Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
Ian Jacobs <ij@w3.org> Mon, 31 July 2023 13:59 UTC
Return-Path: <ij@w3.org>
X-Original-To: webauthn-reg-review@ietfa.amsl.com
Delivered-To: webauthn-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A7D7C151996 for <webauthn-reg-review@ietfa.amsl.com>; Mon, 31 Jul 2023 06:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 84epNvMotkjE for <webauthn-reg-review@ietfa.amsl.com>; Mon, 31 Jul 2023 06:59:16 -0700 (PDT)
Received: from tucana.w3.org (tucana.w3.org [128.30.52.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2742C15198D for <webauthn-reg-review@ietf.org>; Mon, 31 Jul 2023 06:59:16 -0700 (PDT)
Received: from 107-195-167-16.lightspeed.cicril.sbcglobal.net ([107.195.167.16] helo=smtpclient.apple) by tucana.w3.org with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <ij@w3.org>) id 1qQTQW-000Pcn-UY; Mon, 31 Jul 2023 13:59:12 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Ian Jacobs <ij@w3.org>
In-Reply-To: <SJ0PR02MB8353B04770B85C82BA4519328101A@SJ0PR02MB8353.namprd02.prod.outlook.com>
Date: Mon, 31 Jul 2023 08:59:12 -0500
Cc: "michael_b_jones@hotmail.com" <michael_b_jones@hotmail.com>, "webauthn-reg-review@ietf.org" <webauthn-reg-review@ietf.org>, Stephen McGruer <smcgruer@google.com>, Philippe Le Hégaret <plh@w3.org>
X-Mao-Original-Outgoing-Id: 712504742.541366-3ff3ed8333c22d6cd38c4a82472938a6
Content-Transfer-Encoding: quoted-printable
Message-Id: <91F71F16-E748-4F07-99DC-68B6CA946627@w3.org>
References: <3C072A37-E257-4915-808F-1313634FF9E7@w3.org> <SJ0PR02MB83532B5F557C73B00F62FC3F81409@SJ0PR02MB8353.namprd02.prod.outlook.com> <8B3FB6B1-A6C1-4AD3-B5E5-89C088185AEC@w3.org> <SJ0PR02MB83534413068CE1C9B4E976EC81409@SJ0PR02MB8353.namprd02.prod.outlook.com> <B3E2CD8D-9714-40C3-B3EA-1309A85BDB59@w3.org> <SJ0PR02MB8353DF6FFE1584C2B560D32A81409@SJ0PR02MB8353.namprd02.prod.outlook.com> <91F93224-BD6D-4566-AF4B-4D40D57436A8@w3.org> <SJ0PR02MB835344D3D5688BC50D4A822B81409@SJ0PR02MB8353.namprd02.prod.outlook.com> <B34A0B9D-FF17-4B7C-A017-C4ECA857EF88@w3.org> <38F5B4F5-BD99-44FA-A646-03AEEA012C8D@w3.org> <2442E340-BE6E-44DA-A123-2107A20DC9EA@w3.org> <SJ0PR02MB8353B04770B85C82BA4519328101A@SJ0PR02MB8353.namprd02.prod.outlook.com>
To: Giridhar Mandyam <mandyam@qti.qualcomm.com>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/lpQU5D2SgLg9pEuZdtn8ffyrH40>
Subject: Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
X-BeenThere: webauthn-reg-review@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Registration requests should be sent to the mailing list described in \[draft-hodges-webauthn-registries, Section 17\]." <webauthn-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webauthn-reg-review>, <mailto:webauthn-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webauthn-reg-review/>
List-Post: <mailto:webauthn-reg-review@ietf.org>
List-Help: <mailto:webauthn-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webauthn-reg-review>, <mailto:webauthn-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2023 13:59:20 -0000
Thanks Giridhar, I’ve proposed a pull request to remove the note: https://github.com/w3c/secure-payment-confirmation/pull/255 Ian > On Jul 27, 2023, at 1:32 AM, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote: > > Hi Ian, > > Mike needs to sign off, but I have reviewed this an am satisfied that the extension can be registered. > > Please consider removing the following in any future revision: > > "Note: Reading [webauthn-3] literally, these steps don’t work; extensions are injected at step 12 of [[Create]] and cannot really modify anything. However other extensions ignore that entirely and assume they can modify any part of any WebAuthn algorithm!" > > I don't think the above statement is an accurate reading of the