12/13/2023 W3C Web Authentication Meeting

Here is the agenda for the 12/13/2023 W3C Web Authentication WG Meeting,
that will take place as a 60 minute teleconference. Remember call is at 12PM
Pacific Time. Reminder that we will be using ZOOM from now on, please make
sure you go to Web Authentication bi-weekly (w3.org)
<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/202
30517T150000> 

 

Select scribe please someone be willing to scribe so we can get down to the
issues

 

1.	Here is the link to the Level 2 Webauthn Recommendation
https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
2.	WD01 has now been published, https://www.w3.org/TR/webauthn-3/
3.	No meeting 12/27/2023 -  CANCELLED

4.	PWG Update (John B.)
5.	We have 49 open issues, 25 of them have been tagged with the @RISK
label, please review with the link below, if you don't agree we will discuss
as the first item on the agenda 

a.	Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3A%40Ri
sk> . w3c/webauthn (github.com)

6.	W3c WebID proposal for authentication see WebID - W3C Wiki
<https://www.w3.org/wiki/WebID> 
7.	L3 WD01 open pull requests and open issues

 

 

Pull requests
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD
-02> . w3c/webauthn (github.com)

1.	Enterprise packed attestation guidance by dwaite
<https://github.com/w3c/webauthn/pull/1954> . Pull Request #1954 .
w3c/webauthn (github.com)
2.	Add packed attestation optional firmware version attribute by dwaite
<https://github.com/w3c/webauthn/pull/1953> . Pull Request #1953 .
w3c/webauthn (github.com)
3.	Initial text for conditional create by pascoej
<https://github.com/w3c/webauthn/pull/1951> . Pull Request #1951 .
w3c/webauthn (github.com)
4.	Recommend duration of challenge validity by emlun
<https://github.com/w3c/webauthn/pull/1855> . Pull Request #1855 .
w3c/webauthn (github.com)

 

Pull requests
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone> .
w3c/webauthn (github.com)

1.	Disambiguate  <https://github.com/w3c/webauthn/pull/2005> "this
value" in authenticatorDisplayName description by emlun . Pull Request #2005
. w3c/webauthn (github.com)
2.	Reference CTAP 2.1 errata spec by selfissued
<https://github.com/w3c/webauthn/pull/2004> . Pull Request #2004 .
w3c/webauthn (github.com)
3.	Fix references to credential private key that should be credential
source by emlun  <https://github.com/w3c/webauthn/pull/2003> . Pull Request
#2003 . w3c/webauthn (github.com)
4.	Fix incorrect reference in Add Virtual Authenticator by emlun
<https://github.com/w3c/webauthn/pull/2001> . Pull Request #2001 .
w3c/webauthn (github.com)
5.	Add backup flags to virtual authenticator by nsatragno
<https://github.com/w3c/webauthn/pull/1999> . Pull Request #1999 .
w3c/webauthn (github.com)
6.	Drop assertion-time attestation. by agl
<https://github.com/w3c/webauthn/pull/1997> . Pull Request #1997 .
w3c/webauthn (github.com)
7.	Don't define a [[preventSilentAccess]] internal method by emlun
<https://github.com/w3c/webauthn/pull/1991> . Pull Request #1991 .
w3c/webauthn (github.com)
8.	Make the default value for the attestation member in assertion
options be null by Kieun  <https://github.com/w3c/webauthn/pull/1972> . Pull
Request #1972 . w3c/webauthn (github.com)
9.	Clarify TPM attestation verification instructions by sbweeden
<https://github.com/w3c/webauthn/pull/1926> . Pull Request #1926 .
w3c/webauthn (github.com)
10.	Add new getClientCapabilities method by timcappalli
<https://github.com/w3c/webauthn/pull/1923> . Pull Request #1923 .
w3c/webauthn (github.com)

 

 

Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL
3-WD-02+> . w3c/webauthn (github.com)

