LGTM3 even On Thursday, October 28, 2021 at 8:28:32 PM UTC+2 Yoav Weiss wrote:
> LGTM2 with similar conditions. > > On Thursday, October 21, 2021 at 9:23:45 PM UTC+2 Alex Russell wrote: > >> Thanks for explaining, Adam. >> >> I'm LGTM1 contingent on: >> >> - An explainer being produced with at least the content of Adam's >> last post being included. >> - An FYI being sent to the TAG w/ that Explainer attached. We don't >> have a policy that allows folks to arbitrarily decide not to send things >> to >> them w/o justification. >> >> Thanks >> >> On Friday, October 15, 2021 at 12:15:34 PM UTC-7 Adam Langley wrote: >> >>> On Thursday, October 14, 2021 at 1:49:39 AM UTC-7 yoav...@chromium.org >>> wrote: >>> >>>> Apologies, but it's not clear to me what this does. A higher-level >>>> explainer may be helpful here. >>>> >>> >>> When returning a WebAuthn assertion, browsers will say whether the >>> assertion came from a removable device or not. I.e. if you touch a security >>> key it'll say "cross-platform", but if you use Touch ID / Windows Hello >>> it'll say "platform". >>> >>> Sites could already figure this out because they learn the supported >>> transports of an authenticator during registration and removable devices >>> offer things like "usb" or "ble", while the platform authenticators (Touch >>> ID / Hello) say "internal". But we want to make this simpler for sites so >>> that they have a clear signal when offering to register the platform as an >>> authenticator might be useful. >>> >>> The vision is that, when phones are fully usable as security keys, users >>> will be able to sign into sites on a desktop browser with them. But that >>> site might want to know that a "removable" device was used (e.g. a phone) >>> because registering the platform authenticator for future sign-ins is >>> probably a better experience. >>> >>> >>>>> *TAG review* >>>>> >>>>> N/A >>>>> >>>> >>>> Why is a TAG review not applicable? >>>> >>> >>> Seems like a very minor change and TAG is a very heavy process. >>> >>> >>>> Web developers: No signals >>>>> >>>> >>>> Are developers likely to adopt this? If not, why are we adding this? >>>> https://goo.gle/developer-signals >>>> >>> >>> Other parts of an ecosystem need to slot into place in order for >>> everything to hang together: phones as security keys, syncing credentials, >>> conditional UI, etc. So developers are probably uninterested in this part >>> in isolation, but all together there's a fair amount of interest. GitHub, >>> at least, are public about WebAuthn L2 being insufficient without several >>> of changes in this set: 1 <https://github.com/w3c/webauthn/issues/1568> >>> 2 <https://github.com/w3c/webauthn/issues/1567> 3 >>> <https://github.com/w3c/webauthn/issues/1565>. >>> >>> >>>> >>>>> Edge: Support Signals >>>>> >>>> Any links? >>>> >>> >>> Microsoft supporting here >>> <https://github.com/w3c/webauthn/issues/1637#issuecomment-874804170>. >>> (See "Assertion Transports" section; WG discussion changed "transports" to >>> "attachment", which is what this thread is talking about.) >>> >>> >>> Cheers >>> >>> AGL >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/23cf4a6f-a874-43c8-a5ce-134af98632edn%40chromium.org.
