WebAuthn Weekly

29 November 2023


Present: AGL, AnderAberg, DavidTurner, JaiminBhatt, JasonCai, JohnPascoe, JohnSchanck, PLH, selfissued, ShaneWeeden, TimCappalli, TonyNadalin

Chair: Tony Nadalin

Meeting minutes

Next week meeting

<plh> Tony: I can't make it next week...

<plh> ... we'll cancel unless someone speaks up now

<plh> (none heard)

Web Identity Credential Working Group Charter

<plh> Tim: it's essentially the FedCM API WG.

<plh> Web Identity Credential Working Group Charter

<plh> Tony: +1 to list WebAuthn as a dependency

is anyone scribing?

I'll scribe

no problem!

Discussion around Web Identity Working Group Charter before pull requests

Pull Requests

Discussing w3c/webauthn#2001

AGL: Want to discuss with Nina Satragno, John Bradley & Tim Cappalli to review

Discussion of https://github.com/w3c/webauthn/pulls

Shane making editorial change

Tim Cappalli approved, ready to merge


Matthew on PTO this week

Ready to Merge

Nick Steele to merge



Not been merged, ready for merge

Nick Steele merging


Still pending




Tim: we're still waiting for a response


Tim: I need to add the privacy statement, will add before next call.



Shane: this has been closed


Emlun not present to discuss


AGL: this would be resolved by #1999

Matt not present


AGL: Nina will be present in 2 weeks to discuss


Shane: Our security model does not extend to a man-in-the-browser model

ACTION: Nick Steele to relay this message and close #1965


AGL: This is in the CTAP spec, we could point to this if there's a recently published CTAP spec

Tony: Do you want to respond?

AGL: I can address in 2 weeks

Issue to remain open


Tim: this issue was brought up the other day on Stack Overflow

Tim: I think we should close this issue

AGL: this could cause UI breakage

ACTION: Tim Cappalli to draft response

Discussion around requests for a getOrCreate method

AGL: if hordes of developers are calling for it, Google would consider it

MikeJones: becomes an issue when you have a multitude of accounts for an RP


Tim: I don't think this is appropriate for WebAuthn

Shane agrees, this is out of scope

JohnBradley: I disagree with Tim that this is a security key issue; I think this is fundamentally different from sharing a hardware key. This is a FIDO issue

Shane: we should get Emlun's opinion on this
… he has some proposed changes to the wording



Emlun to address

Tim: I know that there was an issue in bikeshed regarding indenting? Has this been addressed?

AGL: I've seen them

Tim: next time I see them I'll try to remove them


Arnar assigned, still pending a reviewer. Tim to assign MatthewMiller who had opinions on the topic



Tim bumping issue with Ackshay

AGL: There is some amount of consternation happening because this introduces latency. Some RPs find this a problem. The idea of having a challenge callback is re-emerging. We're still discussing

Tony: would it align with this issue?

AGL: maybe not directly


AGL: At some point we might want to decide to ignore or remove legacy issues

Tony: Nina has responded

AGL: waiting to put energy behind this

Tony: is this something that folks want to do?
… it's at risk, although unsure if people have time and capacity
… can also leave undecided

AGL: no objections, haven't heard about it in feedback, the utility is small. I wouldn't prioritize it for L3


AGL: When Arnar returns in two weeks you can bug him about this

Tony assigns Arnar to the issue, the wily fellow


Tony: this is just a process and editorial change


John: we might want to just say that the type changes when we talk to CTAP2

AGL okay with this

ACTION: John Bradley to write a PR for issue #1795


Waiting for Nina

AGL: issue not wrong, will bother Nina about it

Tony: issue is at risk

AGL will follow up with Nina


ACTION: Nick Steele to close


This issue is primordial but still valid

Tony: I'll ping Ian Jacobs

issue to remain open, a relic of the old world

<selfissued> w3c/webauthn#1635

MikeJones: For one thing, we have a reference to large per-credential blobs that I am unable to find in the CTAP2 spec. Did that occur? Was it deleted?

AGL: At the WebAuthn layer we have largeBlob; at CTAP this gets abstracted down into a different format

Mike Jones posts a note from the issue to chat: NOTE: In order to interoperate, user agents storing large blobs on authenticators using [FIDO-CTAP] are expected to use the provisions detailed in that specification for storing large, per-credential blobs.

<selfissued> https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#large-blob

Adam Langley points to RD (review draft) https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#authenticatorLargeBlobs

David Turner: That's the 2.0 version, Mike, not 2.1

From David Turner, https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#conformance

<plh> 10.1.5. Large blob storage extension (largeBlob)

<selfissued> https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html

AGL posts to 2.1 draft https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorLargeBlobs

Mike Jones should have what he needs now to make a PR regarding largeBlob

MikeJones: there's also a different link to responses

MikeJones: I need to fix the CTAP references, will sort out other issues async

We will cancel the next two weeks of meetings as discussed and resume in two weeks

Summary of action items

  1. Nick Steele to relay this message and close #1965
  2. Tim Cappalli to draft response
  3. John Bradley to write a PR for issue #1795
  4. Nick Steele to close
Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).


No scribenick or scribe found. Guessed: steele

Maybe present: John, JohnBradley, MikeJones, Shane, Tim, Tony

All speakers: AGL, John, JohnBradley, MikeJones, Shane, Tim, Tony

Active on IRC: plh, selfissued, steele