10/09/2024 W3C Web Authentication Meeting Agenda

Nick will be leading the meeting today

Here is the agenda for the 10/09/2024 W3C Web Authentication WG Meeting, which will take place as a 60-minute teleconference. Remember the call is at 11AM Pacific Time. Reminder that we will be using ZOOM from now on; please make sure you go to Web Authentication bi-weekly (w3.org)<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>

Select scribe: please, someone be willing to scribe so we can get down to the issues.


  1. Here is the link to the Level 2 WebAuthn Recommendation https://www.w3.org/TR/2021/REC-webaut<https://www.w3.org/TR/2021/REC-webauthn-2-20210408/>
  2. L3 Target Publication Schedule discussion
     *   Deadline for wide review<https://www.w3.org/Consortium/Process/#wide-review>: Sunday, October 27 2024
     *   Group Call for Consensus (CfC)<https://w3c.github.io/charter-drafts/charter-template.html#decisions> to move to Candidate Recommendation, wide review<https://www.w3.org/Consortium/Process/#wide-review> is done: Monday, October 28 2024
     *   Transition request to Candidate Recommendation<https://www.w3.org/Guide/transitions?profile=CR&cr=new>: Thursday, November 7 2024

  1. 10/16/2024 WebAuthn Meeting CANCELLED (FIDO Plenary)
  2. L3 WD02 open pull requests and open issues



Pull requests · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-02>

  1. Remove apparent reference to non-existent [[Get]] internal method by emlun · Pull Request #2180 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2180>
  2. Extract macros for referring to [[Create]] and [[DiscoverFromExternalSource]] by emlun · Pull Request #2179 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2179>
  3. Fix encoding and syntax highlighting of example code by emlun · Pull Request #2175 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2175>
  4. Add test vectors for PRF extension by emlun · Pull Request #2174 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2174>
  5. Don't return an algorithm from [[DiscoverFromExternalSource]] by emlun · Pull Request #2168 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2168>
  6. Move extension processing to after signature verification, and modernize it by emlun · Pull Request #2167 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2167>
  7. Validate CollectedClientData.crossOrigin in RP ops by emlun · Pull Request #2166 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2166>
  8. Add [credential record/authenticatorDisplayName] handling to RP operations by emlun · Pull Request #2163 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2163>
  9. Update Use Cases for L3 by timcappalli · Pull Request #2139 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2139>
  10. Cleanup: Manual References by timcappalli · Pull Request #2111 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2111>



Pull requests · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>

  1. Add warning about sending PRF outputs to server by emlun · Pull Request #2183 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2183>
  2. Fix typo in reference to variable |effectiveDomain| by emlun · Pull Request #2182 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2182>
  3. Drop definition "User Credential" unused since PR #2109 by emlun · Pull Request #2181 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2181>
  4. Non-incrementing signature counters could be due to race condition by sbweeden · Pull Request #2176 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2176>

Issues · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-02+>

  1. Should race condition be added as a reason for a signature counter not increasing? · Issue #2172 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2172>
  2. [[Get]] method doesn't exist in CredMan · Issue #2169 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2169>
  3. [Editorial] platform authenticator relationship to WebAuthn Client and Client Device · Issue #2164 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2164>
  4. Providing AAGUID on Get · Issue #2157 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2157>
  5. authenticatorDisplayName should use a localizable language map · Issue #2151 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2151>
  6. CollectedClientData.crossOrigin not referenced in RP ops · Issue #2113 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2113>
  7. [[Create]] should not access the global object directly · Issue #2092 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2092>
  8. create() and get() return an algorithm, not a credential · Issue #1984 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1984>
  9. Are notes in webauthn normative or informative? · Issue #1979 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1979>
  10. Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON · Issue #1968 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1968>
  11. [Superset] Updating credential metadata and requesting deletion of stale credentials · Issue #1967 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1967>
  12. Should credentials requested with attestation=none include an AAGUID? · Issue #1962 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1962>
  13. Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1921>
  14. Update Authenticator Taxonomy examples section · Issue #1912 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1912>
  15. Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1800>
  16. Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1735>
  17. Update top level use cases to account for multi-device credentials · Issue #1720 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1720>
  18. Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1719>
  19. RP operations: some extension processing may assume that the encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1711>
  20. Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1710>
  21. Switch to permissive copyright license? · Issue #1705 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1705>
  22. Platform Errors for attestations. · Issue #1697 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1697>
  23. Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1678>
  24. Synced Credentials · Issue #1665 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1665>
  25. Trailing position of metadata · Issue #1646 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1646>
  26. [Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1645>
  27. Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1644>
  28. Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1643>
  29. Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1642>
  30. U+ notation incorrect · Issue #1641 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1641>
  31. Syncing Platform Keys, Recoverability and Security levels · Issue #1640 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1640>
  32. Possible experiences in a future WebAuthn · Issue #1637 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1637>
  33. Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1633>
  34. CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1631>
  35. Prevent browsers from deleting credentials that the RP wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1569>
  36. Support a "create or get [or replace]" credential re-association operation · Issue #1568 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1568>
  37. double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1492>
  38. cleanup <pre class=anchors> and use <pre class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1489>
  39. Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1484>
  40. export definitions? · Issue #1049 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1049>


Issues · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>

     *   Add cautionary note about extension data in the ceremony criteria · Issue #2177 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2177>
     *   Bit set by the SPC extension should backed up as part of the Public Key Credential Source · Issue #2153 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2153>
     *   Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used · Issue #2146 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2146>
     *   Cross-window `Virtual Authenticator Database` · Issue #2117 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2117>
     *   Make `AuthenticatorAttestationResponseJSON.publicKeyAlgorithm` optional · Issue #2106 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2106>
     *   Additional guidance/clarification on RP ID and origin validation · Issue #2059 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2059>
     *   excludeCredentials on Get · Issue #2057 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2057>
     *   Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2053>
     *   Extension: Time Since UV · Issue #2034 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2034>
     *   Reflect caching of user gestures in WebAuthn assertion · Issue #2023 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2023>
     *   Revised txAuthSimple extension · Issue #2022 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2022>
     *   Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1856>
     *   Cross origin authentication without iframes (accommodating SPC in WebAuthn) · Issue #1667 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1667>



4.   Other open issues or discussions
5.   Adjourn

Received on Tuesday, 8 October 2024 22:51:33 UTC