IRC log of webauthn on 2023-11-29

Timestamps are in UTC.

20:04:52 [RRSAgent]
RRSAgent has joined #webauthn
20:04:57 [RRSAgent]
logging to https://www.w3.org/2023/11/29-webauthn-irc
20:05:22 [plh]
Topic: Next week meeting
20:05:30 [plh]
Tony: I can't make it next week...
20:06:04 [plh]
... we'll cancel unless someone speaks up now
20:06:23 [plh]
(none heard))
20:07:29 [plh]
Topic: Web Identity Credential Working Group Charter
20:07:41 [plh]
Tim: it's essentially the FedCM API WG.
20:07:56 [jfontana]
jfontana has joined #webauthn
20:08:08 [plh]
--> https://github.com/w3c/strategy/issues/427 Web Identity Credential Working Group Charter
20:10:23 [plh]
Tony: +1 to list WebAuthn as a depencency
20:11:26 [soba]
soba has joined #webauthn
20:11:50 [steele]
is anyone scribing?
20:12:14 [steele]
I'll scribe
20:12:23 [steele]
no problem!
20:12:28 [jfontana_]
jfontana_ has joined #webauthn
20:12:38 [plh]
Agenda: https://lists.w3.org/Archives/Public/public-webauthn/2023Nov/0145.html
20:12:57 [steele]
Meeting: WebAuthn Weekly
20:13:02 [steele]
Chair: Tony Nadalin
20:14:00 [plh]
rrsagent, generate minutes
20:14:01 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/11/29-webauthn-minutes.html plh
20:14:05 [steele]
Discussion around Web Identity Working Group Charter before pull requests
20:14:11 [steele]
TOPIC: Pull Requests
20:14:17 [steele]
Discussing https://github.com/w3c/webauthn/pull/2001
20:14:39 [selfissued]
selfissued has joined #webauthn
20:14:41 [selfissued]
present+
20:14:42 [steele]
AGL: Want to discuss with Nina Satragno, John Bradley & Tim Cappalli to review
20:15:48 [steele]
present+ ShaneWeeden,JasonCai,TimCappalli,AGL,TonyNadalin,PLH,AnderAberg,JaiminBhatt,DavidTurner
20:15:57 [steele]
present+ JohnPascoe
20:16:14 [steele]
present+ JohnSchanck
20:16:34 [steele]
Discussion of https://github.com/w3c/webauthn/pulls
20:16:40 [steele]
Shane making editorial change
20:16:55 [steele]
Tim Cappalli approved, ready to merge
20:17:57 [steele]
https://github.com/w3c/webauthn/pull/1992
20:18:03 [steele]
Matthew on PTO this week
20:18:23 [steele]
Ready to Merge
20:18:59 [steele]
Nick Steele to merge
20:19:57 [steele]
https://github.com/w3c/webauthn/pull/1998
20:20:29 [steele]
https://github.com/w3c/webauthn/pull/1988
20:20:48 [steele]
Not been merged, ready for merge
20:20:55 [steele]
Nick Steele merging
20:21:47 [steele]
https://github.com/w3c/webauthn/pull/1972
20:21:52 [steele]
Still pending
20:22:03 [steele]
https://github.com/w3c/webauthn/pull/1945
20:22:14 [steele]
Closed
20:22:23 [steele]
https://github.com/w3c/webauthn/pull/1926
20:22:29 [steele]
Tim: we're still waiting for a response
20:23:05 [steele]
https://github.com/w3c/webauthn/pull/1923
20:23:16 [steele]
Tim: I need to add the privacy statement, will add before next call.
20:23:37 [steele]
TOPIC: Issues
20:23:53 [steele]
https://github.com/w3c/webauthn/issues/1998
20:24:06 [steele]
Shane: this has been closed
20:24:22 [steele]
https://github.com/w3c/webauthn/issues/1994
20:24:26 [steele]
Emlun not present to discuss
20:24:49 [steele]
https://github.com/w3c/webauthn/issues/1987
20:25:12 [steele]
AGL: this would be resolved by #1999
20:25:20 [steele]
Matt not present
20:25:48 [steele]
https://github.com/w3c/webauthn/issues/1967
20:25:59 [steele]
AGL: Nina will be present in 2 weeks to discuss
20:26:09 [steele]
https://github.com/w3c/webauthn/issues/1965
20:28:09 [steele]
Shane: Our security model does not extend to a man in the browser model
20:28:21 [steele]
ACTION: Nick steele to relay this message and close #1965
20:28:28 [steele]
https://github.com/w3c/webauthn/issues/1964
20:28:56 [steele]
AGL: This is in the CTAP spec, we could point to this if there's a recently published CTAP spec
20:29:24 [steele]
Tony: Do you want to respond?
20:29:30 [steele]
AGL: I can address in 2 weeks
20:29:34 [steele]
Issue to remain open
20:29:36 [steele]
https://github.com/w3c/webauthn/issues/1942
20:30:10 [steele]
Tim: this issue was brought up the other day on Stack Overflow
20:30:24 [steele]
Tim: I think we should close this issue
20:30:44 [steele]
AGL: this could cause UI breakage
20:30:56 [steele]
Action: Tim Cappalli to draft response
20:32:40 [steele]
Discussion around requests for getOrCreate methd
20:33:07 [steele]
AGL: if hordes of developers are calling for it, Google would consider it
20:33:28 [steele]
MikeJones: becomes an issue when you have a multitude of accounts for an RP
20:35:29 [steele]
https://github.com/w3c/webauthn/issues/1921
20:36:03 [steele]
Tim: I don't think this is appropriate for WebAuthn
20:36:11 [steele]
Shane agrees, this is out of scope
20:37:02 [steele]
JohnBradley: I disagree with tim that this is a security key issue, I think this is fundamentally different than sharing a hardware key. This is a FIDO issue
20:37:41 [steele]
Shane: we should get Emlun's opinion on this
20:38:06 [steele]
...he has some proposed chaanges to the wording
20:38:09 [steele]
https://github.com/w3c/webauthn/issues/1912
20:38:11 [steele]
https://github.com/w3c/webauthn/issues/1913
20:38:26 [steele]
Emlun to address
20:39:08 [steele]
Tim: I know that there was an issue in bikeshed regarding indenting? Has this been addressed?
