w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

Requirements and Good Practices around Unenrollment #63

Closed ianbjacobs closed 2 years ago

ianbjacobs commented 3 years ago

Hi all,

Lawrence Cheng and I were chatting today and he raised an issue I had not yet thought about: unenrollment of SPC credentials. It seems to me there are multiple topics here:

Are the second two necessary? If so, from an API perspective is anything needed? Or is this just "good practice" documentation?

I have not yet looked into what FIDO says about unenrollment. That could be a good starting point.

Ian

ianbjacobs commented 3 years ago

Here are some potentially relevant FIDO resources:

FIDO Authenticator Lifecycle Management for IT Administrators https://fidoalliance.org/fido-authenticator-lifecycle-management-for-it-administrators/

White Paper: Enterprise Adoption Best Practices – Managing FIDO Credential Lifecycle for Enterprises https://fidoalliance.org/white-paper-enterprise-adoption-best-practices-managing-fido-credential-lifecycle-for-enterprises/

I've also asked a question in "How to FIDO" https://github.com/fido-alliance/how-to-fido/issues/35

ianbjacobs commented 3 years ago

Through a conversation today one idea came up: could the enrollment API take as input from the relying party a URL to a lifecycle management page, so the user can "opt out" some SPC credentials?

ianbjacobs commented 2 years ago

I've decided to close this issue in favor of #172