Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry

Ian Jacobs <ij@w3.org> Wed, 24 May 2023 16:09 UTC

From: Ian Jacobs <ij@w3.org>
Date: Wed, 24 May 2023 11:09:22 -0500
Cc: "michael_b_jones@hotmail.com" <michael_b_jones@hotmail.com>, "webauthn-reg-review@ietf.org" <webauthn-reg-review@ietf.org>, Stephen McGruer <smcgruer@google.com>, Philippe Le Hégaret <plh@w3.org>
To: Giridhar Mandyam <mandyam@qti.qualcomm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/cSTgQlVnoZcYyjsc6ihQCTaFmxU>

Hi Giri,

Small update: we merged the pull request to say “cache SPC credential IDs” instead of “cache SPC credentials”; the specification includes the new language.

Ian


> On May 23, 2023, at 11:52 AM, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote:
> 
> 
> 
> From: Ian Jacobs <ij@w3.org>
> Sent: Tuesday, May 23, 2023 5:44:42 PM
> To: Giridhar Mandyam <mandyam@qti.qualcomm.com>
> Cc: webauthn-reg-review@ietf.org <webauthn-reg-review@ietf.org>; Stephen McGruer <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
> Subject: Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
> 
> Hi Giri,
> 
> > On May 23, 2023, at 11:20 AM, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote:
> >
> > Hi Ian,
> >> Apologies if I have missed this: what is the To Do item? Do you mean publication as a Candidate Recommendation?
> >
> > Per  https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration:
> >
> > "TODO: Find a better way to do this. Needed currently because other members are auth-time only"
> 
> Good catch! Because we expect that member to be required for some time, we will simply remove the TODO note. We’ve just merged
> a pull request removing the note; the spec should be updated shortly:
>  https://github.com/w3c/secure-payment-confirmation/pull/244
> 
> >> I’m not sure what you mean by “caching/freshness of assertions.” SPC does not involve caching of assertions. Is there a passage in the specification that is raising a concern?
> >
> > "... and also allows the browser to identify and cache Secure Payment Confirmation credentials".  I may have overloaded the significance of what is intended behind caching of credentials.  I assumed that if credentials are cached then their usage (assertions) may also be cached.
> 
> Another good catch. Only credential IDs are cached. We will change the specification to say "cache SPC credential IDs" and I hope that will address
> the concern.
> 
> >> We endeavor to address these topics in our Security Considerations [1] and Privacy Considerations [2] sections, including:
> >
> > OK.  Might be good to put a reference to those sections in the extension registration.
> 
> Thank you for the suggestion. I’ve updated the extension registration draft (below) to include those links.
> 
> Ian
> 
> 
> ========================
> Extension identifier: payment
> 
> Description: This extension supports the following functionality defined by the Secure Payment Confirmation API: (1) it allows credential creation in a cross-origin iframe (2) it allows a party other than the Relying Party to use the credential to perform an authentication ceremony on behalf of the Relying Party, and (3) it allows the browser to identify and cache Secure Payment Confirmation credentials. For discussion of important ways in which SPC differs from Web Authentication, see in particular the <a href="https://www.w3.org/TR/secure-payment-confirmation/#sctn-security-considerations">Security Considerations</a> and <a href="https://www.w3.org/TR/secure-payment-confirmation/#sctn-privacy-considerations">Privacy Considerations</a>.
> 
> Reference: [<a href="https://www.w3.org/TR/secure-payment-confirmation/">Secure Payment Confirmation</a>] Section §5, WebAuthn Extension - "payment"
> 
> Change Controller: [<a href="https://www.w3.org/groups/wg/">W3C_Web_Payments_Working_Group</a>]
> 
> Notes: Registration follows <a href="https://www.w3.org/2023/05/03-webauthn-minutes#t01">3 May 2023 discussion</a> with the Web Authentication Working Group.
> 
> ========================
> For Contact Information
> 
> Id: [<a href="https://www.w3.org/groups/wg/">W3C_Web_Payments_Working_Group</a>]
> 
> Name: W3C Web Payments Working Group
> 
> Contact URI: mailto: public-payments-wg@w3.org
> 
> Last Updated: <date>
> 
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 917 450 8783
> 

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783