- From: <nadalin@prodigy.net>
- Date: Tue, 25 Jun 2024 18:46:05 -0700
- To: "'Michael Jones'" <michael_b_jones@hotmail.com>, "'W3C Web Authn WG'" <public-webauthn@w3.org>, "'John Fontana'" <jfontana@yubico.com>, "'Phillips, Addison'" <addison@lab126.com>, "'Christiaan Brand'" <cbrand@google.com>, "'Ian Jacobs'" <ij@w3.org>
- Message-ID: <734501dac76a$9f8d9d90$dea8d8b0$@prodigy.net>
Here is the agenda for the 06/26/2024 W3C Web Authentication WG Meeting,
that will take place as a 60 minute teleconference. Remember call is at 12PM
Pacific Time. Reminder that we will be using ZOOM from now on, please make
sure you go to Web Authentication bi-weekly (w3.org)
<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/202
30517T150000>
Select scribe please someone be willing to scribe so we can get down to the
issues
1. Here is the link to the Level 2 Webauthn Recommendation
https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
2. Charter Extension in progress (Web Authentication Working Group
Charter (w3c.github.io)
<https://w3c.github.io/charter-drafts/2024/wg-webauthn.html> )
3. 07/03/2024 CANCEL or KEEP?
4. F2F TPAC 2024 (Sept 24-27, Anaheim CA)
a. Full day on the 24th 9-5 and the payments WG meeting will happen
16:30-18:00 as part of the 24th
5. WD01 has now been published, https://www.w3.org/TR/webauthn-3/
6. PWG Update (John B., Adam L.)
7. L3 Publication Schedule
a. Deadline for <https://www.w3.org/Consortium/Process/#wide-review>
wide review
Sunday, October 27 0024
b.
<https://w3c.github.io/charter-drafts/charter-template.html#decisions> Group
Call for Consensus (CfC) to move to Candidate Recommendation,
<https://www.w3.org/Consortium/Process/#wide-review> wide review is done
Monday, October 28 0024
c. Transition request to
<https://www.w3.org/Guide/transitions?profile=CR&cr=new> Candidate
Recommendation
Thursday, November 7 0024
8. L3 WD01 open pull requests and open issues
Pull requests · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD
-02>
1. Align RP ID string types by emlun · Pull Request #2074 ·
w3c/webauthn · GitHub <https://github.com/w3c/webauthn/pull/2074>
2. Disallow empty strings by selfissued · Pull Request #2073 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2073>
3. adds Related Origin Requests by timcappalli · Pull Request #2040 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2040>
4. Explicitly specify binary encoding for string truncation by emlun ·
Pull Request #2017 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pull/2017>
Pull requests · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
1. Remove UVM extension by timcappalli · Pull Request #2085 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2085>
2. Add <https://github.com/w3c/webauthn/pull/2078> "sign" extension by
emlun · Pull Request #2078 · w3c/webauthn · GitHub
3. Fix type of AuthenticatorAttestationResponseJSON.publicKeyAlgorithm
by emlun · Pull Request #2071 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/pull/2071>
4. Adds timeSinceUv extension by timcappalli · Pull Request #2052 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/pull/2052>
5. Include enterpriseAttestation in getClientClientCapabilities by
timcappalli · Pull Request #2051 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pull/2051>
6. [WIP] Help RP's understand actionable exceptions from `create()` and
`get()` by MasterKale · Pull Request #2047 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pull/2047>
7. Various improvements to conditionalCreate/Mediation discoverability
and uniformity by emlun · Pull Request #2046 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pull/2046>
8. Improved version of extension for Transaction Confirmation by rlin1
· Pull Request #2020 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pull/2020>
9. Clarify TPM attestation verification instructions by sbweeden · Pull
Request #1926 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/pull/1926>
Issues · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL
3-WD-02+>
1. CredentialCreationOptions/mediation not yet defined in CredMan ·
Issue #2079 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2079>
2. Make PublicKeyCredentialRequestOptions.rpId a DOMString · Issue
#2066 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/2066>
3. Make AuthenticatorAttestationResponseJSON.publicKeyAlgorithm a long
· Issue #2065 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2065>
4. §6.1. Steps to generate authenticator data should include BE and BS
flags · Issue #2064 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2064>
5. create() and get() return an algorithm, not a credential · Issue
#1984 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1984>
6. Ambiguous instructions in the Android Key Attestation Statement
Format verification procedure · Issue #1980 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1980>
