IRC log of wpwg on 2024-05-23
Timestamps are in UTC.
- 13:55:51 [RRSAgent]
- RRSAgent has joined #wpwg
- 13:55:55 [RRSAgent]
- logging to https://www.w3.org/2024/05/23-wpwg-irc
- 13:55:56 [Ian]
- Meeting: Web Payments Working Group
- 13:55:58 [Ian]
- Chair: NickTR
- 13:56:01 [Ian]
- Scribe: Ian
- 13:56:24 [Ian]
- Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240523
- 13:56:44 [Ian]
- present+ Ian_Jacobs
- 13:58:15 [Ian]
- agenda+ SPC and device bindin
- 13:58:19 [Ian]
- s/bindin/binding
- 13:58:28 [Ian]
- agenda+ Visa passkeys announcement
- 13:58:37 [Ian]
- agenda+ Web Monetization topic
- 13:58:39 [Ian]
- agenda+ Next meeting
- 13:58:46 [Ian]
- present+ Rouslan_Solomakhin
- 13:59:08 [Ian]
- present+ Kenneth_Diaz
- 13:59:40 [Ian]
- present+ Fahad_Saleem
- 14:00:28 [Ian]
- present+ Nakjo_Shiskov
- 14:00:29 [yonpols]
- yonpols has joined #wpwg
- 14:00:33 [Ian]
- present+ Jean-Luc_di_Manno
- 14:00:42 [Ian]
- present+ Anne_Pouillard
- 14:00:47 [Ian]
- present+ Alex_Lakatos
- 14:00:55 [Ian]
- present+ Steve_Cole
- 14:01:02 [Ian]
- present+ Stephen_McGruer
- 14:01:12 [Ian]
- present+ Juan-Pablo_Marzetti
- 14:01:18 [Anne]
- Anne has joined #wpwg
- 14:01:22 [Gregoire]
- Gregoire has joined #wpwg
- 14:01:29 [Ian]
- present+ Eric_Groves
- 14:01:36 [Ian]
- present+ Vasilii_Trofimchuk
- 14:01:47 [Ian]
- present+ Grégoire_Leleux
- 14:01:54 [Ian]
- present+ Jean-Michel_Girard
- 14:02:02 [benoit]
- benoit has joined #wpwg
- 14:02:05 [nsiskov]
- nsiskov has joined #wpwg
- 14:02:14 [Ian]
- present+ Haribalu
- 14:02:30 [gkok]
- gkok has joined #wpwg
- 14:02:32 [Ian]
- present+ David_Benoit
- 14:02:43 [Ian]
- present+ Gerhard_Oosthuizen
- 14:02:50 [Ian]
- present+ Adrian_Hope-Bailie
- 14:03:00 [Ian]
- present+ Nick_Telford-Reed
- 14:03:06 [jmgirard]
- jmgirard has joined #wpwg
- 14:03:29 [Ian]
- present+ Clinton_Allen
- 14:03:49 [vasilii]
- vasilii has joined #wpwg
- 14:03:54 [Ian]
- present+ Vincent_Kuntz
- 14:03:57 [JeanLuc]
- JeanLuc has joined #WPWG
- 14:04:10 [AdrianHB_]
- AdrianHB_ has joined #wpwg
- 14:04:14 [Ian]
- zakim, take up item 1
- 14:04:14 [Zakim]
- agendum 1 -- SPC and device bindin -- taken up [from Ian]
- 14:04:18 [Hari_PayPal]
- Hari_PayPal has joined #wpwg
- 14:04:22 [Ian]
- https://github.com/w3c/secure-payment-confirmation/issues/271
- 14:04:33 [yonpols]
- yonpols has joined #wpwg
- 14:04:53 [vincent]
- vincent has joined #wpwg
- 14:05:00 [Ian]
- Stephen: I plan to walk through what I just posted
- 14:05:26 [Ian]
- stephen: This is a high-level proposal for adding device-binding to SPC without relying on WebAuthn SPK/DPK
- 14:05:55 [Ian]
- ...we have heard many requests for device binding from the payments industry to meet regulatory requirements.
