Re: 10/08/2025 W3C Web Authentication Meeting Agenda

Hi all,

I’d like to share a bit more information to motivate the value of additional meeting time on Tuesday. Here are some of the
topics that we’d like to cover. Names in parentheses are confirmed presenters.

* FIDO requirements for payments (Jean-Luc di Manno)
* Passkeys and VCs (Tim Cappalli)
* Passkeys and Agentic AI (Fahad Saleem)
* Device-Bound Session Credentials update (I’m in the process of confirming the presenter)
* Update on the addition of device binding to Secure Payment Confirmation (either myself or Stephen McGruer)

In addition:

 * We’d like to discuss a number of Secure Payment Confirmation issues that relate to WebAuthn.
 * We’d like to get an update on the immediate mediation discussion (which would have an impact on SPC’s fallback UX)
 * We are interested in the Passkey endpoints spec and existing WebAuthn well-known URL and how SPC might leverage this.
 * We would like to hear the latest on WebAuthn L3
 * We are interested in hearing the WebAuthn WG’s requirements for L4 and have an opportunity to provide input from the payments
   ecosystem perspective.
 * Authentication during agentic payments is an interesting topic and work at IETF might be relevant (WebBotAuth, HTTP SIG), and if
    those topics are relevant to TPAC attendees, it would be great if there were some shared understanding.

In short, there’s a lot that would be interesting to discuss, and I’d like to suggest that we meet the full afternoon on Tuesday, starting 
after lunch, and going until we’ve run out of energy. :)

