W3C

- DRAFT -

WebAuthn WG

03 Nov 2021

Attendees

Present
jeffh, wseltzer, jfontana, akshay, davidturner, johnpascoe, raerivera, sbweeden, nina, davidwaite, agl, julienrossi, mikejones, timcappalli, selfissued, nsteele
Regrets
Nadalin
Chair
Fontana
Scribe
wseltzer


jfontana: report from TPAC meetings

jfontana: pull requests

jeffh: 1621 and 1674 look good to me
... others should review

sbweeden: 1621 looks close to me, waiting for a final review when emlun says it's ready

jfontana: awaiting input from emil

jeffh: nina and I have been collaborating on 1576

nina: worth your attention, it will be ready soon
... also look at companion PR on Credential Management

<jeffh> https://github.com/w3c/webappsec-credential-management/pull/155

nina: PR #155 in CredMan

agl: I filed a TAG review request on 1637

jfontana: over to issues
... 1679

agl: it's a correct observation

jeffh: we went around on this in the early development

jfontana: close?

agl: what's the worst that could happen? attacker learns all the details of the credential except its private key... and the site overwrites with same credential ID, user could interact with attacker account
... so don't overwrite
... I might write a note in the spec about it

jfontana: 1677

sbweeden: not a spec issue

<scribe> ... closed

jfontana: 1676

nsteele: I can respond

jfontana: 1673

sbweeden: I'll make a comment

jfontana: 1671

akshay: look again in 2 weeks

johnbradley: re iframe, a discussion in Apple bug tracker, with argumentation against using webauthn in iframe

johnpascoe: think we'll require storage access API permissions
... speaking for webkit

johnbradley: an additional dialog?

johnpascoe: additional dialog for cookies used cross-origin anyway
... per-site that embeds the iframe

dveditz: users don't necessarily know that a frame is there or what's in it

davidwaite: even login may be embedded in iframe

nsteele: we see that too
... fairly common

johnbradley: do we need to surface this if safari and firefox have behavior changes

dveditz: we're active in discussions of storage access API
... and expect to follow standards that are developed

agl: as I understand, not an API change, but a UI step

jeffh: can we talk about 1637?

https://github.com/w3c/webauthn/issues/1637

agl: wondering if Mozilla had thoughts on this issue

dveditz: working to gather those

jfontana: 1667

akshay: two problems with cross-origin authentication
... one, not considering all the authenticators out there
... two, unwanted prompt that could come from websites

timcappalli: this could be a way to make ephemeral keys for not syncing

jfontana: 1665?

jeffh: this comes from 1637, to break out the discussion
... a reminder to come back to this "glue"

jfontana: 1658

jeffh: we have a draft PR, needs review

agl: for blink process, I'll be sending an explainer to TAG for min pin length

<jeffh> minPinLength ctap extension spec text: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension

[adjourned]

Summary of Action Items

Summary of Resolutions

    [End of minutes]

    Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
    $Date: 2021/11/03 20:52:53 $