Re: [Minutes] 15 September task force of the Web Authentication and Web Payments Working Groups

To clarify the proposed agenda item and provide some opportunity to
prepare, we want to clarify the specific requirements for the challenge
generation in a FIDO authN.
Our understanding is that the purpose of the challenge (or specifically the
nonce in the challenge) is to provide some randomness to the signed data to
prevent replays.

We'd like to understand the constraints here and what is allowed by FIDO or
where there is wiggle room.

Our goal is to come up with a scheme for generating the client data without
a server round-trip by:
a) having the client (specifically the browser) generate the nonce
b) the FIDO server protecting itself from replays by not allowing the same
nonce (likely within some time bounded period)

Any other suggestions to help us achieve this goal are welcome.

On Tue, 15 Sep 2020 at 17:48, Ian Jacobs <ij@w3.org> wrote:

> Hi all,
>
> Minutes from today’s discussion (on TPAC planning and QR code agenda):
>   https://www.w3.org/2020/09/15-webauthn-pay-minutes
>
> Next call of this task force: 29 September.
>
> Candidate agenda item:
>  * Secure Payment Confirmation and the challenge created for Web
> Authentication.
>
> Thank you,
>
> Ian
>
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 718 260 9447
>

Received on Wednesday, 16 September 2020 07:42:40 UTC
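As an added example, not code from the thread or from any FIDO implementation, here is one way a relying party could enforce point (b) for a challenge the browser mints itself per point (a): the challenge carries a timestamp plus a random nonce, and the server rejects anything whose timestamp is outside a bounded window or whose nonce it has already seen inside that window. The 8-byte timestamp layout, CHALLENGE_TTL, and the helper names are assumptions.

```python
import base64
import json
import secrets
import struct
import time

CHALLENGE_TTL = 120  # assumed bound (seconds) on how long a client-minted challenge is accepted
NONCE_LEN = 16       # 128 random bits, so accidental nonce collisions are not a concern

def make_client_challenge(now=None):
    """Browser side (hypothetical): 8-byte big-endian unix time followed by a random nonce."""
    ts = int(time.time() if now is None else now)
    return struct.pack(">Q", ts) + secrets.token_bytes(NONCE_LEN)

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data_json(challenge, origin):
    """Minimal clientDataJSON as the browser would produce for this challenge."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin})

class ReplayCache:
    """Nonces seen so far, each kept until its acceptance window has closed.
    In-memory here; a real relying party would share it across server instances."""

    def __init__(self):
        self._seen = {}  # nonce -> unix time after which it can be forgotten

    def check_and_record(self, nonce, now, forget_at):
        for stale in [n for n, t in self._seen.items() if t <= now]:
            del self._seen[stale]  # outside the window, so it can never be accepted again
        if nonce in self._seen:
            return False  # replay: same nonce presented twice inside the window
        self._seen[nonce] = forget_at
        return True

def accept_challenge(cdj, cache, now=None):
    """Relying-party side: accept only a fresh, not-yet-seen client-generated challenge."""
    now = time.time() if now is None else now
    s = json.loads(cdj)["challenge"]
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if len(raw) != 8 + NONCE_LEN:
        return False
    ts = struct.unpack(">Q", raw[:8])[0]
    if abs(now - ts) > CHALLENGE_TTL:
        return False  # timestamp outside the bounded period (stale, or clock skew)
    # keep the nonce until the last instant at which its timestamp could still be accepted
    return cache.check_and_record(raw[8:], now, ts + CHALLENGE_TTL)
```

The cache forgets a nonce only once its timestamp can no longer pass the freshness check, so a challenge minted with a fast client clock cannot be replayed after the server's own copy of the window has elapsed.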