IETF Logo Mail Archive

Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry

Giridhar Mandyam <mandyam@qti.qualcomm.com> Tue, 23 May 2023 16:20 UTC

Return-Path: <mandyam@qti.qualcomm.com>
X-Original-To: webauthn-reg-review@ietfa.amsl.com
Delivered-To: webauthn-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1581EC151072 for <webauthn-reg-review@ietfa.amsl.com>; Tue, 23 May 2023 09:20:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.697
X-Spam-Level:
X-Spam-Status: No, score=-2.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=qualcomm.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ckB0ynAjYod for <webauthn-reg-review@ietfa.amsl.com>; Tue, 23 May 2023 09:20:20 -0700 (PDT)
Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A613EC151066 for <webauthn-reg-review@ietf.org>; Tue, 23 May 2023 09:20:20 -0700 (PDT)
Received: from pps.filterd (m0279863.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 34NDshdf025228; Tue, 23 May 2023 16:20:19 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=qcppdkim1; bh=CA/3zknv7Yjpr2k8JwB5VsYLypclw5L+KFyHfVipOgE=; b=dR4jVPPodLeTCWb9WUGnw8RSMxC3xkOWBKpoBe/nuL11SvoKFilerco8BvZ2dDIJy1m2 Ugeorl+toeAUOpwE9H6TGHZjgDeuDgKS84Uf999hmx91NLG4+gVnuZ8B+n9SH37NtJ9y z1qddZU/OEW9NeWBrU12e/qeJUPRlonGtDU7mxvWGmUCJ4/ui2ezYmyesGtc8aKr0jUi pDT0IscEEePeuYjRnQALQRbi0Yb8HD1G0cSNqXSCvtFupAfYHc+GmTleGNn8dhnX7MkE zEeYCQU2uFqXdYTtk48l1ylJ6kdV/Kv3wZzK8ao8MeK3TVPyD9NcYImY0wRviuF+B2G5 /Q==
Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2046.outbound.protection.outlook.com [104.47.66.46]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3qracsk62w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 23 May 2023 16:20:18 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HulkWGXiRhPnQb1x4gEvfQOOrn+8jBSOXYXU5veSa+y7Jvgc2V+IcC8k0tQl7G8nHfSbxWMsh3h/SPK1TBEgoCHdgOvQZIcABXgkb5LwJpNtLEnYC+bUJUGwmxGGozPyIJBmSu7oh0rHEzXzWDLQP3nhkEYPBlkXhxjtM8NjXsenDe5JZyPHo6UC5twRiXcXBJOKxwPQH1aGHN61Sl8CTyaGRnf1tGAVIvtRDywgPc2McXhFjxHsXzZODVrL+HE3K3b90LXmN+2y/Vy8kmADlhbyYEw61YyhYyZkuGzt01cUcDJ2aWoc+qz2mhkjIl2K6FIXe6ri3yoG+8QKgurrYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CA/3zknv7Yjpr2k8JwB5VsYLypclw5L+KFyHfVipOgE=; b=RKdj2qyrFvn3sBbXL8OtpRWgzAresK0q27dFwtYV5/ytyiC2/eTu0WEFccArzGSrISAC61yw+8wD7PPpcMbfTLqCl/DGSOME8rBAAcaiZC9LT5SIH+i2RX9s4oa493jA4Q9/RUG5eLOZ1rd4ojtAz+4NIKgkOBnXJLOAjfkp4kvVdsLnHcFyfeItUqT/DXa4xA8cKzVwY/vm3W14AA95IfnWYuGw/8a2l6KGnmQODrsLHGQZ0X0kg+SnX3GSPfy6WvOKx0nyQcxnOxCQd/aTLtx90AuzhI/mYAhHWr/lAHMkoXTvN//1MebtZVXEWILSF8qt1Ie2u63X9vDiJUN6Tw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=qti.qualcomm.com; dmarc=pass action=none header.from=qti.qualcomm.com; dkim=pass header.d=qti.qualcomm.com; arc=none
