Meeting minutes
nadalin: F2F updates?
nsteele: CG members may be interested in participating
nadalin: please ask them to communicate with the chairs for a formal invitation to participate
timcappalli: please register so we can order food
nadalin: SPWG updates?
johnbradley: nothing relevant to us
nadalin: charter updates?
wseltzer: we extended the existing charter through April 30, aiming for a recharter before then
nadalin: Copyright license?
https://
nadalin: any thoughts from FIDO side?
… would like to hear their input
davidturner: I'll take that for consideration
PRs
nadalin: don't see emlun
https://
sbweeden: no problem with it
nadalin: any objections?
… good to go.
https://
matthewmiller: working on sbweeden's feedback
… would welcome more feedback
martinkreichgauer: I'll take a look
https://
timcappalli: incorporated most feedback
… open question: thinking a credential is single-device until backed up
… but @@
matthewmiller: I thought flag 3 could never change
timcappalli: if a multi-device credential never gets backed up, is it really multi-device
johnbradley: eligibility
timcappalli: is the distinction determiend by bit 3 or bit 4, sounds as though people are leaning toward bit 3
agl: I think bit 3
… don't complicate terminology to "aspiring multi-device"
nadalin: please review
https://
nadalin: what shall we do with JeffH's things?
agl: as JeffH has retired, I'll be taking over his items
… we're still interested in this
https://
nadalin: also waiting for recharter
agl: still interested
nadalin: Untriaged
… 1717
Martin: chrome wants to support remote desktop software in webauthn
… on a desktop or in a data-center
… think there's some general USB passthrough, and some webapps
sbweeden: what does that do for principle of user presence
martin: think it's reasonable in managed enterprise
johnbradley: the user still has to be present with the authenticator. the authenticator is on the remote computer
nsteele: this doesn't break anything to assume the authenticator is proximal to the user
agl: we do have concept of proximity to the user and device being signed in
… as it's already done in practice, bringing it safely to the web
johnbradley: need to assure appropriate permissions, not any website can proxy any RPID
martin: we're still developing explainer, appropriate mechanisms for user, managed enterprise opt in to this privilege
agl: we're experimenting internally, want to figure out how it can be enabled more broadly
johnbradley: are you targeting Level 3?
agl: it's flexible, we wanted to bring the explainer to the group's attention
… not to hold up the work
… informational explainer, should we throw it in the wiki and close the PR?
nadalin: close and move to the wiki
nadalin: 1706
https://
agl: if nina thinks it's a good idea, she's the one who knows most about them
sbweeden: I'd like akshay's review
Untriaged issues
https://
agl: we think it's user's choice, not RP's
matthewmiller: I wouldn't mind being able to limit
agl: in the consumer setting, users choose their authenticator
johnbradley: we'll have to communicate to RPs that "platform-only" may not be the correct choice
[further discussion of cable]
davidwaite: conditional mediation can help
[discussion of communication of platform updates]
nadalin: 1713
https://
agl: he's filed bugs asking for UI wording changes
nadalin: we'll discuss again
[adjourned]