- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Tue, 27 Jul 2021 20:35:54 +0000
- To: public-webauthn@w3.org
agl has just created a new issue for https://github.com/w3c/webauthn:

== Cross-origin credential creation ==

In level two we supported cross-origin assertions (when [allowed](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-iframe-guidance) by the top-level) but omitted cross-origin creation because there wasn't anyone with a use-case.

We would like to revisit that and allow cross-origin creation along the same lines as assertion. We believe this will be useful in a payments context.

When making a payment there are three (or four) parties involved. The customer seeks to authorise the payment. They are on the merchant's site. A bank needs to approve the payment, and there might be a payment processor between the merchant and the bank.

If the bank can make a cross-origin assertion on the merchant page then that can greatly improve their confidence that the transaction is genuine. However, that assumes that the bank _has_ a credential for the user, and that would be aided by being able to enroll users inline. Thus the desire for cross-origin creation.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 27 July 2021 20:35:55 UTC