Meeting minutes
Pull Requests
Anders: We've received negative feedback regarding not assuming that localhost is a secure context; this should change
There are pending approvals and comments, will let sit for a week before moving forward on this PR
Anders: meant to supplement #2018, drafted an example of what would be allowed
AGL: I think this is reasonable to be merged in alongside #2018
Emil: Mike Jones wished to review this issue
David: I have some real world examples on this and will write up a response, plan to re-address this next week to the WG
David: Wanted to sanity check the example I created, wanted input from John Bradley, considering merging this sooner although happy to revisit next week alongside #1954
Emil: Fine with merging but would like to check the example. I'm fine with merging as we've delayed quite a bit
David: let's plan to merge next week unless there's a push otherwise
There may be a delay on this due to FIDO Plenary next week which might cancel the WG meeting
No one present to discuss w3c/
Shane: no one present from Microsoft to discuss, might reach out to MSFT's Ackshay directly
Tim: Monty Wiseman from BeyondIdentity might be able to help with this
ACTION: Tim and/or DavidTurner to connect with Monty
Nina returns to discuss w3c/
Nina: the API shape seems fine although there will be a request for changes incoming
Issues
Shane: I don't see anything that necessarily requires a change here.
Emil: I have something in mind and am getting around to it
Nina: we have some internal tests that exercise this behaviour. This would be a browser bug, not a functional issue
AGL to close with followup comment
Consensus that this is a real issue and we'll draft a PR to fix it
ACTION: Nina to read through 1984 (the pull request, not the dystopian novel)
ACTION: Remind Arnar to follow up with this post-FIDO Plenary
Tony to follow up
Nick: I'll follow up on this
Issue Backlog Combing
John: Spec-wise, we still don't spell out the behavior in the spec here, but we now provide an AAGUID and strip it out for hardware keys
AGL: so the spec change needed is "zero out the AAGUID in the case of non-platform authenticators?"
John, who would have a lot of additional work if he were to write said PR: yes
Shane: I think it's great that platform providers provide an AAGUID, but I don't know if it matters whether it gets 0'd out or not. If I request att = none, and I got back an AAGUID == 000s, I wouldn't care, because I don't need both
AGL: The identity of the platform authenticator was a foregone conclusion; things are evolving so that only the identity of the hardware key is a foregone conclusion
Shane: isn't it okay to say, if att = none, 0 it out?
Matthew: we lose our ability to hint
Nick: I want to show an identifier
Tim: if you as an RP are making changes to an authenticator, then you're probably asking for attestation. What do we want to give guidance to do? Request direct?
Shane: If I really want an AAGUID i'll just request direct
Matthew: that adds additional friction
i.e. an additional warning modal for cross-platform authenticators
Discussion around attestation and identifying providers, hardware keys, and platforms
Discussion around prioritizing this value
ACTION: agl to write a pull request to discuss in 2 weeks
Shane: I thought the decision was "if an RP requested enterprise, but the authenticator couldn't provide it, it would provide direct attestation"
Discussion that this would be higher priority than the AAGUID work
Emil: chrome and firefox people, please take note
This is a browser issue regarding CSS rendering?
Nina: could possibly ask Bikeshed maintainer about this
We tagged this issue open and then removed the PR; discussion followed
Emil: my opinion is that this feature wouldn't be impressive enough to motivate developing it further.
Matthew: I would like to discuss this in person at a face to face meeting
AGL: Tony might not be thrilled but we can discuss in two weeks
Discussion around April 19th IIW face to face
Straw polling for Identiverse vs IIW F2F
Nina: Great idea that no one has the time to do because it's low value
Matthew: you could achieve this with more efficient usage of AbortController in the client
i.e. the browsers
AGL: does anyone wish to fight for this issue?
None
AGL closes issue
Additional Topics
No meeting next week