W3C

– DRAFT –
Web Authentication WG

06 April 2022

Attendees

Present
agl, andrebuttner, davidturer, davidwaite, emlun, johnbradley, johnpascoe, martinkreichgauer, matthewmiller, nadalin, nsteele, sbweeden, timcappalli, wseltzer
Regrets
-
Chair
Fontana, Nadalin
Scribe
wseltzer

Meeting minutes

nadalin: F2F updates?

nsteele: CG members may be interested in participating

nadalin: please ask them to communicate with the chairs for a formal invitation to participate

timcappalli: please register so we can order food

nadalin: SPWG updates?

johnbradley: nothing relevant to us

nadalin: charter updates?

wseltzer: we extended the existing charter through April 30, aiming for a recharter before then

nadalin: Copyright license?

https://github.com/w3c/webauthn/issues/1705

nadalin: any thoughts from FIDO side?
… would like to hear their input

davidturner: I'll take that for consideration

PRs

nadalin: don't see emlun

https://github.com/w3c/webauthn/pull/1704

sbweeden: no problem with it

nadalin: any objections?
… good to go.

https://github.com/w3c/webauthn/pull/1703

matthewmiller: working on sbweeden's feedback
… would welcome more feedback

martinkreichgauer: I'll take a look

https://github.com/w3c/webauthn/pull/1695

timcappalli: incorporated most feedback
… open question: thinking a credential is single-device until backed up
… but @@

matthewmiller: I thought flag 3 could never change

timcappalli: if a multi-device credential never gets backed up, is it really multi-device?

johnbradley: eligibility

timcappalli: is the distinction determined by bit 3 or bit 4? sounds as though people are leaning toward bit 3

agl: I think bit 3
… don't complicate terminology to "aspiring multi-device"

nadalin: please review

https://github.com/w3c/webauthn/pull/1663

nadalin: what shall we do with JeffH's things?

agl: as JeffH has retired, I'll be taking over his items
… we're still interested in this

https://github.com/w3c/webauthn/pull/1576

nadalin: also waiting for recharter

agl: still interested

nadalin: Untriaged
… 1717

Martin: Chrome wants to support remote desktop software in webauthn
… on a desktop or in a data-center
… think there's some general USB passthrough, and some webapps

sbweeden: what does that do for the principle of user presence?

martin: think it's reasonable in managed enterprise

johnbradley: the user still has to be present with the authenticator. the authenticator is on the remote computer

nsteele: this doesn't break anything to assume the authenticator is proximal to the user

agl: we do have concept of proximity to the user and device being signed in
… as it's already done in practice, bringing it safely to the web

johnbradley: need to assure appropriate permissions, not any website can proxy any RPID

martin: we're still developing explainer, appropriate mechanisms for user, managed enterprise opt in to this privilege

agl: we're experimenting internally, want to figure out how it can be enabled more broadly

johnbradley: are you targeting Level 3?

agl: it's flexible, we wanted to bring the explainer to the group's attention
… not to hold up the work
… informational explainer, should we throw it in the wiki and close the PR?

nadalin: close and move to the wiki

nadalin: 1706

https://github.com/w3c/webauthn/pull/1706

agl: if nina thinks it's a good idea, she's the one who knows most about them

sbweeden: I'd like akshay's review

Untriaged issues

https://github.com/w3c/webauthn/issues/1716

agl: we think it's user's choice, not RP's

matthewmiller: I wouldn't mind being able to limit

agl: in the consumer setting, users choose their authenticator

johnbradley: we'll have to communicate to RPs that "platform-only" may not be the correct choice

[further discussion of cable]

davidwaite: conditional mediation can help

[discussion of communication of platform updates]

nadalin: 1713

https://github.com/w3c/webauthn/issues/1713

agl: he's filed bugs asking for UI wording changes

nadalin: we'll discuss again

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).

Maybe present: davidturner, Martin