Re: [Webauthn-reg-review] [IANA #1281661] Request to add payment extension to WebAuthn Registry (webauthn)

[Ian Jacobs <ij@w3.org>]

Thank you all!

Ian

> On Sep 14, 2023, at 1:41 AM, David Dong via RT <iana-prot-param@iana.org> wrote:
> 
> Hi Mike,
> 
> We've added "payment" to the WebAuthn Extension Identifiers registry:
> 
> WebAuthn Extension Identifier: payment
> Description: This extension supports the following functionality defined by the Secure Payment Confirmation API: (1) it allows credential creation in a cross-origin iframe (2) it allows a party other than the Relying Party to use the credential to perform an authentication ceremony on behalf of the Relying Party, and (3) it allows the browser to identify and cache Secure Payment Confirmation credentials. For discussion of important ways in which SPC differs from Web Authentication, see in particular [Secure Payment Confirmation §10 Security Considerations] and [Secure Payment Confirmation §11 Privacy Considerations].
> 
> Reference: [Secure Payment Confirmation] Section §5, WebAuthn Extension - "payment"
> Change Controller: [W3C_Web_Payments_Working_Group]
> 
> [W3C_Web_Payments_Working_Group] W3C Web Payments Working Group mailto:public-payments-wg&w3.org
> 
> Please see:
> https://www.iana.org/assignments/webauthn/
> 
> Please let us know if any changes are needed.
> 
> Best regards,
> 
> David Dong
> IANA Services Sr. Specialist
> 
> On Wed Sep 13 15:48:31 2023, michael_b_jones@hotmail.com wrote:
>> I agree.  IANA - please apply the IANA actions at
>> https://w3c.github.io/secure-payment-confirmation/#sctn-iana-
>> considerations.
>> 
>> Thank you,
>> -- Mike (writing as a Designated Expert)
>> 
>> -----Original Message-----
>> From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
>> Sent: Tuesday, August 22, 2023 9:59 PM
>> To: Ian Jacobs <ij@w3.org>; Michael Jones
>> <michael_b_jones@hotmail.com>
>> Cc: webauthn-reg-review@ietf.org; Stephen McGruer
>> <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
>> Subject: RE: [Webauthn-reg-review] Request to add payment extension to
>> WebAuthn Registry
>> 
>> Thanks.  I think this addresses the requirements of https://www.rfc-
>> editor.org/rfc/rfc8809.html#name-registering-extension-ident, but this
>> is pending Mike's review.
>> 
>> -Giri
>> 
>> -----Original Message-----
>> From: Ian Jacobs <ij@w3.org>
>> Sent: Tuesday, August 22, 2023 7:14 AM
>> To: Michael Jones <michael_b_jones@hotmail.com>
>> Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>; webauthn-reg-
>> review@ietf.org; Stephen McGruer <smcgruer@google.com>; Philippe Le
>> Hégaret <plh@w3.org>
>> Subject: Re: [Webauthn-reg-review] Request to add payment extension to
>> WebAuthn Registry
>> 
>> WARNING: This email originated from outside of Qualcomm. Please be
>> wary of any links or attachments, and do not enable macros.
>> 
>> Hi Michael,
>> 
>> There is now an IANA Considerations section in the SPC specification:
>>  https://w3c.github.io/secure-payment-confirmation/#sctn-iana-
>> considerations
>> 
>> Thank you!
>> 
>> Ian
>> 
>> 
>>> On Aug 16, 2023, at 3:42 PM, Ian Jacobs <ij@w3.org> wrote:
>>> 
>>> Hi Mike and Giridhar,
>>> 
>>> I've created a pull request to add an IANA considerations section to
>>> the spec:
>>> https://github.com/w3c/secure-payment-confirmation/pull/257
>>> 
>>> All feedback and corrections welcome. Thank you!
>>> 
>>> Ian
>>> 
>>>> On Aug 15, 2023, at 8:19 PM, Michael Jones
>>>> <michael_b_jones@hotmail.com> wrote:
>>>> 
>>>> The specification does not contain an IANA Considerations section
>>>> requesting registration of the extension, nor does it contain the
>>>> information required to register the extension.  In particular, the
>>>> information from the registration template at https://www.rfc-
>>>> editor.org/rfc/rfc8809.html#section-2.2.1 is missing.
>>>> 
>>>> Please update the specification to add an IANA Considerations
>>>> section supplying the information necessary to register the