Received: from SJ0PR02MB8353.namprd02.prod.outlook.com (2603:10b6:a03:3e4::7) by CY8PR02MB9106.namprd02.prod.outlook.com (2603:10b6:930:95::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.28; Tue, 23 May 2023 16:20:15 +0000
Received: from SJ0PR02MB8353.namprd02.prod.outlook.com ([fe80::81a6:750c:da74:9e7b]) by SJ0PR02MB8353.namprd02.prod.outlook.com ([fe80::81a6:750c:da74:9e7b%7]) with mapi id 15.20.6411.028; Tue, 23 May 2023 16:20:15 +0000
From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
To: Ian Jacobs <ij@w3.org>
CC: "webauthn-reg-review@ietf.org" <webauthn-reg-review@ietf.org>, Stephen McGruer <smcgruer@google.com>, Philippe Le Hégaret <plh@w3.org>
Thread-Topic: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
Thread-Index: AQHZjL3oecRotg+LAEWy8vAMDU1k5q9niFfQgABHyICAAABG0IAAMkOAgAAGqXA=
Date: Tue, 23 May 2023 16:20:15 +0000
Message-ID: <SJ0PR02MB8353DF6FFE1584C2B560D32A81409@SJ0PR02MB8353.namprd02.prod.outlook.com>
References: <3C072A37-E257-4915-808F-1313634FF9E7@w3.org> <SJ0PR02MB83532B5F557C73B00F62FC3F81409@SJ0PR02MB8353.namprd02.prod.outlook.com> <8B3FB6B1-A6C1-4AD3-B5E5-89C088185AEC@w3.org> <SJ0PR02MB83534413068CE1C9B4E976EC81409@SJ0PR02MB8353.namprd02.prod.outlook.com> <B3E2CD8D-9714-40C3-B3EA-1309A85BDB59@w3.org>
In-Reply-To: <B3E2CD8D-9714-40C3-B3EA-1309A85BDB59@w3.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR02MB8353:EE_|CY8PR02MB9106:EE_
x-ms-office365-filtering-correlation-id: 9f648601-5c19-4fe8-30fc-08db5ba997ae
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7wrouCAz4RbnUA/QPORssjRKWHPGYvf85Bn5aCAcoKxuOT6xEnpW5EKkfIC+qnumwIn3Ksws2eGM9zD20RfvXDCgzZsArqLIXMuqH/rCm0/LXrWSbAm/yFtxsGuBVcvLQItGTSOvtrKVQiASL6vX/Y+jla+KoJHYuF16QIkq+WMnDUuIj8Ghyeor4bacR92t54+x20KMjAF2jo2Pc1sa9vcyOimv8CvysaDK6MfZpGu6gkdsd1sBxQ54RGBRZTx3nW4XGHoSimjieTfkLoAUNwgV7wsvYZUVtMLkjhlU7VfsqQ271Meoj10M41Wn3yoYAMBmeNztWKaJbk+Ak23X08RKXtjMqpmUZMANc/Ey/d9JDO7RvtuL4bf0mNpHT3PHrzdDPo/lm0LC8wqV5mVlfW/JT8up1cF4V5Kgg8j9TUQs27vtRfY0YUK0Td4uw/MBDQ6UWwFMJAENSL+xir0nn0JJQK0XO89Ty9SVdgjUl3U8jzvoakhhUEJdtPr52EcO+PftGbJBlVuaLn6Rpb+xoSzBXnIktZjINJSsLMA5OMp+MTU7KfdmbNRV6cdL22U95dbFVfTOro4FN1vWEE7UP7VbKt4Qg2XtAmCabVyIW/hk2mZi1gT9HXDNZ62tIXdo5Fz88eRjFndTVVj8yJ9z0w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR02MB8353.