Clarify cardinality between PaymentCredential and payment instruments #13
Comments
Also, a single user may have multiple credentials (one on each authenticator/end user device). In reality we'd need to support a many-to-many relationship between credentials and instruments.
Supporting multiple instruments per credential would definitely be beneficial. This does bring to mind cases where a single instrument has to be removed from an existing credential (e.g. card lost, card expired). While the current WebAuthn convention is for the RP to simply delete the user<->credentials link server side to remove the entire credential, the ability to remove a single instrument from an existing credential could help prevent re-registration if a single instrument is no longer active. Unfortunately I cannot think of an elegant way of doing this with the available navigator.credentials.get() and navigator.credentials.create() APIs, other than perhaps also requiring a list of instruments to be passed in during credentials.get(). Querying a credential
See related email:
See discussion from 27 May: @stephenmcgruer raised an interesting point about "late binding". We will work on a proposal for the requirements document that the API support "late binding", which I currently understand to mean that the RP can decide the concrete funding source at authentication time, and is not required to determine it at enrollment time (though that case must also be supported).
The API now allows the RP (or other party) to provide instrument display information at authentication time. I believe this approach renders the current issue moot, so I am going to close it. (We can reopen if I'm wrong.)
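To make the server-side consequences of the thread concrete, here is an added example (not code from this repository or the specification) of an RP-side registry that models the many-to-many relationship between credentials and payment instruments raised in the first comment, lets the RP pick the instrument at authentication time ("late binding"), and removes a single lost or expired instrument without deleting the credential, which is the re-registration concern from the second comment. The class, method names and the `{ credentialId, instrument: { displayName } }` shape it returns are assumptions for illustration; the browser-side `navigator.credentials` calls are outside the example.

```javascript
// Added example, not code from the repository: an RP-side registry modelling a
// many-to-many relationship between WebAuthn credentials and payment instruments,
// with late binding of the instrument at authentication time and removal of a
// single instrument without deleting the credential. Names and data shapes are
// assumptions for illustration.

class InstrumentRegistry {
  constructor() {
    this.credentials = new Map(); // credentialId -> { userId, instrumentIds: Set }
    this.instruments = new Map(); // instrumentId -> { userId, displayName, active }
  }

  // Called after the RP has verified a navigator.credentials.create() response;
  // the credential is bound to a user, not to any particular instrument.
  registerCredential(credentialId, userId) {
    if (this.credentials.has(credentialId)) throw new Error("credential already registered");
    this.credentials.set(credentialId, { userId, instrumentIds: new Set() });
  }

  addInstrument(instrumentId, userId, displayName) {
    this.instruments.set(instrumentId, { userId, displayName, active: true });
  }

  // Link an instrument to a credential; both must belong to the same user.
  link(credentialId, instrumentId) {
    const cred = this.credentials.get(credentialId);
    const inst = this.instruments.get(instrumentId);
    if (!cred || !inst) throw new Error("unknown credential or instrument");
    if (cred.userId !== inst.userId) throw new Error("credential and instrument belong to different users");
    cred.instrumentIds.add(instrumentId);
  }

  // Remove one instrument from one credential (e.g. card replaced); the credential
  // and its remaining instruments stay usable, so no re-registration is needed.
  unlink(credentialId, instrumentId) {
    const cred = this.credentials.get(credentialId);
    if (!cred) throw new Error("unknown credential");
    return cred.instrumentIds.delete(instrumentId);
  }

  // Mark an instrument inactive everywhere (lost or expired card) without touching
  // any credential record.
  deactivateInstrument(instrumentId) {
    const inst = this.instruments.get(instrumentId);
    if (!inst) throw new Error("unknown instrument");
    inst.active = false;
  }

  // Late binding: at authentication time the RP computes which active instruments
  // may be offered for this credential.
  instrumentsForAuthentication(credentialId) {
    const cred = this.credentials.get(credentialId);
    if (!cred) throw new Error("unknown credential");
    return [...cred.instrumentIds]
      .map((id) => ({ id, ...this.instruments.get(id) }))
      .filter((inst) => inst.active);
  }

  // Reverse direction of the many-to-many relation: every credential (one per
  // authenticator/device) that can authorise a payment with this instrument.
  credentialsForInstrument(instrumentId) {
    const out = [];
    for (const [credentialId, cred] of this.credentials) {
      if (cred.instrumentIds.has(instrumentId)) out.push(credentialId);
    }
    return out;
  }

  // Build the instrument display information the RP supplies at authentication
  // time, refusing instruments that are unlinked or inactive. The returned shape
  // is an assumption, not the specification's.
  authenticationDisplay(credentialId, instrumentId) {
    const chosen = this.instrumentsForAuthentication(credentialId)
      .find((inst) => inst.id === instrumentId);
    if (!chosen) throw new Error("instrument not available for this credential");
    return { credentialId, instrument: { displayName: chosen.displayName } };
  }
}

// Constructed sample data: one user with two credentials (laptop and phone) and two cards.
function sampleRegistry() {
  const reg = new InstrumentRegistry();
  reg.registerCredential("cred-laptop", "user-1");
  reg.registerCredential("cred-phone", "user-1");
  reg.addInstrument("card-visa", "user-1", "Visa ending 4242");
  reg.addInstrument("card-mc", "user-1", "Mastercard ending 1111");
  reg.link("cred-laptop", "card-visa");
  reg.link("cred-laptop", "card-mc");
  reg.link("cred-phone", "card-visa");
  return reg;
}
```

Deactivating `card-visa` in the sample leaves `cred-laptop` usable with `card-mc` and leaves `cred-phone` registered with no active instruments, which is the state the thread wants to reach without forcing the user to enrol the authenticator again.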
Arguments for 1 credential for many instruments:
Arguments for 1 credential for 1 instrument:
Next step is to try to enumerate attack vectors for sharing credential.