On Mon, Mar 22, 2021 at 5:51 PM Fred Le Tamanoir <fredletamanoir@gmail.com> wrote: > "The WG consensus is that these payments-oriented discussions are not > relevant to the webauthn WG" > And that's partially why each webauthn specifications update is often a > strange/bad surprise: extensions description/support can come and > go/disappear (like the hope to be implemented inside browsers). > To be fair, it was more a clarification that there was never much hope that the extensions in question would be implemented inside browsers. Mixing system-level security UI with unverified, dynamic remote content is a dangerous user experience. IMHO, other extensions which do not provide a user experience based on mixed security contexts are still possible. However, these would not use the WebAuthn API but rather the payments API. With invocation via the payments API, it is no longer a mixed context issue - the client is involved in both the payment request and the authenticator interaction. -DW -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
Received on Tuesday, 23 March 2021 08:59:21 UTC