Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

Acknowledging that this issue has been long and contains many sub-discussions and proposals, I wanted to be clear on what we (WPWG) think are the next steps here.

At this point, we believe that we need authenticator-level support for the following two things:

1. At creation time, the ability to ask the authenticator to set a bit in the credential, indicating that the credential may be used **cross-origin** for SPC.
1. At authentication time, mechanism(s) to ask an authenticator (or to determine directly from a credential ID), **without** user interaction with the device:
    1. [If a credential is SPC-enabled](https://w3c.github.io/secure-payment-confirmation/#steps-to-determine-if-a-credential-is-spc-enabled).
    1. [If a credential is available on the authenticator](https://w3c.github.io/secure-payment-confirmation/#steps-to-silently-determine-if-a-credential-is-available-for-the-current-device). (We believe that this is similar to that which is required for the [WebAuthn Conditional UI Proposal](https://github.com/w3c/webauthn/issues/1545).)

(Note that the above presumes that SPC in a **1p** context will always be available, and that the bit will indicate that it is also allowed from a **3p** context. As always, login will never be allowed from a 3p context.)

As we understand it, these require CTAP level changes, so our next step is to send a proposal to the FIDO2TWG for these, within the next 2 weeks. Please feel free to give us any input before we move to do that :).

-- 
GitHub Notification of comment by stephenmcgruer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-1060941206 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 7 March 2022 17:29:45 UTC