Re: 09/08/2021 W3C Web Authentication Meeting

Thanks, Tony. I’ll join at 12:30 (PT) so if we can hold off on SPC until
then, it’d be great.

On Tue, Sep 7, 2021 at 19:05 <nadalin@prodigy.net> wrote:

>
>
> Here is the agenda for the 09/08/2021 W3C Web Authentication WG Meeting,
> which will take place as a 60-minute teleconference. Remember, the call is
> at NOON PDT.
>
>
>
> Select scribe: please, someone be willing to scribe so we can get down to
> the issues.
>
>
>
>    1. Here is the link to the Level 2 WebAuthn Recommendation
>    https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
>    2. First Public Working Draft of Level 3 has now been published,
>    https://www.w3.org/TR/webauthn-3/
>
>
>    1. 2021 TPAC 18-22 October: Breakout sessions; 25-29 October: Groups
>    and Joint Meetings (John Fontana)
>    2. SPWG Update (John or Jeff)
>    3. Draft Charter
>    https://w3c.github.io/charter-drafts/2021/webauthn-2021.html
>    4. Christiaan Brand’s Presentation (continued)
>    5. L3 WD01 open pull requests and open issues
>
>
>
> Pull requests · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-01>
>
>    1. Clarify, simplify and align parameter descriptions by emlun · Pull
>    Request #1621 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1621>
>    2. conditional UI via mediation by equalsJeffH · Pull Request
>    #1576 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1576>
>    3. Add recovery extension by emlun · Pull Request #1425 ·
>    w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1425>
>    4. Ask for tests for normative changes in CONTRIBUTING.md by
>    foolip · Pull Request #653 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/653>
>
>
>
> Pull requests · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>
>    1. Define 1024 bytes to be the maximum credential ID length. by agl ·
>    Pull Request #1664 · w3c/webauthn · GitHub
>    <https://github.com/w3c/webauthn/pull/1664>
>    2. device public key extension by equalsJeffH · Pull Request #1663 ·
>    w3c/webauthn · GitHub <https://github.com/w3c/webauthn/pull/1663>
>    3. Explicitly state that RPs cannot in general choose attestation
>    type/format by emlun · Pull Request #1660 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1660>
>
>
>
> Issues · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-01>
>
>    1. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
>    <https://github.com/w3c/webauthn/issues/1665>
>    2. Cross-origin credential creation in iframes · Issue #1656 ·
>    w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1656>
>    3. U+ notation incorrect · Issue #1641 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1641>
>    4. reference CTAP2.1 PS spec and fix broken link · Issue #1635 ·
>    w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1635>
>    5. Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1633>
>    6. CollectedClientData.crossOrigin default value and whether it
>    is required · Issue #1631 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1631>
>    7. Remove tokenBinding integration · Issue #1627 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1627>
>    8. Support for remote desktops · Issue #1577 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1577>
>    9. Prevent browsers from deleting credentials that the RP wanted
>    to be server-side · Issue #1569 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1569>
>    10. Support a "create or get [or replace]" credential
>    re-association operation · Issue #1568 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1568>
>    11. Questions about user handle when supporting usernameless ·
>    Issue #1559 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1559>
>    12. Move step 16 of Registration to between 21 and 22 · Issue
>    #1555 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1555>
>    13. Adding info about HSTS for the RPID to client Data. · Issue
>    #1554 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1554>
>    14. Add support for non-modal UI · Issue #1545 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1545>
>    15. Making PublicKeyCredentialDescriptor.transports mandatory ·
>    Issue #1522 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1522>
>    16. double check whether the Secure Payment Confirmation effort
>    has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1492>
>    17. cleanup <pre class=anchors> and use <pre
>    class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1489>
>    18. Regarding the issue of Credential ID exposure(13.5.6), from
>    what perspective should RP compare RK and NRK and which should be adopted?
>    · Issue #1484 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1484>
>    19. Move PRF Extension into its own specification · Issue #1462
>    · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1462>
>    20. Personal information updates & webauthn · Issue #1456 ·
>    w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1456>
>    21. Requesting properties of created credentials. · Issue #1449
>    · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1449>
>    22. PublicKeyCredentialParameters can't select curve (E.g.
>    ed448) · Issue #1446 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1446>
>    23. "privacy ca" term in images/fido-attestation-structures.svg
>    · Issue #1421 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1421>
>    24. More explicitly document use cases · Issue #1389 ·
>    w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1389>
>    25. Addition of a network transport · Issue #1381 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1381>
>    26. Minor cleanups from PR 1270 review · Issue #1291 ·
>    w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1291>
>    27. Specify authenticator attachment for authentication
>    operation · Issue #1267 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1267>
>    28. Clearly define the way how RP handles the extensions · Issue
>    #1258 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1258>
>    29. add feature detection blurb... · Issue #1208 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1208>
>    30. think about adding note wrt how client platform might obtain
>    authenticator capabilities · Issue #1207 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1207>
>    31. Update name, displayname and icon for RP and user · Issue
>    #1200 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1200>
>    32. export definitions? · Issue #1049 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1049>
>    33. Recovering from Device Loss · Issue #931 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/931>
>    34. undefined terms and terms we really ought to define · Issue
>    #462 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/462>
>
>
>
> Issues · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>
>    1. Cross origin authentication without iframes · Issue #1667 ·
>    w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1667>
>    2. Assertion Transports on Authentication Success · Issue #1666 ·
>    w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1666>
>    3. Choosing An Attestation Statement Format? · Issue #1659 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1659>
>    4. Device-bound key extension · Issue #1658 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1658>
>    5. Update URL to FIDO registry · Issue #1657 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1657>
>    6. Trailing position of metadata · Issue #1646 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1646>
>    7. [Editorial] Truncation description inaccurate · Issue #1645 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1645>
>    8. Mechanism for encoding *direction* metadata may need more work ·
>    Issue #1644 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1644>
>    9. Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1643>
>    10. Unicode "tag" characters are deprecated for language tagging ·
>    Issue #1642 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1642>
>    11. Syncing Platform Keys, Recoverability and Security levels · Issue
>    #1640 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1640>
>    12. Possible experiences in a future WebAuthn · Issue #1637 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1637>
>    13. Managing FIDO keys · Issue #1612 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1612>
>
>
>
> 4.   Other open issues
>
> 5.   Adjourn
>
> Because of toll fraud issues MIT has been experiencing, I've been asked to
> change our call coordinates and password and, as an ongoing thing, not
> distribute the call coordinates publicly. That means not including the
> WebEx call number or URL in our agendas or minutes.
>
>
>
> You can find the new call coordinates at this link, accessible with your
> W3C member login credentials.
>
> https://www.w3.org/2016/01/webauth-password.html
>

Received on Wednesday, 8 September 2021 15:03:38 UTC