- From: Michael Jones <michael_b_jones@hotmail.com>
- Date: Wed, 1 Apr 2026 18:29:04 +0000
- To: ANTHONY NADALIN <nadalin@prodigy.net>, Web Authentication Working Group <public-webauthn@w3.org>, Christiaan Brand <cbrand@google.com>, Ian Jacobs <ij@w3.org>, Addison Phillips <addisoni18n@gmail.com>
- Message-ID: <MW2PR12MB250891CE1F7873B38243B66BB750A@MW2PR12MB2508.namprd12.prod.outlook.com>
I created the promised PR against branch L3-CR referencing CTAP 2.3: https://github.com/w3c/webauthn/pull/2403.
Let's discuss this on the call.
-- Mike
From: ANTHONY NADALIN <nadalin@prodigy.net>
Sent: Tuesday, March 31, 2026 11:55 AM
To: Michael Jones <michael_b_jones@hotmail.com>; Web Authentication Working Group <public-webauthn@w3.org>; Christiaan Brand <cbrand@google.com>; Ian Jacobs <ij@w3.org>; Addison Phillips <addisoni18n@gmail.com>
Subject: 04/01/2026 W3C Web Authentication Meeting Agenda
Here is the agenda for the 04/012026 W3C Web Authentication. WG Meeting, that will take place as a 30-minute teleconference. Remember, call is 12PM Pacific Time. Reminder that we will be using ZOOM from now on, please make sure you go to Web Authentication bi-weekly (w3.org)<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>
Select scribe please someone be willing to scribe so we can get down to the issues
1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webaut
1. L3 CR Web Authentication: An API for accessing Public Key Credentials - Level 3<https://www.w3.org/TR/webauthn-3/>
2. Consensus to make L3 CR the L4 First Public Working Draft (Done)
1. Consensus to request submitting for Recommendation (Done)
1. TPAC 2026 - October 26-30th Dublin, Ireland - TPAC 2026 | 2026 | TPAC | Events | W3C<https://www.w3.org/events/tpac/2026/tpac-2026/>
1. WebAuthn Recharter Discussion - Web Authentication Working Group Charter<https://www.w3.org/2024/04/wg-webauthn-charter.html>
* Rechartering WebAuthn * Issue #2388 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2388>
* WebAuthn: Adds L4 items and groups by timcappalli * Pull Request #768 * w3c/charter-drafts<https://github.com/w3c/charter-drafts/pull/768>
1. These were the topics discussed at 2025 TPAC
* Discovery of migrated credentials * Issue #2340 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2340>
* Add Credential Manager Trust Group Key (CMTG) extension * Issue #2338 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2338>
* WebAuthn requestUserInfo -- easier account creation * Issue #2336 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2336>
* Explainer for Level 4 * Issue #2297 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2297>
* Update Credential Record to suggest storing RP ID as well for better Related Origins support * Issue #2257 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2257>
* Should an RP be able to provide finer grained authenticator filtering in attestation options? * Issue #1688 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1688>
1.
1. L3 Recommendation * <https://github.com/w3c/webauthn/milestone/35> Issues and open pull requests and open issues, these must be resolved before we go to Recomendation
* Editors, Contributors and Acknowledgements Review * Issue #2385 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2385>
*
1. L4 Pull requests * w3c/webauthn<https://github.com/w3c/webauthn/pulls>
* Adds additional hints for form factors by timcappalli * Pull Request #2387 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2387>
* Deprecate Authenticator Attachment in favor of Hints by akshayku * Pull Request #2383 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2383>
* Add new credential signature count parameter to Set Credential Properties virtual authenticator endpoint by MasterKale * Pull Request #2382 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2382>
* Add JSON object properties table to Set User Verified virtual authenticator endpoint by MasterKale * Pull Request #2381 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2381>
* Add fallbackUrl client extension for hybrid transport authentication by harshlal028 * Pull Request #2380 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2380>
* Fix missing ASN.1 values in android-key test vector by Unknown-Robot * Pull Request #2379 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2379>
* Fix incorrect ASN.1 encoding in android-key test vector by emlun * Pull Request #2378 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2378>
* Add "Credential Manager Trust Group (CMTG) Key" extension by timcappalli * Pull Request #2377 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2377>
* remoteDesktopClientOverrideJSON Extension by akshayku * Pull Request #2375 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2375>
* Forbid authenticator data from containing cleartext PRF outputs by emlun * Pull Request #2372 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2372>
* Delete inaccurate recommendation to abort on unfocus by emlun * Pull Request #2367 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2367>
* [Do not merge yet] Add `requestUserInfo` by nsatragno * Pull Request #2358 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2358>
* Add Immediate Mediation by kenrb * Pull Request #2291 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2291>
* Exclude all platform authenticators that use self attesation from hav... by zacknewman * Pull Request #2150 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2150>
* Add new error codes by MasterKale * Pull Request #2095 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2095>
* Add "sign" extension by emlun * Pull Request #2078 * w3c/webauthn<https://github.com/w3c/webauthn/pull/2078>
1. L4 Issues * w3c/webauthn<https://github.com/w3c/webauthn/issues?q=is%3Aissue%20state%3Aopen%20milestone%3A%22L4%20WD02%20Milestone%22>s
* Virtual authenticator should allow `counter` to always be `0` * Issue #2363 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2363>
* Client terminology hints for external authenticator form factors * Issue #2360 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2360>
* Add hybrid fallback URL extension * Issue #2341 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2341>
* Discovery of migrated credentials * Issue #2340 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2340>
