08/16/2023 W3C Web Authentication Meeting from nadalin@prodigy.net on 2023-08-16 (public-webauthn@w3.org from August 2023)

From: <nadalin@prodigy.net>
Date: Tue, 15 Aug 2023 17:50:13 -0700
To: "'W3C Web Authn WG'" <public-webauthn@w3.org>, "'John Fontana'" <jfontana@yubico.com>, "'Phillips, Addison'" <addison@lab126.com>, "'Christiaan Brand'" <cbrand@google.com>, "'Ian Jacobs'" <ij@w3.org>
Message-ID: <0a3001d9cfdb$9e58afa0$db0a0ee0$@prodigy.net>
 

Here is the agenda for the 08/16/2023 W3C Web Authentication WG Meeting,
that will take place as a 60 minute teleconference. Remember call is at 11AM
Pacific Time. Reminder that we will be using ZOOM from now on, please make
sure you go to Web Authentication bi-weekly (w3.org)
<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/202
30517T150000> 

 

. 

Select scribe please someone be willing to scribe so we can get down to the
issues

 

1.	Here is the link to the Level 2 Webauthn Recommendation
https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
2.	First Public Working Draft of Level 3 has now been published,
https://www.w3.org/TR/webauthn-3/
3.	New meeting schedule, weekly now alternating between 11AM PST and
NOON PST 
4.	Joint session with WebPayments WG during TPAC

5.	PWG Update (John B.)
6.	Next F2F at TPAC (TPAC 2023: Overview (w3.org)
<https://www.w3.org/2023/09/TPAC/> , early bird ends price has ended. See
TPAC 2023: Detailed schedule (w3.org)
<https://www.w3.org/2023/09/TPAC/schedule.html>  for schedule.
7.	We have 47 open issues, 25 of them have been tagged with the @RISK
label, please review with the link below, if you don't agree we will discuss
as the first item on the agenda 

a.	Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3A%40Ri
sk> . w3c/webauthn (github.com)

8.	W3c WebID proposal for authentication see WebID - W3C Wiki
<https://www.w3.org/wiki/WebID> 
9.	L3 WD01 open pull requests and open issues

 

Pull requests
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD
-01> . w3c/webauthn (github.com)

1.	Recommend duration of challenge validity by emlun
<https://github.com/w3c/webauthn/pull/1855> . Pull Request #1855 .
w3c/webauthn (github.com)

 

Pull requests
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone> .
w3c/webauthn . GitHub

1.	Clarify distinction between PublicKeyCredentialUserEntity name and
displayName by MasterKale  <https://github.com/w3c/webauthn/pull/1932> .
Pull Request #1932 . w3c/webauthn (github.com)
2.	Update Authenticator Definition by nicksteele
<https://github.com/w3c/webauthn/pull/1931> . Pull Request #1931 .
w3c/webauthn (github.com)
3.	Add security consideration section
<https://github.com/w3c/webauthn/pull/1930> "Validating the origin of a
credential" by emlun . Pull Request #1930 . w3c/webauthn (github.com)
4.	Clarify TPM attestation verification instructions by sbweeden
<https://github.com/w3c/webauthn/pull/1926> . Pull Request #1926 .
w3c/webauthn (github.com)
5.	Add new getClientCapabilities method by timcappalli
<https://github.com/w3c/webauthn/pull/1923> . Pull Request #1923 .
w3c/webauthn (github.com)
6.	Add missing fields in dictionaries for JSON representation by Kieun
<https://github.com/w3c/webauthn/pull/1920> . Pull Request #1920 .
w3c/webauthn (github.com)
7.	Address description of uses, and requirements for supplying
userHandle by sbweeden  <https://github.com/w3c/webauthn/pull/1914> . Pull
Request #1914 . w3c/webauthn (github.com)
8.	Add a `hints` element for both `create` and `get`. by agl
<https://github.com/w3c/webauthn/pull/1884> . Pull Request #1884 .
w3c/webauthn (github.com)
9.	Add userDisplayName and vendorDisplayName to credProps by emlun
<https://github.com/w3c/webauthn/pull/1880> . Pull Request #1880 .
w3c/webauthn . GitHub

 

 

Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL
3-WD-01> . w3c/webauthn (github.com)

