IRC log of webauthn on 2024-01-31

Timestamps are in UTC.

19:03:45 [RRSAgent]
RRSAgent has joined #webauthn
19:03:49 [RRSAgent]
logging to https://www.w3.org/2024/01/31-webauthn-irc
19:04:08 [steele]
Meeting: WebAuthn Weekly WG Meeting
19:04:19 [steele]
Chair: AGL
19:04:25 [steele]
Scribe: steele
19:04:38 [steele]
Topic: Pull Requests
19:05:01 [steele]
https://github.com/w3c/webauthn/pull/2018
19:06:13 [steele]
Anders: We've received negative feedback regarding not assuming that localhost is a secure context, this should change
19:06:31 [steele]
There are pending approvals and comments, will let sit for a week before moving forward on this PR
19:06:40 [steele]
https://github.com/w3c/webauthn/pull/2019
19:07:17 [steele]
Anders: meant to supplement #2018, drafted an example of what would be allowed
19:07:28 [steele]
AGL: I think this is reasonable to be merged in alongside #2018
19:07:34 [steele]
https://github.com/w3c/webauthn/pull/2017
19:08:35 [steele]
present+ Tim,Emil,Anders,Nick,Adam,Shane,DavidWaite,Khaled,Lachlan,James,DavidTurner
19:08:44 [steele]
Emil: Mike Jones wished to review this issue
19:08:51 [steele]
https://github.com/w3c/webauthn/pull/1954
19:09:47 [steele]
David: I have some real world examples on this and will write up a response, plan to re-address this next week to the WG
19:09:55 [steele]
https://github.com/w3c/webauthn/pull/1953
19:10:37 [steele]
David: Wanted to sanity check the example I created, wanted input by John Bradley, considering merging this sooner although happy to revisit next week alongside #1954
19:11:04 [steele]
Emil: Fine with merging but would like to check the example. I'm fine with merging as we've delayed quite a bit
19:11:32 [steele]
David: let's plan to merge next week unless there's a push otherwise
19:12:28 [steele]
There may be a delay on this due to FIDO Plenary next week which might cancel the WG meeting
19:12:42 [steele]
present+ Nina
19:13:03 [steele]
No one present to discuss https://github.com/w3c/webauthn/pull/1951
19:13:15 [steele]
https://github.com/w3c/webauthn/pull/1926
19:14:12 [steele]
Shane: no one present from Microsoft to discuss, might reach out to MSFT's Ackshay directly
19:14:40 [steele]
Tim: Monty Wiseman from BeyondIdentity might be able to help with this
19:14:57 [steele]
ACTION: Tim and/or DavidTurner to connect with Monty
19:15:13 [steele]
Nina returns to discuss https://github.com/w3c/webauthn/pull/1951
19:15:37 [steele]
Nina: the API shape seems fine although there will be a request for changes incoming
19:15:44 [steele]
present+ JohnPascoe
19:16:11 [steele]
TOPIC: Issues
19:16:22 [steele]
https://github.com/w3c/webauthn/issues/2016
19:16:56 [steele]
Shane: I don't see anything that necessarily requires a change here.
19:17:07 [steele]
Emil: I have something in mind and am getting around to it
19:17:19 [steele]
https://github.com/w3c/webauthn/issues/2010
19:18:21 [steele]
Nina: we have some internal tests that exercise this behaviour. This would be a browser bug, not a functional issue
19:18:27 [steele]
AGL to close with followup comment
19:18:35 [steele]
https://github.com/w3c/webauthn/issues/1984
19:19:22 [steele]
consensus that this is a real and we'll draft a PR to fix it
19:20:17 [steele]
ACTION: Nina to read through 1984 (the pull request, not the dystopian novella)
19:20:37 [steele]
https://github.com/w3c/webauthn/issues/1980
19:20:55 [steele]
Action: Remind Arnar to follow up with this post-FIDO Plenary
19:21:10 [steele]
https://github.com/w3c/webauthn/issues/1979
19:21:14 [steele]
Tony to follow up
19:21:19 [steele]
https://github.com/w3c/webauthn/issues/1976
19:21:47 [steele]
Nick: I'll follow up on this
19:23:30 [steele]
TOPIC: Issue Backlog Combing
19:23:35 [steele]
https://github.com/w3c/webauthn/issues/1962
19:24:49 [steele]
John: Spec-wise, we still don't spell out the behavior in the spec here, but we now provide an AAGUID and strip it out for hardware keys
19:25:11 [steele]
AGL: so the spec change needed is "zero out the AAGUID in the case of non-platform authenticators?"
