
[webauthn] Cross-origin credential creation (#1656)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Tue, 27 Jul 2021 20:35:54 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-954246546-1627418152-sysbot+gh@w3.org>
agl has just created a new issue for https://github.com/w3c/webauthn:

== Cross-origin credential creation ==
In level two we supported cross-origin assertions (when [allowed](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-iframe-guidance) by the top-level) but omitted cross-origin creation because there wasn't anyone with a use-case.

We would like to revisit that and allow cross-origin creation along the same lines as assertion. We believe this will be useful in a payments context.

When making a payment there are three (or four) parties involved. The customer seeks to authorise the payment. They are on the merchant's site. A bank needs to approve the payment, and there might be a payment processor between the merchant and the bank. If the bank can make a cross-origin assertion on the merchant page then that can greatly improve their confidence that the transaction is genuine. However, that assumes that the bank _has_ a credential for the user, and that would be aided by being able to enroll users inline. Thus the desire for cross-origin creation.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 27 July 2021 20:35:55 UTC
