- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Wed, 2 Nov 2022 12:11:54 -0400
- To: nadalin@prodigy.net, 'W3C Web Authn WG' <public-webauthn@w3.org>, 'John Fontana' <jfontana@yubico.com>, "'Phillips, Addison'" <addison@lab126.com>, 'Christiaan Brand' <cbrand@google.com>, 'Ian Jacobs' <ij@w3.org>

With apologies from the chairs, today's meeting is cancelled.

--Wendy

On 11/1/22 18:13, nadalin@prodigy.net wrote:
> Here is the agenda for the 11/02/2022 W3C Web Authentication WG Meeting,
> that will take place as a 60 minute teleconference. Remember call is at NOON
> PDT
>
> Select scribe please someone be willing to scribe so we can get down to the
> issues
>
> 1. Here is the link to the Level 2 Webauthn Recommendation
>    https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
> 2. First Public Working Draft of Level 3 has now been published,
>    https://www.w3.org/TR/webauthn-3/
> 3. Publish WD01 Discussion
> 4. SPWG Update (John B.)
> 5. L3 WD01 open pull requests and open issues
>
> Pull requests
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-01>
>
> 1. Fix incorrectly described reference to attStmt formats registry by emlun
>    <https://github.com/w3c/webauthn/pull/1814>
> 2. Improve guidance around using UV by emlun
>    <https://github.com/w3c/webauthn/pull/1774>
>
> Pull requests
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>
> 1. Give flag items in credential record more descriptive names by emlun
>    <https://github.com/w3c/webauthn/pull/1813>
> 2. Use credential record abstraction in devicePubKey extension by emlun
>    <https://github.com/w3c/webauthn/pull/1812>
> 3. Allow for credential creation in a cross-origin iframe by stephenmcgruer
>    <https://github.com/w3c/webauthn/pull/1801>
>
> Issues
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-01>
>
> 1. Prescriptive behaviours for Autofill UI
>    <https://github.com/w3c/webauthn/issues/1800>
> 2. Enforce backup eligibility during assertion
>    <https://github.com/w3c/webauthn/issues/1791>
> 3. Facility for an RP to indicate a change of displayName to a
>    discoverable credential
>    <https://github.com/w3c/webauthn/issues/1779>
> 4. Which "pubKeyCredParams" to use?
>    <https://github.com/w3c/webauthn/issues/1757>
> 5. Conditional Mediation feature discovery should really return a promise
>    <https://github.com/w3c/webauthn/issues/1745>
> 6. Should enterprise attestation support be flagged explicitly?
>    <https://github.com/w3c/webauthn/issues/1742>
> 7. Attestation on Get Assertion
>    <https://github.com/w3c/webauthn/issues/1741>
> 8. Discussing mechanisms for enterprise RP's to enforce bound
>    properties of credentials
>    <https://github.com/w3c/webauthn/issues/1739>
> 9. Provide passwordless example, or update 1.3.2. to be a passwordless
>    example
>    <https://github.com/w3c/webauthn/issues/1735>
> 10. Update top level use cases to account for multi-device credentials
>     <https://github.com/w3c/webauthn/issues/1720>
> 11. Public Key Credential Source and Extensions
>     <https://github.com/w3c/webauthn/issues/1719>
> 12. RP operations: some extension processing may assume that the
>     encompassing signature is valid
>     <https://github.com/w3c/webauthn/issues/1711>
> 13. Switch to permissive copyright license?
>     <https://github.com/w3c/webauthn/issues/1705>
> 14. should reference "attestation statement format" registry instead of
>     "extensions" registry
>     <https://github.com/w3c/webauthn/issues/1689>
> 15. Should an RP be able to provide finer grained authenticator
>     filtering in attestation options?
>     <https://github.com/w3c/webauthn/issues/1688>
> 16. Provide request deserialization, response serialization
>     <https://github.com/w3c/webauthn/issues/1683>
> 17. Lookup Credential Source by Credential ID Algorithm returns
>     sensitive data such as the credential private key
>     <https://github.com/w3c/webauthn/issues/1678>
> 18. Synced Credentials
>     <https://github.com/w3c/webauthn/issues/1665>
> 19. Cross-origin credential creation in iframes
>     <https://github.com/w3c/webauthn/issues/1656>
> 20. Trailing position of metadata
>     <https://github.com/w3c/webauthn/issues/1646>
> 21. [Editorial] Truncation description inaccurate
>     <https://github.com/w3c/webauthn/issues/1645>
> 22. Mechanism for encoding *direction* metadata may need more work
>     <https://github.com/w3c/webauthn/issues/1644>
> 23. Use of in-field metadata not preferred
>     <https://github.com/w3c/webauthn/issues/1643>
> 24. Unicode "tag" characters are deprecated for language tagging
>     <https://github.com/w3c/webauthn/issues/1642>
> 25. U+ notation incorrect
>     <https://github.com/w3c/webauthn/issues/1641>
> 26. Syncing Platform Keys, Recoverability and Security levels
>     <https://github.com/w3c/webauthn/issues/1640>
> 27. reference CTAP2.1 PS spec and fix broken link
>     <https://github.com/w3c/webauthn/issues/1635>
> 28. Missing Test Vectors
>     <https://github.com/w3c/webauthn/issues/1633>
> 29. CollectedClientData.crossOrigin default value and whether it is
>     required
>     <https://github.com/w3c/webauthn/issues/1631>
