W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2021

Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Thu, 02 Dec 2021 16:33:43 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-984793763-1638462814-sysbot+gh@w3.org>
@ianbjacobs if a decision is taken to use a new member then it needs to go to the CTAP TWG.

If we don't change CTAP and use existing elements then the WebAuthn WG should be able to make a decision.  It would be polite to let the CTAP TWG know, but there is significant overlap between the groups.  

On the WebAuthn call, the preference seemed to be to find a way to do this with namespacing and not overload other members.

If we do something like adding a WebAuthn extension like the one for appID where a RP could say that it wants to use credentials in the SPC namespace for authentication that might be a way to proceed.   

Essentially all credentials that are SPC capable would be created in the SPC namespace.  
Normal Webauthn credentials would not be usable by SPC. 

When doing authentication the RP would send the special extension and the WebAuthn client would check the spc: namespace and not the normal one.   

It gets complicated in authentication when you want to check multiple RPID in one request.   The CTAP2.1 spec requires separate authentications for each RPID.   I need to think about how this could work.
The other question is if there is a real desire by banks to have some SPC credentials that only work in the first-party context.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-984793763 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 2 December 2021 16:33:45 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC