Register SPC-related WebAuthn extensions in IANA registry

[stephenmcgruer]

At TPAC, we heard that WebAuthn extensions must be filed in an IANA registry to be official: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-extension-ids

There are two extensions related to SPC:

• payment, which is set by the calling website at creation time, and is set internally by the browser at authentication time.
• thirdPartyPayment, which is spec'd in CTAP 2.1 (yet to be released).

However currently the payment extension does too much, as per SPC: From browser cache to FIDO/WebAuthn integration. Long term, thirdPartyPayment will be the creation-time way to indicate that a credential can be used for third-party payment flows, and payment becomes an authentication-time only extension.

I am not currently sure if we should register these extensions in IANA soon, or wait until we reach some future stable state before doing so, but filing this to track doing the registration.

[ianbjacobs]

@plehegar re: IANA

[adrianhopebailie]

I would recommend holding off until things stabilise.

[plehegar]

re timing: I would suggest to follow the same way we do for media types, ie a month or two before moving to CR, you should ask IETF folks to comments. If you don't where to do that, I'm happy to dig around and find the proper pointers.

[ianbjacobs]

@plehegar, we are planning to advance to CR and have not resolved with the Web Authentication WG how to proceed on the IANA registration. I anticipate that we will continue to work on the registration once we have entered CR.

[ianbjacobs]

Discussed today with the Web Authentication WG [1]. I believe that the WPWG can go ahead and proceed according to RFC 8809 [2] for the 'payment' extension defined in SPC.

[1] https://www.w3.org/2023/05/03-webauthn-irc
[2] https://www.rfc-editor.org/rfc/rfc8809.html

[ianbjacobs]

With today's publication of the Candidate Recommendation of SPC, I have sent a request to include the 'payment' extension in the IANA registry:
https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/-NFaDPjBGh2CLB6NfW6M8aBd4XU/

[ianbjacobs]

I believe our application has been approved; I don't have an estimate of the time to implement.

[ianbjacobs]

This has been completed:
https://mailarchive.ietf.org/arch/msg/webauthn-reg-review/SXVR9jFJ0DVOnTdZmqmf798wsTc/