Re: 03/22/2023 W3C Web Authentication Meeting

Thank you Christiaan, I would like to participate remotely if possible.

Emil Lundberg

Senior Software Engineer | Yubico <http://www.yubico.com/>




On Mon, Mar 27, 2023 at 5:52 PM Christiaan Brand <cbrand@google.com> wrote:

> Hi Shane,
>
> Urgh. No one told me. Not sure where I got 20 April from, but I'll fix it.
>
> Right now I have 18 people confirmed for this event. Tony, are we good to
> proceed with Adam serving as a delegated chair?
>
> We can also make video conferencing (Meet) facilities available for folks
> who can't make it in person and want to be part of the discussion.
>
> /christiaan
>
> On Sun, Mar 26, 2023 at 22:15 Shane B Weeden <sweeden@au1.ibm.com> wrote:
>
>> Hi Tony,
>>
>> Can you please confirm that the f2f is going ahead in San Francisco on
>> April 21 (Friday) and that Adam will be delegated chair, and that
>> Christiaan is managing pre-registration?
>>
>> Also @Christiaan - I am fairly sure this has been pointed out before,
>> however your invitation says April 20 (Friday) when actually the Friday is
>> April 21.
>>
>> Thanks,
>> Shane.
>>
>>
>>
>>
>>
>> On 22 Mar 2023, at 12:08 pm, nadalin@prodigy.net wrote:
>>
>> Here is the agenda for the 03/22/2023 W3C Web Authentication WG Meeting,
>> that will take place as a 60 minute teleconference. Remember call is at
>> NOON PDT.
>>
>>
>> Select scribe please someone be willing to scribe so we can get down to
>> the issues
>>
>>
>>    1. Here is the link to the Level 2 Webauthn Recommendation
>>    https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
>>    2. First Public Working Draft of Level 3 has now been published,
>>    https://www.w3.org/TR/webauthn-3/
>>
>>
>>    1. PWG Update (John B.)
>>    2. RSA (4/24-27) and TPAC (9/11-15) in person meetings possibilities
>>    (Adam)
>>    3. Web Payments Joint Meeting 3/27-29th Participation
>>    4. L3 WD01 open pull requests and open issues
>>
>>
>>
>> Pull requests · w3c/webauthn (github.com)
>> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-01>
>>
>>          1. Recommend duration of challenge validity by emlun · Pull Request
>>          #1855 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/pull/1855>
>>          2. Improve guidance around using UV by emlun · Pull Request
>>          #1774 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/pull/1774>
>>
>>
>>
>> Pull requests · w3c/webauthn · GitHub
>> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>>
>>    1. Add links to and update all numbered step references by emlun ·
>>    Pull Request #1864 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/pull/1864>
>>    2. Use i18n-glossary definition of [=grapheme cluster=] by emlun ·
>>    Pull Request #1863 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/pull/1863>
>>    3. Only expose the UV PRF by agl · Pull Request #1836 · w3c/webauthn
>>    (github.com) <https://github.com/w3c/webauthn/pull/1836>
>>
>>
>>
>> Issues · w3c/webauthn (github.com)
>> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-01>
>>
>>          1. Add "smart-card" to AuthenticatorTransport enum (WebKit) · Issue
>>          #1835 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1835>
>>          2. Prescriptive behaviours for Autofill UI · Issue #1800 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1800>
>>          3. Enforce backup eligibility during assertion · Issue #1791 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1791>
>>          4. Facility for an RP to indicate a change of displayName to a
>>          discoverable credential · Issue #1779 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1779>
>>          5. Should enterprise attestation support be flagged explicitly?
>>          · Issue #1742 · w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1742>
>>          6. Attestation on Get Assertion · Issue #1741 · w3c/webauthn ·
>>          GitHub <https://github.com/w3c/webauthn/issues/1741>
>>          7. Discussing mechanisms for enterprise RP's to enforce bound
>>          properties of credentials · Issue #1739 · w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1739>
>>          8. Provide passwordless example, or update 1.3.2. to be a
>>          passwordless example · Issue #1735 · w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1735>
>>          9. Update top level use cases to account for multi-device
>>          credentials · Issue #1720 · w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1720>
>>          10. Public Key Credential Source and Extensions · Issue #1719 ·
>>          w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1719>
>>          11. RP operations: some extension processing may assume that
>>          the encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1711>
>>          12. Split RP ops "Registering a new credential" into one with
>>          and one without attestation · Issue #1710 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1710>
>>          13. Switch to permissive copyright license? · Issue #1705 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1705>
>>          14. Platform Errors for attestations. · Issue #1697 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1697>
>>          15. Should an RP be able to provide finer grained authenticator
>>          filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1688>
>>          16. Lookup Credential Source by Credential ID Algorithm returns
>>          sensitive data such as the credential private key · Issue #1678 ·
>>          w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1678>
>>          17. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
>>          <https://github.com/w3c/webauthn/issues/1665>
>>          18. Cross-origin credential creation in iframes · Issue #1656 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1656>
>>          19. Trailing position of metadata · Issue #1646 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1646>
>>          20. [Editorial] Truncation description inaccurate · Issue #1645
>>          · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1645>
>>          21. Mechanism for encoding *direction* metadata may need more
>>          work · Issue #1644 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1644>
>>          22. Use of in-field metadata not preferred · Issue #1643 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1643>
>>          23. Unicode "tag" characters are deprecated for language
>>          tagging · Issue #1642 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1642>
>>          24. U+ notation incorrect · Issue #1641 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1641>
