Meeting minutes
tony: we are past the Rec and in red stage
… when do we publish?
wendy: Thursday - tomorrow
agl: two implementation is resolved
tony: yes
… agree on publishing
consensus is Thursday
agl: level 2 and CTAP 2.1 are tidy up specs
wendy: overall it makes the spec more secure
tony: thanks to everyone.
agl: have issue from fido2; credblob
… we wanted to discuss it here
… extension
akshay: trying to figure out why this is necessary, it is in client extensions.
selfissue: the point here is want to be consistent in the way extensions behave
agl: it lets RPs determine if the browser supports extension even if authenticator does not
tony: anything from FIDO land
<jeffh> agl: if an extension is not exposed at the webauthn level, it would not need a client output....
jbradley: nothing relevant
<wseltzer> PROPOSED: Adopt Level 2 Rec as FPWD for Level 3
<wseltzer> [no objection]
<jeffh> jeffh: so moved
tony: is there unanimous consent?
<nsteele> (yes)
Resolution: Adopt Level 2 Rec as FPWD for Level 3
tony: we can start the transition on Github
tony: we are going from master to main
tony: we can do it now or after the call.
… objections? <hearing none>
tony: all set to go Main.
https://
tony: ok
https://
jbradley: i left a note to close it
tony: should we move to bi-weekly calls as we get going on Level 3
… any support
agl: I expect Level 3 to be more robust than L2
… won't be too long, two months would be disappointing
tony: meet in two weeks from today and go to that schedule.
… we will go every other wednesday
https://
jeffH: spec says authenticator should implement signature counter feature, but in practice may not be much utility
jbradley: some usefulness, signature counter to detect cloning
… optional in FIDO certification above Level 2
… above Level 1
correction
shane: there is nothing for cloning detection
jbradley: counter is allowed to be zero
agl: we might tweak that
shane: having seen the counter in Chrome, I realized it was following the rules
agl: global counter across all creds. if attacker can get into service they can follow counter
… they can craft false signatures and slip them in where they are OK
jbradley: but would have to be in real time
… have to get the user to use the authenticator on the other site.
… before they log in to legit site
agl: it takes some juggling
jbradley: real question, counter was intended for software
jbradley: we should change this in the security requirements at FIDO
agl: does not sound like we have consensus, I suggest closing it
jbradley: there are some more things in here with counters.
shane: I only see this when I use the conformance tool
agl: our model is the authentication never stops.
nsteele: the way we see this used with Apple devices, it is shared in os
jbradley: Chrome on Apple or Safari
nsteele: on chrome
nsteele: sorry, it is safari
jbradley: looks like we are closing this down, likely take it up in FIDO from a certification angle
agl: looks like chrome on map uses time stamp
correction - that is chrome on mac
tony: jeff, you will close this
jeffH: yes.
tony: anything else?
<wseltzer> calendar: https://