Web Authentication WG

07 April 2021


agl, akshay, bill, davidwaite, dveditz, elundberg, jeffh, jfontana, johnbradley, nadalin, nsteele, rae, sbweeden, timcappalli

Meeting minutes

tony: we are past the Rec and in red stage
… when do we publish?

wendy: Thursday - tomorrow

agl: two implementation is resolved

tony: yes
… agree on publishing

consensus is Thursday

agl: level 2 and CTAP 2.1 are tidy up specs

wendy: overall it makes the spec more secure

tony: thanks to everyone.

agl: have issue from fido2; credblob
… we wanted to discuss it here
… extension

akshay: trying to figure out why this is necessary, it is in client extensions.

selfissue: the point here is want to be consistent in the way extensions behave

agl: it lets RPs determine if the browser supports extension even if authenticator does not

tony: anything from FIDO land

<jeffh> agl: if an extension is not exposed at the webauthn level, it would not need a client output....

jbradley: nothing relevant

<wseltzer> PROPOSED: Adopt Level 2 Rec as FPWD for Level 3

<wseltzer> [no objection]

<jeffh> jeffh: so moved

tony: is there unanimous consent?

<nsteele> (yes)

Resolution: Adopt Level 2 Rec as FPWD for Level 3

tony: we can start the transition on Github

tony: we are going from master to main

tony: we can do it now or after the call.
… objections? <hearing none>

tony: all set to go Main.


tony: ok


jbradley: i left a note to close it

tony: should we move to bi-weekly calls as we get going on Level 3
… any support

agl: I expect Level 3 to be more robust than L2
… won't be too long, two months would be disappointing

tony: meet in two weeks from today and go to that schedule.
… we will go every other wednesday


jeffH: spec says authenticator should implement signature counter feature, but in practice may not be much utility

jbradley: some usefulness, signature counter to detect cloning
… optional in FIDO certification above Level 2
… above Level 1


shan: there is nothing for cloning detection

jbradley: counter is allowed to be zero

agl: we might tweak that

shane: having seen the counter in Chrome, I realized it was following the rules

agl: global counter across all creds. if attacker can get into service they can follow counter
… they can craft false signatures and slip them in where they are OK

jbradley: but would have to be in real time
… have to get the user to use the authenticator on the other site.
… before they log in to legit site

agl: it takes some juggling

jbradley: real question, counter was intended for software

jbradley: we should change this in the security requirements at FIDO

agl: does not sound like we have consensus, I suggest closing it

jbradley: there are some more things in here with counters.

shane: I only see this when I use the conformance tool

agl: our model is the authentication never stops.

nsteele: the way we see this used with Apple devices, it is shared in os

jbradley: Chrome on Apple or Safari

nsteele: on chrome

nsteele: sorry, it is safari

jbradley: looks like we are closing this down, likely take it up in FIDO from a certification angle

agl: looks like chrome on map uses time stamp

correction - that is chrome on mac

tony: jeff, you will close this

jeffH: yes.

tony: anything else?

<wseltzer> calendar: https://www.w3.org/groups/wg/webauthn/calendar

Summary of resolutions

  1. Adopt Level 2 Rec as FPWD for Level 3

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).


No scribenick or scribe found. Guessed: jfontana

Maybe present: jbradley, selfissue, shan, shane, tony, wendy