Meeting minutes
Next week meeting
<plh> Tony: I can't make it next week...
<plh> ... we'll cancel unless someone speaks up now
<plh> (none heard))
Web Identity Credential Working Group Charter
<plh> Tim: it's essentially the FedCM API WG.
<plh> Tony: +1 to list WebAuthn as a depencency
is anyone scribing?
I'll scribe
no problem!
Discussion around Web Identity Working Group Charter before pull requests
Pull Requests
Discussing w3c/
AGL: Want to discuss with Nina Satragno, John Bradley & Tim Cappalli to review
Discussion of https://
Shane making editorial change
Tim Cappalli approved, ready to merge
Matthew on PTO this week
Ready to Merge
Nick Steele to merge
Not been merged, ready for merge
Nick Steele merging
Still pending
Closed
Tim: we're still waiting for a response
Tim: I need to add the privacy statement, will add before next call.
Issues
Shane: this has been closed
Emlun not present to discuss
AGL: this would be resolved by #1999
Matt not present
AGL: Nina will be present in 2 weeks to discuss
Shane: Our security model does not extend to a man in the browser model
ACTION: Nick steele to relay this message and close #1965
AGL: This is in the CTAP spec, we could point to this if there's a recently published CTAP spec
Tony: Do you want to respond?
AGL: I can address in 2 weeks
Issue to remain open
Tim: this issue was brought up the other day on Stack Overflow
Tim: I think we should close this issue
AGL: this could cause UI breakage
ACTION: Tim Cappalli to draft response
Discussion around requests for getOrCreate methd
AGL: if hordes of developers are calling for it, Google would consider it
MikeJones: becomes an issue when you have a multitude of accounts for an RP
Tim: I don't think this is appropriate for WebAuthn
Shane agrees, this is out of scope
JohnBradley: I disagree with tim that this is a security key issue, I think this is fundamentally different than sharing a hardware key. This is a FIDO issue
Shane: we should get Emlun's opinion on this
… he has some proposed chaanges to the wording
Emlun to address
Tim: I know that there was an issue in bikeshed regarding indenting? Has this been addressed?
AGL: I've seen them
Tim: next time I see them I'll try to remove them
Arnar assigned, still pending a reviewer. Tim to assign MatthewMiller who had opinions on the topic
Tim bumping issue with Ackshay
AGL: There is some amount of consternation happening because this introduces latency. Some RPs find this a problem. Idea of having a challenge callback is making an emergence again. We're still discussing
Tony: would it align with this issue?
AGL: maybe not directly
AGL: At some point we might want to decide to ignore or remove legacy issues
Tony: Nina has responded
AGL: waiting to put energy behind this
Tony: is this something that folks want to do?
… it's at risk, although unsure if people have time and capacity
… can also leave undecided
AGL: no objections, haven't heard about it in feedback, the utility is small. I wouldn't prioritize it for L3
AGL: When Arnar returns in two weeks you can bug him about this
Tony assigns Arnar to the issue, the wily fellow
Tony: this is just a process and editorial change
John: we might want to just say that the type changes when we talk to CTAP2
AGL okay with this
ACTION: John Bradley to write a PR for issue #1795
Waiting for Nina
AGL: issue not wrong, will bother Nina about it
Tony: issue is at risk
AGL will follow up with Nina
ACTION: Nick Steele to close
This issue is primordial but still valid
Tony: I'll ping Ian Jacobs
issue to remain open, a relic of the old world
<selfissued> w3c/
MikeJones: For one thing, we have a reference to large per credential blobs that I am unable to find in the CTAP2 spec. Did that occur? was it deleted?
AGL: At the webauthn layer we have largblob, at CTAP this gets abstracted down into a different format
Mike Jones posts a note from the issue to chat: NOTE: In order to interoperate, user agents storing large blobs on authenticators using [FIDO-CTAP] are expected to use the provisions detailed in that specification for storing large, per-credential blobs.
Adam Langley points to RD (review draft) https://
David Turner: That's the 2.0 version, Mike, not 2.1
From David Turner, https://
<selfissued> https://
AGL posts to 2.1 draft https://
Mike Jones should have what he needs now to make a PR regarding largeblob
MikeJones: there's also a different link to responses
MikeJones: I need to fix the CTAP references, will sort out other issues async
We will cancel next two weeks of meetings as discussed, resume in two weeks