19:25:39 [steele]
John, who would have a lot of additional work if he were to write said PR: yes
19:27:11 [steele]
Shane: I think it's great that platform providers provide an AAGUID, but I don't know if it matters whether it gets 0'd out or not. If I request att = none, and I got back an AAGUID == 000s, I wouldn't care, because I don't need both
19:27:46 [steele]
AGL: The identity of the platform authenticator was a foregone conclusion, things are evolving that only the identity of the hardware key is a foregone conclusion
19:28:01 [steele]
Shane: isn't it okay to say, if att = none, 0 it out?
19:28:10 [steele]
present+ MatthewMiller
19:28:27 [steele]
Matthew: we lose our ability to hint
19:29:58 [steele]
Nick: I want to show an identifier
19:31:38 [steele]
Tim: if you as an RP are making changes to an authenticator, then you're probably asking for attestation. What do we want to give guidance to do? Request direct?
19:32:22 [steele]
Shane: If I really want an AAGUID I'll just request direct
19:32:32 [steele]
Matthew: that adds additional friction
19:33:12 [steele]
i.e. additional warning modal for xplatform
19:40:05 [steele]
Discussion around attestation and identifying providers, hardware keys, and platforms
19:40:22 [steele]
Discussion around prioritizing this value
19:40:49 [steele]
ACTION: agl to write a pull request to discuss in 2 weeks
19:41:15 [steele]
https://github.com/w3c/webauthn/issues/1917
19:41:50 [steele]
Shane: I thought the decision was "if an RP requested enterprise, but the authenticator couldn't provide it, it would provide direct attestation"
19:42:20 [steele]
discussion that this would be higher priority than the AAGUID work
19:42:29 [steele]
https://github.com/w3c/webauthn/issues/1913
19:42:50 [steele]
Emil: Chrome and Firefox people, please take note
19:43:25 [steele]
This is a browser issue regarding CSS rendering?
19:44:52 [steele]
Nina: could possibly ask Bikeshed maintainer about this
19:45:00 [steele]
https://github.com/w3c/webauthn/issues/1895
19:45:28 [steele]
We tagged this issue open and then removed the PR, discussion
19:45:58 [steele]
Emil: my opinion is that this feature wouldn't be impressive enough to motivate developing it further.
19:47:19 [steele]
https://github.com/w3c/webauthn/issues/1859
19:47:29 [steele]
Matthew: I would like to discuss this in person at a face to face meeting
19:47:56 [steele]
AGL: Tony might not be thrilled but we can discuss in two weeks
19:48:40 [steele]
Discussion around April 19th IIW face to face
19:51:16 [steele]
Straw polling for Identiverse vs IIW F2F
19:55:05 [steele]
https://github.com/w3c/webauthn/issues/1854
19:55:16 [steele]
Nina: Great idea that no one has the time to do because low value
19:55:41 [steele]
Matthew: you could achieve this with more efficient usage of abort controller in the client
19:55:51 [steele]
i.e. the browsers
19:57:44 [steele]
AGL: does anyone wish to fight for this issue?
19:57:47 [steele]
none
19:57:56 [steele]
AGL closes issue
20:03:06 [steele]
TOPIC: additional topics
20:03:10 [steele]
No meeting next week
20:03:20 [steele]
Zakim, list participants
20:03:20 [Zakim]
As of this point the attendees have been Tim, Emil, Anders, Nick, Adam, Shane, DavidWaite, Khaled, Lachlan, James, DavidTurner, Nina, JohnPascoe, MatthewMiller
20:03:28 [steele]
RRSAgent, make logs public
20:03:33 [steele]
RRSAgent, generate minutes
20:03:34 [RRSAgent]
I have made the request to generate https://www.w3.org/2024/01/31-webauthn-minutes.html steele
23:09:54 [steele]
steele has joined #webauthn