- From: Praveena Subrahmanyam <praveena.subrahmanyam@airbnb.com>
- Date: Tue, 2 Aug 2022 10:15:29 -0400
- To: Stephen McGruer <smcgruer@google.com>
- Cc: "Tare, Sameer" <Sameer.Tare@mastercard.com>, Gerhard Oosthuizen <goosthuizen@entersekt.com>, Web Payments Working Group <public-payments-wg@w3.org>
- Message-ID: <CAL_+6tVjAi2hbh7HhEgUr-98WoWoavai0wQbmpOWES_-OtbSng@mail.gmail.com>
+1 on the proposal and the comments made in this thread. On Tue, Aug 2, 2022 at 9:12 AM Stephen McGruer <smcgruer@google.com> wrote: > Hi folks, > > Thanks Sameer and Gerhard for the input so far on this. Would love to hear > other viewpoints (including just agreement). > > > I would also already venture that we make this an agenda point for the > 18th, at least to discuss, but potentially also to make a decision on this. > > Ack, SGTM - let's put this on the agenda for the 18th, preferably to > make a decision :). > > Thanks, > Stephen > > On Fri, 22 Jul 2022 at 15:22, Tare, Sameer <Sameer.Tare@mastercard.com> > wrote: > >> Hi Gerhard, >> >> >> >> Sharing my thoughts on this over email based on an initial read. From a >> Payments/3DS perspective I can see this feature to be of very significant >> value in terms of >> >> >> >> 1) Scaling the use of FIDO based authentication methods in 3ds eco-system >> >> >> >> 2) Making the experience of implementing SPC/WebAuthn authentication >> methods for 3ds providers more cohesive where creation of credential does >> not have to offered separately (potentially more challenging when PSPs are >> involved) >> >> >> >> As this topic evolves, this may require consideration in the EMV 3DSWG. >> The specification as it stands today does not allow registration at the >> time of transaction so that will need to reviewed and we also need to >> consider that the merchants are not negatively impacted from various facets >> of credential creation (user education, latency, errors/cancellation etc) >> >> >> >> *Sameer Tare* >> >> Director >> >> Product Development >> >> >> >> Mastercard | mobile +1 6365158322 <+1%20636-515-8322> >> >> <http://www.mastercard.com> >> >> >> >> *From:* Gerhard Oosthuizen <goosthuizen@entersekt.com> >> *Sent:* Friday, July 22, 2022 10:04 AM >> *To:* Stephen McGruer <smcgruer@google.com>; Web Payments Working Group < >> public-payments-wg@w3.org> >> *Subject:* {EXTERNAL} RE: Re-opening discussion with WebAuthn on >> credential creation in an iframe >> >> >> >> *CAUTION**:* The message originated from an EXTERNAL SOURCE. Please use >> caution when opening attachments, clicking links or responding to this >> email. >> >> >> >> Hi Stephen, >> >> >> >> Thank you for the proposal ( >> https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_document_d_1mMgktymuzspnhfKC9i6-5FyBfb-5FVqXcc-2DDiBBhe0TSv5I_edit&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=rMup2tymS7pQN7WIv6p_p0FoN2_klxTZlkl7CxEdLKU&e=> >> ) >> >> >> >> I will confer with the other chairs on the appropriate mechanism to >> indicate working group support for this/to submit it on behalf of the >> working group. >> >> I would also already venture that we make this an agenda point for the 18 >> th, at least to discuss, but potentially also to make a decision on this.. >> >> >> >> *Request for input:* >> >> It would be great however if we can already get some indications from >> group members on their views on this proposal; including even questions and >> further considerations that we may want to add to this proposal. >> >> So to all of us: please weigh in with some initial views on this matter >> via email. >> >> >> >> *My thoughts:* >> >> The proposal is well-structured and considered. The proposal makes sense >> to me and I can see the benefit to enable certain use-cases. In fact, at >> this stage I have no suggestions for changes or edits. >> >> >> >> Kind regards, >> >> Gerhard >> >> >> >> >> >> *From:* Stephen McGruer <smcgruer@google.com> >> *Sent:* Tuesday, 19 July 2022 15:22 >> *To:* Web Payments Working Group <public-payments-wg@w3.org> >> *Subject:* Re-opening discussion with WebAuthn on credential creation in >> an iframe >> >> >> >> Hi folks, >> >> >> >> (Sending email as the next WG meeting isn't until August 18th and so we >> cannot discuss live.) >> >> >> >> As you may recall, we have discussed a need in the Web Payments WG for >> WebAuthn credential creation to be available in a cross-origin iframe >> (e.g., to allow a https://bank.com >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__eur01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fbank.com-252F-26data-3D05-257C01-257Cgoosthuizen-2540entersekt.com-257C854fde89d381462cbc1b08da698df0d3-257C19c3aeac7d8a4c9e80b99f9510adc7f7-257C1-257C0-257C637938355626302526-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C3000-257C-257C-257C-26sdata-3DSHEucCoc7XmmaoQ29teZVlBfULGJcItjG0EbgG0dr9E-253D-26reserved-3D0&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=8CU9_HnlMInM22padCFcHdr16PG2gwSAs64Y0WI8tsY&e=> >> iframe embedded inside of https://merchant.com >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__eur01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fmerchant.com-252F-26data-3D05-257C01-257Cgoosthuizen-2540entersekt.com-257C854fde89d381462cbc1b08da698df0d3-257C19c3aeac7d8a4c9e80b99f9510adc7f7-257C1-257C0-257C637938355626302526-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C3000-257C-257C-257C-26sdata-3D-252B4b3Kve8epE6ZN5hKGIC2L3L35dBLqD80aAZT0JugkU-253D-26reserved-3D0&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=KENWt9v3HCfjfJYDhODraJkluhGf-TpA6Yp4DLjbYok&e=> >> to enroll a user during a payment flow). We've heard that this is useful >> both for SPC as well as users of 'pure' WebAuthn. >> >> >> >> To that end, I've drafted the comment below to re-open the discussion >> with our WebAuthn colleagues on issue 1656 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_w3c_webauthn_issues_1656&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=Zc79yqNv5sK07sLT1MmiEhD80tTzAmGD0CZagKYAaVU&e=>. >> I hope for the comment to be made with the backing of the WPWG, so please >> do take a look and feel free to give feedback. >> >> >> >> [Draft] WebAuthn issue to re-allow credential creation in a cross-origin >> iframe >> >> >> >> I leave it to the chairs how we might want to ratify support for this; >> I'm happy to wait until the August 18th sync, or perhaps we can just do it >> over email? >> >> >> >> Thanks, >> >> Stephen >> >> >> >> -- >> >> smcgruer • he / him >> CONFIDENTIALITY NOTICE This e-mail message and any attachments are only >> for the use of the intended recipient and may contain information that is >> privileged, confidential or exempt from disclosure under applicable law. If >> you are not the intended recipient, any disclosure, distribution or other >> use of this e-mail message or attachments is prohibited. If you have >> received this e-mail message in error, please delete and notify the sender >> immediately. Thank you. >> > > > -- > smcgruer • he / him >
Attachments
- image/png attachment: image001.png
Received on Tuesday, 2 August 2022 14:17:21 UTC