At today's SPC task force call [1] we discussed progress in the Web Authentication WG around the issue of synced credentials [2]. (I note from [2] that terminology for this feature may change.)
This issue is about the impact of those changes on SPC. From today's discussion, my initial sense is that:
- The API surface may not need to change (inputs or outputs).
- The API should take the new extension into account in the extensions member of SecurePaymentConfirmationRequest and any algorithms that touch on extensions.
Under section 8 Relying Party Operations we will likely want to either enhance 8.1 (Verifying an Authentication Assertion) or introduce new good practice about interpreting the output. In particular: what should an RP do when the extension includes a new device public key that the RP has never seen before (e.g., in terms of risk assessment, recording information on the server, etc.)?
Ian
cc @ve7jtb, @rlin1, @equalsJeffH
[1] https://www.w3.org/2022/02/14-wpwg-spc-minutes
[2] w3c/webauthn#1665
[3] https://w3c.github.io/secure-payment-confirmation/#sctn-securepaymentconfirmationrequest-dictionary