Re: 01/25/2023 W3C Web Authentication Meeting

Hi everyone,

I'm sick and can't make it to the meeting today. I'll see you in the next
one.

/Emil

On Wed, 25 Jan 2023, 00:52, <nadalin@prodigy.net> wrote:

>
>
> Here is the agenda for the 01/25/2023 W3C Web Authentication WG Meeting,
> that will take place as a 60 minute teleconference. Remember call is at
> NOON PDT.
>
>
>
>
>
> Select scribe: please, someone be willing to scribe so we can get down to
> the issues.
>
>
>
>    1. Here is the link to the Level 2 Webauthn Recommendation
>    https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
>    2. First Public Working Draft of Level 3 has now been published,
>    https://www.w3.org/TR/webauthn-3/
>
>
>    1. PWG Update (John B.)
>    2. L3 WD01 open pull requests and open issues
>
>
>
> Pull requests · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-01>
>
>          1. Allow for credential creation in a cross-origin iframe by
>          stephenmcgruer · Pull Request #1801 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/pull/1801>
>          2. Improve guidance around using UV by emlun · Pull Request
>          #1774 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/pull/1774>
>
>
>
> Pull requests · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>
>    1. Don't be so strict about uv with the PRF extension. by agl · Pull
>    Request #1836 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1836>
>
>
>
> Issues · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-01>
>
>          1. Prescriptive behaviours for Autofill UI · Issue #1800 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1800>
>          2. Enforce backup eligibility during assertion · Issue #1791 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1791>
>          3. Facility for an RP to indicate a change of displayName to a
>          discoverable credential · Issue #1779 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1779>
>          4. Which "pubKeyCredParams" to use? · Issue #1757 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1757>
>          5. Conditional Mediation feature discovery should really return
>          a promise · Issue #1745 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1745>
>          6. Should enterprise attestation support be flagged explicitly?
>          · Issue #1742 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1742>
>          7. Attestation on Get Assertion · Issue #1741 · w3c/webauthn ·
>          GitHub <https://github.com/w3c/webauthn/issues/1741>
>          8. Discussing mechanisms for enterprise RP's to enforce bound
>          properties of credentials · Issue #1739 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1739>
>          9. Provide passwordless example, or update 1.3.2. to be a
>          passwordless example · Issue #1735 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1735>
>          10. Update top level use cases to account for multi-device
>          credentials · Issue #1720 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1720>
>          11. Public Key Credential Source and Extensions · Issue #1719 ·
>          w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1719>
>          12. RP operations: some extension processing may assume that the
>          encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1711>
>          13. Switch to permissive copyright license? · Issue #1705 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1705>
>          14. should reference "attestation statement format" registry
>          instead of "extensions" registry · Issue #1689 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1689>
>          15. Should an RP be able to provide finer grained authenticator
>          filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1688>
>          16. Provide request deserialization, response serialization ·
>          Issue #1683 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1683>
>          17. Lookup Credential Source by Credential ID Algorithm returns
>          sensitive data such as the credential private key · Issue #1678 ·
>          w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1678>
>          18. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1665>
>          19. Cross-origin credential creation in iframes · Issue #1656 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1656>
>          20. Trailing position of metadata · Issue #1646 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1646>
>          21. [Editorial] Truncation description inaccurate · Issue #1645
>          · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1645>
>          22. Mechanism for encoding *direction* metadata may need more
>          work · Issue #1644 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1644>
>          23. Use of in-field metadata not preferred · Issue #1643 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1643>
>          24. Unicode "tag" characters are deprecated for language tagging
>          · Issue #1642 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1642>
>          25. U+ notation incorrect · Issue #1641 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1641>
>          26. Syncing Platform Keys, Recoverability and Security levels ·
>          Issue #1640 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1640>
>          27. reference CTAP2.1 PS spec and fix broken link · Issue #1635
>          · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1635>
>          28. Missing Test Vectors · Issue #1633 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1633>
>          29. CollectedClientData.crossOrigin default value and whether it
>          is required · Issue #1631 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1631>
>          30. Support for remote desktops · Issue #1577 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1577>
>          31. Prevent browsers from deleting credentials that the RP
>          wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1569>
