Meeting minutes
Preparing for remote meeting
https://
What topics to bring forward?
John: WebAuthn has competing opinions on cross-origin.
… what is the mechanism by which the relying party mints a credential so that it may later be used cross-origin.
… what we have now is suitable for an experiment but is probably not the right long-term solution
… at least being able to use these cross-origin credentials cross-browser.
… also enabling these credentials on roaming authenticators would be good
https://
For issue 128, one question is whether user activation required for FIDO/SPC on registration
John: Is this user activation coming from a particular browser behavior?
Stephen: The concern with cross-origin credential is for any iframe creating a tracking credential
… just because it can come from an iframe it's not unreasonable to request a user activation
John: SPC doesn't specifically deal with cross-origin create; that's a webauthn thing
Stephen: But SPC does allow cross-origin create (on Chrome)
[Discussion of WebAuthn cross-origin registration in iframe]
Next meeting
18 October