20:39:12 [steele]
AGL: I've seen them
20:39:21 [steele]
Tim: next time I see them I'll try to remove them
20:39:24 [steele]
https://github.com/w3c/webauthn/issues/1888
20:40:15 [steele]
Arnar assigned, still pending a reviewer. Tim to assign MatthewMiller who had opinions on the topic
20:40:21 [steele]
https://github.com/w3c/webauthn/issues/1859
20:40:47 [steele]
https://github.com/w3c/webauthn/issues/1856
20:41:04 [steele]
Tim bumping issue with Ackshay
20:41:46 [steele]
AGL: There is some amount of consternation happening because this introduces latency. Some RPs find this a problem. Idea of having a challenge callback is making an emergence again. We're still discussing
20:41:57 [steele]
Tony: would it align with this issue?
20:42:01 [steele]
AGL: maybe not directly
20:42:33 [steele]
https://github.com/w3c/webauthn/issues/1854
20:43:07 [steele]
AGL: At some point we might want to decide to ignore or remove legacy issues
20:43:16 [steele]
Tony: Nina has responded
20:43:26 [steele]
AGL: waiting to put energy behind this
20:43:35 [steele]
Tony: is this something that folks want to do?
20:43:53 [steele]
... it's at risk, although unsure if people have time and capacity
20:43:59 [steele]
... can also leave undecided
20:44:38 [steele]
AGL: no objections, haven't heard about it in feedback, the utility is small. I wouldn't prioritize it for L3
20:44:42 [steele]
https://github.com/w3c/webauthn/issues/1819
20:45:13 [steele]
AGL: When Arnar returns in two weeks you can bug him about this
20:45:32 [steele]
Tony assigns Arnar to the issue, the wily fellow
20:45:45 [steele]
https://github.com/w3c/webauthn/issues/1797
20:45:56 [steele]
Tony: this is just a process and editorial change
20:46:01 [steele]
https://github.com/w3c/webauthn/issues/1795
20:47:19 [steele]
John: we might want to just say that the type changes when we talk to CTAP2
20:47:26 [steele]
AGL okay with this
20:47:43 [steele]
ACTION: John Bradley to write a PR for issue #1795
20:47:52 [steele]
https://github.com/w3c/webauthn/issues/1748
20:47:56 [steele]
Waiting for Nina
20:48:16 [steele]
AGL: issue not wrong, will bother Nina about it
20:48:21 [steele]
Tony: issue is at risk
20:48:28 [steele]
AGL will follow up with Nina
20:50:23 [steele]
https://github.com/w3c/webauthn/issues/1743
20:50:30 [steele]
Action: Nick Steele to close
20:51:18 [steele]
https://github.com/w3c/webauthn/issues/1667
20:51:44 [steele]
This issue is primordial but still valid
20:52:27 [steele]
Tony: I'll ping Ian Jacobs
20:52:46 [steele]
issue to remain open, a relic of the old world
20:53:01 [selfissued]
https://github.com/w3c/webauthn/issues/1635
20:53:43 [steele]
MikeJones: For one thing, we have a reference to large per credential blobs that I am unable to find in the CTAP2 spec. Did that occur? was it deleted?
20:54:10 [steele]
AGL: At the webauthn layer we have largblob, at CTAP this gets abstracted down into a different format
20:55:05 [steele]
Mike Jones posts a note from the issue to chat: NOTE: In order to interoperate, user agents storing large blobs on authenticators using [FIDO-CTAP] are expected to use the provisions detailed in that specification for storing large, per-credential blobs.
20:55:30 [selfissued]
https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob
20:55:51 [steele]
Adam Langley points to RD (review draft) https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#authenticatorLargeBlobs
20:56:04 [steele]
David Turner: That's the 2.0 version, Mike, not 2.1
20:56:26 [steele]
From David Turner, https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#conformance
20:56:33 [plh]
--> https://w3c.github.io/webauthn/#sctn-large-blob-extension 10.1.5. Large blob storage extension (largeBlob)
20:56:37 [selfissued]
https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html
20:57:08 [steele]
AGL posts to 2.1 draft https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorLargeBlobs
20:57:39 [steele]
Mike Jones should have what he needs now to make a PR regarding largeblob
20:57:55 [steele]
MikeJones: there's also a different link to responses
20:58:51 [steele]
MikeJones: I need to fix the CTAP references, will sort out other issues async
20:59:21 [steele]
We will cancel next two weeks of meetings as discussed, resume in two weeks
20:59:24 [plh]
rrsagent, generate minutes
20:59:25 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/11/29-webauthn-minutes.html plh
20:59:58 [steele]
adjourn
21:00:00 [steele]
RRSAgent, make logs public
21:06:36 [steele]
steele has joined #webauthn
21:41:32 [steele]
steele has joined #webauthn
21:49:59 [steele]
steele has joined #webauthn
21:51:02 [steele_]
steele_ has joined #webauthn
23:44:17 [Zakim]
Zakim has left #webauthn