LGTM2 with similar conditions. On Thursday, October 21, 2021 at 9:23:45 PM UTC+2 Alex Russell wrote:
> Thanks for explaining, Adam. > > I'm LGTM1 contingent on: > > - An explainer being produced with at least the content of Adam's last > post being included. > - An FYI being sent to the TAG w/ that Explainer attached. We don't > have a policy that allows folks to arbitrarily decide not to send things > to > them w/o justification. > > Thanks > > On Friday, October 15, 2021 at 12:15:34 PM UTC-7 Adam Langley wrote: > >> On Thursday, October 14, 2021 at 1:49:39 AM UTC-7 yoav...@chromium.org >> wrote: >> >>> Apologies, but it's not clear to me what this does. A higher-level >>> explainer may be helpful here. >>> >> >> When returning a WebAuthn assertion, browsers will say whether the >> assertion came from a removable device or not. I.e. if you touch a security >> key it'll say "cross-platform", but if you use Touch ID / Windows Hello >> it'll say "platform". >> >> Sites could already figure this out because they learn the supported >> transports of an authenticator during registration and removable devices >> offer things like "usb" or "ble", while the platform authenticators (Touch >> ID / Hello) say "internal". But we want to make this simpler for sites so >> that they have a clear signal when offering to register the platform as an >> authenticator might be useful. >> >> The vision is that, when phones are fully usable as security keys, users >> will be able to sign into sites on a desktop browser with them. But that >> site might want to know that a "removable" device was used (e.g. a phone) >> because registering the platform authenticator for future sign-ins is >> probably a better experience. >> >> >>>> *TAG review* >>>> >>>> N/A >>>> >>> >>> Why is a TAG review not applicable? >>> >> >> Seems like a very minor change and TAG is a very heavy process. >> >> >>> Web developers: No signals >>>> >>> >>> Are developers likely to adopt this? If not, why are we adding this? >>> https://goo.gle/developer-signals >>> >> >> Other parts of an ecosystem need to slot into place in order for >> everything to hang together: phones as security keys, syncing credentials, >> conditional UI, etc. So developers are probably uninterested in this part >> in isolation, but all together there's a fair amount of interest. GitHub, >> at least, are public about WebAuthn L2 being insufficient without several >> of changes in this set: 1 <https://github.com/w3c/webauthn/issues/1568> 2 >> <https://github.com/w3c/webauthn/issues/1567> 3 >> <https://github.com/w3c/webauthn/issues/1565>. >> >> >>> >>>> Edge: Support Signals >>>> >>> Any links? >>> >> >> Microsoft supporting here >> <https://github.com/w3c/webauthn/issues/1637#issuecomment-874804170>. >> (See "Assertion Transports" section; WG discussion changed "transports" to >> "attachment", which is what this thread is talking about.) >> >> >> Cheers >> >> AGL >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dcf59370-4687-4c34-90cf-6ca18635cdfdn%40chromium.org.
