Is it possible for a user to downgrade a credential creation request? #154

Open
samuelweiler opened this issue Oct 28, 2021 · 2 comments
Labels
after-v1 privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

Comments

@samuelweiler
Member

During TPAC, we observed that SPC-capable credentials can also be used for login. I speculated about the possibility of not-payment sites attempting to create SPC-capable credentials for the purpose of getting around storage partitioning. While that could make for some lovely UX studies, there might also be an action for the WPWG:

Is it possible for a user to downgrade a credential creation request from SPC-capable (cross-origin) to login-only (single-origin)? If not, what changes do we need to make in the protocol to be able to present that option to the user (or for the user to be able to configure their UA to default to that choice)?

@ianbjacobs
Collaborator

Here's an update in advance of the May WPWG meeting:

  1. The WPWG has drafted a proposal [1] for a bit that an RP could set in a credential to indicate it is ok to use cross-origin with SPC. We are raising this directly with FIDO as it affects CTAP.
  2. At our May WPWG meeting, we will discuss this with the Web Authentication WG and include in the discussion your point about whether there needs to be UX allowing the user to consent to the cross-origin capability at creation time.

We will leave this issue open as those conversations play out.

[1] w3c/webauthn#1667 (comment)

@samuelweiler
Member Author

Per discussion on the 6 Apr 2023 PING call, I understand that using an SPC credential in a cross-origin context can only happen during payment flows. It is not possible to use an SPC credential for routine authentication cross-origin. Given that understanding, I'm downgrading this issue from -needs-resolution

@samuelweiler samuelweiler added privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. and removed privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on. labels Apr 6, 2023