W3C

– DRAFT –
Web Authentication WG

11 August 2021

Attendees

Present
agl, akshay, davidwaite, dveditz, elundberg, jfontana, Rae, sbweeden, timcappalli, wseltzer
Regrets
Nadalin
Chair
jfontana
Scribe
wseltzer

Meeting minutes

Charter

wseltzer: just getting the final comments from team for Director review, should go to AC review soon

PRs

elundberg: Most of my PRs, waiting review from JeffH
… PR 1660, I'm not sure whether it's good. Thoughts?
… please review

https://github.com/w3c/webauthn/pull/1660

sbweeden: I'll review

agl: I just clicked approve

sbweeden: "chosen by authenticator or client"?

agl: "not chosen by RP"?

jfontana: https://github.com/w3c/webauthn/pull/1661

elundberg: this was just a bikeshed warning fix
… to fix the dictionary

jfontana: https://github.com/w3c/webauthn/pull/1622

elundberg: waiting for Jeff
… as is 1621

sbweeden: it was waiting on a different PR

elundberg: and the other is now ready to be merged
… I'll merge 1649 into this branch, as it was all approved

jfontana: Now to issues
https://github.com/w3c/webauthn/issues/1656

akshay: no objection from me, want to hear from Mozilla

jfontana: needs more input

dveditz: I'd have to go back to those who commented

agl: I think the objection then was to lack of use case

dveditz: I'll ask. Spec doesn't like to make UI prescription, but so long as it's clear to the user

agl: we're assuming we can convey to user cross-origin communication
… for federation, as well as for this

dveditz: similar issue with OAuth in frames vs popups

jfontana: 1657
… let's update
… 1658

agl: device-bound keys, from another issue
… value of sites being able to have concept of "same device"
… as a signal to risk engine
… I retired a previous issue on the same topic

jfontana: leave open for some discussion?

agl: we'll likely start with 1637 first

jfontana: 1659

agl: elundberg's PR will close this when landed

jfontana: 1662

jfontana: 1640?

akshay: just gathering feedback. will remain there for a while. Mark as L3

jfontana: 1639

agl: likely addressed by 1637

jfontana: 1630
… hearing no objections to closing

jfontana: 1617

agl: question of what value to pick, if we think there should be a max credential ID length

elundberg: no bigger than fits in CTAP

agl: I'll address

jfontana: 1612

akshay: can close

agl: scope as device vs app

davidwaite: how does this work with caBLE?

agl: phone authenticator, a device with app-scoped keys would use a different key for app vs web

davidwaite: viable cross-device?

agl: what app is caBLE? that's up to the implementation

jbradley: I'd prefer not to have to support it on roaming authenticators

jfontana: longer discussion, let's keep it open

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).

Maybe present: jbradley