w3cping / tracking-issues

Repo to track PING initiated issues on other standards documents.
https://w3c.github.io/horizontal-issue-tracker/?repo=w3cping/tracking-issues

Is it possible for a user to downgrade a credential creation request? #260

Open w3cbot opened 2 years ago

w3cbot commented 2 years ago

This is a tracker issue. Only discuss things here if they are privacy group internal meta-discussions about the issue. Contribute to the actual discussion at the following link:

§ https://github.com/w3c/secure-payment-confirmation/issues/154

samuelweiler commented 2 years ago

Much discussion in today's WPWG meeting, incl. with WebAuthn people, re: this being more of an RP choice; the user can't easily distinguish cross-site credentials from WebAuthn happening in an iframe, so maybe it's not worth offering the user a choice? https://www.w3.org/2022/05/04-wpwg-minutes.html https://github.com/w3c/webpayments/wiki/Remote-Agenda-202205

samuelweiler commented 1 year ago

I'm fine with pushing this to after-v1, as the WG has proposed.

samuelweiler commented 1 year ago

Per discussion on the 6 Apr 2023 PING call, I understand that using an SPC credential in a cross-origin context can only happen during payment flows. It is not possible to use an SPC credential for routine authentication cross-origin. Given that understanding, I'm downgrading this issue from -needs-resolution.

I'll leave it open for tracking until the WG closes their issue, in case they have further discussion.