Re: Re-opening discussion with WebAuthn on credential creation in an iframe

Hi folks,

Thanks for the discussion and agreement to re-open this discussion today in
the WPWG meeting. I have incorporated the requested changes to the comment
by Rolf, and have now posted the comment to the WebAuthn issue:

https://github.com/w3c/webauthn/issues/1656#issuecomment-1219682589

Thanks,
Stephen

On Mon, 8 Aug 2022 at 13:07, Stephen McGruer <smcgruer@google.com> wrote:

> Absolutely, please feel free to.
>
> On Mon, 8 Aug 2022 at 13:06, Ian Jacobs <ij@w3.org> wrote:
>
>> Stephen,
>>
>> Can I put the link to your draft document in the agenda of the 18th
>> meeting?
>>
>> Ian
>>
>> > On Aug 2, 2022, at 9:15 AM, Praveena Subrahmanyam <
>> praveena.subrahmanyam@airbnb.com> wrote:
>> >
>> > +1 on the proposal and the comments made in this thread.
>> >
>> > On Tue, Aug 2, 2022 at 9:12 AM Stephen McGruer <smcgruer@google.com>
>> wrote:
>> > Hi folks,
>> >
>> > Thanks Sameer and Gerhard for the input so far on this. Would love to
>> hear other viewpoints (including just agreement).
>> >
>> > > I would also already venture that we make this an agenda point for
>> the 18th, at least to discuss, but potentially also to make a decision on
>> this.
>> >
>> > Ack, SGTM - let's put this on the agenda for the 18th, preferably to
>> make a decision :).
>> >
>> > Thanks,
>> > Stephen
>> >
>> > On Fri, 22 Jul 2022 at 15:22, Tare, Sameer <Sameer.Tare@mastercard.com>
>> wrote:
>> > Hi Gerhard,
>> >
>> >
>> >
>> > Sharing my thoughts on this over email based on an initial read. From a
>> Payments/3DS perspective I can see this feature to be of very significant
>> value in terms of
>> >
>> >
>> >
>> > 1) Scaling the use of FIDO based authentication methods in 3ds
>> eco-system
>> >
>> >
>> >
>> > 2) Making the experience of implementing SPC/WebAuthn authentication
>> methods for 3ds providers more cohesive where creation of credential does
>> not have to be offered separately (potentially more challenging when PSPs are
>> involved)
>> >
>> >
>> >
>> > As this topic evolves, this may require consideration in the EMV 3DSWG.
>> The specification as it stands today does not allow registration at the
>> time of transaction so that will need to be reviewed and we also need to
>> consider that the merchants are not negatively impacted from various facets
>> of credential creation (user education, latency, errors/cancellation etc)
>> >
>> >
>> >
>> > Sameer Tare
>> >
>> > Director
>> >
>> > Product Development
>> >
>> >
>> >
>> > Mastercard | mobile +1 6365158322
>> >
>> >
>> >
>> > From: Gerhard Oosthuizen <goosthuizen@entersekt.com>
>> > Sent: Friday, July 22, 2022 10:04 AM
>> > To: Stephen McGruer <smcgruer@google.com>; Web Payments Working Group <
>> public-payments-wg@w3.org>
>> > Subject: {EXTERNAL} RE: Re-opening discussion with WebAuthn on
>> credential creation in an iframe
>> >
>> >
>> >
>> >
>> >
>> > Hi Stephen,
>> >
>> >
>> >
>> > Thank you for the proposal (
>> https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit
>> )
>> >
>> >
>> >
>> > I will confer with the other chairs on the appropriate mechanism to
>> indicate working group support for this/to submit it on behalf of the
>> working group.
>> >
>> > I would also already venture that we make this an agenda point for the
>> 18th, at least to discuss, but potentially also to make a decision on this.
>> >
>> >
>> >
>> > Request for input:
>> >
>> > It would be great however if we can already get some indications from
>> group members on their views on this proposal; including even questions and
>> further considerations that we may want to add to this proposal.
>> >
>> > So to all of us: please weigh in with some initial views on this matter
>> via email.
>> >
>> >
>> >
>> > My thoughts:
>> >
>> > The proposal is well-structured and considered. The proposal makes
>> sense to me and I can see the benefit to enable certain use-cases. In fact,
>> at this stage I have no suggestions for changes or edits.
>> >
>> >
>> >
>> > Kind regards,
>> >
>> > Gerhard
>> >
>> >
>> >
>> >
>> >
>> > From: Stephen McGruer <smcgruer@google.com>
>> > Sent: Tuesday, 19 July 2022 15:22
>> > To: Web Payments Working Group <public-payments-wg@w3.org>
>> > Subject: Re-opening discussion with WebAuthn on credential creation in
>> an iframe
>> >
>> >
>> >
>> > Hi folks,
>> >
>> >
>> >
>> > (Sending email as the next WG meeting isn't until August 18th and so we
>> cannot discuss live.)
>> >
>> >
>> >
>> > As you may recall, we have discussed a need in the Web Payments WG for
>> WebAuthn credential creation to be available in a cross-origin iframe
>> (e.g., to allow a https://bank.com iframe embedded inside of
>> https://merchant.com to enroll a user during a payment flow). We've
>> heard that this is useful both for SPC as well as users of 'pure' WebAuthn.
>> >
>> >
>> >
>> > To that end, I've drafted the comment below to re-open the discussion
>> with our WebAuthn colleagues on issue 1656. I hope for the comment to be
>> made with the backing of the WPWG, so please do take a look and feel free
>> to give feedback.
>> >
>> >
>> >
>> > [Draft] WebAuthn issue to re-allow credential creation in a
>> cross-origin iframe
>> >
>> >
>> >
>> > I leave it to the chairs how we might want to ratify support for this;
>> I'm happy to wait until the August 18th sync, or perhaps we can just do it
>> over email?
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Stephen
>> >
>> >
>> >
>> > --
>> >
>> > smcgruer • he / him
>> >
>> >
>> > --
>> > smcgruer • he / him
>>
>> --
>> Ian Jacobs <ij@w3.org>
>> https://www.w3.org/People/Jacobs/
>> Tel: +1 917 450 8783
>>
>>
>>
>>
>>
>>
>
> --
> smcgruer • he / him
>


-- 
smcgruer • he / him

Received on Thursday, 18 August 2022 16:17:25 UTC