- 14:06:54 [Ian]
- ...passkey synching does not on its own appear to satisfy requirements. There is a DPK/SPK extension but we don't have a sense of a timeline for support in platform authenticators.
- 14:07:10 [nicktr]
- q/.
- 14:07:11 [Ian]
- ...so the proposal here is to do the device binding directly in SPC.
- 14:07:12 [nicktr]
- q?
- 14:07:13 [yonpols]
- yonpols has joined #wpwg
- 14:07:32 [Ian]
- present+ Yannick
- 14:07:58 [Ian]
- stephen: The generated SPC key would be signed by the WebAuthn key to avoid MITM attack.
- 14:08:25 [Ian]
- ...expectation is that first time this device key appears, it would not be trusted. So there might be a step-up when it is first seen.
- 14:08:39 [Yannick]
- Yannick has joined #wpwg
- 14:08:40 [Ian]
- ...however, on the same device for future authentications you would get back the same key.
- 14:09:17 [Ian]
- ...an alternative would be to register something at webAuthn registration time (using payment extension) but it would not work for extant credentials or when a 1p uses a vanilla webauthn credential.
- 14:09:31 [nicktr]
- q+ to ask about browser profiles
- 14:09:33 [Ian]
- ...note that the key would be (1) browser specific on a given device, (2) available cross-origin
- 14:09:48 [Ian]
- stephen: We think per-browser is a feature rather than a limitation.
- 14:10:23 [Ian]
- stephen: Where would keys be stored? There are software and hardware options; I think hardware is the right move here (to reduce risk of key exfiltration).
- 14:10:49 [Ian]
- ...but there may not be a TPM available on all platforms. We would have to think about a other situations like roaming authenticators or hybrid.
- 14:10:54 [Vincent]
- Vincent has joined #wpwg
- 14:11:02 [Ian]
- present+ Ravi_Shekhar
- 14:11:14 [Vincent]
- present+
- 14:11:17 [Ian]
- stephen: Regarding privacy sharing key cross-origin, there are two consent dialogs.
- 14:11:20 [Gerhard]
- Gerhard has joined #wpwg
- 14:11:32 [nsiskov]
- present+
- 14:11:45 [Ian]
- ...we will do a privacy review but the sense is that this is not adding issues beyond what has already been considered.
- 14:12:16 [Ian]
- stephen: Some other topics are discussed in the FAQ (e.g., whether to offer a single-factor version of SPC where there is no biometric authentication and only the SPC key is used).
- 14:12:37 [Ian]
- ...that's an interesting situation but I'm not proposing it here; one reason has to do with the use of the WebAuthn key to avoid MITM attack.
- 14:12:56 [Ian]
- ...secondly and possibly more importantly, it simplifies the privacy store a lot if we keep close to WebAuthn's privacy bar.
- 14:13:52 [nicktr]
- q+ fahad
- 14:13:52 [Ian]
- ...there's another topic: what if SPK/DPK does get wide interoperable adoption? If so, we have a few options including deprecation of the SPC feature.
- 14:13:59 [nicktr]
- q+ later
- 14:14:33 [Ian]
- ...Ian also had an idea for defining the SPC key in such a way that it could be implemented in different ways (e.g., by browser or WebAuthn SPK).
- 14:15:29 [Hari_PayPal]
- Hari_PayPal has joined #wpwg
- 14:15:36 [Ian]
- ...With respect to Device Bound Session Credentials, there are enough differences between the APIs that they are not really competing; and also their launch timeline would be much later.
- 14:15:36 [Ian]
- q?
- 14:15:51 [Gerhard]
- q+
- 14:16:29 [Ian]
- Stephen: Are we reinventing the wheel with this proposal? Yes, to a certain extent. WebAuthn already addresses a bunch of topics. Our approach here should be to stick close to WebAuthn's experience. We should use the same primitives that they do (e.g,. their signing algorithms and crypto)
- 14:17:19 [Ian]
- Stephen: Regarding device attestation, we've heard requests from the industry (in WebAuthn space) for this. On the Web there are privacy implications revealing device information, and ecosystem issues (barriers to entry for new players due to whitelisting).