1.	Allow desired attestation format to be an ordered list
<https://github.com/w3c/webauthn/issues/1917> . Issue #1917 . w3c/webauthn
(github.com)
2.	Revisit description of userHandle
<https://github.com/w3c/webauthn/issues/1909> . Issue #1909 . w3c/webauthn
(github.com)
3.	Clarify how the given origin in the ClientDataJSON matches to the
expected one  <https://github.com/w3c/webauthn/issues/1889> . Issue #1889 .
w3c/webauthn (github.com)
4.	Emphasize use of `user.name` for RP's to help users distinguish
credentials  <https://github.com/w3c/webauthn/issues/1852> . Issue #1852 .
w3c/webauthn (github.com)
5.	Prescriptive behaviours for Autofill UI
<https://github.com/w3c/webauthn/issues/1800> . Issue #1800 . w3c/webauthn
(github.com)
6.	Enforce backup eligibility during assertion
<https://github.com/w3c/webauthn/issues/1791> . Issue #1791 . w3c/webauthn
(github.com)
7.	Facility for an RP to indicate a change of displayName to a
discoverable credential  <https://github.com/w3c/webauthn/issues/1779> .
Issue #1779 . w3c/webauthn (github.com)
8.	Should enterprise attestation support be flagged explicitly?
<https://github.com/w3c/webauthn/issues/1742> . Issue #1742 . w3c/webauthn .
GitHub
9.	Discussing mechanisms for enterprise RP's to enforce bound
properties of credentials  <https://github.com/w3c/webauthn/issues/1739> .
Issue #1739 . w3c/webauthn . GitHub
10.	Provide passwordless example, or update 1.3.2. to be a passwordless
example  <https://github.com/w3c/webauthn/issues/1735> . Issue #1735 .
w3c/webauthn . GitHub
11.	Update top level use cases to account for multi-device credentials
<https://github.com/w3c/webauthn/issues/1720> . Issue #1720 . w3c/webauthn .
GitHub
12.	Public Key Credential Source and Extensions
<https://github.com/w3c/webauthn/issues/1719> . Issue #1719 . w3c/webauthn .
GitHub
13.	RP operations: some extension processing may assume that the
encompassing signature is valid
<https://github.com/w3c/webauthn/issues/1711> . Issue #1711 . w3c/webauthn .
GitHub
14.	Split RP ops  <https://github.com/w3c/webauthn/issues/1710>
"Registering a new credential" into one with and one without attestation .
Issue #1710 . w3c/webauthn (github.com)
15.	Switch to permissive copyright license?
<https://github.com/w3c/webauthn/issues/1705> . Issue #1705 . w3c/webauthn
(github.com)
16.	Platform Errors for attestations.
<https://github.com/w3c/webauthn/issues/1697> . Issue #1697 . w3c/webauthn
(github.com)
17.	Should an RP be able to provide finer grained authenticator
filtering in attestation options?
<https://github.com/w3c/webauthn/issues/1688> . Issue #1688 . w3c/webauthn
(github.com)
18.	Lookup Credential Source by Credential ID Algorithm returns
sensitive data such as the credential private key
<https://github.com/w3c/webauthn/issues/1678> . Issue #1678 . w3c/webauthn .
GitHub
19.	Synced Credentials  <https://github.com/w3c/webauthn/issues/1665> .
Issue #1665 . w3c/webauthn . GitHub
20.	Cross-origin credential creation in iframes
<https://github.com/w3c/webauthn/issues/1656> . Issue #1656 . w3c/webauthn
(github.com)
21.	Trailing position of metadata
<https://github.com/w3c/webauthn/issues/1646> . Issue #1646 . w3c/webauthn
(github.com)
22.	[Editorial] Truncation description inaccurate
<https://github.com/w3c/webauthn/issues/1645> . Issue #1645 . w3c/webauthn
(github.com)
23.	Mechanism for encoding *direction* metadata may need more work
<https://github.com/w3c/webauthn/issues/1644> . Issue #1644 . w3c/webauthn
(github.com)
24.	Use of in-field metadata not preferred
<https://github.com/w3c/webauthn/issues/1643> . Issue #1643 . w3c/webauthn
(github.com)
25.	Unicode  <https://github.com/w3c/webauthn/issues/1642> "tag"
