Backup of the payment bit should be defined in SPC spec

Open timcappalli opened this issue 1 year ago • 3 comments

@stephenmcgruer there was a discussion earlier in the year / last year around ensuring that the payment bit was stored with and backed up with the WebAuthn credential. I believe the core reason was to ensure the bit was available across WebAuthn clients, and the secondary reason was to ensure the bit was still present on a new device.

We discussed in WebAuthn WG (https://github.com/w3c/webauthn/issues/2153) and came to the conclusion that the SPC spec should state this, as the extension is wholly defined in this spec.

I think it could be as simple as:

"The payment bit MUST be stored with the Public Key Credential Source and MUST be backed up for [=backup eligible=] credentials."

timcappalli • Nov 25 '24 15:11