19:01:05 <RRSAgent> RRSAgent has joined #webauthn
19:01:10 <RRSAgent> logging to https://www.w3.org/2023/05/03-webauthn-irc
19:01:18 <Zakim> Zakim has joined #webauthn
19:01:22 <Ian> Ian has joined #webauthn
19:01:33 <plh> agenda+ PWG Update (John B.)
19:01:42 <plh> agenda+ Discussion on F2F at TPAC (TPAC 2023)
19:01:49 <Ian> present+
19:01:54 <plh> agenda+ Discussion with the WebPayments WG
19:02:05 <plh> agenda+ L3 WD01 open pull requests and open issues
19:02:09 <plh> present+
19:02:21 <plh> me zakim, who's present?
19:03:35 <dwaite> dwaite has joined #webauthn
19:03:37 <dwaite> present+
19:03:47 <dwaite> dwaite has left #webauthn
19:03:51 <steele> present+
19:04:57 <pascoe> pascoe has joined #webauthn
19:05:13 <dwaite> dwaite has joined #webauthn
19:05:23 <pascoe> present+
19:05:32 <dwaite> present+
19:05:59 <plh> present+ Abigail, Adam, Akshay, Anders, David_Turner, Jason, Kevin, Tim, Yusi
19:06:17 <smcgruer_[EST]> present+
19:06:30 <plh> plh has changed the topic to: Agenda: https://www.w3.org/events/meetings/b6fdbc8a-3ec8-4127-ab9a-42bc23037ea4/20230503T150000
19:06:48 <plh> Topic: Payments Working Group
19:07:24 <abigailf_> abigailf_ has joined #webauthn
19:07:27 <steele> Stephen Mcgruer and Ian Jacobs from the Secure Payments Working Group checking in
19:07:37 <plh> scribe: steele
19:07:53 <plh> subtopic: Register SPC-related WebAuthn extensions in IANA registry
19:08:24 <steele> A Payments extension and bit addition in CTAP
19:08:43 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/220
19:08:57 <steele> Topic number 1: Wanted to discuss how to implement this webauthn extension with the working group
19:09:02 <plh> --> https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration WebAuthn Extension - "payment"
19:09:03 <Ian> smcgruer_[EST]: The 'payment' extension is "client-side"
19:09:45 <steele> Tony: is Apple planning to implement?
19:10:29 <steele> Ian: Apple has expressed growing interest in SPC and has requested a charter change that would allow Apple to join the group, this would give us a clearer answer to this question
19:10:49 <matthewmiller> matthewmiller has joined #webauthn
19:10:54 <steele> Tony: Has FIDO has already implemented this extension?
19:11:21 <steele> Ian: The CTAP revision has an addition of the cross-origin bit, and this is partly implemented in android and chromium
19:11:36 <steele> John Bradley: Contained in CTAP 2.2 Draft
19:12:33 <steele> Ian: There may be multiple ways to answer this- there may be multiple ways to declare and extension "registered". Interested in "registering" this bit with IANA, and interested in hearing anyone who's gone through IANA registration
19:13:11 <steele> Tony & John: This is the first extension (outside of CTAP) that defines a WebAuthn extension not in these other specs
19:13:43 <steele> AGL: The IANA registry is an open standard and you can email the secretary and say "please register this"
19:14:12 <steele> PHL: Is this the step? There's no additional steps for review and registration?
19:14:17 <Ian> https://www.iana.org/assignments/webauthn/webauthn.xhtml
19:14:41 <plh> [[
19:14:41 <plh> Registration requests can be made by following the instructions located there or by sending an email to the webauthn-reg-review@ietf.org mailing list.
19:14:42 <plh> ]]
19:15:27 <steele> AGL + John: It says that Mike Jones and another expert are the experts for IANA, they may contact these experts to "sanity check" a registration request. They have an expert review classification but that's not what is needed here
19:16:29 <steele> Ian discussing the IANA registry page for WebAuthn (URL linked above)
19:16:50 <steele> Topic 2: Does the reference specification need to be a certain status before registration? Before CR?
19:17:15 <steele> PLH: I recommend CR before registration
19:17:38 <steele> ACTION: John Bradley to put Ian Jacobs in touch with Mike Jones
19:17:47 <Ian> https://www.rfc-editor.org/rfc/rfc8809.html
19:18:02 <plh> --> https://www.rfc-editor.org/rfc/rfc8809.html#name-registering-attestation-sta 2.1.1. Registering Attestation Statement Format Identifiers
19:18:02 <steele> Tony: Are you looking for additions/documentations in our spec?
19:18:06 <steele> to Ian
19:18:31 <steele> Ian: we wanted to coordinate as to now "run afoul" of the working group. Mostly wanted to figure out if there was best practices here.
