Adam Langley

To give an example: Modern sign-in systems are risk-analysis systems that ingest a lot of signals before deciding whether to allow a sign-in. (And, usually, continue to collect risk signals...

> If they have to implement FIDO for their own users to interact with them directly, why would they not simply require that the Consumer register with them first We...

> Is this proposing that a site can create an iframe with the feature-policy publickey-credentials-create to allow the origin of the iframe to make a credential? Yes, this one.

> QR codes are the simplest, easiest way to solve this problem From the perspective of the _Web_ Authentication group, a solution that assumes that RPs have to have a...

I think this issue results from a misunderstanding. The truncation in question here is the result of authenticators blindly truncating these fields at a given byte length. Since the language...

This was discussed on the call of 2022-09-07. This style of continuous assertion is certainly interesting for dealing with cookie-theft, but for a variety of reasons the WG doesn't feel...

> Sorry, I meant to submit https://github.com/w3c/webauthn/commit/88be1a6dd6701059482c7bbbb1961ea08f84863d as a meta-PR but accidentally pushed it directly into the PR. Let me know if I should roll it back. Nope, that's totally...

From the call of 2022-10-05: address https://github.com/w3c/webauthn/pull/1663/files#r790893167 and then work with Wendy to get this landed.

> https://github.com/w3c/secure-payment-confirmation will most likely require a bunch of updates as well. Yes we are discussing this with SPC people already, thanks.

> Just promote the user whenever the user has authenticated with the roaming authenticator? This, within reason, I believe. (Personal opinion.) [Conditional UI](https://github.com/w3c/webauthn/pull/1576) support should make using local credentials easy...