1.	create() and get() return an algorithm, not a credential
<https://github.com/w3c/webauthn/issues/1984> . Issue #1984 . w3c/webauthn
(github.com)
2.	Spec is not specific enough about order of conditional UI autofill
tokens  <https://github.com/w3c/webauthn/issues/1982> . Issue #1982 .
w3c/webauthn (github.com)
3.	Ambiguous instructions in the Android Key Attestation Statement
Format verification procedure  <https://github.com/w3c/webauthn/issues/1980>
. Issue #1980 . w3c/webauthn (github.com)
4.	Are notes in webauthn normative or informative?
<https://github.com/w3c/webauthn/issues/1979> . Issue #1979 . w3c/webauthn
(github.com)
5.	Extensions should specify partial dictionaries that modify
AuthenticationExtensionsClient{Inputs, Outputs}JSON
<https://github.com/w3c/webauthn/issues/1968> . Issue #1968 . w3c/webauthn
(github.com)
6.	Should credentials requested with attestation=none include an
AAGUID?  <https://github.com/w3c/webauthn/issues/1962> . Issue #1962 .
w3c/webauthn (github.com)
7.	Describe firmware OID usage in packed attestation
<https://github.com/w3c/webauthn/issues/1952> . Issue #1952 . w3c/webauthn
(github.com)
8.	Non-modal registration during conditional assertion
<https://github.com/w3c/webauthn/issues/1929> . Issue #1929 . w3c/webauthn
(github.com)
9.	Allow desired attestation format to be an ordered list
<https://github.com/w3c/webauthn/issues/1917> . Issue #1917 . w3c/webauthn
(github.com)
10.	Describe packed enterprise attestation
<https://github.com/w3c/webauthn/issues/1916> . Issue #1916 . w3c/webauthn
(github.com)
11.	Update Authenticator Taxonomy examples section
<https://github.com/w3c/webauthn/issues/1912> . Issue #1912 . w3c/webauthn
(github.com)
12.	Prescriptive behaviours for Autofill UI
<https://github.com/w3c/webauthn/issues/1800> . Issue #1800 . w3c/webauthn
(github.com)
13.	Should enterprise attestation support be flagged explicitly?
<https://github.com/w3c/webauthn/issues/1742> . Issue #1742 . w3c/webauthn .
GitHub
14.	Discussing mechanisms for enterprise RP's to enforce bound
properties of credentials  <https://github.com/w3c/webauthn/issues/1739> .
Issue #1739 . w3c/webauthn . GitHub
15.	Provide passwordless example, or update 1.3.2. to be a passwordless
example  <https://github.com/w3c/webauthn/issues/1735> . Issue #1735 .
w3c/webauthn . GitHub
16.	Update top level use cases to account for multi-device credentials
<https://github.com/w3c/webauthn/issues/1720> . Issue #1720 . w3c/webauthn .
GitHub
17.	Public Key Credential Source and Extensions
<https://github.com/w3c/webauthn/issues/1719> . Issue #1719 . w3c/webauthn .
GitHub
18.	RP operations: some extension processing may assume that the
encompassing signature is valid
<https://github.com/w3c/webauthn/issues/1711> . Issue #1711 . w3c/webauthn .
GitHub
19.	Split RP ops  <https://github.com/w3c/webauthn/issues/1710>
"Registering a new credential" into one with and one without attestation .
Issue #1710 . w3c/webauthn (github.com)
20.	Switch to permissive copyright license?
<https://github.com/w3c/webauthn/issues/1705> . Issue #1705 . w3c/webauthn
(github.com)
21.	Platform Errors for attestations.
<https://github.com/w3c/webauthn/issues/1697> . Issue #1697 . w3c/webauthn
(github.com)
22.	Should an RP be able to provide finer grained authenticator
filtering in attestation options?
<https://github.com/w3c/webauthn/issues/1688> . Issue #1688 . w3c/webauthn
(github.com)
23.	Lookup Credential Source by Credential ID Algorithm returns
sensitive data such as the credential private key
<https://github.com/w3c/webauthn/issues/1678> . Issue #1678 . w3c/webauthn .
GitHub
24.	Synced Credentials  <https://github.com/w3c/webauthn/issues/1665> .
