- From: Anders Rundgren via GitHub <sysbot+gh@w3.org>
- Date: Fri, 17 Sep 2021 04:15:35 +0000
- To: public-webauthn@w3.org

Although supporting de-facto standard payment authorization schemes like EMV/Apple Pay has not been considered by the W3C/FIDO community, signature counters fill a nice role here by adding entropy to such authorizations since these do not use challenge/response protocols. Entropy + Unique request and user data + Locally generated time stamps are thus required in order to handle replays of authorizations in a secure and convenient way. **That is, please keep the SHOULD!**

Fun fact: In contrast to authentication, replay in authorization-based schemes may actually be a "feature". By enabling _idempotent operation_, retransmissions occurring due to network glitches etc. return the same result data without any internal state changes, potentially adding robustness to payment ecosystems.

--
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1590#issuecomment-921445984 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 17 September 2021 04:15:37 UTC
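
The replay handling described in the message above, as an added sketch that is not part of the original message or of any WebAuthn or EMV specification: a verifier that executes each distinct signed authorization once and answers retransmissions with the stored result. The field names (`counter`, `request`, `timestamp`), the 600-second window and the class name are assumptions, and signature verification is assumed to have succeeded before `process` is called.

```python
import hashlib
import json
import time

MAX_AGE_SECONDS = 600  # assumed acceptance window for the locally generated time stamp


class AuthorizationProcessor:
    """Executes each distinct signed authorization once; replays get the cached result."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._results = {}  # digest of signed fields -> (time stamp, result)
        self.executed = 0   # number of real state changes performed

    @staticmethod
    def _digest(auth):
        # Canonical JSON over the signed fields: counter, request data, time stamp.
        blob = json.dumps(auth, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(blob).hexdigest()

    def process(self, auth):
        now = self._clock()
        # Drop cache entries whose authorization would be rejected as stale anyway,
        # so the cache stays bounded without reopening a replay window.
        self._results = {k: v for k, v in self._results.items()
                         if now - v[0] <= MAX_AGE_SECONDS}
        if abs(now - auth["timestamp"]) > MAX_AGE_SECONDS:
            return {"status": "rejected", "reason": "stale"}
        key = self._digest(auth)
        if key in self._results:
            # Retransmission: same result data, no internal state change.
            return self._results[key][1]
        self.executed += 1  # stands in for the actual payment booking
        result = {"status": "ok", "receipt": self.executed}
        self._results[key] = (auth["timestamp"], result)
        return result


if __name__ == "__main__":
    # Constructed sample: identical request and time stamp, different counters.
    p = AuthorizationProcessor(clock=lambda: 1000.0)
    first = {"counter": 41, "request": {"payee": "Shop", "amount": "10.00"}, "timestamp": 1000}
    print(p.process(first), p.process(first), p.process(dict(first, counter=42)))
```

The signature counter is what separates a second, intentional payment with identical request data and time stamp from a retransmission of the first.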