Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It builds on top of WebAuthn to bring strong authentication to payment flows. In the initial spec and implementation of SPC, the output CollectedClientAdditionalPaymentData dictionary[0] of the cryptogram contained a parameter named 'rp'. This was renamed in the specification[1] to 'rpId' to align with WebAuthn, and Chrome is changing its implementation to match (that is, adding 'rpId' and removing 'rp'). In M107, we added[2] 'rpId' to CollectedClientAdditionalPaymentData as an additional, identical field to 'rp'. We will now be removing the old 'rp' parameter.

[0]: https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary
[1]: https://github.com/w3c/secure-payment-confirmation/pull/198
[2]: https://chromium.googlesource.com/chromium/src/+/3472ddafd924cbffab61b88746c5fe81e71e26a7
Compatibility: The main risk is that a developer is still using the 'rp' parameter (and has not migrated to 'rpId'), and that their cryptogram-parsing code fails. Notably, we cannot detect this via browser metrics, as cryptogram-parsing is normally done server-side (i.e. the client just sends the received cryptogram up to a server). This also means that we cannot do e.g., a devtool deprecation warning. However, there are still relatively few users of SPC, and all are active participants in its development. We have announced this planned rename previously, and will now announce its deprecation + removal timeline ('deprecate' today, remove in M113).
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No - SPC does not ship on WebView.
Deprecation: 'now' (M110, but impossible to add e.g. deprecation warnings)
Removal: M113
I was asked to clarify the level of compat risk for this change (very reasonably, I did a poor job in the original email!).

Conceptually, this change is risky as we cannot detect exact usage of 'someone is reading the old "rp" field', because CollectedClientAdditionalPaymentData is essentially a data blob returned from Chrome which is usually sent to the website's server backend and processed there.

However, for SPC we believe there is low enough usage in general and we have good enough partner relations that we can make sure partners are aware of and adapt to this change* ahead of the removal. The usecounter for SPC is at ~0.0005% of page loads, and we have internal metrics with more details. We know of a short list of partners who are actively experimenting with SPC 'in the wild'. There is a slightly longer and not fully known list of partners who may be experimenting with SPC in a dev environment, but we still expect to be able to inform these partners via the Web Payments WG and Web Payments SIG where most payment partners interact.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeSz5M_k5FaysBE-OgV3sarO6tgXY%3DcxmAMWivAfdW_SA%40mail.gmail.com.
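The server-side read that this thread is concerned with, as an added example (not code from Chrome, the SPC specification, or any participant in the thread): a Node.js helper that takes the RP ID from 'rpId', falls back to 'rp' only when 'rpId' is absent, and reports the fallback so a backend can log cryptograms that still carry only the old field. The function names, `EXPECTED_RP_ID` and all sample values are assumptions constructed for illustration; signature, challenge and origin verification are not shown.

```javascript
// Added example: reads the RP ID from the `payment` member of an SPC clientDataJSON.
// EXPECTED_RP_ID and every sample value below are constructed for illustration.
const EXPECTED_RP_ID = 'bank.example';

function extractRpId(clientDataB64url) {
  const json = Buffer.from(clientDataB64url, 'base64url').toString('utf8');
  const clientData = JSON.parse(json);
  if (clientData.type !== 'payment.get') throw new Error('not an SPC assertion');

  const payment = clientData.payment;
  if (payment === null || typeof payment !== 'object') {
    throw new Error('missing payment member');
  }
  const hasNew = typeof payment.rpId === 'string';
  const hasOld = typeof payment.rp === 'string';
  if (!hasNew && !hasOld) throw new Error('neither rpId nor rp present');
  // While both fields are emitted they are identical; a mismatch is an error.
  if (hasNew && hasOld && payment.rpId !== payment.rp) {
    throw new Error('rpId and rp disagree');
  }
  const rpId = hasNew ? payment.rpId : payment.rp;
  if (rpId !== EXPECTED_RP_ID) throw new Error('unexpected RP ID');
  // usedLegacyField lets the server log clients that still send only `rp`.
  return { rpId, usedLegacyField: !hasNew };
}

// Builds a constructed clientDataJSON (base64url) with the given RP fields.
function encodeSample(rpFields) {
  const clientData = {
    type: 'payment.get',
    challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl',
    origin: 'https://merchant.example',
    crossOrigin: false,
    payment: {
      ...rpFields,
      topOrigin: 'https://merchant.example',
      total: { currency: 'USD', value: '5.00' },
      instrument: { icon: 'https://bank.example/card.png', displayName: 'Card ****1234' },
    },
  };
  return Buffer.from(JSON.stringify(clientData)).toString('base64url');
}

const SAMPLES = {
  overlap: encodeSample({ rp: 'bank.example', rpId: 'bank.example' }),
  afterRemoval: encodeSample({ rpId: 'bank.example' }),
  legacyOnly: encodeSample({ rp: 'bank.example' }),
  mismatch: encodeSample({ rp: 'other.example', rpId: 'bank.example' }),
};
```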