Re: [webauthn] Cross origin authentication without iframes (#1667)

@sbweeden The biggest change required by SPC is liberating keys domain-wise:
https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration
That is, a payer must be able to exercise his/her payment keys with any merchant.

There are two other alternatives which do not require any updates of WebAuthn:
- Redirect payment requests to the RP. This was one of the things the SPC folks wanted to avoid.
- Run the _entire_ user authorization process inside of SPC in the same way as **Apple Pay** does. This option has never been discussed but is IMO a much better idea than building on a severely dated "Card NOT Present" architecture requiring 500 pages of documentation, certified merchant server software, and merchants becoming a part of a specific PKI in order to access bank-related security services.

-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-908841011 using your GitHub account



Received on Tuesday, 31 August 2021 02:14:01 UTC