Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

@ianbjacobs if a decision is taken to use a new member then it needs to go to the CTAP TWG.

If we don't change CTAP and use existing elements then the WebAuthn WG should be able to make a decision.  It would be polite to let the CTAP TWG know, but there is significant overlap between the groups.  

On the WebAuthn call, the preference seemed to be to find a way to do this with namespacing and not overload other members.

If we do something like adding a WebAuthn extension like the one for appID where a RP could say that it wants to use credentials in the SPC namespace for authentication that might be a way to proceed.   

Essentially all credentials that are SPC capable would be created in the SPC namespace.  
Normal Webauthn credentials would not be usable by SPC. 

When doing authentication the RP would send the special extension and the WebAuthn client would check the spc: namespace and not the normal one.   

It gets complicated in authentication when you want to check multiple RPID in one request.   The CTAP2.1 spec requires separate authentications for each RPID.   I need to think about how this could work.
The other question is if there is a real desire by banks to have some SPC credentials that only work in the first-party context.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 2 December 2021 16:33:45 UTC