Meeting minutes
* thank you
<wseltzer> nadalin: Week of June 6, RSA, considering a Thurs/Fri F2F
tony: Tim will take on finding meeting spot in SF
tony: nothing new on the charter
… open pull requests.
https://
JeffH: added verification, need some responses
https://
jeffH: conditional UI. nominally ready to go. waiting on review. it is feature complete
… still waiting for reviews, but comments are pending.
tony: have some triage
https://
timC: this addresses some feedback coming in on multi-device credentials
… some assurance the cred is backed up
… bit 3 is static, bit 4 can change
akshay: we will soon have back-up.
timC: soon flag still requires a check for backup
agl: if msft does not need that 4th state can it go?
shane: less states is better
jBradley: we need to be specific in the validation.
shane: 7.2 is where we should look.
timC: this is meant to guide users
… it is not designating what the key can do
jbradley: we could have another approach
… could force authenticators to have multiple AAGUIDs.
shane: an appealing pattern for RPs, provides options
akshay: looking if it can be backed up or not
timc: should we be more explicit that it's not a security property?
shane: it is something RPs want to know
timC: not just on the RP side, the user can decide what to do
jeffH: what is the model we are talking about
… bit 3 is it capable of being a single status
… yes
jbradley: imagine RPs will make diff decisions depending on what comes back.
nickS: think vast majority of RPs will not evaluate this.
jbradley: that could be true
timC: I will work on this in the section
… 7.2
tony: we have a couple of un-triaged issues.
https://
jeffH: M.jones said he would do this.
https://
jbradley: appears safari on ios and OSx there are attestation issues
… outcome is you don't get a credential made.
… could be issues for RPs
agl: that reflects my understanding. is this an apple bug?
jbradley: were we too vague in the spec?
… need to be explicit
… in CTAP can't ask for an attestation type
<dwaite> WebKit issue @ https://
agl: perhaps add wording.
jbradley: OK. I will work on this and talk to apple
jbradley: I will write the PR
https://
jbradley: not planning on sync for non-discoverable creds
agl: that is right
agl: our guidance will be to request discoverable creds.
https://
agl: this is deleting
tony: yes
jbradley: we have said no to this in the past
tony: any new insight?
agl: new API for deletion; prescriptive
agl: having channel at RP to send something back.
timC: concepts are there, but we should be open to some of this
agl: don't want users to get locked out.