W3C

– DRAFT –
WebAuthn Bi-Weekly

09 August 2023

Attendees

Present
AbigailF, AckshayKumar, AdamLangley, AndersAberg, DavidWaite, DavidWaiter, EmilLundberg, IanJacobs, IanJacobs (web payments), JohnBradley, JohnPascoe, KosukeKoiwai, MatthewMiller, MattMiller, MikeFist, MikeJones, NickSteele, PhilippeLeHegaret, selfissued, ShaneWeeden, TimCappalli, TonyEngland, TonyNadalin
Regrets
-
Chair
Tony Nadalin
Scribe
Nick Steele, soba

Meeting minutes

Adding meeting times

Discussion around adding 30 minutes to the existing Bi-Weekly meeting, or meeting on a weekly basis

Mike Jones: If we move to weekly, it will conflict with the Verifiable Credential Working Group, which is purposefully staggered to not conflict with WAWG

Discussion to move to weekly with different times

this seems to work for most

no objections

ACTION: Tony and Philippe to update calendar to account for weekly meetings with an hour (earlier) offset every 1 week

TPAC Joint Meeting Agenda

Ian Jacobs: The WG is meeting on Monday and Tuesday. When we last met in May, we discussed the following: https://lists.w3.org/Archives/Public/public-payments-wg/2023May/0008.html

Discussion of updates on the topics covered in May

John Grossar from Visa to discuss SPC and WebAuthn at TPAC possibly

IanJacobs: Wanted to discuss PSD3 (on Thurs) but the vibe we got is that EU is not immediately interested in discussion right now

Ian: Push payments fraud has been a topic of interest in the SPCWG lately

Ian: another topic is FedCM. I've reached out to chairs, because in some flows there are concerns around returning user recognition when cookies aren't present and in iframes

Ian: raising awareness in SPCWG about FedCM concerns, they're willing to show a demo at TPAC, everyone can attend at TPAC but maybe that's too many people

Ian: Bit of a brain dump on what agenda could be for Monday and Tuesday meetings

Tony: could be good to include CG in these meetings

Nick Steele and Matt Miller on call, can use CG timeslots on Monday and Tuesday to discuss some of this agenda

Tuesday afternoon seems like the best time for a joint meeting between the CG and WG groups

ACTION: Ian to find adequate meeting space

farewell, Ian Jacobs

Standard Agenda

w3c/webauthn#1938

Tim: there isn't anything novel in terms of arguments and generally negative sentiment (via emoji) for this PR

Discussion from Matt Miller on how this differs from existing inference methods and the definition of passkey.

Matt: It makes sense to have this match the Discoverable Key definition

Kosuke Koiwai posts a link to a FIDO internal document

Koiwai: This document outlines passkey definition, which is different

TimC: This is a technical document, and the messaging in this document, which is a marketing document, varies from what we want to technically define

JohnBradley: there are some differences between the marketing and technical definitions

AGL and John: Discoverable is mentioned in document, and for technical intent and purpose is synonymous with discoverable

MattM: Spec should become the source of truth for this, and currently developers will rely on technical docs like MDN

KosukeKoiwai: Google dev documents use the term passkey but then in the API, the use of passkey is not present

AGL: Which API?

Koiwai: Android API

API: We use the term passkey a lot, but we follow the API laid out by WebAuthn

Koiwai: I don't think defining passkey in W3C is good but am not interested in pushing on this

Currently the term passkey does not correspond to an existing reference, but the necessity should appear when another ongoing PR lands

Shane: rhetorically, why should we keep the term?

Steele: The W3C spec should be a source of truth for this term, and providing words that _allude_ to the use of the term passkey is more complex than not using the term passkey

ACTION: Steele to close #1939

Discussion around objections to remove the term passkey and how decisions are made on the standard (decisions are made on the call)

<plh> Tim will merge #1936 into #1923

ACTION: Tim will merge #1936 into #1923

ACTION: Matt to point w3c/webauthn#1936 to 1923

w3c/webauthn#1907

Matt: this is ready to merge and approved

Tony: any issues?

<matthewmiller> w3c/webauthn#1932

Tony: Shane's issues resolved?

Shane: yes, I resolved

MattM: looking for formal approval here

AGL: I believe you have user.name and user.DisplayName spun around here

Matt: The use case I had in my mind was different. In Android's case, they use user.DisplayName and it's ambiguous

Discussion around wording in the PR around which name is more ambiguous

absolutely riveting stuff

<steele> Discussion around how some RPs provide user.name's to their accounts and how they should distinguish credentials

<steele> MattMiller: is there an example for Display name that can signify what you should put in the case of multi-tenancy/accounts

<steele> AGL: perhaps we should've gotten rid of it, Apple has, we have not

<steele> TimC: This is something that may be helpful discussion in FIDO UXWG

ACTION: Matt Miller to revisit #1932

Conclusions

<steele> Emil: Does someone want to review 1911 real quick

<steele> Matt and Tim approved

<steele> Tony: We'll meet next Wednesday at 11am PT / 2pm ET

<steele> Tim: need IDL assistance with #1923

<steele> meeting conclusion

Summary of action items

  1. Tony and Philippe to update calendar to account for weekly meetings with an hour (earlier) offset every 1 week
  2. Ian to find adequate meeting space
  3. Steele to close #1939
  4. Tim will merge #1936 into #1923
  5. Matt to point w3c/webauthn#1936 to 1923
  6. Matt Miller to revisit #1932
Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).
