Re: RE: Re-opening discussion with WebAuthn on credential creation in an iframe

Hi folks,

Thanks Sameer and Gerhard for the input so far on this. Would love to hear
other viewpoints (including just agreement).

> I would also already venture that we make this an agenda point for the
> 18th, at least to discuss, but potentially also to make a decision on this.

Ack, SGTM - let's put this on the agenda for the 18th, preferably to make a
decision :).

Thanks,
Stephen

On Fri, 22 Jul 2022 at 15:22, Tare, Sameer <Sameer.Tare@mastercard.com>
wrote:

> Hi Gerhard,
>
>
>
> Sharing my thoughts on this over email based on an initial read. From a
> Payments/3DS perspective I can see this feature to be of very significant
> value in terms of
>
>
>
> 1) Scaling the use of FIDO based authentication methods in 3ds eco-system
>
>
>
> 2) Making the experience of implementing SPC/WebAuthn authentication
> methods for 3ds providers more cohesive where creation of credential does
> not have to be offered separately (potentially more challenging when PSPs are
> involved)
>
>
>
> As this topic evolves, this may require consideration in the EMV 3DSWG.
> The specification as it stands today does not allow registration at the
> time of transaction so that will need to be reviewed and we also need to
> consider that the merchants are not negatively impacted from various facets
> of credential creation (user education, latency, errors/cancellation etc)
>
>
>
> *Sameer Tare*
>
> Director
>
> Product Development
>
>
>
> Mastercard | mobile +1 6365158322
>
> <http://www.mastercard.com>
>
>
>
> *From:* Gerhard Oosthuizen <goosthuizen@entersekt.com>
> *Sent:* Friday, July 22, 2022 10:04 AM
> *To:* Stephen McGruer <smcgruer@google.com>; Web Payments Working Group <
> public-payments-wg@w3.org>
> *Subject:* RE: Re-opening discussion with WebAuthn on
> credential creation in an iframe
>
>
>
>
>
> Hi Stephen,
>
>
>
> Thank you for the proposal (
> https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit
> )
>
>
>
> I will confer with the other chairs on the appropriate mechanism to
> indicate working group support for this/to submit it on behalf of the
> working group.
>
> I would also already venture that we make this an agenda point for the
> 18th, at least to discuss, but potentially also to make a decision on this.
>
>
>
> *Request for input:*
>
> It would be great however if we can already get some indications from
> group members on their views on this proposal; including even questions and
> further considerations that we may want to add to this proposal.
>
> So to all of us: please weigh in with some initial views on this matter
> via email.
>
>
>
> *My thoughts:*
>
> The proposal is well-structured and considered. The proposal makes sense
> to me and I can see the benefit to enable certain use-cases. In fact, at
> this stage I have no suggestions for changes or edits.
>
>
>
> Kind regards,
>
> Gerhard
>
>
>
>
>
> *From:* Stephen McGruer <smcgruer@google.com>
> *Sent:* Tuesday, 19 July 2022 15:22
> *To:* Web Payments Working Group <public-payments-wg@w3.org>
> *Subject:* Re-opening discussion with WebAuthn on credential creation in
> an iframe
>
>
>
> Hi folks,
>
>
>
> (Sending email as the next WG meeting isn't until August 18th and so we
> cannot discuss live.)
>
>
>
> As you may recall, we have discussed a need in the Web Payments WG for
> WebAuthn credential creation to be available in a cross-origin iframe
> (e.g., to allow a https://bank.com iframe embedded inside of
> https://merchant.com to enroll a user during a payment flow). We've heard
> that this is useful
> both for SPC as well as users of 'pure' WebAuthn.
>
>
>
> To that end, I've drafted the comment below to re-open the discussion with
> our WebAuthn colleagues on issue 1656
> <https://github.com/w3c/webauthn/issues/1656>.
> I hope for the comment to be made with the backing of the WPWG, so please
> do take a look and feel free to give feedback.
>
>
>
> [Draft] WebAuthn issue to re-allow credential creation in a cross-origin
> iframe
>
>
>
> I leave it to the chairs how we might want to ratify support for this; I'm
> happy to wait until the August 18th sync, or perhaps we can just do it over
> email?
>
>
>
> Thanks,
>
> Stephen
>
>
>
> --
>
> smcgruer • he / him
>


-- 
smcgruer • he / him

Received on Tuesday, 2 August 2022 13:11:45 UTC