> 30. Support for remote desktops
>     <https://github.com/w3c/webauthn/issues/1577>
> 31. Prevent browsers from deleting credentials that the RP wanted to be
>     server-side
>     <https://github.com/w3c/webauthn/issues/1569>
> 32. Support a "create or get [or replace]" credential re-association
>     operation
>     <https://github.com/w3c/webauthn/issues/1568>
> 33. Questions about user handle when supporting usernameless
>     <https://github.com/w3c/webauthn/issues/1559>
> 34. Move step 16 of Registration to between 21 and 22
>     <https://github.com/w3c/webauthn/issues/1555>
> 35. Adding info about HSTS for the RPID to client Data.
>     <https://github.com/w3c/webauthn/issues/1554>
> 36. Add support for non-modal UI
>     <https://github.com/w3c/webauthn/issues/1545>
> 37. Making PublicKeyCredentialDescriptor.transports mandatory
>     <https://github.com/w3c/webauthn/issues/1522>
> 38. double check whether the Secure Payment Confirmation effort has
>     implications on the WebAuthn spec
>     <https://github.com/w3c/webauthn/issues/1492>
> 39. cleanup <pre class=anchors> and use <pre class="link-defaults"> as
>     appropriate
>     <https://github.com/w3c/webauthn/issues/1489>
> 40. Regarding the issue of Credential ID exposure (13.5.6), from what
>     perspective should RP compare RK and NRK and which should be adopted?
>     <https://github.com/w3c/webauthn/issues/1484>
> 41. Personal information updates & webauthn
>     <https://github.com/w3c/webauthn/issues/1456>
> 42. Requesting properties of created credentials.
>     <https://github.com/w3c/webauthn/issues/1449>
> 43. More explicitly document use cases
>     <https://github.com/w3c/webauthn/issues/1389>
> 44. Addition of a network transport
>     <https://github.com/w3c/webauthn/issues/1381>
> 45. Minor cleanups from PR 1270 review
>     <https://github.com/w3c/webauthn/issues/1291>
> 46. Clearly define the way how RP handles the extensions
>     <https://github.com/w3c/webauthn/issues/1258>
> 47. add feature detection blurb...
>     <https://github.com/w3c/webauthn/issues/1208>
> 48. think about adding note wrt how client platform might obtain
>     authenticator capabilities
>     <https://github.com/w3c/webauthn/issues/1207>
> 49. Update name, displayname and icon for RP and user
>     <https://github.com/w3c/webauthn/issues/1200>
> 50. export definitions?
>     <https://github.com/w3c/webauthn/issues/1049>
> 51. Recovering from Device Loss
>     <https://github.com/w3c/webauthn/issues/931>
> 52. undefined terms and terms we really ought to define
>     <https://github.com/w3c/webauthn/issues/462>
>
> Issues
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>
> 1. "android-key" and "android-safetynet" are really basic attestation
>    type support?
>    <https://github.com/w3c/webauthn/issues/1819>
> 2. Is there a way to store user secret key in the authenticator
>    with/without an extension?
>    <https://github.com/w3c/webauthn/issues/1818>
> 3. Variable reference issue in DPK processing rules
>    <https://github.com/w3c/webauthn/issues/1817>
> 4. Possibility to filter displayed authenticators by certified level
>    <https://github.com/w3c/webauthn/issues/1816>
> 5. Requirements for security of MDC, DPK and attestation
>    <https://github.com/w3c/webauthn/issues/1808>
> 6. Clarity on challenge length
>    <https://github.com/w3c/webauthn/issues/1803>
> 7. Dependencies section is out of date and duplicates terms index
>    <https://github.com/w3c/webauthn/issues/1797>
> 8. Enterprise attestation is a bool in WebAuthn and an Int in CTAP2.1
>    <https://github.com/w3c/webauthn/issues/1795>
> 9. Credential discovery is unclear
>    <https://github.com/w3c/webauthn/issues/1789>
> 10. Split the standard by focus driven use cases.
>     <https://github.com/w3c/webauthn/issues/1751>
> 11. How to declare that a registration only awaits for a Security Key?
>     <https://github.com/w3c/webauthn/issues/1750>
> 12. Better specify what an unknown type credential descriptor being
>     ignored means
>     <https://github.com/w3c/webauthn/issues/1748>
> 13. Use aPAKE/OPAQUE for FIDO multi-device credentials (PassKey)
>     <https://github.com/w3c/webauthn/issues/1747>
> 14. Spec abstract is out of date on the eve of multi-device credentials
>     and cross-device auth
>     <https://github.com/w3c/webauthn/issues/1743>
> 15. Cross origin authentication without iframes (accommodating SPC in
>     WebAuthn)
>     <https://github.com/w3c/webauthn/issues/1667>
>
> 4. Other open issues
>
> 5. Adjourn
>
> Because of toll fraud issues MIT has been experiencing, I've been asked to
> change our call coordinates and password and, as an ongoing thing, not
> distribute the call coordinates publicly. That means not including the WebEx
> call number or URL in our agendas or minutes.
>
> You can find the new call coordinates at this link, accessible with your W3C
> member login credentials.
>
> https://www.w3.org/2016/01/webauth-password.html

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead and Counsel, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/ +1.617.863.0613 (mobile)

Received on Wednesday, 2 November 2022 16:12:01 UTC