7. Are notes in webauthn normative or informative? · Issue #1979 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1979>
8. Extensions should specify partial dictionaries that modify
AuthenticationExtensionsClient{Inputs, Outputs}JSON · Issue #1968 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1968>
9. [Superset] Updating credential metadata and requesting deletion of
stale credentials · Issue #1967 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1967>
10. Should credentials requested with attestation=none include an
AAGUID? · Issue #1962 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1962>
11. Non-modal registration during conditional assertion · Issue #1929 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1929>
12. Adding some sentences to describe credential sharing between
multiple users · Issue #1921 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1921>
13. Allow desired attestation format to be an ordered list · Issue #1917
· w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1917>
14. Describe packed enterprise attestation · Issue #1916 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1916>
15. Misaligned steps in Section 7.2 · Issue #1913 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1913>
16. Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1800>
17. Should enterprise attestation support be flagged explicitly? · Issue
#1742 · w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1742>
18. Discussing mechanisms for enterprise RP's to enforce bound
properties of credentials · Issue #1739 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/1739>
19. Provide passwordless example, or update 1.3.2. to be a passwordless
example · Issue #1735 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/1735>
20. Update top level use cases to account for multi-device credentials ·
Issue #1720 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/1720>
21. Public Key Credential Source and Extensions · Issue #1719 ·
w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1719>
22. RP operations: some extension processing may assume that the
encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/1711>
23. Split RP ops <https://github.com/w3c/webauthn/issues/1710>
"Registering a new credential" into one with and one without attestation ·
Issue #1710 · w3c/webauthn (github.com)
24. Switch to permissive copyright license? · Issue #1705 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1705>
25. Should an RP be able to provide finer grained authenticator
filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1688>
26. Lookup Credential Source by Credential ID Algorithm returns
sensitive data such as the credential private key · Issue #1678 ·
w3c/webauthn · GitHub <https://github.com/w3c/webauthn/issues/1678>
27. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/1665>
28. Cross-origin credential creation in iframes · Issue #1656 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1656>
29. Trailing position of metadata · Issue #1646 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1646>
30. [Editorial] Truncation description inaccurate · Issue #1645 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1645>
31. Mechanism for encoding *direction* metadata may need more work ·
Issue #1644 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1644>
32. Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1643>
33. Unicode <https://github.com/w3c/webauthn/issues/1642> "tag"
characters are deprecated for language tagging · Issue #1642 · w3c/webauthn
(github.com)
34. U+ notation incorrect · Issue #1641 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1641>
35. Syncing Platform Keys, Recoverability and Security levels · Issue
#1640 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1640>
36. Possible experiences in a future WebAuthn · Issue #1637 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1637>
37. Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1633>
38. CollectedClientData.crossOrigin default value and whether it is
required · Issue #1631 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1631>
39. Support for remote desktops · Issue #1577 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1577>
40. Prevent browsers from deleting credentials that the RP wanted to be
server-side · Issue #1569 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1569>
41. Support a <https://github.com/w3c/webauthn/issues/1568> "create or
get [or replace]" credential re-association operation · Issue #1568 ·
w3c/webauthn (github.com)
42. Adding info about HSTS for the RPID to client Data. · Issue #1554 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1554>
43. Making PublicKeyCredentialDescriptor.transports mandatory · Issue
#1522 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1522>
44. cleanup <https://github.com/w3c/webauthn/issues/1489> <pre
