Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Register SPC-related WebAuthn extensions in IANA registry #220

Closed
stephenmcgruer opened this issue Dec 29, 2022 · 8 comments
Closed

Register SPC-related WebAuthn extensions in IANA registry #220

stephenmcgruer opened this issue Dec 29, 2022 · 8 comments

Comments

@stephenmcgruer
Copy link
Collaborator

At TPAC, we heard that WebAuthn extensions must be filed in an IANA registry to be official: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-extension-ids

There are two extensions related to SPC:

  • payment, which is set by the calling website at creation time, and is set internally by the browser at authentication time.
  • thirdPartyPayment, which is spec'd in CTAP 2.1 (yet to be released).

However currently the payment extension does too much, as per SPC: From browser cache to FIDO/WebAuthn integration. Long term, thirdPartyPayment will be the creation-time way to indicate that a credential can be used for third-party payment flows, and payment becomes an authentication-time only extension.

I am not currently sure if we should register these extensions in IANA soon, or wait until we reach some future stable state before doing so, but filing this to track doing the registration.

@ianbjacobs
Copy link
Collaborator

@plehegar re: IANA

@adrianhopebailie
Copy link
Collaborator

I would recommend holding off until things stabilise.

@plehegar
Copy link
Member

plehegar commented Apr 6, 2023

re timing: I would suggest to follow the same way we do for media types, ie a month or two before moving to CR, you should ask IETF folks to comments. If you don't where to do that, I'm happy to dig around and find the proper pointers.

@ianbjacobs
Copy link
Collaborator

@plehegar, we are planning to advance to CR and have not resolved with the Web Authentication WG how to proceed on the IANA registration. I anticipate that we will continue to work on the registration once we have entered CR.

@ianbjacobs
Copy link
Collaborator

Discussed today with the Web Authentication WG [1]. I believe that the WPWG can go ahead and proceed according to RFC 8809 [2] for the 'payment' extension defined in SPC.

[1] https://www.w3.org/2023/05/03-webauthn-irc
[2] https://www.rfc-editor.org/rfc/rfc8809.html

@ianbjacobs
Copy link
Collaborator

With today's publication of the Candidate Recommendation of SPC, I have sent a request to include the 'payment' extension in the IANA registry:
https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/-NFaDPjBGh2CLB6NfW6M8aBd4XU/

@ianbjacobs
Copy link
Collaborator

I believe our application has been approved; I don't have an estimate of the time to implement.

@ianbjacobs
Copy link
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants