Re: [webauthn] Cross-origin credential creation in iframes (#1656)

I think it's a little clearer now, Natalie (@ncthbrt). What you want to do is register a Consumer's FIDO credential to _your_ site after the Consumer has completed a transaction successfully on _your_ site within the primary frame/top-level window (if my terminology is right). This is not only feasible, but is encouraged by the standard.

The issue being discussed in this thread is to support the creation of a FIDO credential for the ultimate Issuer of the Consumer's payment instrument - perhaps, a credit card - while the Consumer is at the Merchant site. In such a scenario, the Merchant is not the RP for that credential - the Issuer is; and the interaction between the Consumer, the FIDO Authenticator and the Issuer is occurring through an iframe embedded in the Merchant's site.

While such direct interaction with the Issuer is technically feasible, there are legal requirements within GDPR and CCPA that require the ultimate RP to provide notices in a specified manner to the Consumer, and to receive unequivocal consent from the Consumer for providing the PII (the _credentialId_) to the RP.

In your use-case (as I understand it), the Consumer is registering their FIDO credential with you - hopefully, in the primary frame/top-level window. If you are attempting to register such a credential within an iframe embedded in _your_ customer's (Merchant's) site, then you have the same legal obligations as the Issuer of the credit card.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-893359965 using your GitHub account
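As an added illustration (not code from this thread, from the WebAuthn specification or from any browser), the JavaScript below applies the distinction the comment draws: a registration made in the top-level window under the site's own rp.id, versus a registration made by a frame embedded in someone else's page, where the frame's own origin, not the embedder, is the RP that owes the consumer the notice and consent step. The function names, the hostnames and the byte values are constructed for the example; hostnames are assumed to be lower-cased already, and the public-suffix check a real browser also applies to rp.id is noted but not implemented.

```javascript
// Added example, not code from the thread or from the WebAuthn spec/repo.
// Assumptions: hostnames are already lower-cased; the public-suffix check
// that a browser applies (rejecting rp.id values such as "com") is out of
// scope here and only noted.

// WebAuthn requires rp.id to equal the caller's effective domain or to be a
// registrable parent of it (e.g. rp.id "issuer.example" is acceptable from
// "pay.issuer.example", but not from "merchant.example").
function rpIdMatchesHost(rpId, host) {
  return host === rpId || host.endsWith("." + rpId);
}

// Classify a registration attempt by where the call is made.
//   topLevelHost: host of the top-level window (the Merchant in the thread's scenario)
//   frameHost:    host of the document that actually calls navigator.credentials.create()
//   rpId:         the rp.id the caller intends to register under
function classifyRegistration({ topLevelHost, frameHost, rpId }) {
  if (!rpIdMatchesHost(rpId, frameHost)) {
    // An embedded frame cannot register under the embedder's domain (or any
    // other domain it does not own).
    return { proceed: false, context: "rp-id-mismatch", relyingParty: null };
  }
  if (frameHost === topLevelHost) {
    // First-party, top-level: the straightforward case the comment recommends.
    return { proceed: true, context: "top-level", relyingParty: rpId };
  }
  // The calling frame is embedded in someone else's page. The frame's own
  // origin is the RP, and per the thread it is that RP that must provide
  // notice and obtain consent before creating the credential.
  return {
    proceed: true,
    context: "embedded-iframe",
    relyingParty: rpId,
    consentRequiredFrom: rpId,
  };
}

// Build creation options only for an acceptable context, so rp.id is always
// the calling frame's own domain and never the embedder's.
function buildCreationOptions(ctx, { challenge, userId, userName }) {
  const decision = classifyRegistration(ctx);
  if (!decision.proceed) {
    throw new Error("refusing to register: " + decision.context);
  }
  return {
    publicKey: {
      rp: { id: decision.relyingParty, name: decision.relyingParty },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: { userVerification: "required" },
      attestation: "none",
    },
  };
}

// Constructed sample inputs; the hostnames and bytes are placeholders.
const sampleChallenge = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
const sampleUserId = new Uint8Array([9, 9, 9, 9]);

const merchantTopLevel = classifyRegistration({
  topLevelHost: "shop.merchant.example", frameHost: "shop.merchant.example", rpId: "merchant.example",
});
const issuerInIframe = classifyRegistration({
  topLevelHost: "shop.merchant.example", frameHost: "pay.issuer.example", rpId: "issuer.example",
});
const embedderAsRp = classifyRegistration({
  topLevelHost: "shop.merchant.example", frameHost: "pay.issuer.example", rpId: "merchant.example",
});
console.log(merchantTopLevel.context, issuerInIframe.context, embedderAsRp.context);
console.log(buildCreationOptions(
  { topLevelHost: "pay.issuer.example", frameHost: "pay.issuer.example", rpId: "issuer.example" },
  { challenge: sampleChallenge, userId: sampleUserId, userName: "alice" },
).publicKey.rp.id);
```

In a real page the three hosts come from the browser (the frame's own location and, if it is not top-level, whatever the embedder is), and the consentRequiredFrom field is the cue to show the RP's own notice before the create() call rather than relying on the embedder's page to do so.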


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 5 August 2021 10:50:09 UTC