18:06:05 RRSAgent has joined #webauthn
18:06:09 logging to https://www.w3.org/2023/08/30-webauthn-irc
18:06:09 Zakim has joined #webauthn
18:06:18 Meeting: Web Authn weekly
18:06:22 Chair: Tony
18:06:40 ACTION: plh and Tony to publish a revised WebAuthn 3 Working Draft
18:07:34 selfissued has joined #webauthn
18:07:38 present+
18:07:50 scribeNick: plh
18:07:54 present+
18:08:31 present: Tony, Tim, Matthew, David Waite, Michael, John, David Turner, Yusi, Anders
18:08:44 Topic: Joint meeting with WP WG at TPAC
18:09:08 Tony: any comments on the proposed joint agenda?
18:09:46 Matthew: we'll give an update from the CG, sure
18:10:25 Tony: ok, adopted
18:10:29 Topic: Agenda for TPAC
18:10:44 Tim: I'd like some time for a few items @1
18:11:48 Tony: Normal weekly is cancelled on Sep 13
18:12:17 Topic: Pull requests
18:12:35 https://github.com/w3c/webauthn/pull/1951
18:12:44 Tim: needs time for that one
18:12:51 https://github.com/w3c/webauthn/pull/1950
18:13:01 Tim: not ready. any concern?
18:13:21 ... we had a single attestation statement traditionally
18:13:34 ... we don't have a way to have multiple
18:13:46 ... proposal is to add a format called compound, which is an array
18:14:07 ... basic definition in the spec and validation
18:15:00 ... pending question: Is verification considered successful when all or any attestation statement is valid?
18:15:12 ... anyone think it should be more strict?
18:15:43 Tony: will you propose a new format for the JWT one?
18:16:11 Tim: @yes@, based on IETF JWT
18:16:36 Tim: ultimately we'll need a subtype for the JWT
18:16:48 ... based on a registry
18:17:10 ... we'll need to update the RFC that defines the registry
18:17:20 ... will try to get that PR done before TPAC
18:17:39 https://github.com/w3c/webauthn/pull/1948
18:17:52 Tony: anyone looked at it?
18:18:05 (none heard)
18:18:29 Tony: looks like it's editorial
18:18:44 Tim: I'll look at it
18:19:05 https://github.com/w3c/webauthn/pull/1946
18:19:47 John: still a question whether we want to do 1945 and 1946
18:19:52 ... it's an idea
18:20:03 ... since it's a halfway solution...
18:20:40 Tim: we had 10 issues around raw signatures. is that even in our scope?
18:20:49 Tony: I believe it is, will check
18:21:12 -> https://www.w3.org/2022/04/webauthn-wg-charter.html wg charter
18:21:25 https://github.com/w3c/webauthn/pull/1944
18:21:37 Tony: waiting on Adam's approval
18:21:50 https://github.com/w3c/webauthn/pull/1932
18:22:16 John: Gotta jump, I'm hoping Adam and Emil can look at https://github.com/w3c/webauthn/pull/1932 and approve so we can merge if it's fine
18:22:33 https://github.com/w3c/webauthn/pull/1926
18:22:38 Tim: waiting to hear back
18:22:51 https://github.com/w3c/webauthn/pull/1923
18:22:57 Tim: been looking into this
18:23:27 ... struggling to set this up in WebIDL. hoping to have an update for TPAC
18:23:49 Topic: Pending issues
18:23:55 https://github.com/w3c/webauthn/issues/1941
18:24:09 Tony: no further progress?
18:25:25 ... John, is that something we can do?
18:25:57 John: the question what does the authenticator do?
18:26:02 ... the PR doesn't send anything
18:26:17 ... does the browser set it to none?
18:26:26 ... or new attestation?
18:26:47 ... not returning an attestation would be the most expected but not sure if that's what we're asked
18:27:17 Tony: next step?
18:27:44 John: do we want to do different things here?
18:28:06 ... we don't get anything in the attestation type
18:28:29 Tony: let's leave it for triage and see what comes out of it
18:28:38 https://github.com/w3c/webauthn/issues/1937
18:28:44 Tim: holding waiting on the PR
18:29:03 https://github.com/w3c/webauthn/issues/1933
18:30:07 Tony: waiting on Adam
18:30:23 https://github.com/w3c/webauthn/issues/1921
18:31:04 Tim: we can tweak some existing language. clarification
18:31:17 https://github.com/w3c/webauthn/issues/1913
18:31:30 Tony: looks editorial
18:31:45 https://github.com/w3c/webauthn/issues/1912
18:32:06 Tim: I'll work on this one
18:32:38 https://github.com/w3c/webauthn/issues/1888
18:32:58 Tim: Armar will be back on September 18
18:33:11 https://github.com/w3c/webauthn/issues/1859
18:33:57 s/John: Gotta jump/Matthew: Gotta jump/
18:34:14 https://github.com/w3c/webauthn/issues/1856
18:35:54 Tim: might be editorial...
