18:52:17 RRSAgent has joined #webauthn
18:52:17 logging to https://www.w3.org/2021/08/25-webauthn-irc
18:52:19 RRSAgent, make logs Public
18:52:20 Meeting: Web Authentication WG
18:52:25 Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Aug/0126.html
18:58:56 present+
18:59:17 present+
18:59:24 chair: Nadalin, Fontana
19:00:48 present+ nadalin, fontana, akshay, rouslan, sbweeden
19:01:15 jfontana has joined #webauthn
19:01:28 present +
19:01:45 nina has joined #webauthn
19:03:48 smcgruer_[EST] has joined #webauthn
19:05:16 elundberg has joined #webauthn
19:05:23 present+ agl, christiaan_brand, dirk_balfanz, ken_buchanan, liquian_max_gu, michael_knowles, nina_satragno, rae_rivera, smcgruer, tim_cappalli, zakaria_ridouh
19:05:39 present+ elundberg, kaan_icer, nsteele
19:08:54 wendy: charter is out for review
19:09:09 present+
19:09:33 tony: Addison here to talk about internationalization
19:09:34 Topic: Internationalization
19:10:34 https://github.com/w3c/webauthn/issues?q=is%3Aissue+is%3Aopen+label%3Ai18n-needs-resolution
19:11:00 jfontana_ has joined #webauthn
19:11:31 addison: ripping out what was added was just going backward.
19:11:46 addison: ripping out your changes would give a string with no language metadata
19:11:47 ... preference is for additional metadata fields
19:11:54 ... that could be acceptable
19:12:09 ... Or we'd prefer additional metadata
19:12:32 ... if you really needed to include metadata in the string, we'd suggest serialization a la RDF
19:12:41 ... would appreciate your guidance on constraints
19:12:46 agl: constraints
19:12:56 ... hardware that exists only accepts a fixed number of bytes
19:13:11 ... we could rev the hardware spec, but that would take years to become prevalent in the wild
19:13:23 ... so adding new fields, we expect wouldn't work terribly well
19:13:32 addison: would that also be true re encoding into string?
19:13:41 agl: devices take a lump of bytes
19:13:52 ... where we can put anything. (some have screens)
19:13:52 dveditz has joined #webauthn
19:14:01 ... they're free to truncate arbitrarily
19:14:03 present+
19:14:07 ... needs to decay gracefully
19:14:25 ... You could imagine API has fields we'd like and the browsers are tasked with encoding
19:14:34 ... which we'd have to specify
19:14:45 ... it's possible the encoding could happen at browser rather than RP
19:15:04 addison: my concern, suppose we go down the path of cleanup
19:15:16 ... language string followed by garbage
19:15:25 ... new implementations would have to know about that
19:15:57 ... we like separate metadata fields so old things don't have to know about it or care
19:16:40 addison: the characters you're talking about are deprecated
19:17:10 ... it wouldn't be fatal if those were displayed as hollow boxes or flags
19:17:18 ... newer implementations would know how to read
19:17:40 agl: three places of design
19:17:56 ... separate fields pushed down to device, wait until 2024 CTAP spec
19:18:14 ... metadata stretched down to the browser, who stuff it into byte strings
19:18:31 ... RPs can encode this information (what we have in l2)
19:18:41 addison: these fields shown to users when?
19:19:07 agl: on fresh sign in, browser shows strings from security key to user, as name of account
19:19:17 addison: so they do need to be human-readable
19:19:27 agl: the names come from a website
19:20:14 ... as in, "here's an account called Alice"
19:20:36 johnbradley: 2 strings, a friendly name and an account identifier
19:21:12 elundberg: API also has website name and friendly name
19:21:53 addison: trying to get a sense of importance
19:22:03 ... of doing things with metadata
19:22:35 ... I can imagine things where it would be rendered incorrectly without language to select fonts, text direction
19:22:45 ... but ok to take time to get right
19:23:42 addison: I probably need to talk to our i18n WG
19:24:07 ... It would be good if we could disappear the existing text pending new text
19:24:24 ... we need to choose between add'l metadata with long lead time vs encodin in string
19:24:31 s/encodin/encoding/
19:24:45 addison: I'm in minority in WG proposing putting metadata at the end
19:24:52 ... so that's what's lost in truncation
19:25:08 ... others think putting metadata in front is right
19:25:13 agl: I agree with you
19:25:47 johnbradley: authenticators have fixed amount of storage, the more you allocate to identifiers, the fewer credentials you can have
19:27:27 agl: authenticators have fixed lengths
19:27:43 ... so have to reserve the max length
19:28:48 addison: serialization as in RDF...
19:29:01 agl: a marker at the end is useful too, so if that's missing, we know truncation has occurred
19:29:10 nadalin: timing?
19:29:34 addison: why don't we target 8 September for an update
19:29:47 nadalin: thanks, and if needed, we can reschedule
19:30:03 addison: any other questions on other issues?
19:30:53 Topic: Christiaan on WebAuthn for Payments
19:31:13 christiaan: and Stephen
19:32:01 -> Slides https://lists.w3.org/Archives/Public/public-webauthn/2021Aug/att-0129/_WebAuthn_WG_August_2021__Secure_Payment_Confirmation.pdf
19:32:28 [ smcgruer shows slides ^ ]
19:34:10 s/Christiaan on/Christiaan and Stephen on SPC,/
19:35:59 smcgruer_[EST]: motivation for https://github.com/w3c/webauthn/issues/1656
19:42:54 johnbradley: what's different about the payment context credential
19:43:11 smcgruer_[EST]: the difference is triggered by passing the payment extension
19:43:36 christiaan: it's a webauthn extension
20:00:14 [to be continued]
20:00:24 [adjourned]
20:06:44 rrsagent, draft minutes
20:06:44 I have made the request to generate https://www.w3.org/2021/08/25-webauthn-minutes.html wseltzer