Rolf Lindemann
We might need a way to add the transaction text (or a hash of it) to the collectedClientData structure. The Browser's Web Payments component would have to generate it.
Since WebAuthn is considering handling the multi-device credential/single-device key distinction in WebAuthn (see w3c/webauthn/pull/1663 and w3c/webauthn/pull/1695), we might just leverage that - without having the need to change the SPC...
Note that the assertion already allows the RP to determine the origin of the requester (see field "origin" in https://w3c.github.io/webauthn/#dictionary-client-data). Additionally the field "crossOrigin" is set if that differs from...
See PR #2020
There are SPC use cases that will benefit from such an option as well. Today it is an issue that it is not possible to determine whether a WebAuthn credential...
Don't understand the overall flow. Let's assume the RP is interested in 'fresh' user verification (i.e. timeSinceUv = 0). With this proposal, the RP would ask for timeSinceUv extension and...
With this approach, the maxUVC included in the authenticator output could be defined differently to be less or equal to the maxUVC as provided by the RP - so that...
Should this extension cover userPresence as well? If yes: we might want to rename it to userGestureCaching...