>          32. Support a "create or get [or replace]" credential
>          re-association operation · Issue #1568 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1568>
>          33. Questions about user handle when supporting usernameless ·
>          Issue #1559 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1559>
>          34. Move step 16 of Registration to between 21 and 22 · Issue
>          #1555 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1555>
>          35. Adding info about HSTS for the RPID to client Data. · Issue
>          #1554 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1554>
>          36. Add support for non-modal UI · Issue #1545 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1545>
>          37. Making PublicKeyCredentialDescriptor.transports mandatory ·
>          Issue #1522 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1522>
>          38. double check whether the Secure Payment Confirmation effort
>          has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1492>
>          39. cleanup <pre class=anchors> and use <pre
>          class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1489>
>          40. Regarding the issue of Credential ID exposure(13.5.6), from
>          what perspective should RP compare RK and NRK and which should be adopted?
>          · Issue #1484 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1484>
>          41. Personal information updates & webauthn · Issue #1456 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1456>
>          42. Requesting properties of created credentials. · Issue #1449
>          · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1449>
>          43. More explicitly document use cases · Issue #1389 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1389>
>          44. Addition of a network transport · Issue #1381 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1381>
>          45. Minor cleanups from PR 1270 review · Issue #1291 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1291>
>          46. Clearly define the way how RP handles the extensions · Issue
>          #1258 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1258>
>          47. add feature detection blurb... · Issue #1208 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1208>
>          48. think about adding note wrt how client platform might obtain
>          authenticator capabilities · Issue #1207 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1207>
>          49. Update name, displayname and icon for RP and user · Issue
>          #1200 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1200>
>          50. export definitions? · Issue #1049 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1049>
>          51. Recovering from Device
>          Loss · Issue #931 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/931>
>          52. undefined terms and terms we really ought to define · Issue
>          #462 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/462>
>
>
>
> Issues · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>
>
>
>    1. Add "smart-card" to AuthenticatorTransport enum (WebKit) · Issue
>    #1835 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1835>
>    2. Support for FIDO passkey with HMAC-Secret extension · Issue #1830 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1830>
>    3. Being able to access the same public key credentials across
>    different domains · Issue #1827 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1827>
>    4. Provide a way for an RP to set an intention to offer more user
>    friendly UX · Issue #1823 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1823>
>    5. residentKey: "preferred-if-unlimited"? · Issue #1822 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1822>
>    6. "android-key" and "android-safetynet" are really basic attestation
>    type support? · Issue #1819 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1819>
>    7. Variable reference issue in DPK processing rules · Issue #1817 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1817>
>    8. Possibility to filter displayed authenticators by certified level ·
>    Issue #1816 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1816>
>    9. Dependencies section is out of date and duplicates terms index ·
>    Issue #1797 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1797>
>    10. Enterprise attestation is a bool in WebAuthn and an Int in CTAP2.1
>    · Issue #1795 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1795>
>    11. Credential discovery is unclear · Issue #1789 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1789>
>    12. Split the standard by focus driven use cases. · Issue #1751 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1751>
>    13. Better specify what an unknown type credential descriptor being
>    ignored means · Issue #1748 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1748>
>    14. Use aPAKE/OPAQUE for FIDO multi-device credentials (PassKey) ·
>    Issue #1747 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1747>
>    15. Spec abstract is out of date on the eve of multi-device
>    credentials and cross-device auth · Issue #1743 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1743>
>    16. Cross origin authentication without iframes (accommodating SPC in
>    WebAuthn) · Issue #1667 · w3c/webauthn · GitHub
>    <https://github.com/w3c/webauthn/issues/1667>
>
>
>
>
>
> 4.   Other open issues
>
> 5.   Adjourn
>
> Because of toll fraud issues MIT has been experiencing, I've been asked to
> change our call coordinates and password and, as an ongoing thing, not
> distribute the call coordinates publicly. That means not including the
> WebEx call number or URL in our agendas or minutes.
>
>
>
> You can find the new call coordinates at this link, accessible with your
> W3C member login credentials.
>
> https://www.w3.org/2016/01/webauth-password.html

Received on Wednesday, 25 January 2023 19:59:40 UTC