09/03/2025 W3C Web Authentication Meeting Agenda from ANTHONY NADALIN on 2025-09-03 (public-webauthn@w3.org from September 2025)

From: ANTHONY NADALIN <nadalin@prodigy.net>
Date: Wed, 3 Sep 2025 00:59:22 +0000
To: 'Michael Jones' <michael_b_jones@hotmail.com>, 'W3C Web Authn WG' <public-webauthn@w3.org>, 'Christiaan Brand' <cbrand@google.com>, 'Ian Jacobs' <ij@w3.org>, Addison Phillips <addisoni18n@gmail.com>
Message-ID: <BYAPR16MB275926F816A47D5EBC44EC51AA01A@BYAPR16MB2759.namprd16.prod.outlook.com>
 Here is the agenda for the 09/03/2025 W3C Web Authentication.  WG Meeting, that will take place as a 30 minute teleconference. Remember call is at 12PM  Pacific Time. Reminder that we will be using ZOOM from now on, please make sure you go to Web Authentication bi-weekly (w3.org)<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>

Select scribe please someone be willing to scribe so we can get down to the issues


  1.
Here is the link to the Level 2 Webauthn Recommendation  https://www.w3.org/TR/2021/REC-webaut
  2.  Here is the link to the Final L3 draft (use for CR) https://www.w3.org/TR/2025/WD-webauthn-3-20250127/

  3.
L3 Target Publication Schedule discussion (SIMONE)
     *
Before publishing CR and after publishing the WD
        *
Asks for horizontal review (after the WD), giving them a minimum of 28 days
 - Demonstrate implementation, so we need to check if tests are available and, in this case, the situation is already in a good state [2]
[1] https://www.w3.org/TR/2023/WD-vc-json-schema-20231115/#revision-history
[2] https://wpt.fyi/results/webauthn?label=master&label=experimental&aligned

  1.
Consensus to make L3 CR the L4 First Public Working Draft (Done)
  2.
09/10/2025 WebAuthn Meeting CANCELLED
  3.
09/24/2025 WebAuthn Meeting CANCELLED
  4.
11/12/2025 WebAuthn Meeting CANCELLED
  5.
TPAC 2025 November 10-14th Kobe Japan F2F About W3C TPAC | News and events | W3C<https://www.w3.org/news-events/w3c-tpac/#upcoming>
     *
Joint meeting with Web Payments WG On Tuesday afternoon (16:30-18:00)
     *
2 Sessions of WebAuthn WG on Thursday (13:45-15:00 and 15:30 - 16:45)
  6.

  7.
Canidate Recommendation open pull requests and open issues

  8.
L3 Candidate Recommendation Milestone<https://github.com/w3c/webauthn/milestone/32>
     *
Prepare for CR · Issue #2225 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2225>
     *
[L3 CR] Horizontal Review: Security & Privacy · Issue #2244 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2244>
     *
[L3 CR] Horizontal Review: Internationalization (i18n) · Issue #2245 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2245>
     *
[L3 CR] Horizontal Review: Accessibility · Issue #2246 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2246>
     *
[L3 CR] Horizontal Review: TAG Design Reviews · Issue #2247 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2247>
     *
[L3 CR] Horizontal Review: Wide Review · Issue #2248 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2248>
     *
[L3 CR] Implementation Requirements · Issue #2249 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2249>
     *
Deprecate in-field language/direction metadata by emlun · Pull Request #2308 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2308>
  9.
L4 Pull requests
     *
Pull requests · w3c/webauthn<https://github.com/w3c/webauthn/pulls>
        *
Add Immediate Mediation by kenrb · Pull Request #2291 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2291>
        *
Add a new optional `rpId` to Credential Record by MasterKale · Pull Request #2258 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2258>
        *
Exclude all platform authenticators that use self attesation from hav… by zacknewman · Pull Request #2150 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2150>
        *
Add new error codes by MasterKale · Pull Request #2095 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2095>
        *
Add "sign" extension by emlun · Pull Request #2078 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2078>



  10.
L4 Issues
     *
Issues · w3c/webauthn<https://github.com/w3c/webauthn/issues?q=is%3Aissue%20state%3Aopen%20milestone%3A%22L4%20(First%20Published%20Working%20Draft)%22>
        *
Section 6.5.5. should be moved to section 6.6. · Issue #2318 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2318>
        *
Add onlyCreate to prevent creation of a new key for existing user · Issue #2313 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2313>
        *
Explainer for Level 4 · Issue #2297 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2297>
        *
Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? · Issue #2295 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2295>
        *
Update Credential Record to suggest storing RP ID as well for better Related Origins support · Issue #2257 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2257>
        *
Allow immediate mediation · Issue #2228 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2228>
        *
`credProps` output directions contradict notes · Issue #2213 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2213>
        *
"Verify" is undefined · Issue #2208 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2208>
        *
JSON parsing should be on top of Infra primitives · Issue #2207 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2207>
        *
Use of "valid domain" seems wrong · Issue #2206 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2206>
        *
Usage of "effective domain" seems wrong · Issue #2205 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2205>
        *
Handling of non-fully active documents for PublicKeyCredential methods · Issue #2184 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2184>
        *
[Editorial] platform authenticator relationship to WebAuthn Client and Client Device · Issue #2164 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2164>
        *
Add AAGUID to credProps · Issue #2157 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2157>
        *
Add `challengeUrl` · Issue #2152 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2152>
        *
Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used · Issue #2146 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2146>
        *
Allow Conditional Mediation without autofill · Issue #2144 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2144>
        *
UTF-8 decode should not be required for response.clientDataJSON and cData · Issue #2100 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2100>
        *
Return more nuanced errors · Issue #2096 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2096>
        *
[[Create]] should not access the global object directly · Issue #2092 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2092>
        *
Additional guidance/clarification on RP ID and origin validation · Issue #2059 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2059>
        *
excludeCredentials on Get · Issue #2057 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2057>
        *
CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values · Issue #2056 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2056>
        *
Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2053>
        *
Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1921>
        *
Update Authenticator Taxonomy examples section · Issue #1912 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1912>
        *
Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1856>
        *
Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1800>
        *
Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1735>
        *
Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1719>
        *
Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1710>
        *
Switch to permissive copyright license? · Issue #1705 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1705>
        *
Platform Errors for attestations. · Issue #1697 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1697>
        *
Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1688>
        *
Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1678>
        *
Trailing position of metadata · Issue #1646 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1646>
        *
[Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1645>
        *
Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1644>Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1484>
        *
Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1643>
        *
Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1642>Support for remote desktops · Issue #1577 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1577>
        *
CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1631>
        *
Support for remote desktops · Issue #1577 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1577>
        *
double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1492>
        *
Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1484>
        *
Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1258>
        *
export definitions? · Issue #1049 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1049>

  11.
Other open issues or discussions
  12.
Adjourn
Received on Wednesday, 3 September 2025 01:00:34 UTC