>>          25. Syncing Platform Keys, Recoverability and Security levels ·
>>          Issue #1640 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1640>
>>          26. Possible experiences in a future WebAuthn · Issue #1637 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1637>
>>          27. reference CTAP2.1 PS spec and fix broken link · Issue #1635
>>          · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1635>
>>          28. Missing Test Vectors · Issue #1633 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1633>
>>          29. CollectedClientData.crossOrigin default value and whether
>>          it is required · Issue #1631 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1631>
>>          30. Support for remote desktops · Issue #1577 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1577>
>>          31. Prevent browsers from deleting credentials that the RP
>>          wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1569>
>>          32. Support a "create or get [or replace]" credential
>>          re-association operation · Issue #1568 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1568>
>>          33. Adding info about HSTS for the RPID to client Data. · Issue
>>          #1554 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1554>
>>          34. Making PublicKeyCredentialDescriptor.transports mandatory ·
>>          Issue #1522 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1522>
>>          35. double check whether the Secure Payment Confirmation effort
>>          has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1492>
>>          36. cleanup <pre class=anchors> and use <pre
>>          class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1489>
>>          37. Regarding the issue of Credential ID exposure(13.5.6), from
>>          what perspective should RP compare RK and NRK and which should be adopted?
>>          · Issue #1484 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1484>
>>          38. Personal information updates & webauthn · Issue #1456 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1456>
>>          39. Requesting properties of created credentials. · Issue #1449
>>          · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1449>
>>          40. More explicitly document use cases · Issue #1389 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1389>
>>          41. Addition of a network transport · Issue #1381 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1381>
>>          42. Minor cleanups from PR 1270 review · Issue #1291 ·
>>          w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1291>
>>          43. Clearly define the way how RP handles the extensions ·
>>          Issue #1258 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1258>
>>          44. add feature detection blurb... · Issue #1208 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1208>
>>          45. think about adding note wrt how client platform might
>>          obtain authenticator capabilities · Issue #1207 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1207>
>>          46. Update name, displayname and icon for RP and user · Issue
>>          #1200 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/1200>
>>          47. export definitions? · Issue #1049 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/1049>
>>          48. Recovering from Device Loss · Issue #931 · w3c/webauthn
>>          (github.com) <https://github.com/w3c/webauthn/issues/931>
>>          49. undefined terms and terms we really ought to define · Issue
>>          #462 · w3c/webauthn (github.com)
>>          <https://github.com/w3c/webauthn/issues/462>
>>
>>
>> Issues · w3c/webauthn · GitHub
>> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>>
>>
>>    1. WebAuthn Autofill (Conditional UI) for credential registration ·
>>    Issue #1862 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1862>
>>    2. Clarify how to differentiate between exceptions · Issue #1859 ·
>>    w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1859>
>>    3. Clarify the need for truly randomly generated challenges · Issue
>>    #1856 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1856>
>>    4. Allow conditional and modal flows to run simultaneously · Issue
>>    #1854 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1854>
>>    5. Add a new "note" to registration options for RP's to help users
>>    distinguish credentials · Issue #1852 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1852>
>>    6. Add topOrigin to clientData for cross-origin GET in iframe · Issue
>>    #1842 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1842>
>>    7. "android-key" and "android-safetynet" are really basic attestation
>>    type support? · Issue #1819 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1819>
>>    8. Variable reference issue in DPK processing rules · Issue #1817 ·
>>    w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1817>
>>    9. Possibility to filter diplayed authenticators by certified level ·
>>    Issue #1816 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1816>
>>    10. Dependencies section is out of date and duplicates terms index ·
>>    Issue #1797 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1797>
>>    11. Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1
>>    · Issue #1795 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1795>
>>    12. Credential discovery is unclear · Issue #1789 · w3c/webauthn
>>    (github.com) <https://github.com/w3c/webauthn/issues/1789>
>>    13. Better specify what an unknown type credential descriptor being
>>    ignored means · Issue #1748 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1748>
>>    14. Spec abstract is out of date on the eve of multi-device
>>    credentials and cross-device auth · Issue #1743 · w3c/webauthn (github.com)
>>    <https://github.com/w3c/webauthn/issues/1743>
>>    15. Cross origin authentication without iframes (accommodating SPC in
>>    WebAuthn) · Issue #1667 · w3c/webauthn · GitHub
>>    <https://github.com/w3c/webauthn/issues/1667>
>>
>>
>>
>>
>> 4.   Other open issues
>>
>> 5.   Adjourn
>>
>> Because of toll fraud issues MIT has been experiencing, I've been asked
>> to change our call coordinates and password and, as an ongoing thing, not
>> distribute the call coordinates publicly. That means not including the
>> WebEx call number or URL in our agendas or minutes.
>>
>>
>>
>> You can find the new call coordinates at this link, accessible with your
>> W3C member login credentials.
>>
>> https://www.w3.org/2016/01/webauth-password.html

Received on Monday, 27 March 2023 16:45:14 UTC