10/05/2022 W3C Web Authentication Meeting

Here is the agenda for the 10/05/2022 W3C Web Authentication WG Meeting,
that will take place as a 60 minute teleconference. Remember call is at NOON
PDT

 

Select scribe please someone be willing to scribe so we can get down to the
issues

 

1.	Here is the link to the Level 2 Webauthn Recommendation
https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
2.	First Public Working Draft of Level 3 has now been published,
https://www.w3.org/TR/webauthn-3/
3.	Publish WD01 Discussion 

4.	SPWG Update (John B.)
5.	L3 WD01 open pull requests and open issues

 

Pull requests
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD
-01> . w3c/webauthn (github.com)

1.	Move state updates to last in RP verification steps by emlun
<https://github.com/w3c/webauthn/pull/1807> . Pull Request #1807 .
w3c/webauthn (github.com)
2.	Fix incorrect use of options variable: extract signal and mediation
attributes first by emlun  <https://github.com/w3c/webauthn/pull/1806> .
Pull Request #1806 . w3c/webauthn (github.com)
3.	Fix incorrect use of options variable: rename to pkOptions by emlun
<https://github.com/w3c/webauthn/pull/1805> . Pull Request #1805 .
w3c/webauthn (github.com)
4.	Replace obsolete RFC8152 with RFC9052 and RFC9053 by emlun
<https://github.com/w3c/webauthn/pull/1804> . Pull Request #1804 .
w3c/webauthn (github.com)
5.	Fix broken cross-spec references by emlun
<https://github.com/w3c/webauthn/pull/1796> . Pull Request #1796 .
w3c/webauthn (github.com)
6.	Improve guidance around using UV by emlun
<https://github.com/w3c/webauthn/pull/1774> . Pull Request #1774 .
w3c/webauthn (github.com)
7.	device public key extension by equalsJeffH
<https://github.com/w3c/webauthn/pull/1663> . Pull Request #1663 .
w3c/webauthn . GitHub

 

Pull requests
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone> .
w3c/webauthn . GitHub

1.	Conditional request allowList credential filtering by nsatragno
<https://github.com/w3c/webauthn/pull/1810> . Pull Request #1810 .
w3c/webauthn (github.com)
2.	Allow for credential creation in a cross-origin iframe by
stephenmcgruer  <https://github.com/w3c/webauthn/pull/1801> . Pull Request
#1801 . w3c/webauthn (github.com)
3.	Fix dangling language in WebAuthn Extensions section by emlun
<https://github.com/w3c/webauthn/pull/1768> . Pull Request #1768 .
w3c/webauthn . GitHub

Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL
3-WD-01> . w3c/webauthn (github.com)

