Re: [webauthn] Cross-origin credential creation in iframes (#1656)

@arshadnoor From the current spec:
_The credential ID could be used as a tracking vector, but to obtain it from the Relying Party the merchant already needs an as-strong identifier to give to the Relying Party (e.g., the credit card number)._

That is, 3DS-inspired systems like SPC depend on the user handing over a GUID linked to the user to every third party (e.g. merchant) he/she interacts with.

Absent from the spec: To secure this process, associated third-party software must be _certified_ and third parties must be fitted with TLS client certificates in order to access the complex and sensitive support systems required by card not present (CNP) schemes. This obviously doesn't scale well, so SPC-based payment processes would in most cases likely be outsourced to payment providers like Stripe or to e-commerce hosts like Shopify.

-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-891545813 using your GitHub account



Received on Tuesday, 3 August 2021 05:40:01 UTC