>>>> extension.  Quoting from RFC 8809, that information is:
>>>> 
>>>> WebAuthn Extension Identifier:
>>>>   An identifier meeting the requirements given in Section 2.2.
>>>> 
>>>> Description:
>>>>   A relatively short description of the extension.
>>>> 
>>>> Specification Document(s):
>>>>   Reference to the document or documents that specify the
>>>> extension.
>>>> 
>>>> Change Controller:
>>>>   For Standards Track RFCs, list "IETF".  For others, give the name
>>>>   of the responsible party.  Other details (e.g., postal address,
>>>>   email address, home page URI) may also be included.
>>>> 
>>>> Notes:
>>>>   [optional]
>>>> 
>>>> After the specification is updated, I should be able to approve the
>>>> registration.
>>>> 
>>>> -- Mike
>>>> 
>>>> -----Original Message-----
>>>> From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
>>>> Sent: Tuesday, August 15, 2023 1:03 PM
>>>> To: Ian Jacobs <ij@w3.org>; michael_b_jones@hotmail.com
>>>> Cc: webauthn-reg-review@ietf.org; Stephen McGruer
>>>> <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
>>>> Subject: RE: [Webauthn-reg-review] Request to add payment extension
>>>> to WebAuthn Registry
>>>> 
>>>> Nothing from my end.  Awaiting Mike's review.
>>>> 
>>>> -Giri
>>>> 
>>>> -----Original Message-----
>>>> From: Ian Jacobs <ij@w3.org>
>>>> Sent: Tuesday, August 15, 2023 10:08 AM
>>>> To: Giridhar Mandyam <mandyam@qti.qualcomm.com>;
>>>> michael_b_jones@hotmail.com
>>>> Cc: webauthn-reg-review@ietf.org; Stephen McGruer
>>>> <smcgruer@google.com>; Philippe Le Hégaret <plh@w3.org>
>>>> Subject: Re: [Webauthn-reg-review] Request to add payment extension
>>>> to WebAuthn Registry
>>>> 
>>>> WARNING: This email originated from outside of Qualcomm. Please be
>>>> wary of any links or attachments, and do not enable macros.
>>>> 
>>>> Hi Giridhar,
>>>> 
>>>> I wanted to let you know that we've merged the pull request, so the
>>>> statement you referred to below no longer appears.
>>>> 
>>>> If there's any other information you need to complete your
>>>> evaluation, let me know. Thanks again!
>>>> 
>>>> Ian
>>>> 
>>>>> On Jul 31, 2023, at 8:59 AM, Ian Jacobs <ij@w3.org> wrote:
>>>>> 
>>>>> Thanks Giridhar,
>>>>> 
>>>>> I've proposed a pull request to remove the note:
>>>>> https://github.com/w3c/secure-payment-confirmation/pull/255
>>>>> 
>>>>> Ian
>>>>> 
>>>>>> On Jul 27, 2023, at 1:32 AM, Giridhar Mandyam
>>>>>> <mandyam@qti.qualcomm.com> wrote:
>>>>>> 
>>>>>> Hi Ian,
>>>>>> 
>>>>>> Mike needs to sign off,  but I have reviewed this an am satisfied
>>>>>> that the extension can be registered.
>>>>>> 
>>>>>> Please consider removing the following in any future revision:
>>>>>> 
>>>>>> "Note: Reading [webauthn-3] literally, these steps don't work;
>>>>>> extensions are injected at step 12 of [[Create]] and cannot really
>>>>>> modify anything. However other extensions ignore that entirely and
>>>>>> assume they can modify any part of any WebAuthn algorithm!"
>>>>>> 
>>>>>> I don't think the above statement is an accurate reading of the
>>>>>> WebAuthn spec, as the steps outlined in the Webauthn spec do not
>>>>>> have to be executed in sequence.  This is because the cited
>>>>>> section in Webauthn is for an internal method, which as per the
>>>>>> ECMA description is left up to the implementation
>>>>>> (https://tc39.es/ecma262/#sec-object-internal-methods-and-
>>>>>> internal-slots).
>>>>>> 
>>>>>> Mike,
>>>>>> Please provide your feedback.
>>>>>> 
>>>>>> -Giri
>>>> 
>>>> --
>>>> Ian Jacobs <ij@w3.org>
>>>> https://www.w3.org/People/Jacobs/
>>>> Tel: +1 917 450 8783
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> --
>>> Ian Jacobs <ij@w3.org>
>>> https://www.w3.org/People/Jacobs/
>>> Tel: +1 917 450 8783
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> --
>> Ian Jacobs <ij@w3.org>
>> https://www.w3.org/People/Jacobs/
>> Tel: +1 917 450 8783
> 

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783