1.	Bikeshed build failing
<https://github.com/w3c/webauthn/issues/1802> . Issue #1802 . w3c/webauthn
(github.com)
2.	Prescriptive behaviours for Autofill UI
<https://github.com/w3c/webauthn/issues/1800> . Issue #1800 . w3c/webauthn
(github.com)
3.	Enforce backup eligibility during assertion
<https://github.com/w3c/webauthn/issues/1791> . Issue #1791 . w3c/webauthn
(github.com)
4.	Facility for an RP to indicate a change of displayName to a
discoverable credential  <https://github.com/w3c/webauthn/issues/1779> .
Issue #1779 . w3c/webauthn (github.com)
5.	Which  <https://github.com/w3c/webauthn/issues/1757>
"pubKeyCredParams" to use? . Issue #1757 . w3c/webauthn (github.com)
6.	Conditional Mediation feature discovery should really return a
promise  <https://github.com/w3c/webauthn/issues/1745> . Issue #1745 .
w3c/webauthn . GitHub
7.	Should enterprise attestation support be flagged explicitly?
<https://github.com/w3c/webauthn/issues/1742> . Issue #1742 . w3c/webauthn .
GitHub
8.	Attestation on Get Assertion
<https://github.com/w3c/webauthn/issues/1741> . Issue #1741 . w3c/webauthn .
GitHub
9.	Inconsistencies in backup state flags
<https://github.com/w3c/webauthn/issues/1740> . Issue #1740 . w3c/webauthn .
GitHub
10.	Discussing mechanisms for enterprise RP's to enforce bound
properties of credentials  <https://github.com/w3c/webauthn/issues/1739> .
Issue #1739 . w3c/webauthn . GitHub
11.	Provide passwordless example, or update 1.3.2. to be a passwordless
example  <https://github.com/w3c/webauthn/issues/1735> . Issue #1735 .
w3c/webauthn . GitHub
12.	Update top level use cases to account for multi-device credentials
<https://github.com/w3c/webauthn/issues/1720> . Issue #1720 . w3c/webauthn .
GitHub
13.	Public Key Credential Source and Extensions
<https://github.com/w3c/webauthn/issues/1719> . Issue #1719 . w3c/webauthn .
GitHub
14.	RP operations: some extension processing may assume that the
encompassing signature is valid
<https://github.com/w3c/webauthn/issues/1711> . Issue #1711 . w3c/webauthn .
GitHub
15.	Split RP ops  <https://github.com/w3c/webauthn/issues/1710>
"Registering a new credential" into one with and one without attestation .
Issue #1710 . w3c/webauthn . GitHub
16.	Switch to permissive copyright license?
<https://github.com/w3c/webauthn/issues/1705> . Issue #1705 . w3c/webauthn
(github.com)
17.	Platform Errors for attestations.
<https://github.com/w3c/webauthn/issues/1697> . Issue #1697 . w3c/webauthn
(github.com)
18.	should reference  <https://github.com/w3c/webauthn/issues/1689>
"attestation statement format" registry instead of "extensions" registry .
Issue #1689 . w3c/webauthn . GitHub
19.	Should an RP be able to provide finer grained authenticator
filtering in attestation options?
<https://github.com/w3c/webauthn/issues/1688> . Issue #1688 . w3c/webauthn
(github.com)
20.	Provide request deserialization, response serialization
<https://github.com/w3c/webauthn/issues/1683> . Issue #1683 . w3c/webauthn
(github.com)
21.	Lookup Credential Source by Credential ID Algorithm returns
sensitive data such as the credential private key
<https://github.com/w3c/webauthn/issues/1678> . Issue #1678 . w3c/webauthn .
GitHub
22.	Synced Credentials  <https://github.com/w3c/webauthn/issues/1665> .
Issue #1665 . w3c/webauthn . GitHub
23.	Device-bound key extension
<https://github.com/w3c/webauthn/issues/1658> . Issue #1658 . w3c/webauthn
(github.com)
24.	Cross-origin credential creation in iframes
<https://github.com/w3c/webauthn/issues/1656> . Issue #1656 . w3c/webauthn
(github.com)
25.	Trailing position of metadata
<https://github.com/w3c/webauthn/issues/1646> . Issue #1646 . w3c/webauthn
(github.com)
26.	[Editorial] Truncation description inaccurate
<https://github.com/w3c/webauthn/issues/1645> . Issue #1645 . w3c/webauthn
(github.com)
27.	Mechanism for encoding *direction* metadata may need more work
<https://github.com/w3c/webauthn/issues/1644> . Issue #1644 . w3c/webauthn
(github.com)
28.	Use of in-field metadata not preferred
<https://github.com/w3c/webauthn/issues/1643> . Issue #1643 . w3c/webauthn
(github.com)
29.	Unicode  <https://github.com/w3c/webauthn/issues/1642> "tag"
characters are deprecated for language tagging . Issue #1642 . w3c/webauthn
(github.com)
30.	U+ notation incorrect  <https://github.com/w3c/webauthn/issues/1641>
. Issue #1641 . w3c/webauthn (github.com)
31.	Syncing Platform Keys, Recoverability and Security levels
<https://github.com/w3c/webauthn/issues/1640> . Issue #1640 . w3c/webauthn
(github.com)
32.	Possible experiences in a future WebAuthn
