16:48:34 <RRSAgent> RRSAgent has joined #wpwg-spc
16:48:34 <RRSAgent> logging to https://www.w3.org/2022/02/14-wpwg-spc-irc
16:48:46 <Ian> zakim, clear the queue
16:48:46 <Zakim> I don't understand 'clear the queue', Ian
16:48:53 <Ian> Meeting: SPC Task Force
16:50:14 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2022Feb/0004.html
16:50:17 <Ian> Chair: Ian
16:55:51 <Ian> agenda+ Issues list review
16:55:54 <Ian> agenda+ Next meeting
16:56:04 <Ian> RRSAGENT, clear the agenda
16:56:04 <RRSAgent> I'm logging. I don't understand 'clear the agenda', Ian.  Try /msg RRSAgent help
16:56:09 <Ian> zakim, clear agenda
16:56:09 <Zakim> agenda cleared
16:56:12 <Ian> agenda+ Issues list review
16:56:14 <Ian> agenda+ Next meeting
16:58:07 <Ian> present+
16:58:53 <Ian> present+ Susan_Pandy
16:59:06 <Ian> present+ John_Bradley
16:59:42 <Ian> present Carey_Ferro
17:00:14 <Ian> present+ Carey_Ferro
17:00:18 <Ian> present+ Rolf_Lindemann
17:00:24 <Ian> Topic: Web Authentication Update
17:00:50 <Ian> John: Changes are happening to WebAuthn and authenticators about device public key
17:00:58 <Ian> ...and synchronizing credentials
17:01:02 <Ian> present+ Nick_Burris
17:01:26 <Ian> https://github.com/w3c/webauthn/issues/1665
17:01:40 <Ian> John: There's a pull request for an extension
17:01:44 <Ian> Rolf: Two pull requests.
17:02:11 <Ian> https://github.com/w3c/webauthn/pull/1663
17:02:24 <Ian> https://github.com/w3c/webauthn/pull/1695
17:02:35 <Ian> present+ Doug_Fisher
17:02:59 <Ian> present+ Samere_Tare
17:03:06 <Ian> John: Default behavior would be "can be synced"
17:03:21 <Ian> ...so want to air this change of expectation here.
17:03:42 <Ian> Rolf: You have to look into the assertion to understand whether the key cannot leave the device.
17:04:18 <SameerT> SameerT has joined #wpwg-spc
17:04:20 <Ian> Rolf: You say "I want a credential" and you might get two (one synchronizable and one note)
17:04:22 <Ian> s/note/not
17:04:34 <Ian> ...you can look into the non-synchronizable one to get more security.
17:05:05 <Ian> ...you can distinguish first use and subsequent use.
17:05:24 <Ian> John: The SPC API is going to have to essentially default the device public key extension to "True"
17:05:28 <Ian> Rolf: Agreed
17:05:55 <Ian> JohN: If the authenticator supports multi-device credentials, the additional security information would always come back for multi-device credentials.
17:06:04 <Ian> ...note that not all authenticators are likely to support this extension.
17:06:15 <Ian> ..but it's probably a good idea to always ask for it.
17:06:59 <Ian> ...at registration time you get a primary registration, and in the extension you get a secondary attestation (over the device key)
17:07:50 <Ian> ...if you send the extension during get() you would also get back the signature over the public key. These credentials roam devices, so every get() assertion, the assertion contains new registration information for the device public key.
17:08:00 <Ian> ...this means the complexity of the back end goes up.
17:08:30 <Ian> ..but this also means "way more risk information"; people can say whether it's the same person based on their account and whether it's a previously used device
17:10:48 <Ian> ...model is that for a given credential ID, there are potentially N public keys that are specific to each device.
17:11:26 <Ian> ...so there is a "group" public key and N "device-specific" public keys.
17:12:00 <Ian> Ian: Any changes to SPC inputs?
17:12:32 <SameerT> q+
17:12:36 <Ian> John: Given that we may have situations where there's a 3p intermediary, I think the spec should always add the moral equivalent of the extension when talking to WebAuthn
17:12:40 <Ian> ack Sam
17:13:43 <praveenas> praveenas has joined #wpwg-spc
17:13:50 <Ian> John: API input would still be a list of credential IDs. If you want to get back both the signature for the sync key and the device-specific key, you want to have the extension turned on in SPC
17:14:19 <Ian> present+ Praveena_Subrahmanyam
17:14:49 <Ian> Ian: Does the assertion change shape?
17:15:07 <Ian> John: Still one thing, but the extension would be part of the blob. There would potentially be a new attestation.
17:15:23 <Ian> ...might double the size of the response.
17:15:52 <Ian> Sameer: if I break it down, sounds like no changes in what credential IDs are returned
17:16:17 <Ian> ACTION: Ian to add to the SPC issues list the question of default extension on in SPC
17:16:51 <Ian> John_Bradley: When evaluating the assertion, you'll need to look at the assertion to see whether this is (1) a synced credential and (2) whether this is a device I've seen before.
17:17:22 <Ian> Sameer: What should issuer do if authentication is successful but device has not been seen before?
17:17:59 <Ian> John: You won't get anything back if authentication is unsuccessful. If it's a valid group key, someone who controls the account is authenticating. So you need to look at the extension to see if you've seen this specific device before or not.
17:18:17 <Ian> ...and you can look at each attestation to see whether you trust the new device (public key) for future transactions.
17:18:26 <Ian> ...so you can add the new device public key to the back end
17:18:51 <Ian> ...let's use Apple just as an example.
17:19:09 <Ian> ...say you register once on the iPhone; the registration can be synchronized to iPad and laptop.
17:19:41 <Ian> ...when I do 3DS from my laptop, the assertion would tell you that the user of the credential ID has authenticated but it's a new device.
17:19:52 <Ian> ...and you can decide whether more ID&V is required before enrolling the new public key.
17:20:38 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/14-wpwg-spc-minutes.html Ian
17:21:41 <Ian> John: These are different biometrics possibly (since those are device-specific).
17:22:50 <Ian> Ian:I am hearing that the new work is evaluating the new attestation (and whether to proceed silently or do more ID&V)
17:23:10 <Ian> John: The default security is "the default security of the fabric."
17:23:57 <Ian> ...it's a good signal having the same credential from multiple devices. But not the same level of assurance that "this is the same device for the user."
17:24:29 <Ian> John: Look for a white paper from FIDO on this.
17:27:18 <Ian> Topic: RPID as input
17:27:24 <Ian> https://github.com/w3c/secure-payment-confirmation/pull/173
17:27:55 <Ian> Nick: We are looking for a response before closing
17:28:25 <Ian> zakim, take up item 2
17:28:25 <Zakim> agendum 2 -- Next meeting -- taken up [from Ian]
17:28:35 <Ian> - No meeting 21 Feb
17:28:44 <Ian> - Next meeting 28 Feb
17:29:04 <Ian> RRSAGENT, make minutes
17:29:04 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/14-wpwg-spc-minutes.html Ian
17:29:07 <Ian> RRSAGENT, set logs public