w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec #1492

Open equalsJeffH opened 3 years ago

equalsJeffH commented 3 years ago

WRT Secure Payment Confirmation,
it is possible, but I am not sure how likely, that we might want to put a Note or other mention of different RP hostname mapping/handling in the layer underneath the webauthn api. This is because the webauthn spec is the specification of the protocol between the RP and the authenticator (N.B. CTAP is a spec of just one manifestation of the comms btwn the client platform and the authnr, and it conveys the signed object back from the authnr to the client platform as an opaque blob -- webauthn is the definitive spec of its contents, and thus the "protocol spec" for authnr <----> RP).

rlin1 commented 3 years ago

We might need a way to add the transaction text (or a hash of it) to the collectedClientData structure. The browser's Web Payments component would have to generate it.
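As an added illustration of the binding rlin1 describes (this is example code written for this page, not code from the WebAuthn spec, the issue thread, or any browser), the block below shows why putting transaction data into collectedClientData is enough to tie it to the assertion: the authenticator signs `authenticatorData || SHA-256(clientDataJSON)`, so any member of clientDataJSON is covered by the signature, and the RP verifies it by hashing the exact bytes it received. The `payment` member, its field names (`amount`, `currency`, `payee`, `txHash`), the transaction text format, and all sample values are assumptions constructed for the example; only `type`, `challenge`, and `origin` are standard CollectedClientData members. Signature verification itself is out of scope here; the example covers what the RP must check about the transaction before trusting a valid signature.

```python
import hashlib
import json

# Constructed sample values (not from the issue thread).
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # base64url-style challenge issued by the RP
ORIGIN = "https://merchant.example"
TRANSACTION = {"amount": "19.99", "currency": "EUR", "payee": "merchant.example"}


def transaction_text(tx):
    """Canonical human-readable text the user is asked to confirm (assumed format)."""
    return f"Pay {tx['amount']} {tx['currency']} to {tx['payee']}"


def transaction_hash(tx):
    """Hash of the confirmation text, as the 'hash of it' option in the comment above."""
    return hashlib.sha256(transaction_text(tx).encode("utf-8")).hexdigest()


def build_client_data(challenge, origin, tx=None):
    """Client side: assemble CollectedClientData as the browser would.

    'payment' is an assumed extra member for this example; 'type', 'challenge'
    and 'origin' are the standard members. When tx is None, a plain (non-payment)
    assertion is produced, which the RP must reject for a payment flow.
    """
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    if tx is not None:
        data["payment"] = {**tx, "txHash": transaction_hash(tx)}
    return json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")


def client_data_hash(client_data_json):
    """Hash of the exact bytes the client produced. The authenticator signs
    authenticatorData || this hash, so every member of clientDataJSON is bound."""
    return hashlib.sha256(client_data_json).digest()


def signed_message(authenticator_data, client_data_json):
    """The byte string the authenticator actually signs."""
    return authenticator_data + client_data_hash(client_data_json)


def rp_verify(client_data_json, expected_challenge, expected_origin, expected_tx):
    """RP side: checks run over the bytes as received (never re-serialised before
    hashing). Returns True only if the signed clientData binds exactly the
    transaction the RP itself presented; signature verification is assumed to
    happen separately over signed_message()."""
    try:
        c = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    if c.get("type") != "webauthn.get":
        return False
    if c.get("challenge") != expected_challenge or c.get("origin") != expected_origin:
        return False
    payment = c.get("payment")
    if not isinstance(payment, dict):
        return False  # a plain assertion replayed into a payment flow
    # The hash bound by the signature must match the hash of the transaction
    # the RP expects; a mismatch means the user confirmed something else.
    if payment.get("txHash") != transaction_hash(expected_tx):
        return False
    # Also compare the explicit fields, so a client cannot ship a matching hash
    # alongside altered display values.
    return all(payment.get(k) == v for k, v in expected_tx.items())


def demo():
    """Good assertion, an assertion over an altered amount, and proof that the
    alteration changes the bytes the authenticator would have signed."""
    good = build_client_data(CHALLENGE, ORIGIN, TRANSACTION)
    tampered = build_client_data(CHALLENGE, ORIGIN, dict(TRANSACTION, amount="1999.00"))
    auth_data = b"\x00" * 37  # constructed stand-in for rpIdHash || flags || signCount
    return {
        "good_ok": rp_verify(good, CHALLENGE, ORIGIN, TRANSACTION),
        "tampered_ok": rp_verify(tampered, CHALLENGE, ORIGIN, TRANSACTION),
        "signed_differs": signed_message(auth_data, good) != signed_message(auth_data, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the RP compares against the transaction it presented, not against whatever the client echoes back: the client-side `payment` member is evidence of what the user confirmed, and the RP's own record is the source of truth.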

equalsJeffH commented 3 years ago

wrt @rlin1's https://github.com/w3c/webauthn/issues/1492#issuecomment-705017243 above: that is a separate concern and not relevant to this particular issue.

cyberphone commented 3 years ago

@rlin1 Note that there are two entirely different takes on the transaction data: https://fido-web-pay.github.io/specification/#seq-4.2