- From: Stephen McGruer via GitHub <sysbot+gh@w3.org>
- Date: Mon, 22 Nov 2021 17:45:25 +0000
- To: public-webauthn@w3.org
This was discussed today in the SPC Task Force (part of the Web Payments WG). There were two main outcomes of the discussion:

1. A desire that an RP should be able to access SPC in a first-party setting (e.g. on `rp.com`), using an existing and 'normal' WebAuthn credential. That is, to use a credential C in the following cases:

| | First Party-usage | Third Party-usage |
| ------------- | ------------- | ------------- |
| **Login** | No bit needed | Never! |
| **Payments** | No bit needed | Needs a bit set at creation-time |

2. A desire that a third-party enabled credential should **also** be usable in a first-party context for login. That is, if `rp.com` creates a third-party enabled credential C so that `not-rp.com` can use it in a payments context, it should also be possible for a user to visit `rp.com` and do a login authentication flow using C.

The first of these is possible by changing the namespace solution to be about the 3p-powers rather than payment abilities (i.e. `3p://rp.com` rather than `payment://rp.com`). The second of these, however, is not compatible with a namespace solution as it requires interoperating across two dimensions.

@ve7jtb did come up with a new proposal during the meeting, which I believe he plans to mull on and then post here if he's happy enough with it :).

--
GitHub Notification of comment by stephenmcgruer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-975770111 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 22 November 2021 17:45:27 UTC