- From: Emil Lundberg <emil@yubico.com>
- Date: Thu, 25 Apr 2024 12:08:48 +0200
- To: ANTHONY NADALIN <nadalin@prodigy.net>, simone@w3.org
- Cc: Michael Jones <michael_b_jones@hotmail.com>, W3C Web Authn WG <public-webauthn@w3.org>, John Fontana <jfontana@yubico.com>, "Phillips, Addison" <addison@lab126.com>, Christiaan Brand <cbrand@google.com>, Ian Jacobs <ij@w3.org>
- Message-ID: <CANMnvkx0e9PbGp4A9T5J3_LZKYhm5wxpL-QJhvrWvaA+LxsqUA@mail.gmail.com>
Oh, I see now the agenda email says 12PM Pacific time, but the W3C calendar event was at 11AM. A few of us showed up an hour early, discussed one editorial-process issue and cut our meeting short:
https://www.w3.org/2024/04/24-webauthn-minutes.html

Simone, can you sync with Tony to make sure the meeting times scheduled in the WebAuthn WG calendar <https://www.w3.org/groups/wg/webauthn/calendar/> are accurate?

Emil Lundberg
Senior Software Engineer | Yubico <http://www.yubico.com/>

On Wed, Apr 24, 2024 at 8:35 PM <nadalin@prodigy.net> wrote:

