Summary of discussion [Was: Time-sensitive: Joint discussion with Web Authentication WG on 3 May]

Dear Web Payments Working Group,

Stephen McGruer and I attended the Web Authentication WG meeting yesterday (see minutes [1]) to discuss several SPC-related topics. Below is my short summary.

Ian

[1] https://www.w3.org/2023/05/03-webauthn-minutes#t01

========
Registration of SPC-related extensions with IANA
https://github.com/w3c/secure-payment-confirmation/issues/220

IANA maintains a registry of Web Authentication Extensions, all of which to date have been defined by the Web Authentication Working Group. However, SPC defines the 'payment' extension. Our goals in the conversation were:

* Make sure the Web Authentication WG was aware of our extension and supported our registration of it.
* Learn from them the right way to register the extension.

We learned that RFC 8809 defines the process for registering Web Authentication extensions:
  https://www.rfc-editor.org/rfc/rfc8809.html

No concerns were raised about the WPWG registering the 'payment' extension, so I expect to work with the Editors to do so.

We also discussed registration of the thirdPartyPayment extension that was recently added to a draft CTAP specification:
 https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-thirdPartyPayment-extension

At this time, it appears that, if the registration of that SPC-related extension happens, it would be handled as part of the FIDO Alliance’s process of registering extensions.

========
On the addition of cross-origin creation capabilities to Web Authentication

SPC allows cross-origin credential creation within an iframe (because Web Authentication Level 2 does not). However, this capability was recently added to Web Authentication Level 3:
  https://github.com/w3c/webauthn/pull/1801

The goal of this discussion was to find out whether and when we could remove this special power from SPC. My takeaway was that the answer is "not yet". I expect to work with the Editors to add an informative Note to SPC indicating that the cross-origin create capability is in the process of being added to Web Authentication and in the future SPC may evolve to rely on that.

========
Roaming Authenticators
Relates to:
https://github.com/w3c/secure-payment-confirmation/issues/12

The WPWG has a goal that SPC work with all authenticators. Today’s implementation of SPC in Chromium does not support roaming authenticators out of concerns related to the UX. We asked the Web Authentication WG if there is any news about UX for roaming authenticators and the answer was "yes," there is ongoing work in CTAP 2.2. Stephen suggested that the next steps for this topic are most likely for the Web Payments Working Group, and that discussion of roaming authenticators could be merged into discussions about fallback UX:
 https://www.w3.org/2023/03/27-wpwg-minutes.html#t04

========
Passkeys
Relates to:
https://github.com/w3c/secure-payment-confirmation/issues/174

We asked about whether any passkey-related developments would have an impact on SPC. Those discussions are ongoing, so the answer was "nothing to report yet."

> On May 2, 2023, at 10:12 PM, Ian Jacobs <ij@w3.org> wrote:
> 
> Dear Web Payments WG,
> 
> First, I apologize for this late notice. I did not receive confirmation of this opportunity until today.
> 
> On two recent occasions we have invited the Web Authentication WG to come to the usual WPWG meeting
> for a joint discussion of a number of topics; neither opportunity worked out. 
> 
> Instead, we have been invited to join the Web Authentication WG at their 3 May meeting (3-4pm ET). Here is the agenda,
> which includes a link to meeting details:
> https://lists.w3.org/Archives/Public/public-webauthn/2023May/0008.html
[snip the rest]

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783

Received on Thursday, 4 May 2023 14:13:36 UTC