Re: 03/22/2023 W3C Web Authentication Meeting from Christiaan Brand on 2023-03-27 (public-webauthn@w3.org from March 2023)

From: Christiaan Brand <cbrand@google.com>
Date: Mon, 27 Mar 2023 08:51:13 -0700
To: Shane B Weeden <sweeden@au1.ibm.com>
Cc: ANTHONY NADALIN <nadalin@prodigy.net>, Adam Langley <agl@google.com>, W3C Web Authn WG <public-webauthn@w3.org>
Message-ID: <CAE1XR1mL46oHE54tTmcbAg6wTTtbentBF10x4KYdsghp8errMQ@mail.gmail.com>
Hi Shane,

Urgh. No one told me. Not sure where I got 20 April from, but I'll fix it.

Right now I have 18 people confirmed for this event. Tony, are we good to
proceed with Adam serving a delegated chair?

We can also make video conferencing (Meet) facilities available for folks
who can't make it in person and want to be part of the discussion.

/christiaan

On Sun, Mar 26, 2023 at 22:15 Shane B Weeden <sweeden@au1.ibm.com> wrote:

> Hi Tony,
>
> Can you please confirm that the f2f is going ahead in San Francisco on
> April 21 (Friday) and that Adam will be delegated chair, and that
> Christiaan is managing pre-registration?
>
> Also @Christiaan - I am fairly sure this has been pointed out before,
> however your invitation says April 20 (Friday) when actually the Friday is
> April 21.
>
> Thanks,
> Shane.
>
>
>
>
>
> On 22 Mar 2023, at 12:08 pm, nadalin@prodigy.net wrote:
>
> This Message Is From an External Sender
> This message came from outside your organization.
>
> Here is the agenda for the 03/22/2023 W3C Web Authentication WG Meeting,
> that will take place as a 60 minute teleconference. Remember call is at
> NOON PDT.
>
>
> Select scribe please someone be willing to scribe so we can get down to
> the issues
>
>
>    1. Here is the link to the Level 2 Webauthn Recommendation
>    https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
>    2. First Public Working Draft of Level 3 has now been published,
>    https://www.w3.org/TR/webauthn-3/
>
>
>    1. PWG Update (John B.)
>    2. RSA (4/24-27)and TPAC (9/11-15) in person meetings possibilities
>    (Adam)
>    3. Web Payments Joint Meeting 3/27-29th Participation
>    4. L3 WD01 open pull requests and open issues
>
>
>
> Pull requests · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-01>
>
>    1. Recommend duration of challenge validity by emlun · Pull Request
>          #1855 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/pull/1855>
>          2. Improve guidance around using UV by emlun · Pull Request
>          #1774 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/pull/1774>
>
>
>
> Pull requests · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>
>    1. Add links to and update all numbered step references by emlun ·
>    Pull Request #1864 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1864>
>    2. Use i18n-glossary definition of [=grapheme cluster=] by emlun ·
>    Pull Request #1863 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/pull/1863>
>    3. Only expose the UV PRF by agl · Pull Request #1836 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/pull/1836>
>
>
>
> Issues · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-01>
>
>    1. Add "smart-card" to AuthenticatorTransport enum (WebKit) · Issue
>          #1835 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1835>
>          2. Prescriptive behaviours for Autofill UI · Issue #1800 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1800>
>          3. Enforce backup eligibility during assertion · Issue #1791 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1791>
>          4. Facility for an RP to indicate a change of displayName to a
>          discoverable credential · Issue #1779 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1779>
>          5. Should enterprise attestation support be flagged explicitly?
>          · Issue #1742 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1742>
>          6. Attestation on Get Assertion · Issue #1741 · w3c/webauthn ·
>          GitHub <https://github.com/w3c/webauthn/issues/1741>
>          7. Discussing mechanisms for enterprise RP's to enforce bound
>          properties of credentials · Issue #1739 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1739>
>          8. Provide passwordless example, or update 1.3.2. to be a
>          passwordless example · Issue #1735 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1735>
>          9. Update top level use cases to account for multi-device
>          credentials · Issue #1720 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1720>
>          10. Public Key Credential Source and Extensions · Issue #1719 ·
>          w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1719>
>          11. RP operations: some extension processing may assume that the
>          encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1711>
>          12. Split RP ops "Registering a new credential" into one with
>          and one without attestation · Issue #1710 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1710>
>          13. Switch to permissive copyright license? · Issue #1705 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1705>
>          14. Platform Errors for attestations. · Issue #1697 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1697>
>          15. Should an RP be able to provide finer grained authenticator
>          filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1688>
>          16. Lookup Credential Source by Credential ID Algorithm returns
>          sensitive data such as the credential private key · Issue #1678 ·
>          w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1678>
>          17. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
>          <https://github.com/w3c/webauthn/issues/1665>
>          18. Cross-origin credential creation in iframes · Issue #1656 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1656>
>          19. Trailing position of metadata · Issue #1646 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1646>
>          20. [Editorial] Truncation description inaccurate · Issue #1645
>          · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1645>
>          21. Mechanism for encoding *direction* metadata may need more
>          work · Issue #1644 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1644>
>          22. Use of in-field metadata not preferred · Issue #1643 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1643>
>          23. Unicode "tag" characters are deprecated for language tagging
>          · Issue #1642 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1642>
>          24. U+ notation incorrect · Issue #1641 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1641>
>          25. Syncing Platform Keys, Recoverability and Security levels ·
>          Issue #1640 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1640>
