W3C

– DRAFT –
WebAuthn Weekly WG Meeting

31 January 2024

Attendees

Present
Adam, Anders, DavidTurner, DavidWaite, Emil, James, JohnPascoe, Khaled, Lachlan, MatthewMiller, Nick, Nina, Shane, Tim
Regrets
-
Chair
AGL
Scribe
steele

Meeting minutes

Pull Requests

w3c/webauthn#2018

Anders: We've received negative feedback regarding not assuming that localhost is a secure context, this should change

There are pending approvals and comments, will let sit for a week before moving forward on this PR

w3c/webauthn#2019

Anders: meant to supplement #2018, drafted an example of what would be allowed

AGL: I think this is reasonable to be merged in alongside #2018

w3c/webauthn#2017

Emil: Mike Jones wished to review this issue

w3c/webauthn#1954

David: I have some real world examples on this and will write up a response, plan to re-address this next week to the WG

w3c/webauthn#1953

David: Wanted to sanity check the example I created, wanted input by John Bradley, considering merging this sooner although happy to revisit next week alongside #1954

Emil: Fine with merging but would like to check the example. I'm fine with merging as we've delayed quite a bit

David: let's plan to merge next week unless there's a push otherwise

There may be a delay on this due to FIDO Plenary next week which might cancel the WG meeting

No one present to discuss w3c/webauthn#1951

w3c/webauthn#1926

Shane: no one present from Microsoft to discuss, might reach out to MSFT's Ackshay directly

Tim: Monty Wiseman from BeyondIdentity might be able to help with this

ACTION: Tim and/or DavidTurner to connect with Monty

Nina returns to discuss w3c/webauthn#1951

Nina: the API shape seems fine although there will be a request for changes incoming

Issues

w3c/webauthn#2016

Shane: I don't see anything that necessarily requires a change here.

Emil: I have something in mind and am getting around to it

w3c/webauthn#2010

Nina: we have some internal tests that exercise this behaviour. This would be a browser bug, not a functional issue

AGL to close with followup comment

w3c/webauthn#1984

Consensus that this is a real issue and we'll draft a PR to fix it

ACTION: Nina to read through 1984 (the pull request, not the dystopian novella)

w3c/webauthn#1980

ACTION: Remind Arnar to follow up with this post-FIDO Plenary

w3c/webauthn#1979

Tony to follow up

w3c/webauthn#1976

Nick: I'll follow up on this

Issue Backlog Combing

w3c/webauthn#1962

John: Spec-wise, we still don't spell out the behavior in the spec here, but we now provide an AAGUID and strip it out for hardware keys

AGL: so the spec change needed is "zero out the AAGUID in the case of non-platform authenticators?"

John, who would have a lot of additional work if he were to write said PR: yes

Shane: I think it's great that platform providers provide an AAGUID, but I don't know if it matters whether it gets 0'd out or not. If I request att = none, and I got back an AAGUID == 000s, I wouldn't care, because I don't need both

AGL: The identity of the platform authenticator was a foregone conclusion, things are evolving that only the identity of the hardware key is a foregone conclusion

Shane: isn't it okay to say, if att = none, 0 it out?

Matthew: we lose our ability to hint

Nick: I want to show an identifier

Tim: if you as an RP are making changes to an authenticator, then you're probably asking for attestation. What do we want to give guidance to do? Request direct?

Shane: If I really want an AAGUID I'll just request direct

Matthew: that adds additional friction

i.e. additional warning modal for cross-platform

Discussion around attestation and identifying providers, hardware keys, and platforms

Discussion around prioritizing this value

ACTION: agl to write a pull request to discuss in 2 weeks

w3c/webauthn#1917

Shane: I thought the decision was "if an RP requested enterprise, but the authenticator couldn't provide it, it would provide direct attestation"

discussion that this would be higher priority than the AAGUID work

w3c/webauthn#1913

Emil: chrome and firefox people, please take note

This is a browser issue regarding CSS rendering?

Nina: could possibly ask Bikeshed maintainer about this

w3c/webauthn#1895

We tagged this issue open and then removed the PR, discussion

Emil: my opinion is that this feature wouldn't be impressive enough to motivate developing it further.

w3c/webauthn#1859

Matthew: I would like to discuss this in person at a face to face meeting

AGL: Tony might not be thrilled but we can discuss in two weeks

Discussion around April 19th IIW face to face

Straw polling for Identiverse vs IIW F2F

w3c/webauthn#1854

Nina: Great idea that no one has the time to do because low value

Matthew: you could achieve this with more efficient usage of abort controller in the client

i.e. the browsers

AGL: does anyone wish to fight for this issue?

none

AGL closes issue

additional topics

No meeting next week

Summary of action items

  1. Tim and/or DavidTurner to connect with Monty
  2. Nina to read through 1984 (the pull request, not the dystopian novella)
  3. Remind Arnar to follow up with this post-FIDO Plenary
  4. agl to write a pull request to discuss in 2 weeks

Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).

Diagnostics

Maybe present: AGL, David, John, Matthew

All speakers: AGL, Anders, David, Emil, John, Matthew, Nick, Nina, Shane, Tim

Active on IRC: steele