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(136003)(396003)(366004)(376002)(39860400002)(346002)(451199021)(8936002)(8676002)(52536014)(5660300002)(66574015)(83380400001)(186003)(6506007)(53546011)(9686003)(166002)(86362001)(122000001)(26005)(38100700002)(38070700005)(41300700001)(7696005)(40140700001)(71200400001)(33656002)(55016003)(966005)(66446008)(66476007)(64756008)(66556008)(66946007)(478600001)(316002)(76116006)(6916009)(4326008)(54906003)(2906002)(66899021)(15650500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: k85NNimLOY/XaEe18xkGFXgYl89O4M1yIKErPlJQkL0/D4Dut2TZPTGG1oQM04RV1urn9cdKon89mVmsgcUgu5FVOLPD6aFeXXrnTvJy1c6pwjTfk5YjzewkReOryRjEzRuh+4leQ9dqROrCPoyEDRSAaPJAJW7k0PNl3QqSQj6d99dA6Q1uwrLfUd6HZGC3m1sXbP1LFAC6WTl9/8D2AOz0IIb8Yz6BEgtTCgerOThe5RHQ9B3pSgWdK/Dh/EgpOxVhsERJdXFNZ8awP1OE2rLtOgaZZsYG/Hs131cSohZE1pgpHXaKDGQbPwg2pVQUDYp9jPA5wQNEarJ5QqsfTyi1syChW80o6to4AtHziqVZYw+XP5Qjv7ETAPGiRDmtYXPbA7rJ2EXvzJKZGsWtY9e+4dPWe2kknAcxafsGD9UXOtrNvYnQ8ImIq0+YINenNGSByQKOflQxthl0pZk1/Kp5dDh9PCcbjupZUaEYM+/rx9nWuPL3UavNdo65ludmskizYNoNlAer54XSeu7eAcAgTco1CWNTeSdW4C0tSkkmnrBOu/0Ze/W/KyqHngi83HsJRc80rem95fLEQSel5bwlmwuedNpG4U96QePgem9lOb2jLVZiH+aUYfmEBhzV7EH+SCU5Z5XJSq57TJQbYvtG8knN5e31XfOTrUqWSRbMgXfUI6aoCnQ9e1i2VT4ffWrLNc9AVjdnNd0YsHMIbOkyKOkyxIHnQ1TRqMyU7tiCo/KaumFm+N0xm4gtTP6QphCDpHiPvCVE+BWPAEcrF6KJ8U8mvhpCzfhgz81x9O5n5xO4+nAeyHU/W2LghEjDy6eT5afvVrJwkTMar/OaJpNlLdX48Yg7piJG1EEBWzdEP6mscHEEnzBJDBVhTzHt+GmqlwONcywOVSrAYo2+mvwfFgpPUPH6z8JZeWBAptnqf6+zdg/8E0BsOBbo2R9sS61tm5uy8rwtxabNQxclgbePrQ6+KVx+yuOoRA1iSuAy0bNLIlTb8Hq8GrY5ed/gF55EtWiOelIxJO7+Le5XerSw2YkCuVffPlv+EXERuboNm+TUjjkkCK47tlw2ttuHz9Gn6yXAS+znmwo5ahojL3SbwdcMQxosnUcNl8O5k6YY1sVvgDvsvmQEL/uDPDFyi2M9Mmz0HwLayRtDK3ICfJ/bJfTsJpwqdDzp3rsSCugn2gsbL5c08/IRYOyOpHh8mft1SP9z9fKMMS9WjnFjEob3EQ48168sJh3JbnglC9s+WT8+u7VGv3H4u9zYPPdULOJgS0UNLspqMEGUiYCC05zza5/z23xDZj1BDOtd3/WAI9WabYKUDt3aEdaJ2eHLPJL7Ix+QS5cC6meDl88PwOH+do2PqgYzj1Ckm5wwkBTe4gvqKlw6+FkBVjW0Bpw8vvwYFvax132B5EHp5VmjufPoDVcgPavywCfSuYSReC4zBzD+zTzacH/O0TerNdLSuk74AjhEhss4f5y2/6zRBV2Q9bB4wmk+I8yujvKTWtilz2bTb+MzOMW9qJPPrIGwuYKx+lR5vmBTly9SARpOcuLn1ptLeh3J/fdsjXJhFkAJl20qRswbuIiP4mPXzCNB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: raq/M0gNuK7n5xrZVucwa9B1KHta2eM50McbWyWodZZC6tnLwW9fpDiHhPEMEaFluM4jRd0tWojxfGzb5rV1avHbl9zt7bRCkb42f+UKFA7jE4ZyZla08hyOeUzUxyIuBS5EqAKXnTsbgJHMEWlwW/hmp+Dgt+YM4UQCKWfAB1X3GNwOwW1mSRHKXA37CgHiqsyIE4JFgSZQePXjPwSoPH13MYEkxTGZdH2MbXW8BFNxH1G23Ovj+aIL7ynNmkjNDhb6kh7vy91Z5ZV5hotPidMLBsX3/uYnp/JqjRG8CG2s/au4HhYykHsCgAzCB1F74fQcfX0cLYo6B3k7LaTbfUTyP4X70xAaSJlyRzlFofbCCS2+sHTSJMY2iXyZrq18FkPRx1/vtvH3QU1D/kFBfXakIsOVQm4fx6YFxPhStOl/+Udb7H+8bXgNNCc/7WtQvt/B9GzoGlGINOAnNLAhlIB8wI5JCArVcBr2j7i1BU5PXUpFLblCpjQVGZHILVTrqT+r2PT58JAPTgfOAycCHJyRZapKCuUqBA87W+szjtEfNxyCbQr0JSzwgugDzgLIZh7rnP0GTj73RLfV1u2AHnTVxWS8ZFrSp6kmViNsoRAcTV1MzSboQ5Ej/qnrrUk7b0ns4D4LgLfJDuNfjTPZKFIi4Po23+ElG9FsnZ9jVkGqAuDGvAf2fSaDOavp13LMB2vRHeVw7veCsBOi3tPAs/jpfpKzv/rgfpX0Y2T58IcYb6/siL1uq1s6T0XXkEzxL75aK+nlFmuFnLjFGvGgApKJWHF2QwwQxYXyyu7qRTaceZjqVw9gELJGRoQ1h2Oo
X-OriginatorOrg: qti.qualcomm.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR02MB8353.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9f648601-5c19-4fe8-30fc-08db5ba997ae
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 May 2023 16:20:15.4956 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 98e9ba89-e1a1-4e38-9007-8bdabc25de1d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6ECtwme/B/05+wz8MwF1QcqezNyaJmxnYrsOM+WhKr4T8w/xN9/Wi73twwCBUS8bBB9EKml2jUG2AgivJW0z5/XecNQ24MPOEl9C7enKjZw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR02MB9106
X-Proofpoint-GUID: 8DvP2a65I3sXdPQlrwVGxizsAr5OkByI
X-Proofpoint-ORIG-GUID: 8DvP2a65I3sXdPQlrwVGxizsAr5OkByI
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-05-23_10,2023-05-23_02,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 spamscore=0 malwarescore=0 phishscore=0 impostorscore=0 clxscore=1015 adultscore=0 mlxscore=0 bulkscore=0 suspectscore=0 priorityscore=1501 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305230130
Archived-At: <https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/rrYUGG039pHbbDgB6673Hf7K1Bo>
Subject: Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry
X-BeenThere: webauthn-reg-review@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Registration requests should be sent to the mailing list described in \[draft-hodges-webauthn-registries, Section 17\]." <webauthn-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webauthn-reg-review>, <mailto:webauthn-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webauthn-reg-review/>
List-Post: <mailto:webauthn-reg-review@ietf.org>
List-Help: <mailto:webauthn-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webauthn-reg-review>, <mailto:webauthn-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2023 16:20:25 -0000