> Today's meeting is confirmed not cancelled
>
> *From:* Emil Lundberg <emil@yubico.com>
> *Sent:* Wednesday, April 24, 2024 11:04 AM
> *To:* nadalin@prodigy.net
> *Cc:* Michael Jones <michael_b_jones@hotmail.com>; W3C Web Authn WG <public-webauthn@w3.org>; John Fontana <jfontana@yubico.com>; Phillips, Addison <addison@lab126.com>; Christiaan Brand <cbrand@google.com>; Ian Jacobs <ij@w3.org>
> *Subject:* Re: 04/24/2024 W3C Web Authentication Meeting
>
> Hi all,
>
> I noticed just now that in the W3C calendar, today's meeting is listed as "canceled", so there's no Zoom link to join the meeting. You can still reach it via the "Joining Instructions" for next week's meeting, around the middle of this page:
> https://www.w3.org/events/meetings/303bd285-b897-4abe-80fc-5b421d49ec21/20240501T150000/
>
> *Emil Lundberg*
> Senior Software Engineer | *Yubico* <http://www.yubico.com/>
>
> On Wed, Apr 24, 2024 at 3:18 AM <nadalin@prodigy.net> wrote:
>
> Here is the agenda for the 04/24/2024 W3C Web Authentication WG Meeting, that will take place as a 60 minute teleconference. Remember call is at *12PM Pacific Time*. Reminder that we will be using ZOOM from now on, please make sure you go to Web Authentication bi-weekly (w3.org) <https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>
>
> Select scribe please someone be willing to scribe so we can get down to the issues
>
> 1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
> 2. Charter Extension in progress
> 3. 05/08/2024 Meeting CANCELLED (FIDIO)
> 4. 05/29/2024 Meeting CANCELLED (Identiverse)
> 5. WD01 has now been published, https://www.w3.org/TR/webauthn-3/
> 6. PWG Update (John B., Adam L.)
> 7. We have 49 open issues, 25 of them have been tagged with the @RISK label, please review with the link below, if you don’t agree we will discuss as the first item on the agenda
>    1. Issues · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+label%3A%40Risk>
> 8. W3c WebID proposal for authentication see WebID - W3C Wiki <https://www.w3.org/wiki/WebID>
> 9. L3 WD01 open pull requests and open issues
>
> Pull requests · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-02>
>
>    1. adds Related Origin Requests by timcappalli · Pull Request #2040 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2040>
>    2. Update Dependencies section by selfissued · Pull Request #2039 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2039>
>    3. Explicitly specify binary encoding for string truncation by emlun · Pull Request #2017 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2017>
>    4. Enterprise packed attestation guidance by dwaite · Pull Request #1954 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/1954>
>    5. Initial text for conditional create by pascoej · Pull Request #1951 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/1951>
>
> Pull requests · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
>
>    1. Don't zero platform-authenticator AAGUIDs. by agl · Pull Request #2058 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2058>
>    2. Adds timeSinceUv extension by timcappalli · Pull Request #2052 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2052>
>    3. Include enterpriseAttestation in getClientClientCapabilities by timcappalli · Pull Request #2051 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2051>
>    4. [WIP] Help RP's understand actionable exceptions from `create()` and `get()` by MasterKale · Pull Request #2047 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2047>
>    5. Various improvements to conditionalCreate/Mediation discoverability and uniformity by emlun · Pull Request #2046 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2046>
>    6. Improved version of extension for Transaction Confirmation by rlin1 · Pull Request #2020 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2020>
>    7. Clarify TPM attestation verification instructions by sbweeden · Pull Request #1926 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/1926>
>
> Issues · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-02+>
>
>    1. rp.name, user.name and user.displayName length limit does not state binary encoding · Issue #1994 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1994>
>    2. create() and get() return an algorithm, not a credential · Issue #1984 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1984>
>    3. Ambiguous instructions in the Android Key Attestation Statement Format verification procedure · Issue #1980 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1980>
>    4. Are notes in webauthn normative or informative? · Issue #1979 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1979>
>    5. Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON · Issue #1968 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1968>
>    6. [Superset] Updating credential metadata and requesting deletion of stale credentials · Issue #1967 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1967>
>    7. Should credentials requested with attestation=none include an AAGUID? · Issue #1962 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1962>
>    8. Non-modal registration during conditional assertion · Issue #1929 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1929>
>    9. Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1921>
>    10. Allow desired attestation format to be an ordered list · Issue #1917 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1917>
>    11. Describe packed enterprise attestation · Issue #1916 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1916>
>    12. Misaligned steps in Section 7.2 · Issue #1913 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1913>
>    13. Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1800>
>    14. Should enterprise attestation support be flagged explicitly? · Issue #1742 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1742>
>    15. Discussing mechanisms for enterprise RP's to enforce bound properties of credentials · Issue #1739 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1739>
>    16. Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1735>
>    17. Update top level use cases to account for multi-device credentials · Issue #1720 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1720>
>    18. Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1719>
>    19. RP operations: some extension processing may assume that the encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1711>
>    20. Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1710>
>    21. Switch to permissive copyright license? · Issue #1705 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1705>
>    22. Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1688>
>    23. Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1678>
>    24. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1665>
>    25. Cross-origin credential creation in iframes · Issue #1656 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1656>
>    26. Trailing position of metadata · Issue #1646 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1646>
>    27. [Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1645>
>    28. Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1644>
>    29. Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1643>
>    30. Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1642>
>    31. U+ notation incorrect · Issue #1641 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1641>
>    32. Syncing Platform Keys, Recoverability and Security levels · Issue #1640 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1640>
>    33. Possible experiences in a future WebAuthn · Issue #1637 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1637>
>    34. Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1633>
>    35. CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1631>
>    36. Support for remote desktops · Issue #1577 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1577>
>    37. Prevent browsers from deleting credentials that the RP wanted to be server-side · Issue #1569 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1569>
>    38. Support a "create or get [or replace]" credential re-association operation · Issue #1568 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1568>
>    39. Adding info about HSTS for the RPID to client Data. · Issue #1554 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1554>
>    40. Making PublicKeyCredentialDescriptor.transports mandatory · Issue #1522 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1522>
>    41. cleanup <pre class=anchors> and use <pre class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1489>
>    42. Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1484>
>    43. Requesting properties of created credentials. · Issue #1449 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1449>
>    44. PublicKeyCredentialParameters can't select curve (E.g. ed448) · Issue #1446 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1446>
>    45. Minor cleanups from PR 1270 review · Issue #1291 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1291>
>    46. Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1258>
>    47. export definitions? · Issue #1049 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1049>
>    48. undefined terms and terms we really ought to define · Issue #462 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/462>
>
> Issues · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
>
>    1. Additional guidance/clarification on RP ID and origin validation · Issue #2059 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2059>
>    2. excludeCredentials on Get · Issue #2057 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2057>
>    3. CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values · Issue #2056 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2056>
>    4. Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2053>
>    5. Editorial convention: Semantic line breaks · Issue #2045 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2045>
>    6. How to guarantee created resident key is actually received by RP in adverse networking conditions? · Issue #2038 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2038>
>    7. Show only passkey based autofill · Issue #2037 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2037>
>    8. New Authenticator Extension: Time Since UV · Issue #2034 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2034>
>    9. Defining new OIDs to facilitate WebAuthn interoperability with CMS · Issue #2026 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2026>
>    10. Reflect caching of user gestures in WebAuthn assertion · Issue #2023 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2023>
>    11. Revised txAuthSimple extension · Issue #2022 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2022>
>    12. Clarify how to differentiate between exceptions · Issue #1859 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1859>
>    13. Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1856>
>    14. Dependencies section is out of date and duplicates terms index · Issue #1797 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1797>
>    15. Enterprise attestaion is a bool in WebAuthn and an Int in CTAP2.1 · Issue #1795 · w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1795>
>    16. Cross origin authentication without iframes (accommodating SPC in WebAuthn) · Issue #1667 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1667>
>
> 4. Other open issues
> 5. Adjourn
>
> Because of toll fraud issues MIT has been experiencing, I've been asked to change our call coordinates and password and, as an ongoing thing, not distribute the call coordinates publicly. That means not including the WebEx call number or URL in our agendas or minutes.
>
> You can find the new call coordinates at this link, accessible with your W3C member login credentials.
>
> https://www.w3.org/2016/01/webauth-password.html
>
> Get Outlook for Android <https://aka.ms/ghei36>

Received on Thursday, 25 April 2024 10:09:09 UTC