<https://github.com/w3c/webauthn/issues/1637> . Issue #1637 . w3c/webauthn
(github.com)
33.	reference CTAP2.1 PS spec and fix broken link
<https://github.com/w3c/webauthn/issues/1635> . Issue #1635 . w3c/webauthn
(github.com)
34.	Missing Test Vectors  <https://github.com/w3c/webauthn/issues/1633>
. Issue #1633 . w3c/webauthn (github.com)
35.	CollectedClientData.crossOrigin default value and whether it is
required  <https://github.com/w3c/webauthn/issues/1631> . Issue #1631 .
w3c/webauthn (github.com)
36.	Support for remote desktops
<https://github.com/w3c/webauthn/issues/1577> . Issue #1577 . w3c/webauthn
(github.com)
37.	Prevent browsers from deleting credentials that the RP wanted to be
server-side  <https://github.com/w3c/webauthn/issues/1569> . Issue #1569 .
w3c/webauthn (github.com)
38.	Support a  <https://github.com/w3c/webauthn/issues/1568> "create or
get [or replace]" credential re-association operation . Issue #1568 .
w3c/webauthn (github.com)
39.	Questions about user handle when supporting usernameless
<https://github.com/w3c/webauthn/issues/1559> . Issue #1559 . w3c/webauthn
(github.com)
40.	Move step 16 of Registration to between 21 and 22
<https://github.com/w3c/webauthn/issues/1555> . Issue #1555 . w3c/webauthn
(github.com)
41.	Adding info about HSTS for the RPID to client Data.
<https://github.com/w3c/webauthn/issues/1554> . Issue #1554 . w3c/webauthn
(github.com)
42.	Add support for non-modal UI
<https://github.com/w3c/webauthn/issues/1545> . Issue #1545 . w3c/webauthn
(github.com)
43.	Making PublicKeyCredentialDescriptor.transports mandatory
<https://github.com/w3c/webauthn/issues/1522> . Issue #1522 . w3c/webauthn
(github.com)
44.	double check whether the Secure Payment Confirmation effort has
implications on the WebAuthn spec
<https://github.com/w3c/webauthn/issues/1492> . Issue #1492 . w3c/webauthn
(github.com)
45.	cleanup  <https://github.com/w3c/webauthn/issues/1489> <pre
class=anchors> and use <pre class="link-defaults"> as appropriate . Issue
#1489 . w3c/webauthn (github.com)
46.	Regarding the issue of Credential ID exposure(13.5.6), from what
perspective should RP compare RK and NRK and which should be adopted?
<https://github.com/w3c/webauthn/issues/1484> . Issue #1484 . w3c/webauthn
(github.com)
47.	Move PRF Extension into its own specification
<https://github.com/w3c/webauthn/issues/1462> . Issue #1462 . w3c/webauthn
(github.com)
48.	Personal information updates
<https://github.com/w3c/webauthn/issues/1456> & webauthn . Issue #1456 .
w3c/webauthn (github.com)
49.	Requesting properties of created credentials.
<https://github.com/w3c/webauthn/issues/1449> . Issue #1449 . w3c/webauthn
(github.com)
50.	PublicKeyCredentialParameters can't select curve (E.g. ed448)
<https://github.com/w3c/webauthn/issues/1446> . Issue #1446 . w3c/webauthn
(github.com) 
51.	 <https://github.com/w3c/webauthn/issues/1421> "privacy ca" term in
images/fido-attestation-structures.svg . Issue #1421 . w3c/webauthn
(github.com)
52.	More explicitly document use cases
<https://github.com/w3c/webauthn/issues/1389> . Issue #1389 . w3c/webauthn
(github.com)
53.	Addition of a network transport
<https://github.com/w3c/webauthn/issues/1381> . Issue #1381 . w3c/webauthn
(github.com)
54.	Minor cleanups from PR 1270 review
<https://github.com/w3c/webauthn/issues/1291> . Issue #1291 . w3c/webauthn
(github.com)
55.	Specify authenticator attachment for authentication operation
<https://github.com/w3c/webauthn/issues/1267> . Issue #1267 . w3c/webauthn
(github.com)
56.	Clearly define the way how RP handles the extensions
<https://github.com/w3c/webauthn/issues/1258> . Issue #1258 . w3c/webauthn
(github.com)
57.	add feature detection blurb...
<https://github.com/w3c/webauthn/issues/1208> . Issue #1208 . w3c/webauthn
(github.com)
58.	think about adding note wrt how client platform might obtain
authenticator capabilities  <https://github.com/w3c/webauthn/issues/1207> .
Issue #1207 . w3c/webauthn (github.com)
59.	Update name, displayname and icon for RP and user
<https://github.com/w3c/webauthn/issues/1200> . Issue #1200 . w3c/webauthn
(github.com)
60.	export definitions?  <https://github.com/w3c/webauthn/issues/1049> .
Issue #1049 . w3c/webauthn (github.com)
61.	ReIssues  <https://github.com/w3c/webauthn/issues/931> .
w3c/webauthn (github.com)covering from Device Loss . Issue #931 .
w3c/webauthn (github.com)
62.	undefined terms and terms we really ought to define
<https://github.com/w3c/webauthn/issues/462> . Issue #462 . w3c/webauthn
(github.com)

