- From: Emil Lundberg <emil@yubico.com>
- Date: Wed, 24 Apr 2024 20:03:54 +0200
- To: nadalin@prodigy.net
- Cc: Michael Jones <michael_b_jones@hotmail.com>, W3C Web Authn WG <public-webauthn@w3.org>, John Fontana <jfontana@yubico.com>, "Phillips, Addison" <addison@lab126.com>, Christiaan Brand <cbrand@google.com>, Ian Jacobs <ij@w3.org>
- Message-ID: <CANMnvkzirSyjbn-BefgonkZDPEVecuigMXLeMV=UczaPf-oJUg@mail.gmail.com>
Hi all,
I noticed just now that in the W3C calendar, today's meeting is listed as
"canceled", so there's no Zoom link to join the meeting. You can still
reach it via the "Joining Instructions" for next week's meeting, around the
middle of this page:
https://www.w3.org/events/meetings/303bd285-b897-4abe-80fc-5b421d49ec21/20240501T150000/
Emil Lundberg
Senior Software Engineer | Yubico <http://www.yubico.com/>
On Wed, Apr 24, 2024 at 3:18 AM <nadalin@prodigy.net> wrote:
> Here is the agenda for the 04/24/2024 W3C Web Authentication WG Meeting,
> that will take place as a 60 minute teleconference. Remember call is at
> *12PM** Pacific Time*. Reminder that we will be using ZOOM from now on,
> please make sure you go to Web Authentication bi-weekly (w3.org)
> <https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>
>
>
>
> Select scribe please someone be willing to scribe so we can get down to
> the issues
>
>
>
> 1. Here is the link to the Level 2 Webauthn Recommendation
> https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
> 2. Charter Extension in progress
> 3. 05/08/2024 Meeting CANCELLED (FIDIO)
> 4. 05/29/2024 Meeting CANCELLED (Identiverse)
> 5. WD01 has now been published, https://www.w3.org/TR/webauthn-3/
>
>
> 6. PWG Update (John B., Adam L.)
> 7. We have 49 open issues, 25 of them have been tagged with the @RISK
> label, please review with the link below, if you don’t agree we will
> discuss as the first item on the agenda
>
>
> 1. Issues · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3A%40Risk>
>
>
> 8. W3c WebID proposal for authentication see WebID - W3C Wiki
> <https://www.w3.org/wiki/WebID>
> 9. L3 WD01 open pull requests and open issues
>
>
>
>
>
> Pull requests · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-02>
>
> 1. adds Related Origin Requests by timcappalli · Pull Request #2040 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2040>
> 2. Update Dependencies section by selfissued · Pull Request
> #2039 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2039>
> 3. Explicitly specify binary encoding for string truncation by
> emlun · Pull Request #2017 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2017>
> 4. Enterprise packed attestation guidance by dwaite · Pull
> Request #1954 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/1954>
> 5. Initial text for conditional create by pascoej · Pull Request
> #1951 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/1951>
>
>
>
> Pull requests · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>
> 1. Don't zero platform-authenticator AAGUIDs. by agl · Pull Request
> #2058 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2058>
> 2. Adds timeSinceUv extension by timcappalli · Pull Request #2052 ·
> w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2052>
> 3. Include enterpriseAttestation in getClientClientCapabilities by
> timcappalli · Pull Request #2051 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2051>
> 4. [WIP] Help RP's understand actionable exceptions from `create()`
> and `get()` by MasterKale · Pull Request #2047 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2047>
> 5. Various improvements to conditionalCreate/Mediation discoverability
> and uniformity by emlun · Pull Request #2046 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2046>
> 6. Improved version of extension for Transaction Confirmation by rlin1
> · Pull Request #2020 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/2020>
> 7. Clarify TPM attestation verification instructions by sbweeden ·
> Pull Request #1926 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/pull/1926>
>
>
>
> Issues · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-02+>
>
> 1. rp.name, user.name and user.displayName length limit does not state
> binary encoding · Issue #1994 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1994>
> 2. create() and get() return an algorithm, not a credential ·
> Issue #1984 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1984>
> 3. Ambiguous instructions in the Android Key Attestation
> Statement Format verification procedure · Issue #1980 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1980>
> 4. Are notes in webauthn normative or informative? · Issue #1979
> · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1979>
> 5. Extensions should specify partial dictionaries that modify
> AuthenticationExtensionsClient{Inputs, Outputs}JSON · Issue #1968 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1968>
> 6. [Superset] Updating credential metadata and requesting
> deletion of stale credentials · Issue #1967 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1967>
> 7. Should credentials requested with attestation=none include an
> AAGUID? · Issue #1962 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1962>
> 8. Non-modal registration during conditional assertion · Issue
> #1929 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1929>
> 9. Adding some sentences to describe credential sharing between
> multiple users · Issue #1921 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1921>
> 10. Allow desired attestation format to be an ordered list ·
> Issue #1917 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1917>
> 11. Describe packed enterprise attestation · Issue #1916 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1916>
> 12. Misaligned steps in Section 7.2 · Issue #1913 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1913>
> 13. Prescriptive behaviours for Autofill UI · Issue #1800 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1800>
> 14. Should enterprise attestation support be flagged explicitly?
> · Issue #1742 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1742>
> 15. Discussing mechanisms for enterprise RP's to enforce bound
> properties of credentials · Issue #1739 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1739>
> 16. Provide passwordless example, or update 1.3.2. to be a
> passwordless example · Issue #1735 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1735>
> 17. Update top level use cases to account for multi-device
> credentials · Issue #1720 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1720>
> 18. Public Key Credential Source and Extensions · Issue #1719 ·
> w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1719>
> 19. RP operations: some extension processing may assume that the
> encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1711>
> 20. Split RP ops "Registering a new credential" into one with
> and one without attestation · Issue #1710 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1710>
> 21. Switch to permissive copyright license? · Issue #1705 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1705>
> 22. Should an RP be able to provide finer grained authenticator
> filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1688>
> 23. Lookup Credential Source by Credential ID Algorithm returns
> sensitive data such as the credential private key · Issue #1678 ·
> w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1678>
> 24. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1665>
> 25. Cross-origin credential creation in iframes · Issue #1656 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1656>
> 26. Trailing position of metadata · Issue #1646 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1646>
> 27. [Editorial] Truncation description inaccurate · Issue #1645
> · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1645>
> 28. Mechanism for encoding *direction* metadata may need more
> work · Issue #1644 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1644>
> 29. Use of in-field metadata not preferred · Issue #1643 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1643>
> 30. Unicode "tag" characters are deprecated for language tagging
> · Issue #1642 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1642>
> 31. U+ notation incorrect · Issue #1641 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1641>
> 32. Syncing Platform Keys, Recoverability and Security levels ·
> Issue #1640 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1640>
> 33. Possible experiences in a future WebAuthn · Issue #1637 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1637>
> 34. Missing Test Vectors · Issue #1633 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1633>
> 35. CollectedClientData.crossOrigin default value and whether it
> is required · Issue #1631 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1631>
> 36. Support for remote desktops · Issue #1577 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1577>
> 37. Prevent browsers from deleting credentials that the RP
> wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1569>
> 38. Support a "create or get [or replace]" credential
> re-association operation · Issue #1568 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1568>
> 39. Adding info about HSTS for the RPID to client Data. · Issue
> #1554 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1554>
> 40. Making PublicKeyCredentialDescriptor.transports mandatory ·
> Issue #1522 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1522>
> 41. cleanup <pre class=anchors> and use <pre
> class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/1489>
> 42. Regarding the issue of Credential ID exposure(13.5.6), from
> what perspective should RP compare RK and NRK and which should be adopted?
> · Issue #1484 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1484>
> 43. Requesting properties of created credentials. · Issue #1449
> · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1449>
> 44. PublicKeyCredentialParameters can't select curve (E.g.
> ed448) · Issue #1446 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1446>
> 45. Minor cleanups from PR 1270 review · Issue #1291 ·
> w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1291>
> 46. Clearly define the way how RP handles the extensions · Issue
> #1258 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1258>
> 47. export definitions? · Issue #1049 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1049>
> 48. undefined terms and terms we really ought to define · Issue
> #462 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/462>
>
>
>
> Issues · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>
> 1. Additional guidance/clarification on RP ID and origin validation ·
> Issue #2059 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2059>
> 2. excludeCredentials on Get · Issue #2057 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2057>
> 3. CollectedClientData serialization is confusing WebIDL and/or Infra
> values for ECMAScript values · Issue #2056 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2056>
> 4. Deprecate AuthenticatorAttachment in favor of
> PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2053>
> 5. Editorial convention: Semantic line breaks · Issue #2045 ·
> w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2045>
> 6. How to guarantee created resident key is actually received by RP in
> adverse networking conditions? · Issue #2038 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2038>
> 7. Show only passkey based autofill · Issue #2037 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/2037>
> 8. New Authenticator Extension: Time Since UV · Issue #2034 ·
> w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2034>
> 9. Defining new OIDs to facilitate WebAuthn interoperability with CMS
> · Issue #2026 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2026>
> 10. Reflect caching of user gestures in WebAuthn assertion · Issue
> #2023 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/2023>
> 11. Revised txAuthSimple extension · Issue #2022 · w3c/webauthn
> (github.com) <https://github.com/w3c/webauthn/issues/2022>
> 12. Clarify how to differentiate between exceptions · Issue #1859 ·
> w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1859>
> 13. Clarify the need for truly randomly generated challenges (aka
> challenge callback issue) · Issue #1856 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1856>
> 14. Dependencies section is out of date and duplicates terms index ·
> Issue #1797 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1797>
> 15. Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1
> · Issue #1795 · w3c/webauthn (github.com)
> <https://github.com/w3c/webauthn/issues/1795>
> 16. Cross origin authentication without iframes (accommodating SPC in
> WebAuthn) · Issue #1667 · w3c/webauthn · GitHub
> <https://github.com/w3c/webauthn/issues/1667>
>
>
>
>
>
> 4. Other open issues
>
> 5. Adjourn
>
> Because of toll fraud issues MIT has been experiencing, I've been asked to
> change our call coordinates and password and, as an ongoing thing, not
> distribute the call coordinates publicly. That means not including the
> WebEx call number or URL in our agendas or minutes.
>
>
>
> You can find the new call coordinates at this link, accessible with your
> W3C member login credentials.
>
> https://www.w3.org/2016/01/webauth-password.html
>
>
>
>
>
>
>
>
>
> Get Outlook for Android <https://aka.ms/ghei36>
>
Received on Wednesday, 24 April 2024 18:04:16 UTC