- 14:17:35 [Ian]
- ...so at this time I am not proposing doing attestation with this proposal and hope that device binding alone will suffice.
- 14:17:56 [Ian]
- ...please note that at time of writing, there are only two implementations, so attestation is of limited value at this point.
- 14:18:00 [Ian]
- q?
- 14:18:03 [Ian]
- ack nick
- 14:18:29 [nicktr]
- ack fahad
- 14:18:49 [Ian]
- Fahad: When would key be created? And who is the relying party?
- 14:19:09 [Ian]
- stephen: It's created at authentication time using SPC payment method. It's bound to the actual party of the WebAuthn credential.
- 14:19:14 [Ian]
- present+ Juliana_Cafik
- 14:19:28 [nsiskov]
- q+
- 14:19:45 [Ian]
- ...this means that it can be created by a party other than the RP, but only when the RP has said it's ok for 3p to use their credentials.
- 14:20:07 [Ian]
- ...also, this key should not be used on its own, but only (in this proposal) in conjunction with the WebAuthn key.
- 14:20:15 [Ian]
- ...the trust in the user is from the WebAuthn credential.
- 14:20:23 [Ian]
- ..the trust in the device is from this newly minted identifier.
- 14:20:27 [Ian]
- q+
- 14:20:42 [Ian]
- Fahad: In the 3DS context, the issuer would have to register the key the first time they see it.
- 14:21:02 [Ian]
- q+ to ask about relationship to cookes (3p access, persistence)
- 14:21:12 [Ian]
- Stephen: Yes.
- 14:21:24 [Ian]
- s/cookes/cookies
- 14:21:47 [Ian]
- q+ to ask whether 3DS would need to be modified for this
- 14:22:12 [Hari_PayPal]
- Hari_PayPal has joined #wpwg
- 14:22:35 [Ian]
- q+ to suggest device key creation at creation time as well to identify current device
- 14:23:06 [Ian]
- q+ to ask about regulatory satisfaction
- 14:23:14 [Ian]
- ack nick
- 14:23:14 [Zakim]
- nicktr, you wanted to ask about browser profiles
- 14:23:39 [Ian]
- nicktr: My question is specific to Chrome. You can have multiple profiles in a Chrome instance. Are these identifiers bound to the profile?
- 14:23:48 [vasilii]
- vasilii has joined #wpwg
- 14:24:07 [Ian]
- Stephen: I suspect the answer would be one key per profile.
- 14:24:18 [Ian]
- ...Rick points out that these would be clearable keys as well
- 14:24:26 [Ian]
- ...site storage is tied to profile
- 14:24:58 [Ian]
- ...not sure yet where we will handle private browsing mode, but might issue a dummy key
- 14:25:21 [Ian]
- ack Gerh
- 14:25:30 [Ian]
- Gerhard: I like the proposal.
- 14:25:55 [Ian]
- ...I was in a call last week with a financial institution and they were worried about the attestation.
- 14:26:03 [Ian]
- ...just to say that that may still be an issue.
- 14:26:48 [Ian]
- ...what domain would the key be bound to?
- 14:26:59 [JeanLuc]
- +q
- 14:27:02 [Ian]
- Stephen: The identifier would be tied to tuple of the relying party and (possibly) the credential id
- 14:27:05 [JeanLuc]
- q+
- 14:27:31 [Ian]
- Gerhard: So if I have two FIDO keys for an origin, I would get two device keys?
- 14:27:38 [Ian]
- Stephen: Yes, at least to start.
- 14:27:44 [Ian]
- Gerhard: That seems fine as a starting point.
- 14:29:39 [Ian]
- Gerhard: Second topic (Gerhard shows a diagram) could we do the same device attestation and send it directly to the issuer?