Hi Ian,
> Apologies if I have missed this: what is the To Do item? Do you mean publication as a Candidate Recommendation?

Per  https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration:

"TODO: Find a better way to do this. Needed currently because other members are auth-time only"

> I’m not sure what you mean by “caching/freshness of assertions.” SPC does not involve caching of assertions. Is there a passage in the specification that is raising a concern?

"... and also allows the browser to identify and cache Secure Payment Confirmation credentials".  I may have overloaded the significance of what is intended behind caching of credentials.  I assumed that if credentials are cached then their usage (assertions) may also be cached.  

> We endeavor to address these topics in our Security Considerations [1] and Privacy Considerations [2] sections, including:

OK.  Might be good to put a reference to those sections in the extension registration.

-Giri

-----Original Message-----
From: Ian Jacobs <ij@w3.org> 
Sent: Tuesday, May 23, 2023 8:49 AM
To: Giridhar Mandyam <mandyam@qti.qualcomm.com>
Cc: webauthn-reg-review@ietf.org; Stephen McGruer <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
Subject: Re: [Webauthn-reg-review] Request to add payment extension to WebAuthn Registry

WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros.

Hi Giri,

> On May 23, 2023, at 10:31 AM, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote:
>
> Thanks Ian.
>
> I would like to see the "To Do"  item addressed before it is added to the registry.

Apologies if I have missed this: what is the To Do item? Do you mean publication as a Candidate Recommendation?

> There also seem to be some proposed departure from the Webauthn security model (e.g. strict RPID binding upon creation versus cross-origin iFrame registration, caching/freshness of assertions).  As per Sec. 2.2.1 of https://datatracker.ietf.org/doc/rfc8809/ requires a separate security/privacy considerations section to fully document such considerations.  Can you all make such an edit before CR?

We endeavor to address these topics in our Security Considerations [1] and Privacy Considerations [2] sections, including:

10.1: Cross-origin authentication ceremony 11.1. Registration in a Cross-Origin iframe

If there are subjects we are not adequately addressing there, perhaps we could jump on a call to discuss.

I’m not sure what you mean by “caching/freshness of assertions.” SPC does not involve caching of assertions. Is there a passage in the specification that is raising a concern?

Thanks again!

Ian

[1] https://w3c.github.io/secure-payment-confirmation/#sctn-security-considerations
[2] https://w3c.github.io/secure-payment-confirmation/#sctn-privacy-considerations

