19:00:03 RRSAgent has joined #webauthn
19:00:03 logging to https://www.w3.org/2021/09/08-webauthn-irc
19:00:06 RRSAgent, make logs Public
19:00:06 Meeting: Web Authentication WG
19:01:59 wseltzer has changed the topic to: 8 September
19:02:12 Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2021Sep/0010.html
19:02:15 wseltzer has changed the topic to: 8 September: https://lists.w3.org/Archives/Public/public-webauthn/2021Sep/0010.html
19:02:43 matthewmiller has joined #webauthn
19:02:47 present+
19:03:07 Hmm, that's not it
19:03:35 nsteele has joined #webauthn
19:03:41 present+
19:04:04 jfontana_ has joined #webauthn
19:04:13 present+
19:05:13 wendy: still under review for new charter
19:05:39 tony: Pull requests
19:05:53 https://github.com/w3c/webauthn/pull/1664
19:06:03 elundberg has joined #webauthn
19:06:06 tony: has approval by reviewers. we can merge this?
19:06:13 agl: I don't think we should rush
19:06:15 nina has joined #webauthn
19:06:20 ...some open questions
19:06:48 tony: let it hang
19:07:05 agl: what should it be, should it be less than 1024
19:07:29 selfissue: I agree it should be less
19:07:33 agl: I will make the change.
19:07:47 ...I will update and we can revisit
19:07:55 tony: self issue will review
19:08:04 selfissue: yes. with comment
19:08:44 present+
19:09:01 agl: we need to define it, or someone else will
19:10:44 shane: I have come across where the number is bigger
19:10:59 ...very anecdotal, I don't have data
19:11:27 akshay: I will look from MSFT side
19:11:32 ...microsoft
19:11:59 mattM: I left a comment, maybe needs followup
19:12:08 agl: will revisit in a couple of weeks
19:12:18 https://github.com/w3c/webauthn/pull/1668
19:13:33 Zach: main reason is if site wants to use caBLE and the site realizes other transport options
19:13:47 ...user can switch to other transport from caBLE.
19:13:59 tony: akshay have you looked at it.
19:14:03 akshay: no
19:14:12 tony: emil have you looked at it.
19:14:48 elundberg: are you looking for list of transports
19:14:53 agl: how do we get that
19:15:07 elundberg: from registration
19:15:14 agl: what is the use case of a full list
19:16:08 mattM: is this for RP to know when to prompt user to enroll a platform authenticator when available.
19:17:08 ...feels strange. can they rely on only transports. there is divergence.
19:17:36 agl: in the end the goal is to do smarter things.
19:17:49 ...difference in design comes in difference of goal
19:18:50 elundberg: can you tell which transport to use.
19:19:48 shane: why attestation responses are a bunch of methods, where assertion you just access the data
19:19:53 agl: it is web IDL rules.
19:22:10 shane: I will open an issue and wait for a response.
19:23:29 shane: well I do understand use case. I am OK here
19:23:50 tony: shane can review
19:23:53 shane: yes
19:24:29 https://github.com/w3c/webauthn/pull/1663
19:25:21 lundberg: still some issues. some open discussions
19:25:41 https://github.com/w3c/webauthn/pull/1660
19:25:56 selfissued has joined #webauthn
19:26:02 present+
19:29:11 tony: Stephen McGruer to talk about SPC Secure Payment Confirmation
19:29:18 ...from Google
19:30:37 akshay: why do we want to go beyond SPC.
19:30:49 ... I can control the authentication.
19:31:05 ...with this there will be a pop-up.
19:31:30 ...i think all these have to be ok for platform and security keys
19:31:36 ...user experience is a big deal for us.
19:31:59 ...I want to keep the existing control. so no one can ask for creds on my site.
19:32:10 ...can RP opt into these behaviors?
19:32:56 ...the three levels. me as RP controls WebAuthn. second with iFrame. three can go cross origin.
19:33:05 ...how do we do this?
19:33:23 ...I am slightly concerned about user experience
19:33:41 ...we still want to claim phishing resistance
19:34:33 Christiaan: everything that works on the web, works with iFrames
19:34:43 ...web authn credentials work fine in an iFrame
19:35:07 ...I don't care about being embedded in iFrame all the time. we have said SPC can do some logic and credential time.
19:35:19 ...it is an extension you set for how credential is used.
19:35:52 ...akshay it sounds if we have opt out we should be good to proceed
19:36:18 akshay: yes. there should not be any UI that comes up from RP. you have to opt in
19:38:26 christiaan: this is only about internal keys. no other transport, but we could react that
19:38:52 ...we could react to that.
19:39:12 akshay: I am not comfortable to say we can figure it out now.
19:40:00 christiaan: if there is something available in browser, then you can use it. we are not talking about all transports
19:41:04 akshay: we still have reservations, what credential you use
19:41:28 christiaan: given complexity, what we are planning to ship, we are not bringing in physical keys right now
19:41:44 elundberg: if we do this layer, is it possible to support later.
19:41:46 ?
19:42:36 ...it may end up that we can't support external keys in the future. we need to consider that design
19:42:57 christiaan: two things here. can you exercise credential in third party context.
19:43:14 ...applies internal and external keys. that is out of scope of webauthn
19:43:51 ...other; if we don't know about credential, in this case how do we prohibit browser to ask users to plug in security key
19:44:28 ...this brings in complexity.
19:45:38 sMcGruer: can't plug in authenticator because the browser does not know it
19:46:42 ...we want to interrogate the credential in some way later
19:47:09 christiaan: external case is lots of complexity, we have not had ask for that yet
19:48:16 akshay: we need to think through this. the user experience and phishing - we have to design for the future and it may be acceptable there.
19:48:26 christiaan: this will involve CTAP
19:49:26 ...we are going ahead with our launch with the internal keys. we can talk external later.
19:49:39 tony: circle about this after the in-person FIDO meeting.
19:51:27 https://github.com/w3c/webauthn/pull/1621
19:51:39 tony: this is emil
19:52:16 tony: a few untriaged issues
19:52:37 https://github.com/w3c/webauthn/issues/1666
19:53:05 Zach: not ready
19:53:30 https://github.com/w3c/webauthn/pull/1660
19:53:36 tony: waiting for this to get done
19:54:30 https://github.com/w3c/webauthn/issues/1657
19:54:51 elundberg: I have not asked for review yet
19:55:44 tony: in two weeks we will talk with internationalization folks.
19:56:19 q+
19:56:52 ...please look at the PRs #1664 #1643 #1642 #1646 for the Sept. 22 meeting
19:57:46 q+
19:59:27 tony: for TPAC, they want to talk about Web Payments, they have scheduled a meeting. Any reason not to schedule with Web Payments group.
20:00:17 ...two hours each day.
20:00:50 ...this is our off week.
20:00:56 ...for web authn group
20:01:06 ...it would be 8am in morning
20:01:12 ...eastern time
20:38:03 rrsagent, draft minutes
20:38:03 I have made the request to generate https://www.w3.org/2021/09/08-webauthn-minutes.html wseltzer
20:38:11 chair: Nadalin, Fontana
20:38:15 rrsagent, draft minutes
20:38:15 I have made the request to generate https://www.w3.org/2021/09/08-webauthn-minutes.html wseltzer
22:02:22 Zakim has left #webauthn