- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Mar 2025 16:31:51 +0000
- To: public-webauthn@w3.org
This has no impact on Secure Payment Confirmation. That W3C specification is built on top of the existing WebAuthn spec, not using these extensions. The browsers are OK with displaying that, as the transaction information is tightly scoped and presented to the user as financial transaction information. That is different from having freeform text presented to the user during an authentication interaction. Part of the problem is getting the user to understand that WebAuthn now is doing two things: 1) authentication and now 2) digital signature. Could it be done? Yes, but it requires significant UX work to make it understandable.

Work is being done in the EWC Large Scale Pilot and other pilots to do transaction signing based on Verifiable Credentials. That is using transaction signing as part of OpenID4VP over the W3C Digital Credentials API. That API is also part of the Credential Management API that WebAuthn is under. That work also does not use the Tx Signing extension.

These extensions don't exist in practice and have never been deployed in WebAuthn (yes, there was a short-lived Android experiment that is the exception). They were part of an older FIDO UAF specification that were documented but never implemented for users.

The GBIC probably wants something more specific than general transaction signing, like Secure Transaction Confirmation. I think that could be looked at. I would like to understand why Secure Transaction Confirmation is not good enough for them before starting on something else. I also happen to be working with SPRIN-D on using Digital Credentials for financial transactions. So, Germany is looking at multiple things in parallel.

@petrdvorak I would be cautious with this approach. It won't work with discoverable credentials, and large credential IDs currently trigger bugs in iOS and macOS processing of allow and exclude lists (I hope that gets fixed soon). It likely also violates CTAP requirements for certification (this is a FIDO discussion). Authenticators have tried similar things in the past and have been blocked by Chrome and other browsers. Just giving you a heads up.

Given that the Digital Credentials API is working on transaction signing and other qualified digital signature applications, trying to retrofit something into WebAuthn may just add to the confusion.

--
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2020#issuecomment-2758670080 using your GitHub account
Received on Thursday, 27 March 2025 16:31:51 UTC