>
> -Giri
>
> -----Original Message-----
> From: Ian Jacobs <ij@w3.org>
> Sent: Tuesday, May 23, 2023 5:48 AM
> To: Giridhar Mandyam <mandyam@qti.qualcomm.com>
> Cc: webauthn-reg-review@ietf.org; Stephen McGruer 
> <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
> Subject: Re: [Webauthn-reg-review] Request to add payment extension to 
> WebAuthn Registry
>
> WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros.
>
> Hi Giri,
>
> I expect the specification to become a Candidate Recommendation the second week of June. I do not have a sense of when the final Recommendation will be published.
>
> While a Candidate Recommendation may still change it is "a document that satisfies the technical requirements of the Working Group that produced it and their dependencies, and has already received wide review.” [1]. There will be a “this version” URI for the publication, and that dated version of the specification will remain unchanged.
>
> Thank you,
> Ian
>
> [1] https://www.w3.org/2021/Process-20211102/#RecsCR
>
>> On May 23, 2023, at 3:36 AM, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote:
>>
>> Thanks for the heads' up.  It looks like as per https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration, it is still a work in progress.  Do you have insight as to when the extension specification will be complete?
>>
>> -Giri
>>
>> -----Original Message-----
>> From: Webauthn-reg-review <webauthn-reg-review-bounces@ietf.org> On 
>> Behalf Of Ian Jacobs
>> Sent: Monday, May 22, 2023 7:58 AM
>> To: webauthn-reg-review@ietf.org
>> Cc: Stephen McGruer <smcgruer@google.com>; Philippe Le Hégaret 
>> <plh@w3.org>
>> Subject: [Webauthn-reg-review] Request to add payment extension to 
>> WebAuthn Registry
>>
>> WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros.
>>
>> Mike, Giridhar,
>>
>> The W3C Web Payments Working Group has received Director approval [1] to publish Secure Payment Confirmation (SPC) [2] as a Candidate Recommendation. We expect this publication to take place in early June.
>>
>> SPC defines a "payment" WebAuthn extension [3]. After discussion with the Web Authentication Working Group [4] we would like to register this extension in the WebAuthn Extension Identifiers registry [5], following the procedures defined in section 2.2.1 (Registering Extension Identifiers [6]) of RFC 8809 [7].
>>
>> Below is a draft of the information for the "payment" extension. I welcome your feedback on whether it satisfies the requirements for registration.
>>
>> I also have some questions:
>>
>> * My expectation is that we would first publish SPC as a Candidate Recommendation, then I would notify you to complete the registration. Does that work for you?
>>
>> * Because this will be the first extension registered by a group other than the Web Authentication Working Group, I have included a Note that the WebAuthn WG has discussed this extension (with a link to the meeting minutes). Is that useful?
>>
>> Thank you,
>>
>> Ian
>>
>> [1]
>> https://github.com/w3c/transitions/issues/504#issuecomment-1545729323
>> [2] https://w3c.github.io/secure-payment-confirmation/
>> [3]
>> https://w3c.github.io/secure-payment-confirmation/#sctn-payment-exten
>> s ion-registration [4] 
>> https://www.w3.org/2023/05/03-webauthn-minutes#t0
>> [5] https://www.iana.org/assignments/webauthn/webauthn.xhtml
>> [6] https://www.rfc-editor.org/rfc/rfc8809.html#section-2.2.1
>> [7] https://www.rfc-editor.org/rfc/rfc8809.html
>>
>> ========================
>> Extension identifier: payment
>>
>> Description: This extension supports the following functionality defined by the Secure Payment Confirmation API: (1) it allows credential creation in a cross-origin iframe (2) it allows a party other than the Relying Party to use the credential to perform an authentication ceremony on behalf of the Relying Party, and (3) it allows the browser to identify and cache Secure Payment Confirmation credentials.
>>
>> Reference: [<a href="https://www.w3.org/TR/secure-payment-confirmation/“>Secure Payment Confirmation</a>] Section §5, WebAuthn Extension - "payment"
>>
>> Change Controller: [<a
>> href="https://www.w3.org/groups/wg/">W3C_Web_Payments_Working_Group</
>> a
>>> ]
>>
>> Notes: Registration follows <a href="https://www.w3.org/2023/05/03-webauthn-minutes#t01">3 May 2023 discussion</a> with the Web Authentication Working Group.
>>
>> ========================
>> For Contact Information
>>
>> Id: [<a
>> href="https://www.w3.org/groups/wg/">W3C_Web_Payments_Working_Group</
>> a
>>> ]
>>
>> Name: W3C Web Payments Working Group
>>
>> Contact URI: mailto: public-payments-wg@w3.org
>>
>> Last Updated: <date>
>>
>> --
>> Ian Jacobs <ij@w3.org>
>> https://www.w3.org/People/Jacobs/
>> Tel: +1 917 450 8783
>>
>>
>>
>>
>>
>> --
>> Webauthn-reg-review mailing list
>> Webauthn-reg-review@ietf.org
>> https://www.ietf.org/mailman/listinfo/webauthn-reg-review
>
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 917 450 8783
>
>
>
>
>

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783

v2.23.0 | Report a Bug | By Email