18:36:46 [back and forth between Tim and Matthew]
18:37:25 https://github.com/w3c/webauthn/issues/1854
18:38:18 Tim: seems Nina thought it was a bad idea...
18:38:39 ... open question: is there any reason why you couldn't use the same challenge (retrieved once from the server) for both these requests?
18:38:59 ... I'll follow up to see if we still want to pursue this
18:39:10 https://github.com/w3c/webauthn/issues/1819
18:40:34 Tony: not sure if it's an issue with our spec
18:40:42 ... some clarification on the attestation
18:41:01 https://github.com/w3c/webauthn/issues/1797
18:41:27 John: we have to decide what to do with this
18:41:49 ... it may be moot if we're changing the attestation reference
18:41:50 matthewmiller has joined #webauthn
18:41:58 ... I'll take another look
18:42:39 https://github.com/w3c/webauthn/issues/1795
18:42:55 Tony: we need a PR. John?
18:43:24 John: I'll look at it and see if the changes we made have made this not relevant
18:43:47 ... it may be that we'd want to change the CTAP side inside of the WebAuthn side
18:43:58 ... we have a mismatch and people have to know to convert
18:44:03 ... maybe it's making it clear
18:44:27 ... will follow
18:45:09 https://github.com/w3c/webauthn/issues/1794
18:45:38 Tony: can we close this?
18:46:22 ... sounds like we took care of this
18:46:25 dwaite has joined #webauthn
18:46:50 dwaite has left #webauthn
18:47:14 https://github.com/w3c/webauthn/issues/1748
18:48:01 Tony: I'll put this at risk since no one worked on it
18:48:10 https://github.com/w3c/webauthn/issues/1791
18:48:24 Matthew: I believe this was addressed. can we close?
18:48:48 Tim: ok
18:48:50 Tony: ok
18:49:06 https://github.com/w3c/webauthn/issues/1743
18:50:19 Tim: this still needs looked at
18:50:42 ... Matthew, let's work on those editorials together
18:50:46 Matthew
18:50:50 Matthew: sure
18:51:04 https://github.com/w3c/webauthn/issues/1742
18:51:18 John: can this be part of the capability?
18:51:42 ... Safari throws a type error if you use an enterprise attestation
18:52:08 DavidWaite: webkit will update this in his next release
18:52:33 John: do we still want to be part of the capability anyway?
18:52:58 ... ie the browser won't blow up if it receives it
18:53:31 Tim: if the browser doesn't, the assumption would be not to send it?
18:53:34 Matthew: yes
18:53:39 Tim: no concern with that
18:54:00 Matthew: let's link that to the capabilities and see if we want to address it there
18:54:55 Tim: I'll link to https://github.com/w3c/webauthn/pull/1923
18:55:05 Tony: ok, let's leave the issue open for now
18:55:48 https://github.com/w3c/webauthn/issues/1916
18:56:14 DavidWaite: I opened a PR 1954 for that one
18:56:30 ... https://github.com/w3c/webauthn/pull/1954
18:57:18 ... and open a new issue https://github.com/w3c/webauthn/issues/1952
18:57:32 ... and PR https://github.com/w3c/webauthn/pull/1953 is to address that one
18:58:39 ... welcome feedback on those
18:58:51 ... want to make sure Apple gets to review those
19:00:29 Tim: we still don't say what a packed attestation since you can have multiple formats
19:00:49 DavidWaite: the actual validation rule could be weird indeed
19:01:25 Matthew: I wonder if the compound PR could help here, as a wrapper
19:01:45 Tim: +1
19:02:15 Matthew: we'll need what Yubico would say to that
19:03:03 John: rumor that how to validate those may vary among vendors. we may want to say something that
19:03:31 ... @@
19:03:45 ... some IDPs might not be able to validate them
19:04:07 ... should we say what the root needs to be or is up to FIDO?
19:04:15 s/is up/is it up/
19:06:28 [some conversation about AAGUI (sp?) ]
19:07:11 We're way over time and conflicting with the VCWG call
19:07:14 I need to drop
19:07:31 [adjourned]
19:07:47 rrsagent, generate minutes
19:07:48 I have made the request to generate https://www.w3.org/2023/08/30-webauthn-minutes.html plh
19:15:16 kaiju has joined #webauthn