- 14:29:52 [Ian]
- ...that would take away a lot of the issue related to merchant MITM attack
- 14:30:33 [Ian]
- Stephen: Yes, that is what FedCM is doing. Usually handled via a .well_known URL. But SPC doesn't do that because the initial proposal involved explicitly the RP not being actively involved in the flow.
- 14:30:48 [Ian]
- ...if the ecosystem has changed, that may open new options.
- 14:31:47 [Ian]
- q?
- 14:32:18 [Ian]
- ack Nshiskov
- 14:32:43 [Ian]
- ack nshiskov
- 14:33:18 [Ian]
- Nakjo: I like the proposal. I'd also like to get a device key at the time of registration.
- 14:33:33 [Ian]
- ..the issuer, while creating the passkey, could use the key and remember it for this device.
- 14:33:47 [Ian]
- ..that would reduce step-ups not he same device
- 14:34:47 [Ian]
- ...I like this proposal as, in some sense, a special cookie that can be exchanged via the merchant without having a direct issuer connection at authentication ime.
- 14:34:53 [Ian]
- s/ime/time
- 14:34:56 [Ian]
- q?
- 14:34:58 [Ian]
- ack ns
- 14:35:06 [Ian]
- ack me
- 14:35:06 [Zakim]
- Ian, you wanted to ask about relationship to cookes (3p access, persistence) and to ask whether 3DS would need to be modified for this and to suggest device key creation at
- 14:35:09 [Zakim]
- ... creation time as well to identify current device and to ask about regulatory satisfaction
- 14:35:21 [nicktr]
- ack ian
- 14:35:35 [nicktr]
- scribe: nicktr
- 14:35:55 [nicktr]
- ian: this would be available in a third party context so better than cookies
- 14:36:17 [nicktr]
- ...it would be good to be relatively long-lived (but still clearable)
- 14:36:38 [nicktr]
- ...if there is another key, do we have to modify 3DS?
- 14:37:01 [nicktr]
- ...I was also going to suggest device key creation at key creation time
- 14:37:19 [nicktr]
- ...do we have a sense of whether this would meet regulatory requirements?
- 14:37:24 [nicktr]
- scribe: ian
- 14:37:31 [Ian]
- ack JeanLuc
- 14:37:37 [Ian]
- zakim, close the queue
- 14:37:37 [Zakim]
- ok, Ian, the speaker queue is closed
- 14:38:06 [ericgroves]
- ericgroves has joined #wpwg
- 14:38:10 [Ian]
- JeanLuc: Thank you for this proposal. It's close to DBSC. Can we trigger the same key outside of SPC authentication?
- 14:38:23 [Ian]
- ...there's a step where the issuer would like to identify the device (as is done with DBSC)
- 14:39:26 [Ian]
- stephen: In the initial proposal, there would not be a way. But we could look at whether the key might be available via DBSC.
- 14:40:15 [Ian]
- JeanLuc: DBSC+CHIPS in an iframe could work. If issuer could use the same SPC key to recognize the device and not trigger step-up that would be nice.
- 14:40:56 [Ian]
- ..note that DBSC also involves a direct connection to a RP; we could imagine the issuer as an endpoint and the issuer could do device recognition.
- 14:41:44 [Ian]
- Stephen: Both Ian and Rick thought DBSC should be characterized as distinct from this SPC proposal; not sure myself.
- 14:42:06 [Ian]
- JeanLuc: One question is how to do key renewal
- 14:42:48 [Ian]
- JeanLuc: The issuer might record a chain of device keys over time. Will the issuer have information about key renewal?
- 14:43:08 [Ian]
- Stephen: I have not contemplated that. We get into concerns, however, about reinventing the wheel.
- 14:43:23 [Ian]
- ...each API has its own way of doing key management.
- 14:44:26 [Ian]
- JeanLuc: Would this work in a custom tab?
