Meeting minutes
SPC BBKs
Ian: I see that both Stephen and I have expressed support for pull request #330, which modifies the BBK requirements document based on recent discussions in issue 321.
John: Me too
Darwin: Does this mean there also need to be edits to the SPC specification?
Ian: I think we said in previous discussions that a more explicit note would be useful for the spec.
Stephen: Reasonable to do a pull request to make it explicit in the SPC section on BBKs.
Stephen: I think it's implicit that there's one BBK per passkey, but we could spell out the implication that this BBK will not be associated with another passkey.
ACTION: John to investigate creating a pull request to align with the new BBK requirement description.
Ian: Should we link to the reqs doc from the spec?
Stephen: Not common to do.
John: From a readability perspective, it could be a note with a link to the requirements.
(We agree to merge pull request 330, which was done during the call.)
Ian: Anything in the Chrome implementation to do?
Stephen: I don't think so.
SPC and WebAuthn extensions
(Relates to Issue 326 on SPC and extensions that could expose private relying party sign-in data; see pull request 332.)
Stephen: WebAuthn extensions with SPC may create privacy and security issues.
… third parties can have access to private data
… we have identified one that should not be available to non-RP callers of SPC.
… the proposal is to bar third parties from specifying some extensions
… is there anyone who needs to use an extension as a third party?
… most extensions are used at registration time, so that's not as relevant for SPC
… we are unable to identify any extensions that are useful and safe at the same time
… so the proposal is that non-RPs cannot use webauthn extensions in SPC authentication
Sami: I'm not aware of any necessary extensions from a 3DS perspective.
… I can ask the 3DS WG
Stephen: We want to move quickly on this.
Sami: I can get back to you soon.
Stephen: In the future we could make another change to include an allow list.
ACTION: Sami to get back to Stephen re: any WebAuthn extensions needed with SPC from 3DS WG perspective.
ACTION: Bjorn to also review pull request 332 and provide feedback.
SPC and roaming authenticators
Ian: Stephen asked a number of questions based on Bjorn's roaming authenticator requirements described in issue #12
Stephen: I need some more time on this topic. I need to draw up "what this would look like from a UX perspective" if we support authenticators that may or may not be immediately available.
… this is a good opportunity to make SPC align more with how web authentication actually works.
… revisiting this is valuable but I need to look more into user journeys
ACTION: Stephen to draw up user journeys for roaming authenticators, taking into account how web authentication actually works today
ACTION: Bjorn to start answering some of the questions in the GitHub issue raised by Stephen.
(We'll come back to this at the 2 July meeting.)
AI/Ecommerce Workshop reminder
Ian: W3C has announced the Workshop: E-commerce for Humans and AI Agents, which will take place 8-9 September in Zurich. Hybrid participation will be possible. Please see how to participate.
Bjorn: Is the scope of the workshop clearly defined?
… work is happening in a variety of places around Agentic
Ian: Please add suggestions to the open issue for how to ensure that people don't jump immediately into solutions.
Next meeting
2 July