Re: RE: Re-opening discussion with WebAuthn on credential creation in an iframe

+1 on the proposal and the comments made in this thread.

On Tue, Aug 2, 2022 at 9:12 AM Stephen McGruer <smcgruer@google.com> wrote:

> Hi folks,
>
> Thanks Sameer and Gerhard for the input so far on this. Would love to hear
> other viewpoints (including just agreement).
>
> > I would also already venture that we make this an agenda point for the
> 18th, at least to discuss, but potentially also to make a decision on this.
>
> Ack, SGTM - let's put this on the agenda for the 18th, preferably to
> make a decision :).
>
> Thanks,
> Stephen
>
> On Fri, 22 Jul 2022 at 15:22, Tare, Sameer <Sameer.Tare@mastercard.com>
> wrote:
>
>> Hi Gerhard,
>>
>>
>>
>> Sharing my thoughts on this over email based on an initial read. From a
>> Payments/3DS perspective I can see this feature to be of very significant
>> value in terms of
>>
>>
>>
>> 1) Scaling the use of FIDO based authentication methods in 3ds eco-system
>>
>>
>>
>> 2) Making the experience of implementing SPC/WebAuthn authentication
>> methods for 3ds providers more cohesive where creation of credential does
>> not have to offered separately (potentially more challenging when PSPs are
>> involved)
>>
>>
>>
>> As this topic evolves, this may require consideration in the EMV 3DSWG.
>> The specification as it stands today does not allow registration at the
>> time of transaction so that will need to reviewed and we also need to
>> consider that the merchants are not negatively impacted from various facets
>> of credential creation (user education, latency, errors/cancellation etc)
>>
>>
>>
>> *Sameer Tare*
>>
>> Director
>>
>> Product Development
>>
>>
>>
>> Mastercard | mobile +1 6365158322 <+1%20636-515-8322>
>>
>> <http://www.mastercard.com>
>>
>>
>>
>> *From:* Gerhard Oosthuizen <goosthuizen@entersekt.com>
>> *Sent:* Friday, July 22, 2022 10:04 AM
>> *To:* Stephen McGruer <smcgruer@google.com>; Web Payments Working Group <
>> public-payments-wg@w3.org>
>> *Subject:* {EXTERNAL} RE: Re-opening discussion with WebAuthn on
>> credential creation in an iframe
>>
>>
>>
>> *CAUTION**:* The message originated from an EXTERNAL SOURCE. Please use
>> caution when opening attachments, clicking links or responding to this
>> email.
>>
>>
>>
>> Hi Stephen,
>>
>>
>>
>> Thank you for the proposal (
>> https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_document_d_1mMgktymuzspnhfKC9i6-5FyBfb-5FVqXcc-2DDiBBhe0TSv5I_edit&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=rMup2tymS7pQN7WIv6p_p0FoN2_klxTZlkl7CxEdLKU&e=>
>> )
>>
>>
>>
>> I will confer with the other chairs on the appropriate mechanism to
>> indicate working group support for this/to submit it on behalf of the
>> working group.
>>
>> I would also already venture that we make this an agenda point for the 18
>> th, at least to discuss, but potentially also to make a decision on this..
>>
>>
>>
>> *Request for input:*
>>
>> It would be great however if we can already get some indications from
>> group members on their views on this proposal; including even questions and
>> further considerations that we may want to add to this proposal.
>>
>> So to all of us: please weigh in with some initial views on this matter
>> via email.
>>
>>
>>
>> *My thoughts:*
>>
>> The proposal is well-structured and considered. The proposal makes sense
>> to me and I can see the benefit to enable certain use-cases. In fact, at
>> this stage I have no suggestions for changes or edits.
>>
>>
>>
>> Kind regards,
>>
>> Gerhard
>>
>>
>>
>>
>>
>> *From:* Stephen McGruer <smcgruer@google.com>
>> *Sent:* Tuesday, 19 July 2022 15:22
>> *To:* Web Payments Working Group <public-payments-wg@w3.org>
>> *Subject:* Re-opening discussion with WebAuthn on credential creation in
>> an iframe
>>
>>
>>
>> Hi folks,
>>
>>
>>
>> (Sending email as the next WG meeting isn't until August 18th and so we
>> cannot discuss live.)
>>
>>
>>
>> As you may recall, we have discussed a need in the Web Payments WG for
>> WebAuthn credential creation to be available in a cross-origin iframe
>> (e.g., to allow a https://bank.com
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__eur01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fbank.com-252F-26data-3D05-257C01-257Cgoosthuizen-2540entersekt.com-257C854fde89d381462cbc1b08da698df0d3-257C19c3aeac7d8a4c9e80b99f9510adc7f7-257C1-257C0-257C637938355626302526-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C3000-257C-257C-257C-26sdata-3DSHEucCoc7XmmaoQ29teZVlBfULGJcItjG0EbgG0dr9E-253D-26reserved-3D0&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=8CU9_HnlMInM22padCFcHdr16PG2gwSAs64Y0WI8tsY&e=>
>> iframe embedded inside of https://merchant.com
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__eur01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fmerchant.com-252F-26data-3D05-257C01-257Cgoosthuizen-2540entersekt.com-257C854fde89d381462cbc1b08da698df0d3-257C19c3aeac7d8a4c9e80b99f9510adc7f7-257C1-257C0-257C637938355626302526-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C3000-257C-257C-257C-26sdata-3D-252B4b3Kve8epE6ZN5hKGIC2L3L35dBLqD80aAZT0JugkU-253D-26reserved-3D0&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=KENWt9v3HCfjfJYDhODraJkluhGf-TpA6Yp4DLjbYok&e=>
>> to enroll a user during a payment flow). We've heard that this is useful
>> both for SPC as well as users of 'pure' WebAuthn.
>>
>>
>>
>> To that end, I've drafted the comment below to re-open the discussion
>> with our WebAuthn colleagues on issue 1656
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_w3c_webauthn_issues_1656&d=DwMFAg&c=uc5ZRXl8dGLM1RMQwf7xTCjRqXF0jmCF6SP0bDlmMmY&r=gqWbSFHSMbetiPmPy6bIJs4vs2Rl9a-vEGZwgfOZGVY&m=CYyUzhinCzgLrtnKsK5PsD-Qxh9Z1QTpEA37o__wYx__et5FQsIuR2o_0XnLi_RA&s=Zc79yqNv5sK07sLT1MmiEhD80tTzAmGD0CZagKYAaVU&e=>.
>> I hope for the comment to be made with the backing of the WPWG, so please
>> do take a look and feel free to give feedback.
>>
>>
>>
>> [Draft] WebAuthn issue to re-allow credential creation in a cross-origin
>> iframe
>>
>>
>>
>> I leave it to the chairs how we might want to ratify support for this;
>> I'm happy to wait until the August 18th sync, or perhaps we can just do it
>> over email?
>>
>>
>>
>> Thanks,
>>
>> Stephen
>>
>>
>>
>> --
>>
>> smcgruer • he / him
>> CONFIDENTIALITY NOTICE This e-mail message and any attachments are only
>> for the use of the intended recipient and may contain information that is
>> privileged, confidential or exempt from disclosure under applicable law. If
>> you are not the intended recipient, any disclosure, distribution or other
>> use of this e-mail message or attachments is prohibited. If you have
>> received this e-mail message in error, please delete and notify the sender
>> immediately. Thank you.
>>
>
>
> --
> smcgruer • he / him
>

Received on Tuesday, 2 August 2022 14:17:21 UTC