characters are deprecated for language tagging . Issue #1642 . w3c/webauthn
(github.com)
26.	U+ notation incorrect  <https://github.com/w3c/webauthn/issues/1641>
. Issue #1641 . w3c/webauthn (github.com)
27.	Syncing Platform Keys, Recoverability and Security levels
<https://github.com/w3c/webauthn/issues/1640> . Issue #1640 . w3c/webauthn
(github.com)
28.	Possible experiences in a future WebAuthn
<https://github.com/w3c/webauthn/issues/1637> . Issue #1637 . w3c/webauthn
(github.com)
29.	reference CTAP2.1 PS spec and fix broken link
<https://github.com/w3c/webauthn/issues/1635> . Issue #1635 . w3c/webauthn
(github.com)
30.	Missing Test Vectors  <https://github.com/w3c/webauthn/issues/1633>
. Issue #1633 . w3c/webauthn (github.com)
31.	CollectedClientData.crossOrigin default value and whether it is
required  <https://github.com/w3c/webauthn/issues/1631> . Issue #1631 .
w3c/webauthn (github.com)
32.	Support for remote desktops
<https://github.com/w3c/webauthn/issues/1577> . Issue #1577 . w3c/webauthn
(github.com)
33.	Prevent browsers from deleting credentials that the RP wanted to be
server-side  <https://github.com/w3c/webauthn/issues/1569> . Issue #1569 .
w3c/webauthn (github.com)
34.	Support a  <https://github.com/w3c/webauthn/issues/1568> "create or
get [or replace]" credential re-association operation . Issue #1568 .
w3c/webauthn (github.com)
35.	Adding info about HSTS for the RPID to client Data.
<https://github.com/w3c/webauthn/issues/1554> . Issue #1554 . w3c/webauthn
(github.com)
36.	Making PublicKeyCredentialDescriptor.transports mandatory
<https://github.com/w3c/webauthn/issues/1522> . Issue #1522 . w3c/webauthn
(github.com)
37.	cleanup  <https://github.com/w3c/webauthn/issues/1489> <pre
class=anchors> and use <pre class="link-defaults"> as appropriate . Issue
#1489 . w3c/webauthn (github.com)
38.	Regarding the issue of Credential ID exposure(13.5.6), from what
perspective should RP compare RK and NRK and which should be adopted?
<https://github.com/w3c/webauthn/issues/1484> . Issue #1484 . w3c/webauthn
(github.com)
39.	Adding info about HSTS for the RPID to client Data.
<https://github.com/w3c/webauthn/issues/1554> . Issue #1554 . w3c/webauthn
(github.com)
40.	Requesting properties of created credentials.
<https://github.com/w3c/webauthn/issues/1449> . Issue #1449 . w3c/webauthn
(github.com)
41.	More explicitly document use cases
<https://github.com/w3c/webauthn/issues/1389> . Issue #1389 . w3c/webauthn
(github.com)
42.	Addition of a network transport
<https://github.com/w3c/webauthn/issues/1381> . Issue #1381 . w3c/webauthn
(github.com)
43.	Minor cleanups from PR 1270 review
<https://github.com/w3c/webauthn/issues/1291> . Issue #1291 . w3c/webauthn
(github.com)
44.	Clearly define the way how RP handles the extensions
<https://github.com/w3c/webauthn/issues/1258> . Issue #1258 . w3c/webauthn
(github.com)
45.	add feature detection blurb...
<https://github.com/w3c/webauthn/issues/1208> . Issue #1208 . w3c/webauthn
(github.com)
46.	think about adding note wrt how client platform might obtain
authenticator capabilities  <https://github.com/w3c/webauthn/issues/1207> .
Issue #1207 . w3c/webauthn (github.com)
47.	Update name, displayname and icon for RP and user
<https://github.com/w3c/webauthn/issues/1200> . Issue #1200 . w3c/webauthn
(github.com)
48.	export definitions?  <https://github.com/w3c/webauthn/issues/1049> .
Issue #1049 . w3c/webauthn (github.com)
49.	ReIssues  <https://github.com/w3c/webauthn/issues/931> .
w3c/webauthn (github.com)covering from Device Loss . Issue #931 .
w3c/webauthn (github.com)
50.	undefined terms and terms we really ought to define
<https://github.com/w3c/webauthn/issues/462> . Issue #462 . w3c/webauthn
(github.com)