Issue #1665 . w3c/webauthn . GitHub
25.	Cross-origin credential creation in iframes
<https://github.com/w3c/webauthn/issues/1656> . Issue #1656 . w3c/webauthn
(github.com)
26.	Trailing position of metadata
<https://github.com/w3c/webauthn/issues/1646> . Issue #1646 . w3c/webauthn
(github.com)
27.	[Editorial] Truncation description inaccurate
<https://github.com/w3c/webauthn/issues/1645> . Issue #1645 . w3c/webauthn
(github.com)
28.	Mechanism for encoding *direction* metadata may need more work
<https://github.com/w3c/webauthn/issues/1644> . Issue #1644 . w3c/webauthn
(github.com)
29.	Use of in-field metadata not preferred
<https://github.com/w3c/webauthn/issues/1643> . Issue #1643 . w3c/webauthn
(github.com)
30.	Unicode  <https://github.com/w3c/webauthn/issues/1642> "tag"
characters are deprecated for language tagging . Issue #1642 . w3c/webauthn
(github.com)
31.	U+ notation incorrect  <https://github.com/w3c/webauthn/issues/1641>
. Issue #1641 . w3c/webauthn (github.com)
32.	Syncing Platform Keys, Recoverability and Security levels
<https://github.com/w3c/webauthn/issues/1640> . Issue #1640 . w3c/webauthn
(github.com)
33.	Possible experiences in a future WebAuthn
<https://github.com/w3c/webauthn/issues/1637> . Issue #1637 . w3c/webauthn
(github.com)
34.	reference CTAP2.1 PS spec and fix broken link
<https://github.com/w3c/webauthn/issues/1635> . Issue #1635 . w3c/webauthn
(github.com)
35.	Missing Test Vectors  <https://github.com/w3c/webauthn/issues/1633>
. Issue #1633 . w3c/webauthn (github.com)
36.	CollectedClientData.crossOrigin default value and whether it is
required  <https://github.com/w3c/webauthn/issues/1631> . Issue #1631 .
w3c/webauthn (github.com)
37.	Support for remote desktops
<https://github.com/w3c/webauthn/issues/1577> . Issue #1577 . w3c/webauthn
(github.com)
38.	Prevent browsers from deleting credentials that the RP wanted to be
server-side  <https://github.com/w3c/webauthn/issues/1569> . Issue #1569 .
w3c/webauthn (github.com)
39.	Support a  <https://github.com/w3c/webauthn/issues/1568> "create or
get [or replace]" credential re-association operation . Issue #1568 .
w3c/webauthn (github.com)
40.	Adding info about HSTS for the RPID to client Data.
<https://github.com/w3c/webauthn/issues/1554> . Issue #1554 . w3c/webauthn
(github.com)
41.	Making PublicKeyCredentialDescriptor.transports mandatory
<https://github.com/w3c/webauthn/issues/1522> . Issue #1522 . w3c/webauthn
(github.com)
42.	cleanup  <https://github.com/w3c/webauthn/issues/1489> <pre
class=anchors> and use <pre class="link-defaults"> as appropriate . Issue
#1489 . w3c/webauthn (github.com)
43.	Regarding the issue of Credential ID exposure(13.5.6), from what
perspective should RP compare RK and NRK and which should be adopted?
<https://github.com/w3c/webauthn/issues/1484> . Issue #1484 . w3c/webauthn
(github.com)
44.	Requesting properties of created credentials.
<https://github.com/w3c/webauthn/issues/1449> . Issue #1449 . w3c/webauthn
(github.com)
45.	PublicKeyCredentialParameters can't select curve (E.g. ed448)
<https://github.com/w3c/webauthn/issues/1446> . Issue #1446 . w3c/webauthn
(github.com)
46.	Minor cleanups from PR 1270 review
<https://github.com/w3c/webauthn/issues/1291> . Issue #1291 . w3c/webauthn
(github.com)
47.	Clearly define the way how RP handles the extensions
<https://github.com/w3c/webauthn/issues/1258> . Issue #1258 . w3c/webauthn
(github.com)
48.	export definitions?  <https://github.com/w3c/webauthn/issues/1049> .
Issue #1049 . w3c/webauthn (github.com)
49.	undefined terms and terms we really ought to define
<https://github.com/w3c/webauthn/issues/462> . Issue #462 . w3c/webauthn
(github.com)