- 14:44:30 [Ian]
- Stephen: yes
- 14:44:48 [RRSAgent]
- I have made the request to generate https://www.w3.org/2024/05/23-wpwg-minutes.html Ian
- 14:44:50 [Ian]
- zakim, take up item 3
- 14:44:50 [Zakim]
- agendum 3 -- Web Monetization topic -- taken up [from Ian]
- 14:45:35 [Ian]
- -> https://www.w3.org/2024/Talks/ahb-signed-http-20240523.pdf Adrian Hope-Bailie slides
- 14:46:52 [Ian]
- AdrianHB_: This relates to Web Monetization, being incubated in a CG.
- 14:47:06 [Ian]
- ..it's a declarative API for receiving payments at a Web site
- 14:47:26 [Ian]
- ...an important use cases is very low value payments without user interactions
- 14:48:05 [Ian]
- [Slide shows payment flow]
- 14:48:52 [Ian]
- AdrianHB_: The browser authenticates with signed http requests.
- 14:49:09 [Ian]
- [Current provisioning and transaction flow slide]
- 14:50:58 [Ian]
- AdrianHB_: Key is more of a session key than an authentication key.
- 14:51:34 [Ian]
- [We review different proposals for key management]
- 14:52:33 [Ian]
- [Ian thinks AHB should check out https://github.com/WICG/dbsc/blob/main/README.md ]
- 14:52:59 [Fahad]
- Fahad has joined #wpwg
- 14:53:25 [Fahad]
- Looks like a good use-case fit for DBSC, no?
- 14:54:30 [Ian]
- q+
- 14:54:36 [Ian]
- ack me
- 14:56:14 [Ian]
- ack me
- 14:56:35 [Ian]
- AdrianHB_: DBSC only gets us half way. We want the request signed; not just the challenge.
- 14:56:46 [Ian]
- q?
- 14:56:53 [Gerhard]
- q+ Are you using https://datatracker.ietf.org/doc/rfc9421/
- 14:57:02 [Ian]
- zakim, open the queue
- 14:57:02 [Zakim]
- ok, Ian, the speaker queue is open
- 14:57:06 [Gerhard]
- q+, Are you using https://datatracker.ietf.org/doc/rfc9421/
- 14:57:13 [Ian]
- q+ Gerhard to ask about https://datatracker.ietf.org/doc/rfc9421/
- 14:57:20 [Gerhard]
- q+ to ask Are you using https://datatracker.ietf.org/doc/rfc9421/
- 14:57:20 [Ian]
- ack Gerhard
- 14:57:20 [Zakim]
- Gerhard, you wanted to ask about https://datatracker.ietf.org/doc/rfc9421/">https://datatracker.ietf.org/doc/rfc9421/ and to ask Are you using https://datatracker.ietf.org/doc/rfc9421/
- 14:58:03 [Ian]
- AdrianHB_: We're proposing that, for Web Monetization, the browsers would use that to make calls to the wallet as a way for the browser to identify itself
- 14:58:30 [Ian]
- ...GNAP has a bunch of ways for clients to authenticate themselves; this ties in nicely to the browser-as-client with keys
- 14:58:38 [Ian]
- Gerhard; FedCM does some of this
- 14:58:47 [Ian]
- s/Gerhard;/Gerhard:
- 14:58:56 [RRSAgent]
- I have made the request to generate https://www.w3.org/2024/05/23-wpwg-minutes.html Ian
- 14:59:03 [Ian]
- zakim, close item 1
- 14:59:04 [Zakim]
- agendum 1, SPC and device bindin, closed
- 14:59:04 [Zakim]
- I see 3 items remaining on the agenda; the next one is
- 14:59:04 [Zakim]
- 2. Visa passkeys announcement [from Ian]
- 15:00:15 [Ian]
- Topic: next meeting
- 15:00:17 [Ian]
- 6 June
- 15:00:29 [RRSAgent]
- I have made the request to generate https://www.w3.org/2024/05/23-wpwg-minutes.html Ian
- 15:01:11 [Ian]
- RRSAGENT, set logs public
- 15:01:13 [Ian]
- RRSAGENT, bye
- 15:01:13 [RRSAgent]
- I see no action items