Web Authentication

03 May 2023


Abigail, Adam, Akshay, Anders, David_Turner, dwaite, Ian, Jason, Kevin, pascoe, plh, smcgruer_[EST], steele, Tim, Yusi

Meeting minutes

<plh> me zakim, who's present?

Payments Working Group

Stephen Mcgruer and Ian Jacobs from the Secure Payments Working Group checking in

Register SPC-related WebAuthn extensions in IANA registry

A Payments extension and bit addition in CTAP

<Ian> w3c/secure-payment-confirmation#220

Topic number 1: Wanted to discuss how to implement this webauthn extension with the working group

<plh> WebAuthn Extension - "payment"

<Ian> smcgruer_[EST]: The 'payment' extension is "client-side"

Tony: is Apple planning to implement?

Ian: Apple has expressed growing interest in SPC and has requested a charter change that would allow Apple to join the group, this would give us a clearer answer to this question

Tony: Has FIDO has already implemented this extension?

Ian: The CTAP revision has an addition of the cross-origin bit, and this is partly implemented in android and chromium

John Bradley: Contained in CTAP 2.2 Draft

Ian: There may be multiple ways to answer this- there may be multiple ways to declare and extension "registered". Interested in "registering" this bit with IANA, and interested in hearing anyone who's gone through IANA registration

Tony & John: This is the first extension (outside of CTAP) that defines a WebAuthn extension not in these other specs

AGL: The IANA registry is an open standard and you can email the secretary and say "please register this"

PHL: Is this the step? There's no additional steps for review and registration?

<Ian> https://www.iana.org/assignments/webauthn/webauthn.xhtml

<plh> Registration requests can be made by following the instructions located there or by sending an email to the webauthn-reg-review@ietf.org mailing list.

AGL + John: It says that Mike Jones and another expert are the experts for IANA, they may contact these experts to "sanity check" a registration request. They have an expert review classification but that's not what is needed here

Ian discussing the IANA registry page for WebAuthn (URL linked above)

Topic 2: Does the reference specification need to be a certain status before registration? Before CR?

PLH: I recommend CR before registration

ACTION: John Bradley to put Ian Jacobs in touch with Mike Jones

<Ian> https://www.rfc-editor.org/rfc/rfc8809.html

<plh> 2.1.1. Registering Attestation Statement Format Identifiers

Tony: Are you looking for additions/documentations in our spec?

to Ian

Ian: we wanted to coordinate as to now "run afoul" of the working group. Mostly wanted to figure out if there was best practices here.

PLH: You don't need us to register this

John Bradley: There's more coordination in the CTAP working group regarding this. The bit documentation should happen in CTAP
… Once you register this, there needs to be additional documentation on requesting responding with this bit, most likely in CTAP

<Ian> https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-thirdPartyPayment-extension

Ian and Stephen to move forward registering the client-side payment extension.

Ian: what of the extensions being added needs to be in Web Authentication?

John Bradley: No need to register anything in WebAuthn

ACTION: the web payments working group will register the payments extension as defined by SPC. When CTAP 2.2 matures, the SPWG will discuss registering the CTAP-dependent.

Tony: if (SWPG) you're headed to publication, you'll need to show interoperability of this extension

The SPWG is working on this

Any news on WebAuthn L3 worth mentioning to Payments folks?

General Questions from SPWG to WAWG

<Ian> Ian: Should we remove special cross-origin create feature from SPC (cf WebAuth 1801)

We're trying to work closely against creating divergent features. The bit in CTAP if standardized gives us a different way to manage our homegrown special extension. Stephen has been working on a cross-origin PR in WebAuthn #1801. Should we remove our special cross-origin create?

John Bradley: I'm not sure the two features overlap completely
… I wouldn't assume that we don't have any need for the SPC special extension

<smcgruer_[EST]> w3c/webappsec-credential-management#209

Tony: We're not the only ones that are stewards of this

Stephen posts the link above

This deviates from what we have in WebAuthn: the first was allowing creation in a cross origin i-frame, at least for user agents. The other thing we do is a number of checks on the authenticator, different than WebAuthn. We only support platform authenticators right now

Roaming Authenticators - SPC would like to support RA. When discussed at TPAC last fall we discussed UX/I around RA. Wanted to know if there were any updates to RA support.

<Ian> w3c/secure-payment-confirmation#12

John Bradley: Yes there should be ongoing additions in CTAP2.2

John: There are still potentially some gaps around how cable plays into roaming authenticators. Need to discuss with AGL

Ian: If what I'm hearing is that it will "just work" at some point then we'll push forward assuming support, and update when the feature is available for SPC.
… Do you know when this might be available?