 

Issues
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat
%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone> . w3c/webauthn . GitHub

1.	rp.name, user.name and user.displayName length limit does not state
binary encoding  <https://github.com/w3c/webauthn/issues/1994> . Issue #1994
. w3c/webauthn (github.com)
2.	Virtual Authenticator API does not expose a way to set
backup-eligible or backup-status flags
<https://github.com/w3c/webauthn/issues/1987> . Issue #1987 . w3c/webauthn
(github.com)
3.	[Superset] Updating credential metadata and requesting deletion of
stale credentials  <https://github.com/w3c/webauthn/issues/1967> . Issue
#1967 . w3c/webauthn (github.com)
4.	Further clarification of Unsigned Extension Outputs
<https://github.com/w3c/webauthn/issues/1964> . Issue #1964 . w3c/webauthn
(github.com)
5.	make username fields optional (do not delete them, but do not force
their usage, either, which is hostile against usernameless services)
<https://github.com/w3c/webauthn/issues/1942> . Issue #1942 . w3c/webauthn
(github.com)
6.	Remove isPPAA() and expand getClientCapabilities()
<https://github.com/w3c/webauthn/issues/1937> . Issue #1937 . w3c/webauthn
(github.com)
7.	Indicate that the credential could be backed up and restored, but
not synchronized  <https://github.com/w3c/webauthn/issues/1933> . Issue
#1933 . w3c/webauthn (github.com)
8.	Adding some sentences to describe credential sharing between
multiple users  <https://github.com/w3c/webauthn/issues/1921> . Issue #1921
. w3c/webauthn (github.com) 
9.	Misaligned steps in Section 7.2
<https://github.com/w3c/webauthn/issues/1913> . Issue #1913 . w3c/webauthn
(github.com)
10.	Clarify browser behavior when an authenticators return equivalent of
<https://github.com/w3c/webauthn/issues/1888> "InvalidStateError" . Issue
#1888 . w3c/webauthn (github.com)
11.	Clarify how to differentiate between exceptions
<https://github.com/w3c/webauthn/issues/1859> . Issue #1859 . w3c/webauthn
(github.com)
12.	Clarify the need for truly randomly generated challenges (aka
challenge callback issue)  <https://github.com/w3c/webauthn/issues/1856> .
Issue #1856 . w3c/webauthn (github.com)
13.	 <https://github.com/w3c/webauthn/issues/1819> "android-key" and
"android-safetynet" are really basic attestation type support? . Issue #1819
. w3c/webauthn (github.com)
14.	Dependencies section is out of date and duplicates terms index
<https://github.com/w3c/webauthn/issues/1797> . Issue #1797 . w3c/webauthn
(github.com)
15.	Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1
<https://github.com/w3c/webauthn/issues/1795> . Issue #1795 . w3c/webauthn
(github.com)
16.	Better specify what an unknown type credential descriptor being
ignored means  <https://github.com/w3c/webauthn/issues/1748> . Issue #1748 .
w3c/webauthn (github.com)
17.	Cross origin authentication without iframes (accommodating SPC in
WebAuthn)  <https://github.com/w3c/webauthn/issues/1667> . Issue #1667 .
w3c/webauthn . GitHub

 

  

4.   Other open issues

5.   Adjourn

Because of toll fraud issues MIT has been experiencing, I've been asked to
change our call coordinates and password and, as an ongoing thing, not
distribute the call coordinates publicly. That means not including the WebEx
call number or URL in our agendas or minutes.

 

You can find the new call coordinates at this link, accessible with your W3C
member login credentials.

https://www.w3.org/2016/01/webauth-password.html
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.or
g%2F2016%2F01%2Fwebauth-password.html&data=04%7C01%7Ctonynad%40microsoft.com
%7C9cd59d2cfccb46b0986d08d82dcf4b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7
C0%7C637309715629125857%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi
V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rRnXdea9sqPx%2B7Z8fbc7bv
%2F5nY%2BLZStYSARGKVdH1pA%3D&reserved=0>  

 

 

 

 

Get Outlook for Android <https://aka.ms/ghei36> 

Received on Wednesday, 13 December 2023 01:24:44 UTC