17:51:04 RRSAgent has joined #webauthn 17:51:09 logging to https://www.w3.org/2025/06/04-webauthn-irc 17:51:49 zakim, start meeting 17:51:49 RRSAgent, make logs Public 17:51:50 RRSAgent, make logs Pubilc 17:51:50 Meeting: Web Authentication 17:51:51 Meeting: Web Authentication WG 17:52:00 Chair: Tony 18:00:23 addison has joined #webauthn 18:00:45 present+ Addison(I18N) 18:04:27 present+ addison, tony, nina, david, simone 18:05:28 present+ bjorn, pascoe 18:10:18 Topic: Meetings 18:10:19 Tony: June 25 canceled, we have TPAC in November 18:10:19 Topic: Internationalization Review 18:10:19 Tony: Thank you, Addison, for joining. we discussed the issue @@ 18:10:20 Nina: At TPAC, we talked about internationalization of names and display names 18:10:20 ... We should have language and direction, now we have a PR that makes this change 18:10:20 Addison: we're not happy to see a custom serialization scheme to encode the language and direction in the string value. This was from L2, and we strongly recommend to not creating another one, and we recommend metadata fields associated with strings, even if at a cost of complexity, and also difficulties in changing the actual situation 18:12:07 Nina: In these specs, we have different actors: Browsers, Authenticators, and RPs. Adding these features isn't easy with the current status quo. Authenticators don't display it. 18:13:04 Addison: in this situation, it can be optional 18:13:04 Nina: this change can be an issues not for RPs but for authenticators, which are security keys 18:15:37 Addison: We could make that case work if you write native code to the process, if it exists. 18:15:37 Nina: As a user agent, it can be put differently. Having extra fields, we cannot have support from authenticators. It is about compatibility with actual authenticators. We can support the direction, but for actual hardware these are just blobs 18:16:27 ... it is not possible to pass these data to the authenticators, so new fields will be filtered 18:17:04 Addison: Newer authenticators would be able to support it 18:18:04 Pascoe: I tested on the default Apple password credential manager, and it works 18:19:06 Addison: the issue is that if you have some arabic, you need metadata to tell the UA how to show them, not only if they are UNICODE. I have a video with a PoC 18:20:11 ... as the application does not introspect the strings 18:20:42 Nina: In some cases, this is processed by the UA 18:22:04 Addison: If you want to do things with the string, you don't need to look inside the string, just at the metadata. without introspecting the string 18:22:50 Jet: text is going to appear in the Browser UI or OS UI, and this is defined by the RP 18:23:50 Martin: I can't see how this can be implemented, e.g., putting the information in the field or in the metadata. the only difference I see in these two approaches: one is back-compatible, the another one no 18:24:00 s/Jet/Martin/ 18:25:41 Addison: The main point is that custom serialization is never made well, as we said at TPAC this is the better approach, even we didn't objected to the L2, when the issue was inserted 18:25:41 Martin: The problem is to add the metadata now with the existing infrastructure deployed 18:26:24 ... are we trading technical purity for actual use and helpfulness 18:26:28 ... ? 18:27:45 Addison: This can be useful for mapping things from one standard to the next using well-known structures. 18:27:45 Martin: I can see that 18:27:45 Addison: On the flip side, this is the internationalization format 18:28:10 Nina: going to the priority of consistency, if we would like the user first, we can have better user support 18:30:29 Addison: I want to make it easier for the future and the users of the standards to display, i.e., native render to text. I understand that making this change will require some work. But I suspect that the intent is to move the data around and maybe you don't have the good cycle for producing and consuming the metadata 18:31:42 ... if you say that this is the only mechanism in town, okay, but the UI will be cleaner? If we use metadata, yes, and we can provide examples of why you need it. Also, to avoid serialization 18:32:21 David: one of the point, if we consider deployed hardware, they have not space/support for that metadata 18:33:14 Addison: at this point, I would like to ask about what do you want to do? 18:33:52 Nina: The backward compatibility is a point, this will make this position clear but I don't like 18:34:09 s/I don't like /it is not to convince me/ 18:34:22 ... but a Group and other SDOs decisions 18:35:55 Addison: We already talked about on the technical side, if there is an issue within the ecosystem. It is something different. I can't promise that the review group will be happy 18:36:29 ... maybe my group would like to open an issue during transition 18:39:31 Tony: As per my understanding, the group feels that the implementations we have, and the user community, support legacy authenticators from L1 and L2 18:39:31 Martin: Things from 2014 still working 18:39:31 Tony: The main goal is to avoid people buying new authenticators. For the group is important to retain the user base. 18:39:31 Addison: It should not be a breaking change supporting optional fields (?) 18:39:33 David: We have some authenticators that support serialization. 18:39:33 Addison: New authenticators will support it, old authenticators will ignore these metadata fields 18:41:11 Martin: One thing is the web-facing API (i.e., creating usernames), in L3, we have the RP doing no serialization and not using serialization. The question is how to deal with the existing situation with metadata from the other entities. And also on the CTAP 18:42:13 Addison: Maybe a direct mapping between the encoded string and the new metadata 18:42:13 Martin: we need to check if this is possible, but the encoding will still exist 18:42:35 Pascoe: mapping can be straightforward, we can discuss it 18:43:08 Nina: We need to understand also with the RPs to avoid double encoding and avoid contradictions 18:43:51 Martin: This can be a breaking change, so a check from the RP side can be useful, e.g., ignore metadata 18:44:14 Addison: you can use the tag character to understand the situation 18:44:36 Tony: we can kept what we have now, and add the metadata, having both 18:46:19 ... anyone from Safari/Chrome? 18:46:45 Nina: good to simplify the string for the RP, we can think we have an avenue to pursuit. 18:47:23 Tony: I would not want to remove something that we then lose legacy authenticators, as there will be some 18:47:53 Martin: maybe we can do thius conversion at User agent level, even if add complexity, and is a big change for L3 18:48:32 Tony: we should discuss as a group 18:48:32 Martin: talking with the group and other SDOs (i.e., native platforms, as they will not change) 18:48:52 Tony: we need to talk also with Password Managers 18:49:26 Martin: also iOS and Android, on how they implemented internationalization issues 18:49:38 .. but yes, maybe this can be an avenue 18:50:03 Pascoe: translation is straightforward, we can maybe implement and use the same for the Platform API 18:50:20 ... but I don't know if they would like to adopt this approach] 18:50:34 s/approach]/approach/ 18:51:09 Addison: some Native API already have the option to provide direction 18:51:21 ... happy to discuss more, if needed 18:52:25 Addison: We're here to help you ship, do the right thing, and not to keep you from shipping. Keep me updated, mentioning on GitHub, and we 18:52:39 s/, and we// 18:53:20 Nina: Thank you Addison, I appreciated 18:53:20 Pascoe: on, also for the discussion in async 18:53:32 Topic: 2298 18:54:01 Nina: I have some questions for Emul 18:54:20 ... Zach has some good points 18:54:47 ... on HMAC secret and we should fix the output also for backwards compatibility 18:55:31 ... we should check if this is a technical change even if they don't need to change their implementation 18:55:48 Tony: it depends if we need to put in L3 18:57:47 Topic: TAG Review 18:58:11 Simone: we have this request from them, maybe joining in their breakout session https://github.com/w3ctag/design-reviews/issues/1085#issuecomment-2940888464 19:00:01 ... we'll join in a TAG breakout session 19:00:16 present+ Mike 19:00:20 [adjourned] 19:00:24 RRSagent, draft minutes 19:00:26 I have made the request to generate https://www.w3.org/2025/06/04-webauthn-minutes.html simone