 

Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat
%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone> . w3c/webauthn . GitHub

1.	Requirements for security of MDC, DPK and attestation
<https://github.com/w3c/webauthn/issues/1808> . Issue #1808 . w3c/webauthn
(github.com)
2.	Clarity on challenge length
<https://github.com/w3c/webauthn/issues/1803> . Issue #1803 . w3c/webauthn
(github.com)
3.	Dependencies section is out of date and duplicates terms index
<https://github.com/w3c/webauthn/issues/1797> . Issue #1797 . w3c/webauthn
(github.com)
4.	Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1
<https://github.com/w3c/webauthn/issues/1795> . Issue #1795 . w3c/webauthn
(github.com)
5.	Support Filtering by Username in Conditional UI
<https://github.com/w3c/webauthn/issues/1793> . Issue #1793 . w3c/webauthn
(github.com)
6.	Credential discovery is unclear
<https://github.com/w3c/webauthn/issues/1789> . Issue #1789 . w3c/webauthn
(github.com)
7.	Split the standard by focus driven use cases.
<https://github.com/w3c/webauthn/issues/1751> . Issue #1751 . w3c/webauthn
(github.com)
8.	How to declare that a registration only awaits for a Security Key?
<https://github.com/w3c/webauthn/issues/1750> . Issue #1750 . w3c/webauthn .
GitHub
9.	Better specify what an unknown type credential descriptor being
ignored means  <https://github.com/w3c/webauthn/issues/1748> . Issue #1748 .
w3c/webauthn (github.com)
10.	Use aPAKE/OPAQUE for FIDO multi-device credentials (PassKey)
<https://github.com/w3c/webauthn/issues/1747> . Issue #1747 . w3c/webauthn .
GitHub
11.	Spec abstract is out of date on the eve of multi-device credentials
and cross-device auth  <https://github.com/w3c/webauthn/issues/1743> . Issue
#1743 . w3c/webauthn . GitHub
12.	Cross origin authentication without iframes (accommodating SPC in
WebAuthn)  <https://github.com/w3c/webauthn/issues/1667> . Issue #1667 .
w3c/webauthn . GitHub

 

  

4.   Other open issues

5.   Adjourn

Because of toll fraud issues MIT has been experiencing, I've been asked to
change our call coordinates and password and, as an ongoing thing, not
distribute the call coordinates publicly. That means not including the WebEx
call number or URL in our agendas or minutes.

 

You can find the new call coordinates at this link, accessible with your W3C
member login credentials.

https://www.w3.org/2016/01/webauth-password.html
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.or
g%2F2016%2F01%2Fwebauth-password.html&data=04%7C01%7Ctonynad%40microsoft.com
%7C9cd59d2cfccb46b0986d08d82dcf4b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7
C0%7C637309715629125857%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi
V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rRnXdea9sqPx%2B7Z8fbc7bv
%2F5nY%2BLZStYSARGKVdH1pA%3D&reserved=0>  

 

 

 

 

Get Outlook for Android <https://aka.ms/ghei36> 

Received on Wednesday, 5 October 2022 01:37:41 UTC