WebAuthn Weekly WG Meeting

31 January 2024


Adam, Anders, DavidTurner, DavidWaite, Emil, James, JohnPascoe, Khaled, Lachlan, MatthewMiller, Nick, Nina, Shane, Tim

Meeting minutes

Pull Requests


Anders: We've received negative feedback regarding not assuming that localhost is a secure context; this should change

There are pending approvals and comments, will let sit for a week before moving forward on this PR


Anders: meant to supplement #2018, drafted an example of what would be allowed

AGL: I think this is reasonable to be merged in alongside #2018


Emil: Mike Jones wished to review this issue


David: I have some real world examples on this and will write up a response, plan to re-address this next week to the WG


David: Wanted to sanity check the example I created, wanted input from John Bradley, considering merging this sooner although happy to revisit next week alongside #1954

Emil: Fine with merging but would like to check the example. I'm fine with merging as we've delayed quite a bit

David: let's plan to merge next week unless there's a push otherwise

There may be a delay on this due to FIDO Plenary next week which might cancel the WG meeting

No one present to discuss w3c/webauthn#1951


Shane: no one present from Microsoft to discuss, might reach out to MSFT's Ackshay directly

Tim: Monty Wiseman from BeyondIdentity might be able to help with this

ACTION: Tim and/or DavidTurner to connect with Monty

Nina returns to discuss w3c/webauthn#1951

Nina: the API shape seems fine although there will be a request for changes incoming



Shane: I don't see anything that necessarily requires a change here.

Emil: I have something in mind and am getting around to it


Nina: we have some internal tests that exercise this behaviour. This would be a browser bug, not a functional issue

AGL to close with followup comment


Consensus that this is real, and we'll draft a PR to fix it

ACTION: Nina to read through 1984 (the pull request, not the dystopian novella)


ACTION: Remind Arnar to follow up with this post-FIDO Plenary


Tony to follow up


Nick: I'll follow up on this

Issue Backlog Combing


John: Spec-wise, we still don't spell out the behavior in the spec here, but we now provide an AAGUID and strip it out for hardware keys

AGL: so the spec change needed is "zero out the AAGUID in the case of non-platform authenticators?"

John, who would have a lot of additional work if he were to write said PR: yes

Shane: I think it's great that platform providers provide an AAGUID, but I don't know if it matters whether it gets 0'd out or not. If I request att = none, and I got back an AAGUID == 000s, I wouldn't care, because I don't need both

AGL: The identity of the platform authenticator was a foregone conclusion; things are evolving so that only the identity of the hardware key is a foregone conclusion

Shane: isn't it okay to say, if att = none, 0 it out?

Matthew: we lose our ability to hint

Nick: I want to show an identifier

Tim: if you as an RP are making changes to an authenticator, then you're probably asking for attestation. What do we want to give guidance to do? Request direct?

Shane: If I really want an AAGUID i'll just request direct

Matthew: that adds additional friction

i.e. additional warning modal for cross-platform

Discussion around attestation and identifying providers, hardware keys, and platforms

Discussion around prioritizing this value

ACTION: agl to write a pull request to discuss in 2 weeks


Shane: i thought the decision was "if an RP requested enterprise, but the authenticator couldn't provide it, it would provide direct attestation"

discussion that this would be higher priority than the AAGUID work


Emil: chrome and firefox people, please take note

This is a browser issue regarding CSS rendering?

Nina: could possibly ask Bikeshed maintainer about this


We tagged this issue open and then removed the PR, discussion

Emil: my opinion is that this feature wouldn't be impressive enough to motivate developing it further.


Matthew: I would like to discuss this in person at a face to face meeting

AGL: Tony might not be thrilled but we can discuss in two weeks

Discussion around April 19th IIW face to face

Straw polling for Identiverse vs IIW F2F


Nina: Great idea that no one has the time to do because of low value

Matthew: you could achieve this with more efficient usage of abort controller in the client

i.e. the browsers

AGL: does anyone wish to fight for this issue?


AGL closes issue

Additional topics

No meeting next week

Summary of action items

  1. Tim and/or DavidTurner to connect with Monty
  2. Nina to read through 1984 (the pull request, not the dystopian novella)
  3. Remind Arnar to follow up with this post-FIDO Plenary
  4. agl to write a pull request to discuss in 2 weeks
