ianbjacobs
commented
1 year ago @plehegar re: IANA
Closed stephenmcgruer closed 9 months ago
ianbjacobs
commented
1 year ago @plehegar re: IANA
adrianhopebailie
commented
1 year ago I would recommend holding off until things stabilise.
plehegar
commented
1 year ago re timing: I would suggest to follow the same way we do for media types, ie a month or two before moving to CR, you should ask IETF folks to comments. If you don't where to do that, I'm happy to dig around and find the proper pointers.
ianbjacobs
commented
1 year ago @plehegar, we are planning to advance to CR and have not resolved with the Web Authentication WG how to proceed on the IANA registration. I anticipate that we will continue to work on the registration once we have entered CR.
ianbjacobs
commented
1 year ago Discussed today with the Web Authentication WG [1]. I believe that the WPWG can go ahead and proceed according to RFC 8809 [2] for the 'payment' extension defined in SPC.
[1] https://www.w3.org/2023/05/03-webauthn-irc [2] https://www.rfc-editor.org/rfc/rfc8809.html
ianbjacobs
commented
1 year ago With today's publication of the Candidate Recommendation of SPC, I have sent a request to include the 'payment' extension in the IANA registry: https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/-NFaDPjBGh2CLB6NfW6M8aBd4XU/
ianbjacobs
commented
9 months ago I believe our application has been approved; I don't have an estimate of the time to implement.
ianbjacobs
commented
9 months ago This has been completed: https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/SXVR9jFJ0DVOnTdZmqmf798wsTc/
At TPAC, we heard that WebAuthn extensions must be filed in an IANA registry to be official: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-extension-ids
There are two extensions related to SPC:
payment, which is set by the calling website at creation time, and is set internally by the browser at authentication time.thirdPartyPayment, which is spec'd in CTAP 2.1 (yet to be released).However currently the
paymentextension does too much, as per SPC: From browser cache to FIDO/WebAuthn integration. Long term,thirdPartyPaymentwill be the creation-time way to indicate that a credential can be used for third-party payment flows, andpaymentbecomes an authentication-time only extension.I am not currently sure if we should register these extensions in IANA soon, or wait until we reach some future stable state before doing so, but filing this to track doing the registration.