WebAuthn spec, as the steps outlined in the Webauthn spec do not have to be executed in sequence. This is because the cited section in Webauthn is for an internal method, which as per the ECMA description is left up to the implementation (https://tc39.es/ecma262/#sec-object-internal-methods-and-internal-slots). > > Mike, > Please provide your feedback. > > -Giri > > -----Original Message----- > From: Ian Jacobs <ij@w3.org> > Sent: Monday, July 17, 2023 10:08 PM > To: Giridhar Mandyam <mandyam@qti.qualcomm.com>; michael_b_jones@hotmail.com > Cc: webauthn-reg-review@ietf.org; Stephen McGruer <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org> > Subject: Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry > > WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros. > > Hi Giridhar and Michael, > > I wanted to see whether there are any updates regarding this request to add the ‘payment’ extension to the WebAuthn extension registry. Thank you, > > Ian > >> On Jun 15, 2023, at 7:41 AM, Ian Jacobs <ij@w3.org> wrote: >> >> Hi Giridhar and Michael, >> >> Today W3C published the Candidate Recommendation of Secure Payment Confirmation: >> https://www.w3.org/TR/2023/CR-secure-payment-confirmation-20230615/ >> >> With that publication I’d like to request addition of the “payment” extension to the WebAuthn registry. >> >> I have re-included below the proposed registry data. Please let me >> know if you’d like any additional information or if anything needs correction. >> >> Thank you, >> Ian >> >> ======================== >> Extension identifier: payment >> >> Description: This extension supports the following functionality defined by the Secure Payment Confirmation API: (1) it allows credential creation in a cross-origin iframe (2) it allows a party other than the Relying Party to use the credential to perform an authentication ceremony on behalf of the Relying Party, and (3) it allows the browser to identify and cache Secure Payment Confirmation credentials. For discussion of important ways in which SPC differs from Web Authentication, see in particular the <a href="https://www.w3.org/TR/secure-payment-confirmation/#sctn-security-considerations”>Security Considerations</a> and <a href="https://www.w3.org/TR/secure-payment-confirmation/#sctn-privacy-considerations”>Privacy Considerations</a>. >> >> Reference: [<a href="https://www.w3.org/TR/secure-payment-confirmation/“>Secure Payment Confirmation</a>] Section §5, WebAuthn Extension - "payment" >> >> Change Controller: [<a >> href="https://www.w3.org/groups/wg/">W3C_Web_Payments_Working_Group</a >>> ] >> >> Notes: Registration follows <a href="https://www.w3.org/2023/05/03-webauthn-minutes#t01">3 May 2023 discussion</a> with the Web Authentication Working Group. >> >> ======================== >> For Contact Information >> >> Id: [<a >> href="https://www.w3.org/groups/wg/">W3C_Web_Payments_Working_Group</a >>> ] >> >> Name: W3C Web Payments Working Group >> >> Contact URI: mailto: public-payments-wg@w3.org >> >> Last Updated: <date> >> >> -- >> Ian Jacobs <ij@w3.org> >> https://www.w3.org/People/Jacobs/ >> Tel: +1 917 450 8783 >> >> >> >> >> > > -- > Ian Jacobs <ij@w3.org> > https://www.w3.org/People/Jacobs/ > Tel: +1 917 450 8783 > > > > > -- Ian Jacobs <ij@w3.org> https://www.w3.org/People/Jacobs/ Tel: +1 917 450 8783
- [Webauthn-reg-review] Request to add payment exte… Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Michael Jones
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Ian Jacobs
- Re: [Webauthn-reg-review] Request to add payment … Giridhar Mandyam
- Re: [Webauthn-reg-review] Request to add payment … Michael Jones
- [Webauthn-reg-review] [IANA #1281661] RE: Request… David Dong via RT
- Re: [Webauthn-reg-review] [IANA #1281661] Request… Ian Jacobs