* Add Credential Manager Trust Group Key (CMTG) extension * Issue #2338 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2338>
* WebAuthn requestUserInfo -- easier account creation * Issue #2336 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2336>
* Section 6.5.5. should be moved to section 6.6. * Issue #2318 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2318>
* Add onlyCreate to prevent creation of a new key for existing user * Issue #2313 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2313>
* Explainer for Level 4 * Issue #2297 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2297>
* Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? * Issue #2295 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2295>
* Update Credential Record to suggest storing RP ID as well for better Related Origins support * Issue #2257 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2257>
* Allow immediate mediation * Issue #2228 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2228>
* `credProps` output directions contradict notes * Issue #2213 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2213>
* "Verify" is undefined * Issue #2208 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2208>
* JSON parsing should be on top of Infra primitives * Issue #2207 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2207>
* Use of "valid domain" seems wrong * Issue #2206 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2206>
* Usage of "effective domain" seems wrong * Issue #2205 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2205>
* Handling of non-fully active documents for PublicKeyCredential methods * Issue #2184 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2184>
* [Editorial] platform authenticator relationship to WebAuthn Client and Client Device * Issue #2164 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2164>
* Add AAGUID to credProps * Issue #2157 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2157>
* Add `challengeUrl` * Issue #2152 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2152>
* Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used * Issue #2146 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2146>
* Allow Conditional Mediation without autofill * Issue #2144 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2144>
* UTF-8 decode should not be required for response.clientDataJSON and cData * Issue #2100 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2100>
* Return more nuanced errors * Issue #2096 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2096>
* [[Create]] should not access the global object directly * Issue #2092 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2092>
* Additional guidance/clarification on RP ID and origin validation * Issue #2059 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2059>
* excludeCredentials on Get * Issue #2057 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2057>
* CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values * Issue #2056 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2056>
* Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. * Issue #2053 * w3c/webauthn<https://github.com/w3c/webauthn/issues/2053>
* Adding some sentences to describe credential sharing between multiple users * Issue #1921 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1921>
* Update Authenticator Taxonomy examples section * Issue #1912 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1912>
* Clarify the need for truly randomly generated challenges (aka challenge callback issue) * Issue #1856 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1856>
* Prescriptive behaviours for Autofill UI * Issue #1800 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1800>
* Provide passwordless example, or update 1.3.2. to be a passwordless example * Issue #1735 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1735>
* Public Key Credential Source and Extensions * Issue #1719 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1719>
* Split RP ops "Registering a new credential" into one with and one without attestation * Issue #1710 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1710>
* Switch to permissive copyright license? * Issue #1705 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1705>
* Platform Errors for attestations. * Issue #1697 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1697>
* Should an RP be able to provide finer grained authenticator filtering in attestation options? * Issue #1688 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1688>
* Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key * Issue #1678 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1678>
* Trailing position of metadata * Issue #1646 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1646>
* [Editorial] Truncation description inaccurate * Issue #1645 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1645>
* Mechanism for encoding *direction* metadata may need more work * Issue #1644 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1644>Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? * Issue #1484 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1484>
* Use of in-field metadata not preferred * Issue #1643 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1643>
* Unicode "tag" characters are deprecated for language tagging * Issue #1642 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1642>Support for remote desktops * Issue #1577 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1577>
* CollectedClientData.crossOrigin default value and whether it is required * Issue #1631 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1631>
* Support for remote desktops * Issue #1577 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1577>
* double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec * Issue #1492 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1492>
* Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? * Issue #1484 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1484>
* Clearly define the way how RP handles the extensions * Issue #1258 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1258>
* export definitions? * Issue #1049 * w3c/webauthn<https://github.com/w3c/webauthn/issues/1049>
1. Other open issues or discussions
1. Adjourn
Received on Wednesday, 1 April 2026 18:29:10 UTC