w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

[Spec] Rename rp --> rpId in CollectedClientAdditionalPaymentData #198

Closed stephenmcgruer closed 1 year ago

stephenmcgruer commented 1 year ago

To align with WebAuthn, we should use the term rpId here. This is a breaking change, but implementations can mitigate the breakage by continuing to include the old 'rp' name going forwards.

See https://github.com/w3c/secure-payment-confirmation/issues/191

Test changes: https://github.com/web-platform-tests/wpt/pull/35602

Implementation bugs:



stephenmcgruer commented 1 year ago

This probably warrants discussion in the WPWG, or at least some communication to anyone who may be validating an SPC credential today. On the Chrome side, we would likely have to keep the rp version of the entry around for now, and eventually do a deprecation process to switch over to rpId.

stephenmcgruer commented 1 year ago

Worth noting that it will be actually impossible for us to know if anyone is still relying on rp being included in the assertion (at whatever future point in time we did a deprecation), as it will usually be verified server-side.

ianbjacobs commented 1 year ago

I will add to the 18 August WPWG agenda.

ianbjacobs commented 1 year ago

cc @stare893

ianbjacobs commented 1 year ago

See resolution at the 18 August meeting to make this change: https://www.w3.org/2022/08/18-wpwg-minutes.html#t01

stare893 commented 1 year ago

@stephenmcgruer There is some confusion on the proposed change. From EMV 3DSWG consideration, we already see rpId in use per the SPC API webpage and we have included the same in all 3DS spec references to the SPC API use. Can you please elaborate/point me in the right direction to understand the change?

@ianbjacobs you might get a similar query through the 3dswg official email

ianbjacobs commented 1 year ago

@stare893 You are correct that SPC input refers to the Web Authentication rpid; see the request dictionary: https://w3c.github.io/secure-payment-confirmation/#sctn-securepaymentconfirmationrequest-dictionary

This proposal is to change the field name in the output; see the additional payment dictionary: https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary

The proposal is that assertions will include the field name "rpid" to align with the Web Authentication name.

The Chrome implementation would support both "rp" and "rpid" field names for some period of time, eventually deprecating "rp".

It was not clear to us on the call today whether the 3DS specification itself would need to change (e.g., because it refers to the "rp" field in the resulting assertion), or if instead it would just be implementations (e.g., ACS) that would need to adapt code to look for "rpid" rather than "rp" in the assertion.
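Added example, not part of the thread or of any implementation's code: one way a server-side verifier could read the RP ID from the assertion's `payment` member during the transition, accepting either field name and rejecting an assertion in which both appear and differ. Function names and sample values are constructed; it uses the `rpId` spelling from the PR title and assumes the signature over the client data was verified beforehand.

```javascript
// Added example; function names and sample values are constructed for illustration.
// Assumes the assertion signature over clientDataJSON has already been verified.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Returns the RP ID from the `payment` member, accepting the new `rpId` name
// and the legacy `rp` name during the transition.
function readPaymentRpId(clientDataJSON) {
  const data = JSON.parse(clientDataJSON);
  if (data === null || typeof data !== "object" || data.type !== "payment.get") {
    throw new Error("not an SPC assertion");
  }
  const payment = data.payment;
  if (payment === null || typeof payment !== "object") {
    throw new Error("missing payment member");
  }
  const names = ["rpId", "rp"].filter((k) => has(payment, k));
  if (names.length === 0) throw new Error("neither rpId nor rp present");
  for (const k of names) {
    if (typeof payment[k] !== "string" || payment[k] === "") {
      throw new Error(`${k} is not a non-empty string`);
    }
  }
  // A client may send both names for compatibility; they must then agree.
  if (names.length === 2 && payment.rpId !== payment.rp) {
    throw new Error("rp and rpId disagree");
  }
  return { rpId: payment[names[0]], legacyOnly: names[0] === "rp" };
}

// Compare against the RP ID the server expects. Counting legacyOnly results
// shows when the `rp` fallback is no longer exercised by any client.
function checkPaymentRp(clientDataJSON, expectedRpId) {
  const { rpId, legacyOnly } = readPaymentRpId(clientDataJSON);
  return { ok: rpId === expectedRpId, legacyOnly };
}

// Constructed samples (other clientDataJSON members omitted for brevity).
const sample = (payment) => JSON.stringify({ type: "payment.get", payment });
const OLD = sample({ rp: "bank.example" });
const NEW = sample({ rpId: "bank.example" });
const BOTH = sample({ rp: "bank.example", rpId: "bank.example" });
const SPLIT = sample({ rp: "bank.example", rpId: "evil.example" });
```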

ianbjacobs commented 1 year ago

@stephenmcgruer, EMVCo folks have confirmed that this change does not impact their 3DS integration (the spec itself). Given the WG's support, let's merge this.