- From: Jeff Hodges <jdhodges@google.com>
- Date: Wed, 7 Aug 2019 11:45:12 -0700
- To: Anthony Nadalin <tonynad@microsoft.com>
- Cc: W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CAOt3QXuB66-kSeWHV_HUV2j1ve1o+xSGxzesPpN6pvsyFB-=tQ@mail.gmail.com>
On Tue, Aug 6, 2019 at 10:25 AM Anthony Nadalin <tonynad@microsoft.com> wrote:

> Here are the proposed charter updates (marked in red), please review as we
> will discuss on the WebAuthn call on 8/7/2019

some feedback on the proposed charter changes,

the below appears twice...

> ... the Same Origin Policy that is guided by the behavior of the Feature
> Policy that is in place at the time of the request..

Hm. Well, we already "relax" the Same Origin Policy by checking if the RP ID is a registrable domain suffix of or is equal to (that's a link) the origin <https://www.w3.org/TR/webauthn/#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised>'s effective domain <https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain>.

The feature policy usage is to allow for cross-origin iFrame usage of webauthn given the top-level browsing context's explicit permission.

This all qualifies as "respecting the SOP" it seems to me, but if we need to acknowledge relaxation, then perhaps we could say:

...the Same Origin Policy by default and allowing for explicit, constrained SOP relaxation.

..?

WRT...

> Level 2 Recommendation specification by 1Q2020 incorporating errata of Level 1
> Specification and additional authenticator selection criteria.

I'm not sure what "additional authenticator selection criteria" refers to, plus there's a number of Level 2 features we've added, see here:

<https://lists.w3.org/Archives/Public/public-webauthn/2019Jun/0248.html>
"PSA: Summary of new features in WebAuthn L2 FPWD relative to the WebAuthn Level 1 Recommendation <https://lists.w3.org/Archives/Public/public-webauthn/2019Jun/0248.html>"

> Web Payments Interest Group <https://www.w3.org/Payments/WG/> To liaison over
> issues related to strong authentication for payments and tokenization with
> FIDO, W3C and EMVCo

the link is incorrect, and the title ought to be WEB PAYMENT SECURITY INTEREST GROUP https://www.w3.org/securepay/

> Decentralized Identifier Working Group <https://www.w3.org/Payments/WG/> To
> liaison over issues related to strong authentication and proof of ownership
> of decentralized identifiers

the link is incorrect, should be: https://w3c-ccg.github.io/did-wg-charter/

plus that WG is only proposed, not yet approved, so this is contingent on approval -- or maybe we oughta link to the existing interest group?

HTH,

=JeffH
Received on Wednesday, 7 August 2019 18:46:02 UTC
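
The RP ID check referred to in the message above ("is a registrable domain suffix of or is equal to" the origin's effective domain), sketched as an added example that is not part of the original e-mail or of any browser's code. The function names are hypothetical, `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the sketch assumes an HTTPS origin and does not model the Feature Policy iframe case.

```javascript
// Constructed stand-in for the Public Suffix List; a real client consults the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Rough IP-literal test: dotted IPv4, or anything containing ":" (IPv6).
const isIpLiteral = (host) => /^\d+\.\d+\.\d+\.\d+$/.test(host) || host.includes(":");

// Longest known public suffix of host, or null if none matches.
function publicSuffixOf(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// Simplified form of the "registrable domain suffix of or is equal to" check.
function isRegistrableSuffixOrEqual(rpId, effectiveDomain) {
  const suffix = rpId.toLowerCase();
  const host = effectiveDomain.toLowerCase();
  if (suffix === "") return false;
  if (suffix === host) return true;               // exact match is always allowed
  if (isIpLiteral(suffix) || isIpLiteral(host)) return false;
  if (!host.endsWith("." + suffix)) return false; // must match on a label boundary
  const ps = publicSuffixOf(host);
  // An RP ID that is the public suffix itself, or only part of it, is rejected.
  if (ps !== null && (ps === suffix || ps.endsWith("." + suffix))) return false;
  return true;
}

// Validate a caller-supplied RP ID against the calling origin.
function rpIdAllowedForOrigin(rpId, origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false;    // assumption: no localhost exception
  return isRegistrableSuffixOrEqual(rpId, url.hostname);
}
```

The constrained nature of the relaxation shows in the rejections: a sibling host, a subdomain of the caller, and a bare public suffix are all refused as RP IDs.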