Adam Langley
> Would it be reasonable to suggest this is loosely akin to the FedCM experience?

Yes, albeit with the important qualifier that this would _only_ appear if the user has...
> That is to say, if an RP doesn't specify autocomplete tokens to indicate explicitly where the conditional UI should be displayed, then e.g. "the user agent is free to...
> Or more specifically, the password manager's UI would prevail over the ambient UI?

If an extension hooked `get()` then it must also hook `getClientCapabilities()`. If it didn't support this...
The use of this term in the spec is pretty old. I think the authors were trying to communicate that the RP ID (which doesn't have to be related to...
> You can get away with generating client-side challenges if they're based on a timestamp.

Each step away from "randomly generated at the server" costs some bit of security: |...
Assign to @agl: update spec to say zero out only for non-platform authenticators. Think about enterprise attestation.
@agl to file this as a crbug and ask Tab.
> @agl of the chrome team [directs developers who want to communicate with U2F (FIDO/WebAuthN device) to use WebHID](https://bugs.chromium.org/p/chromium/issues/detail?id=1179077).

I don't think that's an accurate summary of the quoted text...
> Why address the question of tunneling over U2F by telling developers to use WebHID when communicating with U2F then forbid WebHID for U2F?

People are building devices that are...
Notes, mostly for myself so that I remember things during any discussion today: The explainer currently envisions putting the creation options inside an extension in a conditional(?) get request. That...