- From: Anders Rundgren <notifications@github.com>
- Date: Fri, 10 Sep 2021 23:19:09 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/544/917350657@github.com>
Hello Ian and Marcos,

Before you cast me off from the W3C in its entirety, may I finish by briefly describing how SPC works from a User and Merchant perspective, here in a 3DS setting?

### User Enrollment

- The User authenticates to their Bank using a bank-specific verification method.
- The enrollment process creates a FIDO authenticator and associates that with a card number, credentialId, logotype, etc.
- 👁 After this process the only remaining item on the client side is the FIDO authenticator, _the rest is stored on the Bank-server only_.

### Payment Authorization

- 👁 Through pretty complex communication with external systems, as well as typically also requiring typing card numbers (the key to an account), _the Merchant retrieves the previously created Bank-server data_.
- SPC is invoked.

Concrete payment methods like Apple Pay and hundreds of lesser-known brands do not need the steps marked with 👁, _since the required data associated with a payment key (authenticator) is stored locally_.

Although this may look like a "detail", the consequences of this design choice are actually *extremely far-fetching*. However, since most of this happens _outside_ of the SPC API, it is probably not an item for TAG. Unfortunately, _Users_, _Merchants_, and _Banks_ do not enjoy the same luxury.

Cheers,
Anders / leaving this thread 😺

@stephenmcgruer

Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/544#issuecomment-917350657
Received on Saturday, 11 September 2021 06:19:23 UTC