 

Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat
%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone> . w3c/webauthn . GitHub

1.	Remove isPPAA() and expand getClientCapabilities()
<https://github.com/w3c/webauthn/issues/1937> . Issue #1937 . w3c/webauthn
(github.com)
2.	Indicate that the credential could be backed up and restored, but
not synchronized  <https://github.com/w3c/webauthn/issues/1933> . Issue
#1933 . w3c/webauthn (github.com)
3.	Non-modal registration during conditional assertion
<https://github.com/w3c/webauthn/issues/1929> . Issue #1929 . w3c/webauthn
(github.com)
4.	Return public key in attestedCredentialData on
authenticatorGetAssertion  <https://github.com/w3c/webauthn/issues/1928> .
Issue #1928 . w3c/webauthn (github.com)
5.	TPM attestation verification steps inconsistent with FIDO
conformance testing tool  <https://github.com/w3c/webauthn/issues/1925> .
Issue #1925 . w3c/webauthn (github.com)
6.	Signaling when user credentials are shared between users to the
`relying party`  <https://github.com/w3c/webauthn/issues/1922> . Issue #1922
. w3c/webauthn (github.com)
7.	Describe packed enterprise attestation
<https://github.com/w3c/webauthn/issues/1916> . Issue #1916 . w3c/webauthn
(github.com)
8.	username and display name should not be mandatory (rp, challange
either) and OS UX should be simplified if not present
<https://github.com/w3c/webauthn/issues/1915> . Issue #1915 . w3c/webauthn
(github.com)
9.	Misaligned steps in Section 7.2
<https://github.com/w3c/webauthn/issues/1913> . Issue #1913 . w3c/webauthn
(github.com)
10.	Misaligned steps in Section 7.2
<https://github.com/w3c/webauthn/issues/1913> . Issue #1913 . w3c/webauthn
(github.com)
11.	Update Authenticator Taxonomy examples section
<https://github.com/w3c/webauthn/issues/1912> . Issue #1912 . w3c/webauthn
(github.com)
12.	Proposal/discussion: non-extractable CryptoKey output from the prf
extension  <https://github.com/w3c/webauthn/issues/1895> . Issue #1895 .
w3c/webauthn (github.com)
13.	Add Changed Flag to UVM Entry
<https://github.com/w3c/webauthn/issues/1890> . Issue #1890 . w3c/webauthn
(github.com)
14.	Clarify browser behavior when an authenticators return equivalent of
<https://github.com/w3c/webauthn/issues/1888> "InvalidStateError" . Issue
#1888 . w3c/webauthn (github.com)
15.	Clarify how to differentiate between exceptions
<https://github.com/w3c/webauthn/issues/1859> . Issue #1859 . w3c/webauthn
(github.com)
16.	Clarify the need for truly randomly generated challenges (aka
challenge callback issue)  <https://github.com/w3c/webauthn/issues/1856> .
Issue #1856 . w3c/webauthn (github.com)
17.	Allow conditional and modal flows to run simultaneously
<https://github.com/w3c/webauthn/issues/1854> . Issue #1854 . w3c/webauthn
(github.com)
18.	 <https://github.com/w3c/webauthn/issues/1819> "android-key" and
"android-safetynet" are really basic attestation type support? . Issue #1819
. w3c/webauthn (github.com)
19.	Dependencies section is out of date and duplicates terms index
<https://github.com/w3c/webauthn/issues/1797> . Issue #1797 . w3c/webauthn
(github.com)
20.	Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1
<https://github.com/w3c/webauthn/issues/1795> . Issue #1795 . w3c/webauthn
(github.com)
21.	Broken references in Web Authentication: An API for accessing Public
Key Credentials - Level  <https://github.com/w3c/webauthn/issues/1794> .
Issue #1794 . w3c/webauthn (github.com)
22.	Better specify what an unknown type credential descriptor being
ignored means  <https://github.com/w3c/webauthn/issues/1748> . Issue #1748 .
w3c/webauthn (github.com)
23.	Spec abstract is out of date on the eve of multi-device credentials
and cross-device auth  <https://github.com/w3c/webauthn/issues/1743> . Issue
#1743 . w3c/webauthn (github.com)
24.	Cross origin authentication without iframes (accommodating SPC in
WebAuthn)  <https://github.com/w3c/webauthn/issues/1667> . Issue #1667 .
w3c/webauthn . GitHub

 

  

4.   Other open issues

5.   Adjourn

Because of toll fraud issues MIT has been experiencing, I've been asked to
change our call coordinates and password and, as an ongoing thing, not
distribute the call coordinates publicly. That means not including the WebEx
call number or URL in our agendas or minutes.

 

You can find the new call coordinates at this link, accessible with your W3C
member login credentials.

https://www.w3.org/2016/01/webauth-password.html
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.or
g%2F2016%2F01%2Fwebauth-password.html&data=04%7C01%7Ctonynad%40microsoft.com
%7C9cd59d2cfccb46b0986d08d82dcf4b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7
C0%7C637309715629125857%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi
V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rRnXdea9sqPx%2B7Z8fbc7bv
%2F5nY%2BLZStYSARGKVdH1pA%3D&reserved=0>  

 

 

 

 

Get Outlook for Android <https://aka.ms/ghei36>
Received on Wednesday, 16 August 2023 00:50:33 UTC