Comments (8)
I think it needs to be credentials since we have heard a requirement from @btidor-stripe that the merchant is able to verify the assertion itself which means it MUST get back the credential ids and public keys from the issuer before invoking SPC.
Further...
I worry about the browser-side mapping of instruments to credentials and the high likelihood that the data gets stale.
Why is it necessary for the browser to keep this mapping if it's possible for the issuer to simply return the credential IDs?
Taking that thinking a little further, why do we even need a special credential type for this use case?
Is it enough to simply use existing PublicKeyCredentials but only allow them to be used for assertions from non-RP origins if it's done in the context of a payment.
I.e. After the merchant/PISP has gone to the ACS they will have a challenge and set of credentials and public keys that can be used for the SPC.
Why not simply let the merchant provide the instrument label and icon?
const securePaymentConfirmationRequest = {
instrument: {
displayName: 'Mastercard····4444',
icon: 'icon.png'
},
allowCredentials: [{
id: Uint8Array.from(credentialId, c => c.charCodeAt(0)),
type,
transports,
}],
challenge,
timeout,
fallbackUrl: "https://fallback.example/url"
};
from secure-payment-confirmation.
Hey @adrianhopebailie, the browser needs to store the list of instruments, with names and icons, in order to show the card selector for the combined flow, right? I imagine they'll be kept in persistent, long-term storage, but that users will be able to view and delete instruments in some sort of browser settings page (which could be a nice kind of control to offer).
For the authentication-only flow, I think it could be possible to do away with the instrument and use only a PublicKeyCredential, though I'm not sure if the browser should trust the merchant to display text and an icon in this particular surface.
from secure-payment-confirmation.
the browser needs to store the list of instruments, with names and icons, in order to show the card selector for the combined flow, right?
Yes, but not bound to a credential. The mapping of an instrument to a credential is set by the issuer and will be maintained on the issuer's systems. Asking issuers to also store this in all of a user's browsers is a recipe for chaos IMO.
I'm not sure if the browser should trust the merchant to display text and an icon in this particular surface.
I think we need to look at this carefully. I couldn't think of any threats that this would present.
from secure-payment-confirmation.
Great questions!
Why not simply let the merchant provide the instrument label and icon?
Because browser doesn't trust the merchant. If the merchant is able to provide the label and icon, then it'll be possible for a malicious merchant to provide a misleading icon and label to phish the user's credential. It's critical that the label and icon are supplied by the original RP.
Technically, the instrument label and icon don't need to be saved in the browser. Since the browser knows the RP, it can use some kind of discovery mechanism to find the instrument label and credential. But this gets complicated... It's much simpler for the browser to cache a string and an icon during credential enrollment.
I worry about the browser-side mapping of instruments to credentials and the high likelihood that the data gets stale.
Great point. The simplest approach is for the issuer to update an existing credential with a new label and icon when the user visits the issuer's website. But I wonder if a user cannot be guaranteed to revisit. Perhaps some kind of push mechanism for the RP to update the instrument label and icon would be helpful. Filed https://github.com/rsolomakhin/secure-payment-confirmation/issues/14 to track this separately.
Taking that thinking a little further, why do we even need a special credential type for this use case?
Is it enough to simply use existing PublicKeyCredentials but only allow them to be used for assertions from non-RP origins if it's done in the context of a payment.
The extra metadata associated with the credential is one reason for a special credential type. Another reason is developer ergonomics. PublicKeyCredentialCreationOptions contains a lot of options that don't make sense for Secure Payment Confirmation (e.g. attestation
, user
). Creating a new credential type allows us to create a payments specific creation option that's simpler and easier to understand by payments developers. It also simplifies input validation.
The new type also enables us to build payments specific features, such as the aforementioned push update of instrument label and icon.
Going back to the original question, I'm leaning towards instrument ID over credential ID because the added layer of abstraction allows loose coupling.
instrumentId
can be a payment-network layer concept and can have any meaning the network wants to have. A possible future use case is that this can become the new routable ID that replaces the 16-digit card number. To the browser, instrumentId
is just an opaque string that a bank wants to bind to a PublicKeyCredential. This also allows the network to switch to some newer / different authentication mechanism in the future if they choose to.
from secure-payment-confirmation.
If a single PublicKeyCredential
would be linked to multiple instruments as described here: https://github.com/rsolomakhin/secure-payment-confirmation/issues/39#issuecomment-779912450, then the SPC should be invoked with the identifier of the instrument instead of the identifier of the credential.
from secure-payment-confirmation.
@rsolomakhin and @stephenmcgruer, I think we can answer "credential ID" in light of the draft and close this.
from secure-payment-confirmation.
@rsolomakhin and @stephenmcgruer, I think we can answer "credential ID" in light of the draft and close this.
I agree.
from secure-payment-confirmation.
Closed after confirming with @rsolomakhin.
from secure-payment-confirmation.
Related Issues (20)
- Broken "Object" xref in § Set SPC Transaction Mode HOT 2
- language and direction metadata needed? HOT 6
- Error example contains a hardcoded string HOT 1
- Term 'monkey-patch' may not be inclusive? HOT 1
- `DOMString` for `payeeName` vs. `USVString` for other fields? HOT 1
- Add locale hint for browser UX
- Proposal: Remove User Activation requirement for authentication HOT 1
- Use lowercase values in enum HOT 11
- Register SPC-related WebAuthn extensions in IANA registry HOT 8
- Broken references in Secure Payment Confirmation
- Example of `locale` member HOT 3
- I18N problem with displayName unresolved? HOT 3
- [PING] Only allow triggering authentication from a foreground tab HOT 4
- Broken references in Secure Payment Confirmation
- Broken references in Secure Payment Confirmation
- Add Support for Cross-Device Authentication HOT 2
- Implementing a time out for fallback UX HOT 1
- How will new passkey providers impact SPC HOT 1
- Document End-User Guide HOT 5
- Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secure-payment-confirmation.