W3C

– DRAFT –
WebAuthn WG weekly meeting

13 November 2024

Attendees

Present
Adam, Akshay, David_Turner, David_Waite, Emil, Jaimin, John, Lanchlan, Matthew, Michael_Jones, Mike, Monty, Nina, Pascoe, Simone, Sweeden, Tim, Tony
Regrets
-
Chair
Tony
Scribe
simone

Meeting minutes

Canceled Meetings

Tony: we're going to cancel meetings on 12/04/2024 and 12/25/2024

<nina> > Tony: we're going to cancel meetings on 12/04/2024 and 12/15/2024

<nina> didn't he say 25th? the 15th is a Sunday.

TPM Clarifications · w3c/webauthn

[Monty explained some concepts about migration]

Delete authenticatorDisplayName #2194

Adam: fine for me

Tim: it is the status quo

Pascoe: fine to me

Tony: if anyone has any issues, we can merge it

Clarify use creating and verifying TPM attestation statements. #2193

Sweeden: ok for me

Emil: approved

Update Use Cases for L3 by timcappalli · Pull Request #2139 · w3c/webauthn (github.com)

Tony: it is editorial, we can prioritize before January

Cleanup: Manual References by timcappalli · Pull Request #2111 · w3c/webauthn (github.com)

Tim: this one is the same. It is editorial and to be done later

Adam: we're going to create the L3 branch, if it is ok
… we need to check if all the PRs were applied to the correct branch

Emil: to solve it, I am going to merge main into L3

Drop outdated "Issue 1" from spec #2195

Tony: we agreed that this will be in L3

Mozilla feedback: Related Origins #2186

Tim: already merged

The authenticator may hide the credential even if the RP signals unknown credentials · Issue #2192 · w3c/webauthn

Nina: in general, the signal api cannot guarantee it. I can answer it but this will not change the spec

Tim: I agree with you. We should leave it as it is

Nina: ok I am going to comment, close and tag L3

Bit set by the SPC extension should backed up as part of the Public Key Credential Source · Issue #2153 · w3c/webauthn (github.com)

Tim: this is just a reminder to talk with SPC people, we can close it

Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used · Issue #2146 · w3c/webauthn (github.com)

Tony: is this still valid?

Matthew: I am not aware of any authenticator that fits into this scenario
… who wants to provide attestation when there is no attestation?

John: self-attestation doesn't have an AAGUID

Sweeden: for the purpose of RP trust, this has no meaning

John: do we have somewhere that authentication cannot return it?

Matthew: Is the PR 2150, but it is in the future

Akshay: move to the future is ok for me, with the PR mentioning it
… are both platform authenticators and security keys allowed to do that?

Tim: we decided no, but desire to yes

John: default behaviour should be an AAGUID

Tim: going to create a new issue for that
… but not committing on PR

John: can we say that the AAGUID must be 16 zero bytes?

Emil: removed for platform authentication specifically
… it was 2058

John: but it does not say what the default is

Akshay: it is on the IDL

Tim: [sharing screen] looking at the editor's draft as it was merged

Nina: this is to avoid fingerprinting of the key vendor

Tim: This is also for spec match

John: the word is for the dialog, as discussed at TPAC

Tim: created issue 2198 to describe the results of the discussion in the call

Tony: we can approve today or last week

Mike: ok I'll read it, approve and merge

Emil: I can do a quick PR to remove the sentence, to close 2146 or move to future?

Make AuthenticatorAttestationResponseJSON.publicKeyAlgorithm optional #2106

Tony: move to the future?

Emil: I can comment and close

Additional guidance or clarification on RP ID and origin validation #2059

Tim: future at this point

CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values #2056

Sweeden: something for browser vendors

Tony: in the future

<nina> I'll close #2192 during the next meeting, to give OP some time to respond.

Tony: we are going to close all the technical PRs

Any objection to publish a Working Draft, ask the Wide Review, then go to Candidate Recommendation?

Tony: as we all agree and there are no objections, we can go! We'll work on the editorial, and for the technical part, we'll have on L4

Minutes manually created (not a transcript), formatted by scribe.perl version 238 (Fri Oct 18 20:51:13 2024 UTC).

All speakers: Adam, Akshay, Emil, John, Matthew, Mike, Nina, Pascoe, Sweeden, Tim, Tony

Active on IRC: nina, simone