Closed stephenmcgruer closed 1 year ago
This probably warrants discussion in the WPWG, or at least some communication to anyone who may be validating an SPC credential today. On the Chrome side, we would likely have to keep the rp
version of the entry around for now, and eventually do a deprecation process to switch over to rpId.
Worth noting that it will be actually impossible for us to know if anyone is still relying on rp
being included in the assertion (at whatever future point in time we did a deprecation), as it will usually be verified server-side.
I will add to the 18 August WPWG agenda.
cc @stare893
See resolution at the 18 August meeting to make this change: https://www.w3.org/2022/08/18-wpwg-minutes.html#t01
@stephenmcgruer There is some confusion on the proposed change. From EMV 3DSWG consideration, we already see rpId in use per the SPC API webpage and we have included the same in all 3DS spec references to the SPC API use. Can you please elaborate/point me in the right direction to understand the change.
@ianbjacobs you might get a similar query through the 3dswg official email
@stare893 You are correct that SPC input refers to the Web Authentication rpid; see the request dictionary: https://w3c.github.io/secure-payment-confirmation/#sctn-securepaymentconfirmationrequest-dictionary
This proposal is to change the field name in the output; see the additional payment dictionary: https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary
The proposal is that assertions will include the field name "rpid" to align with the Web Authentication name.
The Chrome implementation would support both "rp" and "rpid" field names for some period of time, eventually deprecating "rp".
It was not clear to us on the call today whether the 3DS specification itself would need to change (e.g., because it refers to the "rp" field in the resulting assertion), or if instead it would just be implementations (e.g., ACS) that would need to adapt code to look for "rpid" rather than "rp" in the assertion.
@stephenmcgruer, EMVCo folks have confirmed that this change does not impact their 3DS integration (the spec itself). Given the WG's support, let's merge this.
To align with WebAuthn, we should use the term rpId here. This is a breaking change, but implementations can mitigate the breakage by continuing to include the old 'rp' name going forwards.
See https://github.com/w3c/secure-payment-confirmation/issues/191
Test changes: https://github.com/web-platform-tests/wpt/pull/35602 Implementation bugs:
Preview | Diff