- From: ANTHONY NADALIN <nadalin@prodigy.net>
- Date: Wed, 11 Sep 2024 02:57:17 +0000
- To: 'Michael Jones' <michael_b_jones@hotmail.com>, 'W3C Web Authn WG' <public-webauthn@w3.org>, "'Phillips, Addison'" <addison@lab126.com>, 'Christiaan Brand' <cbrand@google.com>, 'Ian Jacobs' <ij@w3.org>
- Message-ID: <SA1P223MB09700B5E07B799577B1FBAF9AA9B2@SA1P223MB0970.NAMP223.PROD.OUTLOOK.COM>
Here is the agenda for the 09/11/2024 W3C Web Authentication WG Meeting, that will take place as a 60 minute teleconference. Remember call is at 11AM Pacific Time. Reminder that we will be using ZOOM from now on, please make sure you go to Web Authentication bi-weekly (w3.org)<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>
Select scribe please someone be willing to scribe so we can get down to the issues
1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
2. Charter Extension in progress (Web Authentication Working Group Charter (w3c.github.io)<https://w3c.github.io/charter-drafts/2024/wg-webauthn.html>)
3. 08/21/2024 CANCELLED
4. F2F TPAC 2024 (Sept 24-27, Anaheim CA)
*
Full day on the 24th 9-5 and the payments WG meeting will happen 16:30-18:00 as part of the 24th
*
Mask Policy at meeting room is left up to the individual while in the room
1. WD01 has now been published, https://www.w3.org/TR/webauthn-3/
2. PWG Update (John B., Adam L.)
3. L3 Publication Schedule
* Deadline for wide review<https://www.w3.org/Consortium/Process/#wide-review>
Sunday, October 27 0024
* Group Call for Consensus (CfC)<https://w3c.github.io/charter-drafts/charter-template.html#decisions> to move to Candidate Recommendation, wide review<https://www.w3.org/Consortium/Process/#wide-review> is done
Monday, October 28 0024
* Transition request to Candidate Recommendation<https://www.w3.org/Guide/transitions?profile=CR&cr=new>
Thursday, November 7 0024
1. L3 WD02 open pull requests and open issues
Pull requests · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+milestone%3AL3-WD-02>
1.
Cleanup: Manual References by timcappalli · Pull Request #2111 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2111>
2.
Add topOrigin to the limited verification algorithm. by zacknewman · Pull Request #2104 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/pull/2104>
3.
Enterprise packed attestation guidance by dwaite · Pull Request #1954 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/1954>
4.
Pull requests · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pulls?q=is%3Aopen+is%3Apr+no%3Amilestone>
1.
Add BE/BS steps to authData generation by timcappalli · Pull Request #2141 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2141>Add BE/BS steps to authData generation by timcappalli · Pull Request #2141 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2141>
2.
Update Use Cases for L3 by timcappalli · Pull Request #2139 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2139>
3.
Adds dfn for passkey in passkey platform authenticator and exports by timcappalli · Pull Request #2138 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2138>
4.
Update obsolete privacy concerns about throwing errors early by emlun · Pull Request #2134 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2134>
5.
Rename PublicKeyCredentialHints to PublicKeyCredentialHint by timcappalli · Pull Request #2129 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2129>
6.
Codify semantic line breaks as editorial convention by emlun · Pull Request #2127 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2127>
7.
Clarify meaning of "unless" in UP flag validation by emlun · Pull Request #2126 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2126>
8.
Add new error codes by MasterKale · Pull Request #2095 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/2095>
9.
Clarify TPM attestation verification instructions by sbweeden · Pull Request #1926 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/pull/1926>
Issues · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+milestone%3AL3-WD-02+>
1.
UTF-8 decode should not be required for response.clientDataJSON and cData · Issue #2100 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2100>
2.
[[Create]] should not access the global object directly · Issue #2092 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2092>
3.
Add examples for PRF extension · Issue #2088 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2088>
4.
§6.1. Steps to generate authenticator data should include BE and BS flags · Issue #2064 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/2064>
5.
create() and get() return an algorithm, not a credential · Issue #1984 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1984>
6.
Ambiguous instructions in the Android Key Attestation Statement Format verification procedure · Issue #1980 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1980>
7.
Are notes in webauthn normative or informative? · Issue #1979 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1979>
8.
Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON · Issue #1968 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1968>
9.
Should credentials requested with attestation=none include an AAGUID? · Issue #1962 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1962>
10.
Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1921>
11.
