Rick Byers

icon indicating a website link https://x.com/RickByers icon indicating an email [email protected]

icon company Google icon location Waterloo, Canada icon location Web platform software engineer on the @GoogleChrome team, leading efforts to make the web work better for users and businesses, and more open for the world.

Results 186 comments of Rick Byers

Proposal: WebAuthn-agnostic device binding for Secure Payment Confirmation

This proposal looks awesome to me, thanks @stephenmcgruer! +1 to @ianbjacobs's point on DBSC. I think user mediation is a key variable in all these different technologies (when user-mediated you...

Proposal: WebAuthn-agnostic device binding for Secure Payment Confirmation

> Question: yes, the key should be clearable by the user. But if cleared periodically by the browser automatically, could it be more long-lived than 3p cookies since there is...

Proposal: WebAuthn-agnostic device binding for Secure Payment Confirmation

> In practice in Chrome, yes. Specification wise, I suspect we would only spec a requirement that the key be device bound and not synced between devices (as far as...

User agents that only support authorized verifiers (for government credentials)

I agree. At one point I had talked with some OpenID4VP folks about having a 'bit' in the request that says the wallet must reject unless the verifier had been...

Could cards be authenticators for SPC (or WebAuthn)?

I think this is a very interesting idea, thanks Ian! Whether through WebAuthn alone or through SPC, relying on a physical card to do the crypto verification has some appealing...

enumerated values for purpose, sharing and retention in API method

In the TPAC meeting @mharbach presented [this UXR analysis](https://docs.google.com/presentation/d/1YwB-ocoI5Y7MWtMxh4eQVp1qm6SfUBKHoSt81E_oRu8/edit?slide=id.g39b27e61e89_0_0) and argued for the benefits of having purpose statements in the platform credential selection UI. I'm now convinced we should seriously...

enumerated values for purpose, sharing and retention in API method

OpenID4VP removed it [here](https://github.com/openid/OpenID4VP/issues/289), in part aligning with @marcoscaceres [arguments](https://github.com/openid/OpenID4VP/issues/230#issuecomment-2306321785) on it being the responsibility of the verifier. However if we can enable auditability somehow (like in #266) and we...

enumerated values for purpose, sharing and retention in API method

Thank you Christian! Ok that is indeed more like #266, and I agree fitting into an existing scheme at the protocol level is better than defining something at our level....

note designed-for-purpose alternatives and the risk of crowding out those options

I think this is fair but we should also note that there is a polarity to be managed here. There is no point doing something "designed for purpose" if it...

registration of and commitment to a particular use case and purpose

In #209 @c2bo says: > That is very close to what we are currently planning to do. We introduced verifier_info as an optional request parameter for OpenID4VP (https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-5.1-2.10.1). This parameter...