ljharb
commented
2 years ago As a forewarning, I likely have close to zero context here, including understanding of proper terms, but this is the scenario that popped into my head when trying to understand this:
I have a relationship with, for example, Visa. I use my Visa card in a ton of places. I often might want to sever my relationship with an individual merchant - cellphone, TV, gym, or something - and literally never would I want to accidentally sever my relationship with Visa in that context, thus stopping payments on my electricity, water, childcare, home internet, etc. Doing so would be an unmitigated disaster.
In other words, if I've used a provider (stripe, etc) via "store A", and then later, go to use "store B" which also happens to use the same provider - I very much might want to exert GDPR rights and/or sever my relationship with store B, but under no circumstances would i want that to accidentally sever my relationship with store A.
ianbjacobs
rlin1
At today's SPC task force call [1] we discussed progress in the Web Authentication WG around the issue of synced credentials [2]. (I note from [2] that terminology for this feature may change.)
This issue is about the impact of those changes on SPC. From today's discussion, my initial sense is that:
Under section 8 Relying Party Operations we will likely want to either enhance 8.1 (Verifying an Authentication Assertion) or introduce new good practice about interpreting the output. In particular: what should an RP do when the extension includes a new device public key that the RP has never seen before (e.g., in terms of risk assessment, recording information on the server, etc.)?
Ian
cc @ve7jtb, @rlin1, @equalsJeffH
[1] https://www.w3.org/2022/02/14-wpwg-spc-minutes [2] https://github.com/w3c/webauthn/issues/1665 [3] https://w3c.github.io/secure-payment-confirmation/#sctn-securepaymentconfirmationrequest-dictionary