Allow desired attestation format to be an ordered list · Issue #1917 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1917>
12.
Describe packed enterprise attestation · Issue #1916 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1916>
13.
Misaligned steps in Section 7.2 · Issue #1913 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1913>
14.
Update Authenticator Taxonomy examples section · Issue #1912 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1912>
15.
Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1800>
16.
Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1735>
17.
Update top level use cases to account for multi-device credentials · Issue #1720 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1720>
18.
RP operations: some extension processing may assume that the encompassing signature is valid · Issue #1711 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1711>
19.
Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1710>
20.
Switch to permissive copyright license? · Issue #1705 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1705>
21.
Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1688>
22.
Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1678>
23.
Synced Credentials · Issue #1665 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1665>
24.
Cross-origin credential creation in iframes · Issue #1656 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1656>
25.
Trailing position of metadata · Issue #1646 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1646>
26.
[Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1645>
27.
Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1644>
28.
Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1643>
29.
Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1642>
30.
U+ notation incorrect · Issue #1641 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1641>
31.
Syncing Platform Keys, Recoverability and Security levels · Issue #1640 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1640>
32.
Possible experiences in a future WebAuthn · Issue #1637 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1637>
33.
Missing Test Vectors · Issue #1633 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1633>
34.
CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1631>
35.
Support for remote desktops · Issue #1577 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1577>
36.
Prevent browsers from deleting credentials that the RP wanted to be server-side · Issue #1569 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1569>
37.
Support a "create or get [or replace]" credential re-association operation · Issue #1568 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1568>
38.
double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1492>
39.
cleanup <pre class=anchors> and use <pre class="link-defaults"> as appropriate · Issue #1489 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1489>
40.
Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1484>
41.
Requesting properties of created credentials. · Issue #1449 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1449>
42.
PublicKeyCredentialParameters can't select curve (E.g. ed448) · Issue #1446 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1446>
43.
Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1258>
Issues · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues?q=is%3Aopen+is%3Aissue+-label%3Astat%3AOnGoing+-label%3Astat%3Apr-open+no%3Amilestone>
*
Allow Conditional Mediation without autofill · Issue #2144 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2144>
*
Add `userName` and `userDisplayName` to WebDriver's `Credential Parameters` JSON object · Issue #2143 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2143>
*
Add dfn for passkey in passkey platform authenticator · Issue #2136 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2136>
*
Clarify behaviour of duplicate hints · Issue #2135 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2135>
*
Enum values that ignore naming conventions in Web Authentication: An API for accessing Public Key Credentials - Level 3 · Issue #2133 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2133>
*
Review privacy concerns around error conditions · Issue #2132 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2132>
*
Remove rp.name · Issue #2121 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2121>
*
Cross-window `Virtual Authenticator Database` · Issue #2117 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2117>
*
CollectedClientData.crossOrigin not referenced in RP ops · Issue #2113 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2113>
*
Rename PublicKeyCredentialHints to PublicKeyCredentialHint? · Issue #2112 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2112>
*
Make `AuthenticatorAttestationResponseJSON.publicKeyAlgorithm` optional · Issue #2106 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2106>
*
Add `topOrigin` to the limited verification algorithm · Issue #2102 · w3c/webauthn (github.co<https://github.com/w3c/webauthn/issues/2102>m)<https://github.com/w3c/webauthn/issues/2101>
*
Additional guidance/clarification on RP ID and origin validation · Issue #2059 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2059>
*
excludeCredentials on Get · Issue #2057 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/2057>
*
CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values · Issue #2056 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2056>
*
Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2053>
*
Editorial convention: Semantic line breaks · Issue #2045 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2045>
*
New Authenticator Extension: Time Since UV · Issue #2034 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2034>
*
Revised txAuthSimple extension · Issue #2022 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/2022>
*
Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn (github.com)<https://github.com/w3c/webauthn/issues/1856>
*
Cross origin authentication without iframes (accommodating SPC in WebAuthn) · Issue #1667 · w3c/webauthn · GitHub<https://github.com/w3c/webauthn/issues/1667>
4. Other open issues
5. Adjourn
Because of toll fraud issues MIT has been experiencing, I've been asked to change our call coordinates and password and, as an ongoing thing, not distribute the call coordinates publicly. That means not including the WebEx call number or URL in our agendas or minutes.
You can find the new call coordinates at this link, accessible with your W3C member login credentials.
https://www.w3.org/2016/01/webauth-password.html
Get Outlook for Android<https://aka.ms/ghei36>
Received on Wednesday, 11 September 2024 02:58:17 UTC