W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2021

Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Tue, 14 Dec 2021 20:34:35 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-993959019-1639514073-sysbot+gh@w3.org>
WPWG 1st use case: `Enable a relying party to use a credential for both login (in a 1p context) and SPC (by the RP, or by other parties in a 3p context).`

[Comment in proposal](https://github.com/w3c/secure-payment-confirmation/issues/157#issuecomment-993877775) says this about namespace solution:
`A "namespace" proposal has been discussed on WebAuthn issue 1667. A limitation of this proposal is that it might not be straightforward to address use case 1. Because the namespace proposal does not eliminate the need for enhanced authenticator capabilities, it seems preferable just to pursue the "cross origin bit" in authenticators to address all three use cases.`

I am curious about what is not straightforward in addressing use case 1? Doesn't that use case just amounts to RP always have to look for namespaced-RPID while doing the validation instead of standard RPID. This assumes that WebAuthn WG considers authentication on cross-origin to namespaced-RPID (which is also not ratified). 

I am fine if long term authenticator based solution is being desired. If that's the case, then IMO, this cannot be solved in WebAuthn WG until FIDO2 TWG develops a solution which works for every authenticator (not just platform authenticators). 


-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-993959019 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 14 December 2021 20:34:36 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC