Web Authentication WG
  • Past
  • Confirmed
  • Group Meetings

Meeting

Event details

Date:
Central European Summer Time
Status:
Confirmed
Location:
Giralda III, Level -2
Groups:
Web Authentication Working Group ( View calendar)
Participants:
Mike Fisk, Rew Islam, Jimmy Mooney, John Rochford, Swapneel Sheth, Tawanda Brandon Sibanda
Big meeting:
TPAC 2023 (Calendar)

Agenda

 View agenda

Here is the agenda for the 09/11/2023 W3C Web Authentication WG TPAC Meeting,

Select scribe please someone be willing to scribe so we can get down to the issues

  1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
  2. First Public Working Draft of Level 3 has now been published, https://www.w3.org/TR/webauthn-3/
  3. Joint session with WebPayments WG during TPAC
  4. PWG Update (John B.)
  5. We have 47 open issues, 25 of them have been tagged with the @RISK label, please review with the link below, if you don’t agree we will discuss as the first item on the agenda
    a. Issues · w3c/webauthn (github.com)
  6. W3c WebID proposal for authentication see WebID - W3C Wiki
  7. L3 WD01 open pull requests and open issues

Pull requests · w3c/webauthn (github.com)

  1. devicePubKey → supplementalPubKeys by agl · Pull Request #1957 · w3c/webauthn (github.com)
  2. Enterprise packed attestation guidance by dwaite · Pull Request #1954 · w3c/webauthn (github.com)
  3. Add packed attestation optional firmware version attribute by dwaite · Pull Request #1953 · w3c/webauthn (github.com)
  4. Initial text for conditional create by pascoej · Pull Request #1951 · w3c/webauthn (github.com)
  5. Recommend duration of challenge validity by emlun · Pull Request #1855 · w3c/webauthn (github.com)

Pull requests · w3c/webauthn · GitHub

  1. Add compound attestation format by timcappalli · Pull Request #1950 · w3c/webauthn (github.com)
  2. Fix inconsistent usage of options variable by Kieun · Pull Request #1948 · w3c/webauthn (github.com)
  3. Add importCryptoKey input to PRF extension by emlun · Pull Request #1945 · w3c/webauthn (github.com)
  4. Delete outdated note about checking registration UV with PRF extension by emlun · Pull Request #1944 · w3c/webauthn (github.com)
  5. Clarify distinction between PublicKeyCredentialUserEntity name and displayName by MasterKale · Pull Request #1932 · w3c/webauthn (github.com)
  6. Clarify TPM attestation verification instructions by sbweeden · Pull Request #1926 · w3c/webauthn (github.com)
  7. Add new getClientCapabilities method by timcappalli · Pull Request #1923 · w3c/webauthn (github.com)
  8. Add userDisplayName and vendorDisplayName to credProps by emlun · Pull Request #1880 · w3c/webauthn · GitHub

Issues · w3c/webauthn (github.com)

  1. Describe firmware OID usage in packed attestation · Issue #1952 · w3c/webauthn (github.com)
  2. Non-modal registration during conditional assertion · Issue #1929 · w3c/webauthn (github.com)
  3. Allow desired attestation format to be an ordered list · Issue #1917 · w3c/webauthn (github.com)
  4. Describe packed enterprise attestation · Issue #1916 · w3c/webauthn (github.com)
  5. Emphasize use of user.name for RP's to help users distinguish credentials · Issue #1852 · w3c/webauthn (github.com)
  6. Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn (github.com)
  7. Enforce backup eligibility during assertion · Issue #1791 · w3c/webauthn (github.com)
  8. Facility for an RP to indicate a change of displayName to a discoverable credential · Issue #1779 · w3c/webauthn (github.com)
  9. Should enterprise attestation support be flagged explicitly? · Issue #1742 · w3c/webauthn · GitHub
  10. Discussing mechanisms for enterprise RP's to enforce bound properties of credentials · Issue #1739 · w3c/webauthn · GitHub
  11. Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn · GitHub
  12. Update top level use cases to account for multi-device credentials · Issue #1720 · w3c/webauthn · GitHub
  13. Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn · GitHub
  14. RP operations: some extension processing may assume that the encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub
  15. Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn (github.com)
  16. Switch to permissive copyright license? · Issue #1705 · w3c/webauthn (github.com)
  17. Platform Errors for attestations. · Issue #1697 · w3c/webauthn (github.com)
  18. Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)
  19. Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn · GitHub
  20. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
  21. Cross-origin credential creation in iframes · Issue #1656 · w3c/webauthn (github.com)
  22. Trailing position of metadata · Issue #1646 · w3c/webauthn (github.com)
  23. [Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn (github.com)
  24. Mechanism for encoding direction metadata may need more work · Issue #1644 · w3c/webauthn (github.com)
  25. Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn (github.com)
  26. Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn (github.com)
  27. U+ notation incorrect · Issue #1641 · w3c/webauthn (github.com)
  28. Syncing Platform Keys, Recoverability and Security levels · Issue #1640 · w3c/webauthn (github.com)
  29. Possible experiences in a future WebAuthn · Issue #1637 · w3c/webauthn (github.com)
  30. reference CTAP2.1 PS spec and fix broken link · Issue #1635 · w3c/webauthn (github.com)
  31. Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com)
  32. CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn (github.com)
  33. Support for remote desktops · Issue #1577 · w3c/webauthn (github.com)
  34. Prevent browsers from deleting credentials that the RP wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)
  35. Support a "create or get [or replace]" credential re-association operation · Issue #1568 · w3c/webauthn (github.com)
  36. Adding info about HSTS for the RPID to client Data. · Issue #1554 · w3c/webauthn (github.com)
  37. Making PublicKeyCredentialDescriptor.transports mandatory · Issue #1522 · w3c/webauthn (github.com)
  38. cleanup <pre class=anchors> and use <pre class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn (github.com)
  39. Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn (github.com)
  40. Adding info about HSTS for the RPID to client Data. · Issue #1554 · w3c/webauthn (github.com)
  41. Requesting properties of created credentials. · Issue #1449 · w3c/webauthn (github.com)
  42. More explicitly document use cases · Issue #1389 · w3c/webauthn (github.com)
  43. Addition of a network transport · Issue #1381 · w3c/webauthn (github.com)
  44. Minor cleanups from PR 1270 review · Issue #1291 · w3c/webauthn (github.com)
  45. Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn (github.com)
  46. add feature detection blurb... · Issue #1208 · w3c/webauthn (github.com)
  47. think about adding note wrt how client platform might obtain authenticator capabilities · Issue #1207 · w3c/webauthn (github.com)
  48. Update name, displayname and icon for RP and user · Issue #1200 · w3c/webauthn (github.com)
  49. export definitions? · Issue #1049 · w3c/webauthn (github.com)
  50. ReIssues · w3c/webauthn (github.com)covering from Device Loss · Issue #931 · w3c/webauthn (github.com)
  51. undefined terms and terms we really ought to define · Issue #462 · w3c/webauthn (github.com)

Issues · w3c/webauthn · GitHub

  1. PublicKeyCredentialJSON is an invalid WebIDL construct · Issue #1958 · w3c/webauthn (github.com)

  2. [[preventSilentAccess]] seems incorrect · Issue #1956 · w3c/webauthn (github.com)

  3. make username fields optional (do not delete them, but do not force their usage, either, which is hostile against usernameless services) · Issue #1942 · w3c/webauthn (github.com)

  4. The default value of attestation member in PublicKeyCredentialRequestOptions should be null or must not have default value · Issue #1941 · w3c/webauthn (github.com)

  5. Remove isPPAA() and expand getClientCapabilities() · Issue #1937 · w3c/webauthn (github.com)

  6. Indicate that the credential could be backed up and restored, but not synchronized · Issue #1933 · w3c/webauthn (github.com)

  7. Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn (github.com)

  8. Misaligned steps in Section 7.2 · Issue #1913 · w3c/webauthn (github.com)

  9. Clarify browser behavior when an authenticators return equivalent of "InvalidStateError" · Issue #1888 · w3c/webauthn (github.com)

  10. Clarify how to differentiate between exceptions · Issue #1859 · w3c/webauthn (github.com)

  11. Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn (github.com)

  12. Allow conditional and modal flows to run simultaneously · Issue #1854 · w3c/webauthn (github.com)

  13. "android-key" and "android-safetynet" are really basic attestation type support? · Issue #1819 · w3c/webauthn (github.com)

  14. Dependencies section is out of date and duplicates terms index · Issue #1797 · w3c/webauthn (github.com)

  15. Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1 · Issue #1795 · w3c/webauthn (github.com)

  16. Better specify what an unknown type credential descriptor being ignored means · Issue #1748 · w3c/webauthn (github.com)

  17. Spec abstract is out of date on the eve of multi-device credentials and cross-device auth · Issue #1743 · w3c/webauthn (github.com)

  18. Cross origin authentication without iframes (accommodating SPC in WebAuthn) · Issue #1667 · w3c/webauthn · GitHub

  19. Other open issues

  20. Adjourn

Minutes

 Read minutes

Export options

Personal Links

Please log in to export this event with all the information you have access to.

Public Links

The following links do not contain any sensitive information and can be shared publicly.

Feedback

Report feedback and issues on GitHub.