-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Register SPC-related WebAuthn extensions in IANA registry #220
Comments
@plehegar re: IANA |
I would recommend holding off until things stabilise. |
re timing: I would suggest to follow the same way we do for media types, ie a month or two before moving to CR, you should ask IETF folks to comments. If you don't where to do that, I'm happy to dig around and find the proper pointers. |
@plehegar, we are planning to advance to CR and have not resolved with the Web Authentication WG how to proceed on the IANA registration. I anticipate that we will continue to work on the registration once we have entered CR. |
Discussed today with the Web Authentication WG [1]. I believe that the WPWG can go ahead and proceed according to RFC 8809 [2] for the 'payment' extension defined in SPC. [1] https://www.w3.org/2023/05/03-webauthn-irc |
With today's publication of the Candidate Recommendation of SPC, I have sent a request to include the 'payment' extension in the IANA registry: |
I believe our application has been approved; I don't have an estimate of the time to implement. |
This has been completed: |
At TPAC, we heard that WebAuthn extensions must be filed in an IANA registry to be official: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-extension-ids
There are two extensions related to SPC:
payment
, which is set by the calling website at creation time, and is set internally by the browser at authentication time.thirdPartyPayment
, which is spec'd in CTAP 2.1 (yet to be released).However currently the
payment
extension does too much, as per SPC: From browser cache to FIDO/WebAuthn integration. Long term,thirdPartyPayment
will be the creation-time way to indicate that a credential can be used for third-party payment flows, andpayment
becomes an authentication-time only extension.I am not currently sure if we should register these extensions in IANA soon, or wait until we reach some future stable state before doing so, but filing this to track doing the registration.
The text was updated successfully, but these errors were encountered: