On Mon, Mar 22, 2021 at 5:51 PM Fred Le Tamanoir <fredletamanoir@gmail.com>
wrote:
> "The WG consensus is that these payments-oriented discussions are not
> relevant to the webauthn WG"
> And that's partially why each webauthn specifications update is often a
> strange/bad surprise: extensions description/support can come and
> go/disappear (like the hope to be implemented inside browsers).
>
To be fair, it was more a clarification that there was never much hope that
the extensions in question would be implemented inside browsers. Mixing
system-level security UI with unverified, dynamic remote content is a
dangerous user experience.

IMHO, other extensions which do not provide a user experience based on
mixed security contexts are still possible. However, these would not use
the WebAuthn API but rather the payments API. With invocation via the
payments API, it is no longer a mixed context issue - the client is
involved in both the payment request and the authenticator interaction.
-DW