18:20:11 RRSAgent has joined #webauthn
18:20:11 logging to https://www.w3.org/2021/08/11-webauthn-irc
18:20:13 RRSAgent, make logs Public
18:20:15 Meeting: Web Authentication WG
19:00:57 present+
19:01:15 elundberg has joined #webauthn
19:01:48 regrets+ Nadalin
19:02:06 present+ jfontana, akshay, davidwaite, elundberg, sbweeden
19:03:04 present+ Rae
19:04:30 present+ timcappalli
19:05:54 Topic: Charter
19:06:10 wseltzer: just getting the final comments from team for Director review, should go to AC review soon
19:06:13 topic: PRs
19:06:28 chair: jfontana
19:06:46 elundberg: Most of my PRs, waiting review from JeffH
19:07:19 ... PR 1660, I'm not sure whether it's good. Thoughts?
19:07:24 ... please review
19:07:41 https://github.com/w3c/webauthn/pull/1660
19:07:47 sbweeden: I'll review
19:07:55 agl: I just clicked approve
19:08:04 present+ agl
19:10:13 sbweeden: "chosen by authenticator or client"?
19:10:20 agl: "not chosen by RP"?
19:10:57 jfontana: https://github.com/w3c/webauthn/pull/1661
19:11:08 elundberg: this was just a bikeshed warning fix
19:11:37 ... to fix the dictionary
19:12:24 jfontana: https://github.com/w3c/webauthn/pull/1622
19:12:48 elundberg: waiting for Jeff
19:13:05 ... as is 1621
19:13:50 sbweeden: it was waiting on a different PR
19:14:01 elundberg: and the other is now ready to be merged
19:14:41 ... I'll merge 1649 into this branch, as it was all approved
19:15:26 jfontana: Now to issues
19:15:49 ... https://github.com/w3c/webauthn/issues/1656
19:16:15 present+ dveditz
19:17:32 akshay: no objection from me, want to hear from Mozilla
19:18:03 jfontana: needs more input
19:19:00 dveditz: I'd have to go back to those who commented
19:19:11 agl: I think the objection then was to lack of use case
19:20:04 dveditz: I'll ask. Spec doesn't like to make UI prescription, but so long as it's clear to the user
19:20:28 agl: we're assuming we can convey to user cross-origin communication
19:20:37 ... for federation, as well as for this
19:21:14 dveditz: similar issue with OAuth in frames vs popups
19:21:59 jfontana: 1657
19:23:40 ... let's update
19:23:46 ... 1658
19:23:55 agl: device-bound keys, from another issue
19:24:12 ... value of sites being able to have concept of "same device"
19:24:26 ... as a signal to risk engine
19:24:47 ... I retired a previous issue on the same topic
19:25:05 jfontana: leave open for some discussion?
19:25:25 agl: we'll likely start with 1637 first
19:26:34 jfontana: 1659
19:26:46 agl: elundberg's PR will close this when landed
19:26:53 jfontana: 1662
19:28:15 jfontana: 1640?
19:28:39 akshay: just gathering feedback. will remain there for a while. Mark as L3
19:29:21 jfontana: 1639
19:29:39 agl: likely addressed by 1637
19:34:24 jfontana: 1630
19:34:29 ... hearing no objections to closing
19:35:12 jfontana: 1617
19:35:37 agl: question of what value to pick, if we think there should be a max credential ID length
19:36:41 elundberg: no bigger than fits in CTAP
19:37:01 agl: I'll address
19:37:10 jfontana: 1612
19:37:34 akshay: can close
19:40:56 agl: scope as device vs app
19:41:40 davidwaite: how does this work with CaBLE?
19:42:10 agl: phone authenticator, a device with app-scoped keys would use a different key for app vs web
19:42:41 davidwaite: viable cross-device?
19:43:20 agl: what app is CABLE? that's up to the implementation
19:47:54 jbradley: I'd prefer not to have to support it on roaming authenticators
20:00:52 jfontana: longer discussion, let's keep it open
20:00:55 [adjourned]
20:00:58 rrsagent, draft minutes
20:00:58 I have made the request to generate https://www.w3.org/2021/08/11-webauthn-minutes.html wseltzer