19:18:40 <steele> PLH: You don't need us to register this
19:19:18 <steele> John Bradley: There's more coordination in the CTAP working group regarding this. The bit documentation should happen in CTAP
19:19:56 <steele> ... Once you register this, there needs to be additional documentation on requesting responding with this bit, most likely in CTAP
19:20:02 <Ian> https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-thirdPartyPayment-extension
19:20:25 <steele> Ian and Stephen to move forward registering the client-side payment extension.
19:20:48 <steele> Ian: what of the extensions being added needs to be in Web Authentication?
19:21:04 <steele> John Bradley: No need to register anything in WebAuthn
19:23:49 <steele> Action: the web payments working group will register the payments extension as defined by SPC. When CTAP 2.2 matures, the SPWG will discuss registering the CTAP-dependent.
19:24:22 <steele> Tony: if (SWPG) you're headed to publication, you'll need to show interoperability of this extension
19:24:41 <steele> The SPWG is working on this
19:25:11 <plh> subtopic: Any news on WebAuthn L3 worth mentioning to Payments folks?
19:25:12 <steele> subtopic: General Questions from SPWG to WAWG
19:26:37 <Ian> Ian: Should we remove special cross-origin create feature from SPC (cf WebAuth 1801)
19:26:52 <steele> We're trying to work closely against creating divergent features. The bit in CTAP if standardized gives us a different way to manage our homegrown special extension. Stephen has been working on a cross-origin PR in WebAuthn #1801. Should we remove our special cross-origin create?
19:27:16 <steele> John Bradley: I'm not sure the two features overlap completely
19:27:39 <steele> ... I wouldn't assume that we don't have any need for the SPC special extension
19:28:30 <smcgruer_[EST]> https://github.com/w3c/webappsec-credential-management/pull/209
19:28:49 <steele> Tony: We're not the only ones that are stewards of this
19:28:55 <steele> Stephen posts the link above
19:30:05 <steele> This deviates from what we have in WebAuthn: the first was allowing creation in a cross origin i-frame, at least for user agents. The other thing we do is a number of checks on the authenticator, different than WebAuthn. We only support platform authenticators right now
19:30:27 <dveditz> dveditz has joined #webauthn
19:31:25 <steele> sub-topic: Roaming Authenticators - SPC would like to support RA. When discussed at TPAC last fall we discussed UX/I around RA. Wanted to know if there were any updates to RA support.
19:31:50 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/12
19:31:50 <steele> John Bradley: Yes there should be ongoing additions in CTAP2.2
19:33:09 <steele> John: There are still potentially some gaps around how cable plays into roaming authenticators. Need to discuss with AGL
19:33:51 <steele> Ian: If what I'm hearing is that it will "just work" at some point then we'll push forward assuming support, and update when the feature is available for SPC.
19:34:00 <steele> ... Do you know when this might be available?
19:34:05 <steele> AGL: No timeline
19:34:30 <steele> Ian asking if the group is ok with SPC having a limitation to platform authenticators
19:34:57 <steele> AGL: There are a variety of authenticators and it is independent of WAWG what is supported
19:36:32 <steele> Stephen: In a world where a user might have a security key for a credential, and we're unable to discover whether a credential does or doesnt exist on a roaming authenticator, how do we solve this? This is probably up to the SPWG
19:37:29 <steele> Discussion around how SPC could solve some of the UX issues where mediated/conditional UI and modals are unavailable
19:38:51 <steele> Discussions around limitations in CTAP/WebAuthn around ability to infer the type/transport of authenticators availible to the client
19:39:40 <steele> sub-topic: What's new with passkeys and how might they affect SPC?
19:39:45 <steele> Time permitting
19:40:21 <steele> Sidebar - Tony: Are we meeting at TPAC?
19:40:25 <steele> Ian: yes on Tuesday
19:40:54 <plh> s/Are we/Is Web Payments/
19:40:57 <steele> Dan Veditz: Mozilla is worried that additions could be made that could fingerprint the user via the authenticator
19:41:29 <steele> Ian: There is dialogue for the user authorizing identifying actions
19:41:50 <steele> Dan Veditz sidebar: w3c meetings will soon lose the use of MIT-sponsored conference hosting such as the mit.webex.com meeting link we're using right now. Chairs need to figure out where we move in the next couple of weeks
19:42:01 <steele> Back to topic
19:42:47 <steele> Ian: SPC has an open issue around how passkeys might affect the SPC API. There have been many ongoing conversations we've been casually watching, but wanted to ask the WG directly
19:43:00 <steele> Tony: are you wanting the payments extension to work with passkeys?
19:43:02 <steele> Ian: yes
19:44:00 <steele> John: Seeing that it works with all platform authenticators and all platform authenticators are essentially passkeys, then the answer is yes. The question should be refined to: is everyone cool with multi-device passkeys that can be shared with 3rd parties and how do we communicate that?
