- From: <nadalin@prodigy.net>
- Date: Tue, 21 Feb 2023 19:08:43 -0800
- To: "'W3C Web Authn WG'" <public-webauthn@w3.org>, "'John Fontana'" <jfontana@yubico.com>, "'Phillips, Addison'" <addison@lab126.com>, "'Christiaan Brand'" <cbrand@google.com>, "'Ian Jacobs'" <ij@w3.org>
- Message-ID: <0d4001d9466a$f9f8cc50$edea64f0$@prodigy.net>
Here is the agenda for the 02/22/2023 W3C Web Authentication WG Meeting, that will take place as a 60 minute teleconference. Remember call is at NOON PDT. Select scribe please someone be willing to scribe so we can get down to the issues 1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webauthn-2-20210408/ 2. First Public Working Draft of Level 3 has now been published, https://www.w3.org/TR/webauthn-3/ 3. PWG Update (John B.) 4. RSA (4/24-17)and TPAC (9/11-15) in person meetings possibilities 5. L3 WD01 open pull requests and open issues Pull requests <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD -01> . w3c/webauthn (github.com) 1. Allow for credential creation in a cross-origin iframe by stephenmcgruer <https://github.com/w3c/webauthn/pull/1801> . Pull Request #1801 . w3c/webauthn (github.com) 2. Improve guidance around using UV by emlun <https://github.com/w3c/webauthn/pull/1774> . Pull Request #1774 . w3c/webauthn (github.com) Pull requests <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone> . w3c/webauthn . GitHub 1. Recommend duration of challenge validity by emlun <https://github.com/w3c/webauthn/pull/1855> . Pull Request #1855 . w3c/webauthn (github.com) 2. Issue 1817 by sbweeden <https://github.com/w3c/webauthn/pull/1845> . Pull Request #1845 . w3c/webauthn (github.com) 3. Only expose the UV PRF by agl <https://github.com/w3c/webauthn/pull/1836> . Pull Request #1836 . w3c/webauthn (github.com) Issues <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL 3-WD-01> . w3c/webauthn (github.com) 1. Add <https://github.com/w3c/webauthn/issues/1835> "smart-card" to AuthenticatorTransport enum (WebKit) . Issue #1835 . w3c/webauthn (github.com) 2. Prescriptive behaviours for Autofill UI <https://github.com/w3c/webauthn/issues/1800> . Issue #1800 . w3c/webauthn (github.com) 3. Enforce backup eligibility during assertion <https://github.com/w3c/webauthn/issues/1791> . Issue #1791 . w3c/webauthn (github.com) 4. Facility for an RP to indicate a change of displayName to a discoverable credential <https://github.com/w3c/webauthn/issues/1779> . Issue #1779 . w3c/webauthn (github.com) 5. Which <https://github.com/w3c/webauthn/issues/1757> "pubKeyCredParams" to use? . Issue #1757 . w3c/webauthn (github.com) 6. Conditional Mediation feature discovery should really return a promise <https://github.com/w3c/webauthn/issues/1745> . Issue #1745 . w3c/webauthn . GitHub 7. Should enterprise attestation support be flagged explicitly? <https://github.com/w3c/webauthn/issues/1742> . Issue #1742 . w3c/webauthn . GitHub 8. Attestation on Get Assertion <https://github.com/w3c/webauthn/issues/1741> . Issue #1741 . w3c/webauthn . GitHub 9. Discussing mechanisms for enterprise RP's to enforce bound properties of credentials <https://github.com/w3c/webauthn/issues/1739> . Issue #1739 . w3c/webauthn . GitHub 10. Provide passwordless example, or update 1.3.2. to be a passwordless example <https://github.com/w3c/webauthn/issues/1735> . Issue #1735 . w3c/webauthn . GitHub 11. Update top level use cases to account for multi-device credentials <https://github.com/w3c/webauthn/issues/1720> . Issue #1720 . w3c/webauthn . GitHub 12. Public Key Credential Source and Extensions <https://github.com/w3c/webauthn/issues/1719> . Issue #1719 . w3c/webauthn . GitHub 13. RP operations: some extension processing may assume that the encompassing signature is valid <https://github.com/w3c/webauthn/issues/1711> . Issue #1711 . w3c/webauthn . GitHub 14. Switch to permissive copyright license? <https://github.com/w3c/webauthn/issues/1705> . Issue #1705 . w3c/webauthn (github.com) 15. should reference <https://github.com/w3c/webauthn/issues/1689> "attestation statement format" registry instead of "extensions" registry . Issue #1689 . w3c/webauthn . GitHub 16. Should an RP be able to provide finer grained authenticator filtering in attestation options? <https://github.com/w3c/webauthn/issues/1688> . Issue #1688 . w3c/webauthn (github.com) 17. Provide request deserialization, response serialization <https://github.com/w3c/webauthn/issues/1683> . Issue #1683 . w3c/webauthn (github.com) 18. Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key <https://github.com/w3c/webauthn/issues/1678> . Issue #1678 . w3c/webauthn . GitHub 19. Synced Credentials <https://github.com/w3c/webauthn/issues/1665> . Issue #1665 . w3c/webauthn . GitHub 20. Cross-origin credential creation in iframes <https://github.com/w3c/webauthn/issues/1656> . Issue #1656 . w3c/webauthn (github.com) 21. Trailing position of metadata <https://github.com/w3c/webauthn/issues/1646> . Issue #1646 . w3c/webauthn (github.com) 22. [Editorial] Truncation description inaccurate <https://github.com/w3c/webauthn/issues/1645> . Issue #1645 . w3c/webauthn (github.com) 23. Mechanism for encoding *direction* metadata may need more work <https://github.com/w3c/webauthn/issues/1644> . Issue #1644 . w3c/webauthn (github.com) 24. Use of in-field metadata not preferred <https://github.com/w3c/webauthn/issues/1643> . Issue #1643 . w3c/webauthn (github.com) 25. Unicode <https://github.com/w3c/webauthn/issues/1642> "tag" characters are deprecated for language tagging . Issue #1642 . w3c/webauthn (github.com) 26. U+ notation incorrect <https://github.com/w3c/webauthn/issues/1641> . Issue #1641 . w3c/webauthn (github.com) 27. Syncing Platform Keys, Recoverability and Security levels <https://github.com/w3c/webauthn/issues/1640> . Issue #1640 . w3c/webauthn (github.com) 28. reference CTAP2.1 PS spec and fix broken link <https://github.com/w3c/webauthn/issues/1635> . Issue #1635 . w3c/webauthn (github.com) 29. Missing Test Vectors <https://github.com/w3c/webauthn/issues/1633> . Issue #1633 . w3c/webauthn (github.com) 30. CollectedClientData.crossOrigin default value and whether it is required <https://github.com/w3c/webauthn/issues/1631> . Issue #1631 . w3c/webauthn (github.com) 31. Support for remote desktops <https://github.com/w3c/webauthn/issues/1577> . Issue #1577 . w3c/webauthn (github.com) 32. Prevent browsers from deleting credentials that the RP wanted to be server-side <https://github.com/w3c/webauthn/issues/1569> . Issue #1569 . w3c/webauthn (github.com) 33. Support a <https://github.com/w3c/webauthn/issues/1568> "create or get [or replace]" credential re-association operation . Issue #1568 . w3c/webauthn (github.com) 34. Questions about user handle when supporting usernameless <https://github.com/w3c/webauthn/issues/1559> . Issue #1559 . w3c/webauthn (github.com) 35. Move step 16 of Registration to between 21 and 22 <https://github.com/w3c/webauthn/issues/1555> . Issue #1555 . w3c/webauthn (github.com) 36. Adding info about HSTS for the RPID to client Data. <https://github.com/w3c/webauthn/issues/1554> . Issue #1554 . w3c/webauthn (github.com) 37. Add support for non-modal UI <https://github.com/w3c/webauthn/issues/1545> . Issue #1545 . w3c/webauthn (github.com) 38. Making PublicKeyCredentialDescriptor.transports mandatory <https://github.com/w3c/webauthn/issues/1522> . Issue #1522 . w3c/webauthn (github.com) 39. double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec <https://github.com/w3c/webauthn/issues/1492> . Issue #1492 . w3c/webauthn (github.com) 40. cleanup <https://github.com/w3c/webauthn/issues/1489> <pre class=anchors> and use <pre class="link-defaults"> as appropriate . Issue #1489 . w3c/webauthn (github.com) 41. Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? <https://github.com/w3c/webauthn/issues/1484> . Issue #1484 . w3c/webauthn (github.com) 42. Personal information updates <https://github.com/w3c/webauthn/issues/1456> & webauthn . Issue #1456 . w3c/webauthn (github.com) 43. Requesting properties of created credentials. <https://github.com/w3c/webauthn/issues/1449> . Issue #1449 . w3c/webauthn (github.com) 44. More explicitly document use cases <https://github.com/w3c/webauthn/issues/1389> . Issue #1389 . w3c/webauthn (github.com) 45. Addition of a network transport <https://github.com/w3c/webauthn/issues/1381> . Issue #1381 . w3c/webauthn (github.com) 46. Minor cleanups from PR 1270 review <https://github.com/w3c/webauthn/issues/1291> . Issue #1291 . w3c/webauthn (github.com) 47. Clearly define the way how RP handles the extensions <https://github.com/w3c/webauthn/issues/1258> . Issue #1258 . w3c/webauthn (github.com) 48. add feature detection blurb... <https://github.com/w3c/webauthn/issues/1208> . Issue #1208 . w3c/webauthn (github.com) 49. think about adding note wrt how client platform might obtain authenticator capabilities <https://github.com/w3c/webauthn/issues/1207> . Issue #1207 . w3c/webauthn (github.com) 50. Update name, displayname and icon for RP and user <https://github.com/w3c/webauthn/issues/1200> . Issue #1200 . w3c/webauthn (github.com) 51. export definitions? <https://github.com/w3c/webauthn/issues/1049> . Issue #1049 . w3c/webauthn (github.com) 52. ReIssues <https://github.com/w3c/webauthn/issues/931> . w3c/webauthn (github.com)covering from Device Loss . Issue #931 . w3c/webauthn (github.com) 53. undefined terms and terms we really ought to define <https://github.com/w3c/webauthn/issues/462> . Issue #462 . w3c/webauthn (github.com) Issues <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat %3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone> . w3c/webauthn . GitHub 1. Clarify the need for truly randomly generated challenges <https://github.com/w3c/webauthn/issues/1856> . Issue #1856 . w3c/webauthn (github.com) 2. Allow conditional and modal flows to run simultaneously <https://github.com/w3c/webauthn/issues/1854> . Issue #1854 . w3c/webauthn (github.com) 3. Redundant step 6 in DPK verification for authentication <https://github.com/w3c/webauthn/issues/1853> . Issue #1853 . w3c/webauthn (github.com) 4. Add a new <https://github.com/w3c/webauthn/issues/1852> "note" to registration options for RP's to help users distinguish credentials . Issue #1852 . w3c/webauthn (github.com) 5. How long the relying party should maintain the challenge and related information? <https://github.com/w3c/webauthn/issues/1848> . Issue #1848 . w3c/webauthn (github.com) 6. Differentiate when devicePubKey unsupported vs. failed? <https://github.com/w3c/webauthn/issues/1846> . Issue #1846 . w3c/webauthn (github.com) 7. Add topOrigin to clientData for cross-origin GET in iframe <https://github.com/w3c/webauthn/issues/1842> . Issue #1842 . w3c/webauthn (github.com) 8. <https://github.com/w3c/webauthn/issues/1819> "android-key" and "android-safetynet" are really basic attestation type support? . Issue #1819 . w3c/webauthn (github.com) 9. Variable reference issue in DPK processing rules <https://github.com/w3c/webauthn/issues/1817> . Issue #1817 . w3c/webauthn (github.com) 10. Possibility to filter diplayed authenticators by certified level <https://github.com/w3c/webauthn/issues/1816> . Issue #1816 . w3c/webauthn (github.com) 11. Dependencies section is out of date and duplicates terms index <https://github.com/w3c/webauthn/issues/1797> . Issue #1797 . w3c/webauthn (github.com) 12. Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1 <https://github.com/w3c/webauthn/issues/1795> . Issue #1795 . w3c/webauthn (github.com) 13. Credential discovery is unclear <https://github.com/w3c/webauthn/issues/1789> . Issue #1789 . w3c/webauthn (github.com) 14. Split the standard by focus driven use cases. <https://github.com/w3c/webauthn/issues/1751> . Issue #1751 . w3c/webauthn (github.com) 15. Better specify what an unknown type credential descriptor being ignored means <https://github.com/w3c/webauthn/issues/1748> . Issue #1748 . w3c/webauthn (github.com) 16. Use aPAKE/OPAQUE for FIDO multi-device credentials (PassKey) <https://github.com/w3c/webauthn/issues/1747> . Issue #1747 . w3c/webauthn (github.com) 17. Spec abstract is out of date on the eve of multi-device credentials and cross-device auth <https://github.com/w3c/webauthn/issues/1743> . Issue #1743 . w3c/webauthn (github.com) 18. Cross origin authentication without iframes (accommodating SPC in WebAuthn) <https://github.com/w3c/webauthn/issues/1667> . Issue #1667 . w3c/webauthn . GitHub 4. Other open issues 5. Adjourn Because of toll fraud issues MIT has been experiencing, I've been asked to change our call coordinates and password and, as an ongoing thing, not distribute the call coordinates publicly. That means not including the WebEx call number or URL in our agendas or minutes. You can find the new call coordinates at this link, accessible with your W3C member login credentials. https://www.w3.org/2016/01/webauth-password.html <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.or g%2F2016%2F01%2Fwebauth-password.html&data=04%7C01%7Ctonynad%40microsoft.com %7C9cd59d2cfccb46b0986d08d82dcf4b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7 C0%7C637309715629125857%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rRnXdea9sqPx%2B7Z8fbc7bv %2F5nY%2BLZStYSARGKVdH1pA%3D&reserved=0> Get Outlook for Android <https://aka.ms/ghei36>
Received on Wednesday, 22 February 2023 03:09:04 UTC