class=anchors> and use <pre class="link-defaults"> as appropriate · Issue
#1489 · w3c/webauthn (github.com)
45. Regarding the issue of Credential ID exposure(13.5.6), from what
perspective should RP compare RK and NRK and which should be adopted? ·
Issue #1484 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1484>
46. Requesting properties of created credentials. · Issue #1449 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1449>
47. PublicKeyCredentialParameters can't select curve (E.g. ed448) ·
Issue #1446 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1446>
48. Minor cleanups from PR 1270 review · Issue #1291 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/1291>
49. Clearly define the way how RP handles the extensions · Issue #1258 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1258>
50. export definitions? · Issue #1049 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1049>
51. undefined terms and terms we really ought to define · Issue #462 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/462>
Issues · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat
%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
1. Add support for IDNs and display domain names in Unicode for a more
user friendly UX · Issue #2087 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2087>
2. Add support for hinting at verbiage other than
<https://github.com/w3c/webauthn/issues/2086> "sign in" during
authentication · Issue #2086 · w3c/webauthn (github.com)
3. Allow conditional mediation flow without username or password field,
I.E. from button press · Issue #2084 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2084>
4. Align the order of fields in PublicKeyCredentialDescriptorJSON with
PublicKeyCredentialDescriptor · Issue #2082 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2082>
5. supplementalPubKeys attestation incompatible with most verification
procedures · Issue #2075 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2075>
6. Support for WebDriver BiDi · Issue #2072 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2072>
7. Remove the UVM extension from WebAuthn L3 (potentially) · Issue
#2069 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2069>
8. Empty strings are not valid RFC 8266 Nicknames · Issue #2068 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2068>
9. Support NoCredentialsError and UserCancelledError codes · Issue
#2062 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2062>
10. Additional guidance/clarification on RP ID and origin validation ·
Issue #2059 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2059>
11. excludeCredentials on Get · Issue #2057 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/2057>
12. CollectedClientData serialization is confusing WebIDL and/or Infra
values for ECMAScript values · Issue #2056 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2056>
13. Deprecate AuthenticatorAttachment in favor of
PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2053>
14. Editorial convention: Semantic line breaks · Issue #2045 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2045>
15. How to guarantee created resident key is actually received by RP in
adverse networking conditions? · Issue #2038 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2038>
16. New Authenticator Extension: Time Since UV · Issue #2034 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2034>
17. Defining new OIDs to facilitate WebAuthn interoperability with CMS ·
Issue #2026 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/2026>
18. Reflect caching of user gestures in WebAuthn assertion · Issue #2023
· w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/2023>
19. Revised txAuthSimple extension · Issue #2022 · w3c/webauthn
(github.com) <https://github.com/w3c/webauthn/issues/2022>
20. Clarify how to differentiate between exceptions · Issue #1859 ·
w3c/webauthn (github.com) <https://github.com/w3c/webauthn/issues/1859>
21. Clarify the need for truly randomly generated challenges (aka
challenge callback issue) · Issue #1856 · w3c/webauthn (github.com)
<https://github.com/w3c/webauthn/issues/1856>
22. Cross origin authentication without iframes (accommodating SPC in
WebAuthn) · Issue #1667 · w3c/webauthn · GitHub
<https://github.com/w3c/webauthn/issues/1667>
4. Other open issues
5. Adjourn
Because of toll fraud issues MIT has been experiencing, I've been asked to
change our call coordinates and password and, as an ongoing thing, not
distribute the call coordinates publicly. That means not including the WebEx
call number or URL in our agendas or minutes.
You can find the new call coordinates at this link, accessible with your W3C
member login credentials.
https://www.w3.org/2016/01/webauth-password.html
Get Outlook for Android <https://aka.ms/ghei36>
Received on Wednesday, 26 June 2024 01:46:27 UTC