Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry

Ian Jacobs <ij@w3.org> Tue, 22 August 2023 14:13 UTC

From: Ian Jacobs <ij@w3.org>
Date: Tue, 22 Aug 2023 09:13:33 -0500
Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>, "webauthn-reg-review@ietf.org" <webauthn-reg-review@ietf.org>, Stephen McGruer <smcgruer@google.com>, Philippe Le Hégaret <plh@w3.org>
To: Michael Jones <michael_b_jones@hotmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/Fo_7VOSnHM5zcMt7W4-EXNJkcx0>

Hi Michael,

There is now an IANA Considerations section in the SPC specification:
  https://w3c.github.io/secure-payment-confirmation/#sctn-iana-considerations

Thank you!

Ian
  

> On Aug 16, 2023, at 3:42 PM, Ian Jacobs <ij@w3.org> wrote:
> 
> Hi Mike and Giridhar,
> 
> I’ve created a pull request to add an IANA considerations section to the spec:
> https://github.com/w3c/secure-payment-confirmation/pull/257
> 
> All feedback and corrections welcome. Thank you!
> 
> Ian
> 
>> On Aug 15, 2023, at 8:19 PM, Michael Jones <michael_b_jones@hotmail.com> wrote:
>> 
>> The specification does not contain an IANA Considerations section requesting registration of the extension, nor does it contain the information required to register the extension.  In particular, the information from the registration template at https://www.rfc-editor.org/rfc/rfc8809.html#section-2.2.1 is missing.
>> 
>> Please update the specification to add an IANA Considerations section supplying the information necessary to register the extension.  Quoting from RFC 8809, that information is:
>> 
>>  WebAuthn Extension Identifier:
>>     An identifier meeting the requirements given in Section 2.2.
>> 
>>  Description:
>>     A relatively short description of the extension.
>> 
>>  Specification Document(s):
>>     Reference to the document or documents that specify the extension.
>> 
>>  Change Controller:
>>     For Standards Track RFCs, list "IETF".  For others, give the name
>>     of the responsible party.  Other details (e.g., postal address,
>>     email address, home page URI) may also be included.
>> 
>>  Notes:
>>     [optional]
>> 
>> After the specification is updated, I should be able to approve the registration.
>> 
>>                               -- Mike
>> 
>> -----Original Message-----
>> From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
>> Sent: Tuesday, August 15, 2023 1:03 PM
>> To: Ian Jacobs <ij@w3.org>; michael_b_jones@hotmail.com
>> Cc: webauthn-reg-review@ietf.org; Stephen McGruer <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
>> Subject: RE: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
>> 
>> Nothing from my end.  Awaiting Mike's review.
>> 
>> -Giri
>> 
>> -----Original Message-----
>> From: Ian Jacobs <ij@w3.org>
>> Sent: Tuesday, August 15, 2023 10:08 AM
>> To: Giridhar Mandyam <mandyam@qti.qualcomm.com>; michael_b_jones@hotmail.com
>> Cc: webauthn-reg-review@ietf.org; Stephen McGruer <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
>> Subject: Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
>> 
>> Hi Giridhar,
>> 
>> I wanted to let you know that we've merged the pull request, so the statement you referred to below no longer appears.
>> 
>> If there's any other information you need to complete your evaluation, let me know. Thanks again!
>> 
>> Ian
>> 
>>> On Jul 31, 2023, at 8:59 AM, Ian Jacobs <ij@w3.org> wrote:
>>> 
>>> Thanks Giridhar,
>>> 
>>> I've proposed a pull request to remove the note:
>>> https://github.com/w3c/secure-payment-confirmation/pull/255
>>> 
>>> Ian
>>> 
>>>> On Jul 27, 2023, at 1:32 AM, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote:
>>>> 
>>>> Hi Ian,
>>>> 
>>>> Mike needs to sign off, but I have reviewed this and am satisfied that the extension can be registered.
>>>> 
>>>> Please consider removing the following in any future revision:
>>>> 
>>>> "Note: Reading [webauthn-3] literally, these steps don't work; extensions are injected at step 12 of [[Create]] and cannot really modify anything. However other extensions ignore that entirely and assume they can modify any part of any WebAuthn algorithm!"
>>>> 
>>>> I don't think the above statement is an accurate reading of the WebAuthn spec, as the steps outlined in the WebAuthn spec do not have to be executed in sequence. This is because the cited section in WebAuthn is for an internal method, which as per the ECMA description is left up to the implementation (https://tc39.es/ecma262/#sec-object-internal-methods-and-internal-slots).
>>>> 
>>>> Mike,
>>>> Please provide your feedback.
>>>> 
>>>> -Giri
>> 
>> --
>> Ian Jacobs <ij@w3.org>
>> https://www.w3.org/People/Jacobs/
>> Tel: +1 917 450 8783

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783