Closed ianbjacobs closed 1 year ago
Hi @ianjacobs - this change looks good to us. Thanks for running this by us and thanks to the group for documenting this so well in the issue including the security & privacy considerations and potential abuse cases. We would encourage you to document this in the explainer and in the spec as well and to provide some additional guidance to UA developers about the risks and mitigations.
In particular, we were very happy to see the group ask for us to weigh in on last minute changes; given that there isn't anything mandating this in the process.
We wish you luck with this. Please let us know if we can help with anything else.
@torgo, thank you and the TAG for the review and the support! I will work with the editors to integrate guidance for developers as you recommend.
@torgo, we have merged our pull request into the explainer as suggested. https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md
Thank you!
Wotcher TAG!
I'm requesting a TAG review of Secure Payment Confirmation (SPC) based on two non-editorial changes to the specification since the previous TAG review that was conducted as we approached CR: https://github.com/w3ctag/design-reviews/issues/675
Since that review, the Web Payments Working Group has made or plans to make two non-editorial changes to the specification. We seek your review of these changes as we prepare to go to CR:
The expected removal of a requirement that the user agent consume a user activation during authentication. For background, see issue 216, including the Chrome Team's security and privacy consideration notes. Although we have not yet updated the specification to remove the user activation requirement, we seek your review at this time. We would anticipate the actual change to the specification to be small (and it would include the security and privacy considerations).
Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback