From cb9c46abf990fc1cd4db392c9a9621392cf4af97 Mon Sep 17 00:00:00 2001 From: Ian Jacobs Date: Tue, 13 Aug 2024 11:28:32 -0500 Subject: [PATCH 01/25] An RP should be able to use its own credentials even if payment extension not specified. --- spec.bs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/spec.bs b/spec.bs index 51df7aa..4e31987 100644 --- a/spec.bs +++ b/spec.bs @@ -797,10 +797,15 @@ input {{SecurePaymentConfirmationRequest}} |data|, are: 1. For each |id| in |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"]: 1. Run the [=steps to silently determine if a credential is available for - the current device=] and the [=steps to silently determine if a + the current device=], passing in + |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. + If the result is `false`, remove |id| from + |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"]. + 2. If the |data|["{{SecurePaymentConfirmationRequest/rpId}}"] is + not in the current origin, run the [=steps to silently determine if a credential is SPC-enabled=], passing in |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. If the - result of either of these is `false`, remove |id| from + result is `false`, remove |id| from |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"]. 1. If |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"] is now empty, From 72b71ed795d69ee1acb7a4ed3af1d8f91b286b49 Mon Sep 17 00:00:00 2001 From: Ian Jacobs Date: Tue, 13 Aug 2024 11:32:12 -0500 Subject: [PATCH 02/25] formatting fixes --- spec.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec.bs b/spec.bs index 4e31987..ccb556a 100644 --- a/spec.bs +++ b/spec.bs 
@@ -799,9 +799,9 @@ input {{SecurePaymentConfirmationRequest}} |data|, are: 1. Run the [=steps to silently determine if a credential is available for the current device=], passing in |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. - If the result is `false`, remove |id| from + If the result is `false`, remove |id| from |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"]. - 2. If the |data|["{{SecurePaymentConfirmationRequest/rpId}}"] is + 1. If the |data|["{{SecurePaymentConfirmationRequest/rpId}}"] is not in the current origin, run the [=steps to silently determine if a credential is SPC-enabled=], passing in |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. If the From 5b0d973e77d5b8c25f075674344b88cd6d747828 Mon Sep 17 00:00:00 2001 From: Ian Jacobs Date: Tue, 13 Aug 2024 13:26:33 -0500 Subject: [PATCH 03/25] typo fix --- spec.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec.bs b/spec.bs index ccb556a..77e5713 100644 --- a/spec.bs +++ b/spec.bs @@ -205,7 +205,7 @@ This limitation motivates the following Secure Payment Confirmation behavior: 1. SPC supports cross-origin registration from an iframe in a third-party context. For instance, this registration might take place following some - other identity and verification (ID&V) flow (e.g., SMS OTP). + other identity and verification (ID&V) flow (e.g., SMS OTP). * See discussion on WebAuthn issue 1656. From 2da278578f562551be451c97fd44bf2bc2ff120d Mon Sep 17 00:00:00 2001 From: Ian Jacobs Date: Tue, 29 Oct 2024 11:03:39 -0500 Subject: [PATCH 04/25] try to kick pr-preview --- spec.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/spec.bs b/spec.bs index 77e5713..c3c676b 100644 --- a/spec.bs +++ b/spec.bs 
@@ -1671,3 +1671,4 @@ This section adds the below-listed [=extension identifier=] to the IANA "WebAuth - Change Controller: [W3C Web Payments Working Group](https://www.w3.org/groups/wg/payments) - Notes: Registration follows [3 May 2023 discussion](https://www.w3.org/2023/05/03-webauthn-minutes#t01) with the Web Authentication Working Group. + From 3782d53e12e37a2f29ee1252d26d2101cae0e8e9 Mon Sep 17 00:00:00 2001 From: Ian Jacobs Date: Tue, 29 Oct 2024 12:19:40 -0500 Subject: [PATCH 05/25] Seeking to resolve css spec preprocessor issues --- spec.bs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/spec.bs b/spec.bs index c3c676b..30b21ce 100644 --- a/spec.bs +++ b/spec.bs @@ -82,12 +82,17 @@ spec: webdriver; urlPrefix: https://w3c.github.io/webdriver/ text: undefined; url: dfn-undefined text: WebDriver error; url: dfn-error text: WebDriver error code; url: dfn-error-code + +spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647 + text: language priority list; url: section-2.3
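
Review bot: In the step added by PATCH 01/25, the condition "If the |data|["rpId"] is not in the current origin" has no defined meaning. The rpId is a domain string while an origin is a scheme/host/port tuple, and "current origin" does not say whether the calling frame or the top-level page is meant. This condition decides whether the SPC-enabled check is skipped, so suggest naming the exact origin and the comparison (for example, against that origin's effective domain) so that implementations skip the check in the same cases.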

From c7f1466bd85318bb36bfdc15759da109e62bbaaa Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:20:51 -0500
Subject: [PATCH 06/25] syntax fix of link-defaults?

---
 spec.bs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec.bs b/spec.bs
index 30b21ce..98a16d3 100644
--- a/spec.bs
+++ b/spec.bs
@@ -89,10 +89,10 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 
 
 
 

From c603f012b9749ab009880e0dc0bb3f777385c7fb Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:22:20 -0500
Subject: [PATCH 07/25] remove semi-colon from link-defaults lines

---
 spec.bs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/spec.bs b/spec.bs
index 98a16d3..6ae7b3a 100644
--- a/spec.bs
+++ b/spec.bs
@@ -88,11 +88,11 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 

From 83ec338cce5631468d3d2124aa7e19234ed093e4 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:23:10 -0500
Subject: [PATCH 08/25] removed &

---
 spec.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec.bs b/spec.bs
index 6ae7b3a..29d2527 100644
--- a/spec.bs
+++ b/spec.bs
@@ -210,7 +210,7 @@ This limitation motivates the following Secure Payment Confirmation behavior:
 
 1. SPC supports cross-origin registration from an iframe in a third-party
     context. For instance, this registration might take place following some
-    other identity and verification (ID&V) flow (e.g., SMS OTP).
+    other identity and verification (ID and V) flow (e.g., SMS OTP).
 
 * See discussion
     on WebAuthn issue 1656.
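
Review bot: "(ID and V)" on the changed line is not an abbreviation a reader will recognise, and the phrase just before it already spells out "identity and verification". Suggest either dropping the parenthetical or keeping "ID&V" with the ampersand written as a character entity, rather than rewording the abbreviation to get past the preprocessor.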

From 540f44f4f8f1e1fb9114ed72b763d1f1bbe7e6aa Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:24:25 -0500
Subject: [PATCH 09/25] removed ID&V

---
 scope.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scope.md b/scope.md
index f17ec1b..013da7e 100644
--- a/scope.md
+++ b/scope.md
@@ -112,7 +112,7 @@ Note: This use case intends to capture the "in-transaction registration" use cas
 
 #### EMV® Secure Remote Commerce (SRC) System as Relying Party
 
-* Alice checkouts on a merchant web site with SRC, which triggers the SRC Digital Card Facilitator (DCF) to be displayed. The SRC DCF asks whether she wants to use biometric authentication to streamline payment. She agrees and SRC DCF redirects her to her bank where she goes through an ID&V process with her bank for the credit card she wishes to use.
+* Alice checkouts on a merchant web site with SRC, which triggers the SRC Digital Card Facilitator (DCF) to be displayed. The SRC DCF asks whether she wants to use biometric authentication to streamline payment. She agrees and SRC DCF redirects her to her bank where she goes through an Identificatino and Verification process with her bank for the credit card she wishes to use.
 * As an alternative, Alice visits her bank, authenticates to her bank, registers into biometric authentication, and selects card(s) that she wants to make available to SRC. The bank (the Relying Party) shares the authentication credential with the SRC System.
 * The following week Alice checkouts with a merchant enabled with SRC. The SRCi/DCF prompts Alice to do biometric authentication. The SRC System reviews the authentication results, and the bank authorizes the transaction.
 
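
Review bot: The added bullet misspells "Identification" as "Identificatino" ("she goes through an Identificatino and Verification process"). Fix the spelling in this commit so the expansion matches the one used in the "Merchant as Relying Party" hunk below.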
@@ -187,7 +187,7 @@ These use cases represent additional considerations, some of which (e.g., unregi
 #### Merchant as Relying Party
 
 * Alice logs into her favorite merchant using a merchant proprietary mechanism or using biometric authentication.   
-* The merchant asks Alice if she wants to use biometric authentication to streamline payment. She agrees and goes through an ID&V process with her bank for the credit card she wishes to use. (The merchant may decide to perform IDamp;&V during the checkout or outside of the checkout.)
+* The merchant asks Alice if she wants to use biometric authentication to streamline payment. She agrees and goes through an Identification and Verification process with her bank for the credit card she wishes to use. (The merchant may decide to perform IDamp;&V during the checkout or outside of the checkout.)
 * The merchant is the relying party for this authentication credential, and shares authentication data with Alice’s bank and/or payment network to allow for partial or full validation of authentication results in subsequent checkouts.
 * The following week Alice checks out on the merchant site and is prompted by the merchant to do biometric authentication. The merchant uses SPC then shares authentication results with Alice’s bank and/or payment network, which reviews the data. The bank authorizes the transaction.
 
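
Review bot: The parenthetical at the end of the added bullet still reads "perform IDamp;&V", so the abbreviation this commit sets out to remove is left in place in its garbled form. Replace it with the same "Identification and Verification" wording used earlier in that sentence.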

From 95a644712fba221594aa8da02699f93553687f14 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:25:49 -0500
Subject: [PATCH 10/25] &V

---
 scope.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scope.md b/scope.md
index 013da7e..9f347b9 100644
--- a/scope.md
+++ b/scope.md
@@ -187,7 +187,7 @@ These use cases represent additional considerations, some of which (e.g., unregi
 #### Merchant as Relying Party
 
 * Alice logs into her favorite merchant using a merchant proprietary mechanism or using biometric authentication.   
-* The merchant asks Alice if she wants to use biometric authentication to streamline payment. She agrees and goes through an Identification and Verification process with her bank for the credit card she wishes to use. (The merchant may decide to perform IDamp;&V during the checkout or outside of the checkout.)
+* The merchant asks Alice if she wants to use biometric authentication to streamline payment. She agrees and goes through an Identification and Verification process with her bank for the credit card she wishes to use. (The merchant may decide to perform Identification and Verification during the checkout or outside of the checkout.)
 * The merchant is the relying party for this authentication credential, and shares authentication data with Alice’s bank and/or payment network to allow for partial or full validation of authentication results in subsequent checkouts.
 * The following week Alice checks out on the merchant site and is prompted by the merchant to do biometric authentication. The merchant uses SPC then shares authentication results with Alice’s bank and/or payment network, which reviews the data. The bank authorizes the transaction.
 
@@ -220,7 +220,7 @@ priority:
 
 ## Out of Scope
 
-* ID & V to establish real world identity during registration.
+* Identification and Verification to establish real world identity during registration.
 * Use cases for peer-to-peer payments or business-to-business transactions.
 
 ## Future Extensions
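
Review bot: The added "Out of Scope" bullet expands the abbreviation as "Identification and Verification" with capitals, while spec.bs in this series expands it as "identity and verification" in lower case. Suggest settling on one expansion and one casing across scope.md and spec.bs so readers do not take them for two different processes.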

From 5d8d4f33a4268c28c35286bdf19198bba11f52c1 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:30:59 -0500
Subject: [PATCH 11/25] still working on link defaults

---
 spec.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec.bs b/spec.bs
index 29d2527..59c7e64 100644
--- a/spec.bs
+++ b/spec.bs
@@ -91,8 +91,8 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 spec:fetch; type:dfn; for:/; text:request
 spec:i18n-glossary; type:dfn; text:bidi isolation
 spec:url; type:dfn; text:valid domain
-spec:webidl; type:exception; text:RangeError
-spec:webidl; type:exception; text:TypeError
+spec:webidl; type:exception; text:RangeError {{RangeError}}
+spec:webidl; type:exception; text:TypeError {{TypeError}}
 
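
Review bot: On the two changed link-defaults lines the value after text: becomes "RangeError {{RangeError}}" and "TypeError {{TypeError}}", which is no longer the name of the exception, whereas every other entry in the block carries only the bare term. Suggest leaving text:RangeError and text:TypeError as they were and changing only the spec:, type: or for: fields if the default still does not resolve.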

From 273cde623002fb08142a98a767e6b40b39c7b646 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:32:17 -0500
Subject: [PATCH 12/25] removed newlines end of file

---
 spec.bs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/spec.bs b/spec.bs
index 59c7e64..f4820c5 100644
--- a/spec.bs
+++ b/spec.bs
@@ -1675,5 +1675,3 @@ This section adds the below-listed [=extension identifier=] to the IANA "WebAuth
 - Specification Document: Section [[#sctn-payment-extension-registration]] of this specification
 - Change Controller: [W3C Web Payments Working Group](https://www.w3.org/groups/wg/payments)
 - Notes: Registration follows [3 May 2023 discussion](https://www.w3.org/2023/05/03-webauthn-minutes#t01) with the Web Authentication Working Group.
-
-

From b115212e982e06200338117c9cc850e1ebb8b68c Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:34:21 -0500
Subject: [PATCH 13/25] typo fix

---
 scope.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scope.md b/scope.md
index 9f347b9..74b366c 100644
--- a/scope.md
+++ b/scope.md
@@ -112,7 +112,7 @@ Note: This use case intends to capture the "in-transaction registration" use cas
 
 #### EMV® Secure Remote Commerce (SRC) System as Relying Party
 
-* Alice checkouts on a merchant web site with SRC, which triggers the SRC Digital Card Facilitator (DCF) to be displayed. The SRC DCF asks whether she wants to use biometric authentication to streamline payment. She agrees and SRC DCF redirects her to her bank where she goes through an Identificatino and Verification process with her bank for the credit card she wishes to use.
+* Alice checkouts on a merchant web site with SRC, which triggers the SRC Digital Card Facilitator (DCF) to be displayed. The SRC DCF asks whether she wants to use biometric authentication to streamline payment. She agrees and SRC DCF redirects her to her bank where she goes through an Identification and Verification process with her bank for the credit card she wishes to use.
 * As an alternative, Alice visits her bank, authenticates to her bank, registers into biometric authentication, and selects card(s) that she wants to make available to SRC. The bank (the Relying Party) shares the authentication credential with the SRC System.
 * The following week Alice checkouts with a merchant enabled with SRC. The SRCi/DCF prompts Alice to do biometric authentication. The SRC System reviews the authentication results, and the bank authorizes the transaction.
 
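
Review bot: The corrected bullet still begins "Alice checkouts on a merchant web site", and the last bullet of the hunk has "Alice checkouts with a merchant", while the "Merchant as Relying Party" section writes "Alice checks out". Since this commit is a typo fix on the same line, suggest changing both to "checks out" here.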

From a6ae5d9b6b1e6bbd3678dcad1cb58836bd340ed1 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:37:42 -0500
Subject: [PATCH 14/25] try without {{...}}

---
 spec.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec.bs b/spec.bs
index f4820c5..d4ed2de 100644
--- a/spec.bs
+++ b/spec.bs
@@ -91,8 +91,8 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 spec:fetch; type:dfn; for:/; text:request
 spec:i18n-glossary; type:dfn; text:bidi isolation
 spec:url; type:dfn; text:valid domain
-spec:webidl; type:exception; text:RangeError {{RangeError}}
-spec:webidl; type:exception; text:TypeError {{TypeError}}
+spec:webidl; type:exception; text:RangeError
+spec:webidl; type:exception; text:TypeError
 

From ac8496de4a2562fd924d10d5211a2e93e369b47b Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:40:12 -0500
Subject: [PATCH 15/25] try 2 lines

---
 spec.bs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/spec.bs b/spec.bs
index d4ed2de..1430908 100644
--- a/spec.bs
+++ b/spec.bs
@@ -92,7 +92,9 @@ spec:fetch; type:dfn; for:/; text:request
 spec:i18n-glossary; type:dfn; text:bidi isolation
 spec:url; type:dfn; text:valid domain
 spec:webidl; type:exception; text:RangeError
+{{RangeError}}
 spec:webidl; type:exception; text:TypeError
+{{TypeError}}
 

From 4b258c51e39fa82e17c9f64608d580882f74a255 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:42:39 -0500
Subject: [PATCH 16/25] restore earlier text

---
 spec.bs | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/spec.bs b/spec.bs
index 1430908..ea4dc18 100644
--- a/spec.bs
+++ b/spec.bs
@@ -88,13 +88,10 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 

From 8c8feedb9ee8d417675268b400c5136a7bff09a4 Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:44:07 -0500
Subject: [PATCH 17/25] try semicolons end of lines

---
 spec.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec.bs b/spec.bs
index ea4dc18..8456430 100644
--- a/spec.bs
+++ b/spec.bs
@@ -89,8 +89,8 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 
 
 

From f084af4724bc88a86aaf074412764cd6138b727b Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Tue, 29 Oct 2024 12:45:38 -0500
Subject: [PATCH 18/25] restore without some end ;

---
 spec.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec.bs b/spec.bs
index 8456430..ea4dc18 100644
--- a/spec.bs
+++ b/spec.bs
@@ -89,8 +89,8 @@ spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
 
 
 

From 16d765d468aca127c190eaff18db671948fb2a40 Mon Sep 17 00:00:00 2001
From: Stephen McGruer 
Date: Thu, 31 Oct 2024 09:39:21 -0400
Subject: [PATCH 19/25] Fix: remove language priority list dfn

---
 spec.bs | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/spec.bs b/spec.bs
index ea4dc18..6b826b9 100644
--- a/spec.bs
+++ b/spec.bs
@@ -82,9 +82,6 @@ spec: webdriver; urlPrefix: https://w3c.github.io/webdriver/
         text: undefined; url: dfn-undefined
         text: WebDriver error; url: dfn-error
         text: WebDriver error code; url: dfn-error-code
-
-spec: RFC4647; urlPrefix: https://datatracker.ietf.org/doc/html/rfc4647
-        text: language priority list; url: section-2.3
 
@@ -803,7 +804,7 @@ input {{SecurePaymentConfirmationRequest}} |data|, are:
         If the result is `false`, remove |id| from
         |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"].
     1.  If the |data|["{{SecurePaymentConfirmationRequest/rpId}}"] is
-        not the [=top-level origin=] of the [=relevant settings object=] of |request|,
+        not the [=origin=] of the [=relevant settings object=] of |request|,
         run the [=steps to silently determine if a credential is SPC-enabled=],         passing in |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|.        If the result is `false`, remove |id| from |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"].
 
 1. If |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"] is now empty,
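
Review bot: Replacing [=top-level origin=] with [=origin=] on the changed line widens the cases that skip the SPC-enabled check from pages whose top-level origin matches to any frame whose own origin matches, including one embedded in a third-party page, and nothing next to the step says that this is intended. Suggest adding a short note beside the step giving the reason the check can be skipped there. The step also refers to |request|, which does not appear elsewhere in this hunk (the algorithm's input is |data|), so confirm it is in scope at this point. The changed line still compares an rpId, which is a domain, with an origin, so the comparison itself should be spelled out.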

From 3aebdfe486f58be8ad2a84ff20c4a097de4c254c Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Mon, 18 Nov 2024 09:35:57 -0600
Subject: [PATCH 24/25] another =origin= dfn

---
 spec.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec.bs b/spec.bs
index 2badb2a..16d4b2a 100644
--- a/spec.bs
+++ b/spec.bs
@@ -89,7 +89,7 @@ spec:fetch; type:dfn; for:/; text:request;
 spec:i18n-glossary; type:dfn; text:bidi isolation
 spec:i18n-glossary; type:dfn; text:language priority list
 spec:url; type:dfn; text:valid domain;
-spec:html; type:dfn; for:/; text:origin
+spec:html; type:dfn; for:environment settings object; text:origin
 
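
Review bot: The replaced link-defaults line changes the default target of every unqualified [=origin=] link in the document, not only the one in the credential-filtering step, so any existing [=origin=] that meant the general concept now points at the environment settings object's origin. Suggest checking the other uses and qualifying them explicitly where needed. The entries in this block also disagree on trailing semicolons ("text:request;" and "text:valid domain;" against the rest), which is worth making uniform while the block is being edited.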

From 70f9605e28e0b7161e08e6c8901663447ce2e43e Mon Sep 17 00:00:00 2001
From: Ian Jacobs 
Date: Mon, 18 Nov 2024 09:58:52 -0600
Subject: [PATCH 25/25] use entity def

---
 spec.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec.bs b/spec.bs
index 16d4b2a..46a198d 100644
--- a/spec.bs
+++ b/spec.bs
@@ -207,7 +207,7 @@ This limitation motivates the following Secure Payment Confirmation behavior:
 
 1. SPC supports cross-origin registration from an iframe in a third-party
     context. For instance, this registration might take place following some
-    other identity and verification (ID and V) flow (e.g., SMS OTP).
+    other identity and verification (ID&V) flow (e.g., SMS OTP).
 
 * See discussion
     on WebAuthn issue 1656.
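
Review bot: The added line reads "(ID&V)", which is the same text PATCH 08/25 removed, and the subject says an entity is being used. Confirm that the ampersand in spec.bs is actually written as a character entity and not as a bare "&", since the bare form is what the earlier commit was working around.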