19:44:36 <steele> ... When doing a an assertion, are there additional pieces of information that need to be considered? hasn't yet been discussed in FIDO WGs
19:44:54 <steele> David Turner: regulators might not like some of the data transportability
19:45:37 <steele> Ian: if there are parameters that become available to 3rd parties regarding which authenticators that may be allowed, that might not be allowed. What we're hearing is the conversations are still ongoing
19:45:46 <steele> John: These new parameters are still in flux
19:46:18 <steele> Ian: So there's data/possible parameters in the assertion that might be important to SPC?
19:46:37 <steele> John: There shouldn't be anything that's an obstacle
19:46:49 <steele> Tim: there's no new parameters proposed that would effect you so far
19:47:12 <steele> Ian: Yes we're just watching right now. We'll check in again in a few months (at TPAC)
19:47:26 <steele> SPWG is interested in meeting with WAWG on Monday or Tuesday at TPAC
19:47:59 <steele> Big thanks to Ian Jacobs and Stephen McGruer for dropping by
19:48:08 <plh> --> https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000 May 17
19:49:16 <steele> PLH has linked to the new meeting invite, this will replace the Webex link as the W3C moves off MIT-sponsored software
19:49:25 <plh> --> https://www.w3.org/users/myprofile/calendar W3C calendar
19:50:01 <steele> Not using Jitsi Meet due to lack of phone support
19:50:07 <steele> The meeting link will remain static
19:50:44 <steele> Tony: half the group showed interest in meeting at TPAC (as per the RSAC F2F meeting results)
19:51:37 <steele> chair: any objection to scheduling a TPAC F2F?
19:51:41 <jasocai> jasocai has joined #webauthn
19:51:42 <steele> none
19:52:08 <steele> ACTION: Chair to schedule F2F meeting at TPAC and coordinate with SPWG for join session
19:52:23 <steele> Topic: Pull Requests and Issues
19:52:30 <steele> AGL: #1878
19:52:54 <steele> If the results of the F2F discussion still hold, I will update this to nullable
19:53:10 <steele> M2: I am happy with this, but if there's any pushback let me know.
19:53:41 <steele> AGL: This PR needs to be changed. These JSON fields become optional and NOT nullable with these changes
19:54:03 <steele> Action: AGL to update #1878, Matt Miller (M2) to approve
19:54:24 <steele> PLH side-bar: Zoom for future calls: https://us02web.zoom.us/j/86300730761?pwd=U2NpYzFYbmpDTHdiMkNpK3Y0SkQ0UT09
19:54:30 <steele> #1855
19:54:57 <steele> https://github.com/w3c/webauthn/pull/1855 Recommend duration of challenge validity
19:55:07 <steele> Currently blocked
19:55:34 <steele> https://github.com/w3c/webauthn/pull/1774 UV Guidance
19:55:36 <plh> s/PLH side-bar: Zoom for future calls: https://us02web.zoom.us/j/86300730761?pwd=U2NpYzFYbmpDTHdiMkNpK3Y0SkQ0UT09//
19:56:19 <steele> Emil: this is ready to go
19:56:30 <steele> ... We have approval from Ackshay and Tim on this
19:56:36 <steele> Chair: issues with merging?
19:56:37 <steele> non
19:56:41 <steele> s/non
19:56:43 <steele> none
19:57:02 <steele> https://github.com/w3c/webauthn/pull/1880 Add authenticatorDisplayName to credProps
20:00:02 <steele> M2: worried about people abusing the credential display name
20:00:27 <steele> Nick Steele against, display name should be presented at the discretion of the RP
20:01:04 <plh> rrsagent, generate minutes
20:01:05 <RRSAgent> I have made the request to generate https://www.w3.org/2023/05/03-webauthn-minutes.html plh
20:03:36 <plh> Meeting: Web Authentication
20:03:43 <plh> Chair: Tony
20:03:48 <plh> rrsagent, generate minutes
20:03:49 <RRSAgent> I have made the request to generate https://www.w3.org/2023/05/03-webauthn-minutes.html plh
20:04:54 <dveditz> If you've subscribed to the team calendar your devices probably already show the new meeting info for next week
20:05:23 <plh> plh has changed the topic to: **New Zoom Room on May 17** See https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000
20:44:54 <steele> steele has joined #webauthn
20:52:48 <Ian> Ian has left #webauthn
20:52:49 <steele> steele has joined #webauthn
20:59:04 <steele> steele has joined #webauthn
21:08:42 <steele> steele has joined #webauthn
21:33:36 <steele> steele has joined #webauthn
22:04:20 <steele> steele has joined #webauthn
23:10:43 <steele> steele has joined #webauthn