Meeting minutes
ACTION: plh and Tony to publish a revised WebAuthn 3 Working Draft
Joint meeting with WP WG at TPAC
Tony: any comments on the proposed joint agenda?
Matthew: we'll give an update from the CG, sure
Tony: ok, adopted
Agenda for TPAC
Tim: I'd like some times for a few items @1
Tony: Normal weekly is cancelled on Sep 13
Pull requests
Tim: needs time for that one
Tim: not ready. any concern?
… we had a single attestation statement traditionally
… we don't have a way to have multiple
… proposal is to add a format called compound, which is an array
… basic definition in the spec and validation
… pending question: Is verification considered successful when all or any attestation statement is valid?
… anyone think it should be more strict?
Tony: will you propose a new format for the JWT one?
Tim: @yes@, based on IETF JWT
Tim: ultimately we'll need a subtype for the JWT
… based on a registry
… we'll need to update the RFC that defines the registry
… will try to get that PR done before TPAC
Tony: anyone looked at it?
(none heard)
Tony: looks like it's editorial
Tim: I'll look at it
John: still a question whether we want to do 1945 and 1946
… it's an idea
… since it's a halfway solution...
Tim: we had 10 issues around raw signatures. is that even in our scope?
Tony: I believe it is, will check
Tony: waiting on Adam's approval
Matthew: Gotta jump, I'm hoping Adam and Emil can look at w3c/
Tim: waiting to hear back
Tim: been looking into this
… struggling to set this up in WebIDL. hoping to have an update for TPAC
Pending issues
Tony: no further progress?
… John, is that something we can do?
John: the question is what does the authenticator do?
… the PR doesn't send anything
… does the browser set it to none?
… or new attestation?
… not returning an attestation would be the most expected but not sure if that's what we're asked
Tony: next step?
John: do we want to do different things here?
… we don't get anything in the attestation type
Tony: let's leave it for triage and see what comes out of it
Tim: holding waiting on the PR
Tony: waiting on Adam
Tim: we can tweak some existing language. clarification
Tony: looks editorial
Tim: I'll work on this one
Tim: Armar will be back on September 18
Tim: might be editorial...
[back and forth between Tim and Matthew]
Tim: seems Nina thought it was a bad idea...
… open question: is there any reason why you couldn't use the same challenge (retrieved once from the server) for both these requests?
… I'll follow up to see if we still want to pursue this
Tony: not sure if it's an issue with our spec
… some clarification on the attestation
John: we have to decide what to do with this
… it may be moot if we're changing the attestation reference
… I'll take another look
Tony: we need a PR. John?
John: I'll look at it and see if the changes we made have made this not relevant
… it may be that we'd want to change the CTAP side inside of the WebAuthn side
… we have a mismatch and people have to know to convert
… maybe it's making it clear
… will follow
Tony: can we close this?
… sounds we took care of this
Tony: I'll put this at risk since no one worked on it
Matthew: I believe this was addressed. can we close?
Tim: ok
Tony: ok
Tim: this still needs to be looked at
… Matthew, let's work on those editorials together
Matthew: sure
John: can this be part of the capability?
… Safari throws a type error if you use an enterprise attestation
DavidWaite: WebKit will update this in its next release
John: do we still want to be part of the capability anyway?
… i.e. the browser won't blow up if it receives it
Tim: if the browser doesn't, the assumption would be not to send it?
Matthew: yes
Tim: no concern with that
Matthew: let's link that to the capabilities and see if we want to address it there
Tim: I'll link to w3c/
Tony: ok, let's leave the issue open for now
DavidWaite: I opened a PR 1954 for that one
… w3c/
… and open a new issue w3c/
… and PR w3c/
… welcome feedback on those
… want to make sure Apple gets to review those
Tim: we still don't say what a packed attestation is since you can have multiple formats
DavidWaite: the actual validation rule could be weird indeed
Matthew: I wonder if the compound PR could help here, as a wrapper
Tim: +1
Matthew: we'll need what Yubico would say to that
John: rumor that how to validate those may vary among vendors. we may want to say something that
… @@
… some IDPs might not be able to validate them
… should we say what the root needs to be or is it up to FIDO?
[some conversation about AAGUI (sp?) ]
<selfissued> We're way over time and conflicting with the VCWG call
<selfissued> I need to drop
[adjourned]