jfontana> jbradley: some usefulness, signature counter to detect cloning
19:27:04 <jfontana> ...optional in FIDO certification above Level 2
19:27:14 <jfontana> ...above Level 1
19:27:23 <jfontana> correction
19:28:31 <jfontana> shan: there is nothing for cloning detection
19:28:45 <jfontana> jbradley: counter is allowed to be zero
19:28:58 <jfontana> agl: we might tweak that
19:30:55 <jfontana> shane: having seen the counter in Chrome, I realized it was following the rules
19:32:47 <jfontana> agl: global counter across all creds. if attacked can get into service they can follow counter
19:33:06 <jfontana> ...they can craft false signatures and slip them in where they are OK
19:33:16 <jfontana> jbradley: but would have to be in real time
19:33:28 <jfontana> ...have to get the user to use the authenticator on the other site.
19:33:35 <jfontana> ...before they log in to legit site
19:33:47 <jfontana> agl: it takes some juggling
19:34:10 <jfontana> jbradley: real question, counter was intended for software
19:36:30 <jfontana> jbradley: we should change this in the security requirements at FIDO
19:38:18 <jfontana> agl: does not sound like we have consensus, I suggest closing it
19:38:34 <jfontana> jbradley: there is some more things in here with counters.
19:39:55 <jfontana> shane: I only see this when I use the conformance tool
19:41:34 <jfontana> agl: our model is the authenticator never stops.
19:42:51 <jeffh> s/authenticator/authentication/
19:43:20 <jfontana> nsteele: the way we see this used with Apple devices, it is shared in os
19:43:48 <jfontana> jbradley: Chrome on Apple or Safari
19:43:54 <jfontana> nsteele: on chrome
19:44:22 <jfontana> nsteele: sorry, it is safari
19:46:51 <jfontana> jbradley: looks like we are closing this down, likely take it up in FIDO from a certification angle
19:47:19 <jfontana> agl: looks liek chrome on map uses time stamp
19:48:09 <jfontana> correction - that is chrome on mac
19:48:55 <jfontana> tony:  jeff, you will close this
19:48:58 <jfontana> jeffH: yes.
19:49:04 <jfontana> tony: anything else?
19:49:08 <wseltzer> calendar: https://www.w3.org/groups/wg/webauthn/calendar
19:49:46 <wseltzer> rrsagent, draft minutes
19:49:46 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/07-webauthn-minutes.html wseltzer
19:49:57 <wseltzer> rrsagent, make logs public
20:09:53 <wseltzer> rrsagent, bye
20:09:53 <RRSAgent> I see no action items