AGL: No timeline

Ian asking if the group is ok with SPC having a limitation to platform authenticators

AGL: There are a variety of authenticators and it is independent of WAWG what is supported

Stephen: In a world where a user might have a security key for a credential, and we're unable to discover whether a credential does or doesnt exist on a roaming authenticator, how do we solve this? This is probably up to the SPWG

Discussion around how SPC could solve some of the UX issues where mediated/conditional UI and modals are unavailable

Discussions around limitations in CTAP/WebAuthn around ability to infer the type/transport of authenticators availible to the client

What's new with passkeys and how might they affect SPC?

Time permitting

Sidebar - Tony: Is Web Payments meeting at TPAC?

Ian: yes on Tuesday

Dan Veditz: Mozilla is worried that additions could be made that could fingerprint the user via the authenticator

Ian: There is dialogue for the user authorizing identifying actions

Dan Veditz sidebar: w3c meetings will soon lose the use of MIT-sponsored conference hosting such as the mit.webex.com meeting link we're using right now. Chairs need to figure out where we move in the next couple of weeks

Back to topic

Ian: SPC has an open issue around how passkeys might affect the SPC API. There have been many ongoing conversations we've been casually watching, but wanted to ask the WG directly

Tony: are you wanting the payments extension to work with passkeys?

Ian: yes

John: Seeing that it works with all platform authenticators and all platform authenticators are essentially passkeys, then the answer is yes. The question should be refined to: is everyone cool with multi-device passkeys that can be shared with 3rd parties and how do we communicate that?
… When doing a an assertion, are there additional pieces of information that need to be considered? hasn't yet been discussed in FIDO WGs

David Turner: regulators might not like some of the data transportability

Ian: if there are parameters that become available to 3rd parties regarding which authenticators that may be allowed, that might not be allowed. What we're hearing is the conversations are still ongoing

John: These new parameters are still in flux

Ian: So there's data/possible parameters in the assertion that might be important to SPC?

John: There shouldn't be anything that's an obstacle

Tim: there's no new parameters proposed that would effect you so far

Ian: Yes we're just watching right now. We'll check in again in a few months (at TPAC)

SPWG is interested in meeting with WAWG on Monday or Tuesday at TPAC

Big thanks to Ian Jacobs and Stephen McGruer for dropping by

<plh> May 17

PLH has linked to the new meeting invite, this will replace the Webex link as the W3C moves off MIT-sponsored software

<plh> W3C calendar

Not using Jitsi Meet due to lack of phone support

The meeting link will remain static

Tony: half the group showed interest in meeting at TPAC (as per the RSAC F2F meeting results)


ACTION: Chair to schedule F2F meeting at TPAC and coordinate with SPWG for join session

Pull Requests and Issues

AGL: #1878

If the results of the F2F discussion still hold, I will update this to nullable

M2: I am happy with this, but if there's any pushback let me know.

AGL: This PR needs to be changed. These JSON fields become optional and NOT nullable with these changes

ACTION: AGL to update #1878, Matt Miller (M2) to approve



w3c/webauthn#1855 Recommend duration of challenge validity

Currently blocked

w3c/webauthn#1774 UV Guidance

Emil: this is ready to go
… We have approval from Ackshay and Tim on this




w3c/webauthn#1880 Add authenticatorDisplayName to credProps

M2: worried about people abusing the credential display name

Nick Steele against, display name should be presented at the discretion of the RP

Summary of action items

  1. John Bradley to put Ian Jacobs in touch with Mike Jones
  2. the web payments working group will register the payments extension as defined by SPC. When CTAP 2.2 matures, the SPWG will discuss registering the CTAP-dependent.
  3. Chair to schedule F2F meeting at TPAC and coordinate with SPWG for join session
  4. AGL to update #1878, Matt Miller (M2) to approve
Minutes manually created (not a transcript), formatted by scribe.perl version 210 (Wed Jan 11 19:21:32 2023 UTC).


Succeeded: s/Are we/Is Web Payments/

Succeeded: s/PLH side-bar: Zoom for future calls: https://us02web.zoom.us/j/86300730761?pwd=U2NpYzFYbmpDTHdiMkNpK3Y0SkQ0UT09//

Maybe present: AGL, Emil, John, M2, PHL, Stephen, Tony

All speakers: AGL, Emil, Ian, John, M2, PHL, PLH, Stephen, Tim, Tony

Active on IRC: dwaite, Ian, pascoe, plh, smcgruer_[EST], steele