>          26. Possible experiences in a future WebAuthn · Issue #1637 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1637>
>          27. reference CTAP2.1 PS spec and fix broken link · Issue #1635
>          · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1635>
>          28. Missing Test Vectors · Issue #1633 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1633>
>          29. CollectedClientData.crossOrigin default value and whether it
>          is required · Issue #1631 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1631>
>          30. Support for remote desktops · Issue #1577 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1577>
>          31. Prevent browsers from deleting credentials that the RP
>          wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1569>
>          32. Support a "create or get [or replace]" credential
>          re-association operation · Issue #1568 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1568>
>          33. Adding info about HSTS for the RPID to client Data. · Issue
>          #1554 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1554>
>          34. Making PublicKeyCredentialDescriptor.transports mandatory ·
>          Issue #1522 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1522>
>          35. double check whether the Secure Payment Confirmation effort
>          has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1492>
>          36. cleanup <pre class=anchors> and use <pre
>          class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1489>
>          37. Regarding the issue of Credential ID exposure(13.5.6), from
>          what perspective should RP compare RK and NRK and which should be adopted?
>          · Issue #1484 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1484>
>          38. Personal information updates & webauthn · Issue #1456 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1456>
>          39. Requesting properties of created credentials. · Issue #1449
>          · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1449>
>          40. More explicitly document use cases · Issue #1389 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1389>
>          41. Addition of a network transport · Issue #1381 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1381>
>          42. Minor cleanups from PR 1270 review · Issue #1291 ·
>          w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1291>
>          43. Clearly define the way how RP handles the extensions · Issue
>          #1258 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1258>
>          44. add feature detection blurb... · Issue #1208 · w3c/webauthn
>          (github.com) <https://github.com/w3c/webauthn/issues/1208>
>          45. think about adding note wrt how client platform might obtain
>          authenticator capabilities · Issue #1207 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1207>
>          46. Update name, displayname and icon for RP and user · Issue
>          #1200 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1200>
>          47. export definitions? · Issue #1049 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/1049>
>          48. ReIssues · w3c/webauthn (github.com)covering from Device
>          Loss · Issue #931 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/931>
>          49. undefined terms and terms we really ought to define · Issue
>          #462 · w3c/webauthn (github.com)
>          <https://github.com/w3c/webauthn/issues/462>
>
>
> Issues · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>
>
>    1. WebAuthn Autofill (Conditional UI) for credential registration ·
>    Issue #1862 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1862>
>    2. Clarify how to differentiate between exceptions · Issue #1859 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1859>
>    3. Clarify the need for truly randomly generated challenges · Issue
>    #1856 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1856>
>    4. Allow conditional and modal flows to run simultaneously · Issue
>    #1854 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1854>
>    5. Add a new "note" to registration options for RP's to help users
>    distinguish credentials · Issue #1852 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1852>
>    6. Add topOrigin to clientData for cross-origin GET in iframe · Issue
>    #1842 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1842>
>    7. "android-key" and "android-safetynet" are really basic attestation
>    type support? · Issue #1819 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1819>
>    8. Variable reference issue in DPK processing rules · Issue #1817 ·
>    w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1817>
>    9. Possibility to filter diplayed authenticators by certified level ·
>    Issue #1816 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1816>
>    10. Dependencies section is out of date and duplicates terms index ·
>    Issue #1797 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1797>
>    11. Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1
>    · Issue #1795 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1795>
>    12. Credential discovery is unclear · Issue #1789 · w3c/webauthn
>    (github.com) <https://github.com/w3c/webauthn/issues/1789>
>    13. Better specify what an unknown type credential descriptor being
>    ignored means · Issue #1748 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1748>
>    14. Spec abstract is out of date on the eve of multi-device
>    credentials and cross-device auth · Issue #1743 · w3c/webauthn (github.com)
>    <https://github.com/w3c/webauthn/issues/1743>
>    15. Cross origin authentication without iframes (accommodating SPC in
>    WebAuthn) · Issue #1667 · w3c/webauthn · GitHub
>    <https://github.com/w3c/webauthn/issues/1667>
>
>
>
>
> 4.   Other open issues
>
> 5.   Adjourn
>
> Because of toll fraud issues MIT has been experiencing, I've been asked to
> change our call coordinates and password and, as an ongoing thing, not
> distribute the call coordinates publicly. That means not including the
> WebEx call number or URL in our agendas or minutes.
>
>
>
> You can find the new call coordinates at this link, accessible with your
> W3C member login credentials.
>
> https://www.w3.org/2016/01/webauth-password.html
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.org%2F2016%2F01%2Fwebauth-password.html&data=04%7C01%7Ctonynad%40microsoft.com%7C9cd59d2cfccb46b0986d08d82dcf4b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637309715629125857%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rRnXdea9sqPx%2B7Z8fbc7bv%2F5nY%2BLZStYSARGKVdH1pA%3D&reserved=0>
>
>
>
>
>
>
> Get Outlook for Android <https://aka.ms/ghei36>
>
>
>
Received on Monday, 27 March 2023 15:51:39 UTC