Thank you,

Ian

> On Oct 8, 2025, at 12:58 PM, Simone Onofri <simone@w3.org> wrote:
> 
> Hi all,
> 
> Regarding the joint meeting with Web Payments, we can see here the 
> 
> https://github.com/w3c/webpayments/wiki/Agenda%E2%80%90TPAC2025
> 
> Also, with a proposal to anticipate the discussion on Tuesday, 11 November 2025, at 15:00-16:00 in addition to also having the 16:30-18:00 slot.
> 
> What do you think?
> 
> Thank you,
> 
> Simone
> 
> 
>> On 8 Oct 2025, at 01:32, ANTHONY J NADALIN <nadalin@prodigy.net> wrote:
>> 
>> Here is the agenda for the 10/08/2025 W3C Web Authentication WG Meeting, that will take place as a 30 minute teleconference. Remember call is at 11AM Pacific Time. Reminder that we will be using ZOOM from now on, please make sure you go to Web Authentication bi-weekly (w3.org)
>> 
>> Select scribe: please, someone be willing to scribe so we can get down to the issues
>> 
>>   • Here is the link to the Level 2 Webauthn Recommendation  https://www.w3.org/TR/2021/REC-webaut
>>   • Here is the link to the Final L3 draft (use for CR) https://www.w3.org/TR/2025/WD-webauthn-3-20250127/
>>   • L3 Target Publication Schedule discussion (SIMONE)
>>       • Before publishing CR and after publishing the WD
>>           • Asks for horizontal review (after the WD), giving them a minimum of 28 days
>> - Demonstrate implementation, so we need to check if tests are available and, in this case, the situation is already in a good state [2]
>> [1] https://www.w3.org/TR/2023/WD-vc-json-schema-20231115/#revision-history
>> [2] https://wpt.fyi/results/webauthn?label=master&label=experimental&aligned
>>   • Consensus to make L3 CR the L4 First Public Working Draft (Done)
>>   • 10/15/2025 WebAuthn Meeting CANCELLED (FIDO Authenticate)
>>   • 11/12/2025 WebAuthn Meeting CANCELLED (TPAC)
>>   • TPAC 2025 November 10-14th Kobe Japan F2F About W3C TPAC | News and events | W3C
>>       • Joint meeting with Web Payments WG On Tuesday afternoon (16:30-18:00)
>>       • 2 Sessions of WebAuthn WG on Thursday (13:45-15:00 and 15:30 - 16:45)
>> 
>>   • Candidate Recommendation open pull requests and open issues
>> 
>>   • L3 Candidate Recommendation Milestone
>>       • Prepare for CR · Issue #2225 · w3c/webauthn
>>       • [L3 CR] Horizontal Review: Security & Privacy · Issue #2244 · w3c/webauthn
>>       • [L3 CR] Horizontal Review: Internationalization (i18n) · Issue #2245 · w3c/webauthn
>>       • [L3 CR] Horizontal Review: Accessibility · Issue #2246 · w3c/webauthn
>>       • [L3 CR] Horizontal Review: TAG Design Reviews · Issue #2247 · w3c/webauthn
>>       • [L3 CR] Horizontal Review: Wide Review · Issue #2248 · w3c/webauthn
>>       • [L3 CR] Implementation Requirements · Issue #2249 · w3c/webauthn
>> 
>>   • L4 Pull requests
>>       • Pull requests · w3c/webauthn 
>>           • Add Immediate Mediation by kenrb · Pull Request #2291 · w3c/webauthn
>>           • Add a new optional `rpId` to Credential Record by MasterKale · Pull Request #2258 · w3c/webauthn
>>           • Exclude all platform authenticators that use self attesation from hav… by zacknewman · Pull Request #2150 · w3c/webauthn
>>           • Add new error codes by MasterKale · Pull Request #2095 · w3c/webauthn
>>           • Add "sign" extension by emlun · Pull Request #2078 · w3c/webauthn
>> 
>> 
>> 
>>   • L4 Issues
>>       • Issues · w3c/webauthn
>>           • Section 6.5.5. should be moved to section 6.6. · Issue #2318 · w3c/webauthn
>>           • Add onlyCreate to prevent creation of a new key for existing user · Issue #2313 · w3c/webauthn
>>           • Explainer for Level 4 · Issue #2297 · w3c/webauthn
>>           • Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? · Issue #2295 · w3c/webauthn
>>           • Update Credential Record to suggest storing RP ID as well for better Related Origins support · Issue #2257 · w3c/webauthn
>>           • Allow immediate mediation · Issue #2228 · w3c/webauthn
>>           • `credProps` output directions contradict notes · Issue #2213 · w3c/webauthn
>>           • "Verify" is undefined · Issue #2208 · w3c/webauthn
>>           • JSON parsing should be on top of Infra primitives · Issue #2207 · w3c/webauthn
>>           • Use of "valid domain" seems wrong · Issue #2206 · w3c/webauthn
>>           • Usage of "effective domain" seems wrong · Issue #2205 · w3c/webauthn
>>           • Handling of non-fully active documents for PublicKeyCredential methods · Issue #2184 · w3c/webauthn
>>           • [Editorial] platform authenticator relationship to WebAuthn Client and Client Device · Issue #2164 · w3c/webauthn
>>           • Add AAGUID to credProps · Issue #2157 · w3c/webauthn
>>           • Add `challengeUrl` · Issue #2152 · w3c/webauthn
>>           • Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used · Issue #2146 · w3c/webauthn
>>           • Allow Conditional Mediation without autofill · Issue #2144 · w3c/webauthn
>>           • UTF-8 decode should not be required for response.clientDataJSON and cData · Issue #2100 · w3c/webauthn
>>           • Return more nuanced errors · Issue #2096 · w3c/webauthn
>>           • [[Create]] should not access the global object directly · Issue #2092 · w3c/webauthn
>>           • Additional guidance/clarification on RP ID and origin validation · Issue #2059 · w3c/webauthn
>>           • excludeCredentials on Get · Issue #2057 · w3c/webauthn
>>           • CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values · Issue #2056 · w3c/webauthn
>>           • Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn
>>           • Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn
>>           • Update Authenticator Taxonomy examples section · Issue #1912 · w3c/webauthn
>>           • Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn
>>           • Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn
>>           • Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn
>>           • Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn
>>           • Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn
>>           • Switch to permissive copyright license? · Issue #1705 · w3c/webauthn
>>           • Platform Errors for attestations. · Issue #1697 · w3c/webauthn
>>           • Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn
>>           • Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn
>>           • Trailing position of metadata · Issue #1646 · w3c/webauthn
>>           • [Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn
>>           • Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn
>>           • Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn
>>           • Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn
>>           • CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn
>>           • Support for remote desktops · Issue #1577 · w3c/webauthn
>>           • double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn
>>           • Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn
>>           • Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn
>>           • export definitions? · Issue #1049 · w3c/webauthn
>> 
>>   • Other open issues or discussions
>>   • Adjourn
> 
> 

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783

Received on Thursday, 16 October 2025 21:48:09 UTC