Commit a84dda6

Clarify that RP can use its own credentials even if extension not specified (#272)
Make clear that an RP should be able to use its own credentials even if payment extension not specified.

---------

Co-authored-by: Stephen McGruer <[email protected]>
1 parent 0288442 commit a84dda6

2 files changed

+11
-9
lines changed

scope.md

Lines changed: 3 additions & 3 deletions
@@ -112,7 +112,7 @@ Note: This use case intends to capture the "in-transaction registration" use cas
112112

113113
#### EMV&reg; Secure Remote Commerce (SRC) System as Relying Party
114114

115-
* Alice checkouts on a merchant web site with SRC, which triggers the SRC Digital Card Facilitator (DCF) to be displayed. The SRC DCF asks whether she wants to use biometric authentication to streamline payment. She agrees and SRC DCF redirects her to her bank where she goes through an ID&V process with her bank for the credit card she wishes to use.
115+
* Alice checkouts on a merchant web site with SRC, which triggers the SRC Digital Card Facilitator (DCF) to be displayed. The SRC DCF asks whether she wants to use biometric authentication to streamline payment. She agrees and SRC DCF redirects her to her bank where she goes through an Identity and Verification (ID&amp;V) process with her bank for the credit card she wishes to use.
116116
* As an alternative, Alice visits her bank, authenticates to her bank, registers into biometric authentication, and selects card(s) that she wants to make available to SRC. The bank (the Relying Party) shares the authentication credential with the SRC System.
117117
* The following week Alice checkouts with a merchant enabled with SRC. The SRCi/DCF prompts Alice to do biometric authentication. The SRC System reviews the authentication results, and the bank authorizes the transaction.
118118

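Review bot: On the changed line 115, the expansion "Identity and Verification (ID&amp;V)" should be checked against the term the payment specifications use; in EMVCo tokenisation usage ID&V stands for "Identification and Verification", and a scope document that other groups read should match it. Since the line is being touched anyway, "Alice checkouts" could also become "Alice checks out", the form the Merchant as Relying Party section already uses at line 192.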
@@ -187,7 +187,7 @@ These use cases represent additional considerations, some of which (e.g., unregi
187187
#### Merchant as Relying Party
188188

189189
* Alice logs into her favorite merchant using a merchant proprietary mechanism or using biometric authentication.
190-
* The merchant asks Alice if she wants to use biometric authentication to streamline payment. She agrees and goes through an ID&V process with her bank for the credit card she wishes to use. (The merchant may decide to perform IDamp;&V during the checkout or outside of the checkout.)
190+
* The merchant asks Alice if she wants to use biometric authentication to streamline payment. She agrees and goes through an ID&amp;V process with her bank for the credit card she wishes to use. (The merchant may decide to perform ID&amp;V during the checkout or outside of the checkout.)
191191
* The merchant is the relying party for this authentication credential, and shares authentication data with Alice’s bank and/or payment network to allow for partial or full validation of authentication results in subsequent checkouts.
192192
* The following week Alice checks out on the merchant site and is prompted by the merchant to do biometric authentication. The merchant uses SPC then shares authentication results with Alice’s bank and/or payment network, which reviews the data. The bank authorizes the transaction.
193193

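Review bot: The `IDamp;&V` typo removed at line 190 is the kind of error hand-written entities invite, and the replacement keeps two `&amp;` entities on one line. A bare `&` followed by a letter with no closing semicolon is literal in Markdown, so `ID&V` would render the same and be harder to mistype. If the entities are kept for consistency with the `&reg;` already used in this file, a search for other stray `amp;` fragments is worth doing in the same PR.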
@@ -220,7 +220,7 @@ priority:
220220

221221
## Out of Scope
222222

223-
* ID & V to establish real world identity during registration.
223+
* ID&amp;V to establish real world identity during registration.
224224
* Use cases for peer-to-peer payments or business-to-business transactions.
225225

226226
## Future Extensions
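Review bot: At line 223 the abbreviation appears unexpanded in a section readers tend to jump to directly, while the expansion is added only at line 115. Consider expanding it here too or pointing at a single definition, and hyphenating "real-world identity" while the line is open.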

spec.bs

Lines changed: 8 additions & 6 deletions
@@ -90,6 +90,7 @@ spec:fetch; type:dfn; for:/; text:request;
9090
spec:i18n-glossary; type:dfn; text:bidi isolation
9191
spec:i18n-glossary; type:dfn; text:language priority list
9292
spec:url; type:dfn; text:valid domain;
93+
spec:html; type:dfn; for:environment settings object; text:origin
9394
</pre>
9495

9596
<pre class="biblio">
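Review bot: The link default added at line 93 applies to every bare `[=origin=]` in the document, not only to the new step at line 808 that motivated it. If any other `[=origin=]` in spec.bs means the general HTML origin concept rather than the origin of an environment settings object, it will now silently resolve to the wrong definition. Writing `[=environment settings object/origin=]` at the one use site would scope the choice to that step and make the intent visible where it matters.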
@@ -703,7 +704,7 @@ NOTE: The use of the static {{PaymentRequest/isSecurePaymentConfirmationAvailabl
703704
### Steps to validate payment method data ### {#sctn-steps-to-validate-payment-method-data}
704705

705706
The [=steps to validate payment method data=] for this payment method, for an
706-
input {{SecurePaymentConfirmationRequest}} |data|, are:
707+
input {{PaymentRequest}} |request| and {{SecurePaymentConfirmationRequest}} |data|, are:
707708

708709
<wpt>
709710
constructor.https.html
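Review bot: The algorithm header at line 707 now takes a {{PaymentRequest}} |request| in addition to |data|, but nothing in this hunk says who supplies it. Please confirm that the algorithm invoking these steps passes the request object, or add a sentence here stating how |request| is obtained, since a step at line 808 depends on it to decide whether the SPC-enabled check runs.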
@@ -799,11 +800,13 @@ input {{SecurePaymentConfirmationRequest}} |data|, are:
799800
1. For each |id| in |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"]:
800801

801802
1. Run the [=steps to silently determine if a credential is available for
802-
the current device=] and the [=steps to silently determine if a
803-
credential is SPC-enabled=], passing in
804-
|data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. If the
805-
result of either of these is `false`, remove |id| from
803+
the current device=], passing in
804+
|data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|.
805+
If the result is `false`, remove |id| from
806806
|data|["{{SecurePaymentConfirmationRequest/credentialIds}}"].
807+
1. If the |data|["{{SecurePaymentConfirmationRequest/rpId}}"] is
808+
not the [=origin=] of the [=relevant settings object=] of |request|,
809+
run the [=steps to silently determine if a credential is SPC-enabled=], passing in |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. If the result is `false`, remove |id| from |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"].
807810

808811
1. If |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"] is now empty,
809812
return `false`. The user agent must maintain
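Review bot: The condition at lines 807-808 compares |data|["rpId"], which is a domain string, with an [=origin=], which is a scheme/host/port tuple, so as written the two can never be equal and the SPC-enabled check would always run. Since this comparison decides when a credential is accepted without the SPC-enabled check, it should be stated precisely: compare against the origin's effective domain, and say explicitly whether an rpId that is a registrable-domain suffix of the caller's host (for example a caller on a subdomain of its rpId) counts as the RP's own credential or as third party. The added line 809 is also far longer than the wrapped lines around it and would be easier to review if wrapped the same way.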
@@ -1667,4 +1670,3 @@ This section adds the below-listed [=extension identifier=] to the IANA "WebAuth
16671670
- Specification Document: Section [[#sctn-payment-extension-registration]] of this specification
16681671
- Change Controller: [W3C Web Payments Working Group](https://www.w3.org/groups/wg/payments)
16691672
- Notes: Registration follows [3 May 2023 discussion](https://www.w3.org/2023/05/03-webauthn-minutes#t01) with the Web Authentication Working Group.
1670-
