14:55:38 <RRSAgent> RRSAgent has joined #wpwg
14:55:42 <RRSAgent> logging to https://www.w3.org/2023/12/07-wpwg-irc
14:55:43 <Ian> Meeting: Web Payments WG
14:55:56 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20231207
14:56:00 <Ian> Chair: NickTR
14:56:01 <Ian> Scribe: Ian
14:56:10 <Ian> regrets+ Gerhard
14:56:44 <Ian> agenda+ SPC in MDN
14:56:54 <Ian> agenda+ Device-bound session credentials
14:57:00 <Ian> agenda+ Chrome response to SPC feedback
14:57:05 <Ian> agenda+ Next meeting
14:57:40 <Ian> present+
14:58:17 <tomasz> tomasz has joined #wpwg
14:58:54 <Ian> present+ Juliana
15:00:27 <Ian> present+ Arnar_Birgisson
15:00:35 <Ian> present+ Steve_Cole
15:00:41 <Ian> present+ Jeff_Owenson
15:01:09 <Ian> present+ Tomasz
15:01:35 <Ian> present+ Stephen_McGruer
15:01:38 <Ian> present+ Bast
15:02:01 <fahad> fahad has joined #wpwg
15:02:02 <Ian> present+ Tim_Cappalli
15:02:09 <Ian> present+ Doug_Fisher
15:02:13 <Bastien> Bastien has joined #WPWG
15:02:20 <Bastien> Present+
15:02:29 <Ian> present+ Fahad_Saleem
15:02:38 <Ian> present+ Sameer_Tare
15:02:45 <Ian> poresent+ Jean-Michel_Girard
15:02:51 <Ian> present+ Anne_Pouillard
15:02:52 <dfisher> dfisher has joined #wpwg
15:02:56 <Ian> present+ Arman_Aygen
15:03:13 <Ian> present+ Bast
15:03:28 <Anne> Anne has joined #wpwg
15:03:38 <gkok> gkok has joined #wpwg
15:03:54 <Ian> present+ Bastien_Latge
15:04:18 <Ian> Topic: Microsoft Intro
15:04:40 <Ian> Tim: We are newly rejoined; our goals are to catch up to start
15:04:46 <Ian> present+ Arno_Van_Der_Merwe
15:05:04 <Ian> Tim: Juliana has a holistic view ; I will be focused on platform authentication side
15:05:08 <JMGirard> JMGirard has joined #wpwg
15:05:10 <Ian> present+ Jean-Luc_di_Manno
15:05:23 <Ian> Juliana: I have a long history in payments before and at MS
15:05:23 <benoit> benoit has joined #wpwg
15:05:31 <gkok> (@Ian, can you confirm the meeting link? I'm getting a "The meeting has been cancelled or ended" error)
15:05:31 <Ian> present+ David_Benoit
15:06:32 <Ian> zakim, take up item 1
15:06:32 <Zakim> agendum 1 -- SPC in MDN -- taken up [from Ian]
15:06:39 <Ian> present+ Gustavo
15:07:59 <Ian> present+ Sameer
15:08:14 <Ian> zakim, take up item 2
15:08:14 <Zakim> agendum 2 -- Device-bound session credentials -- taken up [from Ian]
15:08:33 <Ian> [Arnar Birgisson, Google]
15:09:01 <Ian> present+ Nick_Telford-Reed
15:09:44 <Ian> Arnar: I work in the WebAuthn space. I also work on how we do things after sign-in. How do we bind session credentials.
15:09:46 <sameert> sameert has joined #wpwg
15:10:08 <Ian> ...Arnar and Kristin Monsen are good people to reach out to
15:10:10 <nicktr> present+ nicktr
15:10:23 <Ian> -> https://github.com/WICG/dbsc/blob/main/README.md DBSC explainer
15:10:32 <Ian> Arnaud: Problem statement is cookie exfiltration.
15:10:51 <Ian> ...malware that has same privs as browser can see cookies
15:11:10 <Ian> ...private keys and challenge/response protocols are seen as a way of improving this.
15:11:35 <Ian> ...question is how to establish and use credentials. The browser offloads the creation and use of private keys to the OS.
15:11:55 <Ian> ...the plan is to use existing TPMs and other mechanisms with a protocol.
15:12:12 <Ian> ...our focus with DBSC is to establish and use credentials (not the creation/storage of private keys)
15:12:30 <Ian> present+ Rolf_Lindemann
15:12:34 <Ian> present+ Praveena
15:12:51 <Ian> s/Arnaud/Arnar
15:13:23 <Ian> Arnar: Why is this difficult? Key protection from malware, deployment and migration, complexity, API and protocol design
15:13:39 <Ian> ...in previous attempts we've seen the deployment part is hard to do -- modifying a bunch of code all at once is difficult.
15:14:14 <Ian> ...in particular, the slowness of underlying key protection means we cannot practically sign every request.
15:14:34 <Ian> ...we are not saying in DBSC how keys are protected (implementation detail)
15:14:51 <Ian> ...what is in scope is to allow in the protocol flexibility for frequency of requiring signatures.
15:15:00 <Ian> ...we also want a protocol that supports improvements over time.
15:15:13 <Ian> Arnar: Regarding the deployment challenge:
15:15:21 <Ian> ...even simple websites can be complex.
15:15:32 <Ian> ...when to require sigs can be part of business work, but lots of work.
15:15:55 <Ian> ... web stacks are complex and auth is cross-cutting. Want the new protocol to be close to the session management happens
15:16:09 <Ian> ...there is also authentication middleware in multiple places, using off the shelf libraries
15:16:30 <Ian> So what's difficult but in scope: a way to get binding without rewriting business logic or migrating stacks.
15:17:09 <Ian> [Overview]
15:17:23 <Ian> * Explicit represents the "session" concept.
15:17:30 <Ian> * New functionality on website is "add-on" not a rewrite.
15:17:37 <Ian> * Periodic key proofs
15:17:42 <Ian> * Browser manages when to send proofs
15:17:51 <Ian> * Browser can HOLD other requests when proof is needed
15:17:59 <Ian> * Reset of the website stays on cookies, but short-lived
15:18:22 <Ian> ...the web site decides the period of key proofs it wants. But the browser decides when to send proofs
15:18:45 <Ian> ...browser queues requests its receives until proofs have been exchanged.
15:18:59 <Ian> ...cookies go from "long-lived" to "short-lived"
15:19:05 <Ian> ....e.g., 10 minutes
15:19:11 <Ian> [Making sessions explicit]
15:19:31 <Ian> Arnar: Today I'll show in JS but session definitions might end up in HTTP headers
15:19:36 <nicktr> q+ to ask if there are UX hints that a "session" is in progress
15:20:07 <nicktr> chair: nicktr
15:20:12 <Ian> Arnar: "Session" does not necessarily mean "user has signed in" though it might happen that way often.
15:20:22 <Ian> ...other use case might be "user adds something to a shopping card."
15:20:24 <Ian> s/card/cart
15:20:49 <Ian> Nick: Is there UX to suggest a secure session is in progress?
15:20:53 <Ian> Arnar: Not in our proposal
15:21:07 <Ian> ...DBSC happens in the background like cookies
15:21:39 <Ian> ...but at the same time, where the user can manage cookies they should be able to manage sessions (e.g., remove them)
15:21:52 <Ian> ...might appear in dev tools, for example.
15:22:00 <nicktr> ack nicktr
15:22:00 <Zakim> nicktr, you wanted to ask if there are UX hints that a "session" is in progress
15:22:17 <Ian> Gustavo: Is it fair to say the browser would not be put to sleep if the user leave browser to another app.
15:22:56 <Ian> Arnar: The session can be active if the browser is off. Sessions does not add anything regarding outreach to servers unless the user is making requests (and thus interacting within the session)
15:23:06 <Ian> q?
15:23:37 <Ian> [diagram of current world where cookies are set, with long-term cookies
15:23:53 <Rolf> Rolf has joined #wpwg
15:24:17 <Ian> Arnar: You typically sign in once and server consults cookies
15:24:49 <Ian> ...with DBSC, the typical flow will involve the user signing in, and the server starting a session.
15:25:10 <Ian> ...the browser will generate keys, talk to the OS, request signatures, etc.
15:25:39 <Ian> ...the browser will reach out to an endpoint (managed by the site's server and involving a new protocol) for binding verifications and short-term credential issuance.
15:25:58 <Ian> ...the design goal is that the web site otherwise works the same and relies on cookies, but those cookies are now valid for only short periods.
15:26:26 <Ian> [Periodic key proofs]
15:27:17 <Ian> (Arnar walks through the protocol showing how a session is initiated, a key pair is generated, and credential request is sent.)
15:27:56 <Ian> Arnar: Site can also provide a set of constraints for what must hold for the session to remain active. Right now the constraints are limited to "these cookies must be present."
15:28:51 <Ian> Arnar: During ordinary site functioning, if the browser encounters an expired cookies, for example, it reaches out to the end point to refresh cookies (and/or get new instructions).
15:28:58 <Ian> ...so the server asks for a challenge (to sign)
15:29:15 <Ian> ...the browser sends the session id that was established when the session was initialized.
15:29:29 <Ian> ...and the browser sends back all the cookies it knows.
15:29:54 <Ian> ...in the browser's second request to the server it sends a JWT signed with a key and the server's challenge to prove it's the same browser
15:30:04 <Ian> ...the server responds with new instances of (short-term) cookies.
15:30:22 <Ian> ...the server can change lifetimes of cookies dynamically (e.g., based on risk analysis)
15:30:52 <Ian> Arnar: There are only session refreshes if new requests are made. The browser doesn't do this on it's own.
15:31:10 <Ian> ...however, there's a latency issue potentially due to outreach to server.
15:32:08 <Ian> ...by default with DBSC, the browser queues requests until the refresh endpoint has replied.
15:33:05 <Ian> ...this reduces server-side effort to migrate to this approach, but it does introduce latency (time to wait for server, do signatures, etc.)
15:33:43 <Ian> ...browsers can make this ALMOST invisible, e.g., by saying "if there have been requests within the last minute, that means the user is active....I'll go talk to the session end point PROACTIVELY to refresh cookies."
15:34:00 <Ian> ...this will help reduce visible latency other than opening the browser the first time.
15:34:02 <JeanLuc> JeanLuc has joined #Wpwg
15:34:12 <Ian> ...also this means that a single refresh can service many cookies
15:34:15 <JeanLuc> Q+
15:34:35 <nicktr>  q+ rolf
15:35:17 <Ian> IJ: How could this be useful for payments?
15:36:10 <Ian> Arnar: This is a fairly low-level tool we are developing. We expect this to be useful in general for many things. There are types of malware and fraud and this could force them to behave differently; the constraints on them will make them more detectable (both on client and server side)
15:36:29 <Ian> ...session exfiltration is often used to reuse stolen cookies to evade detection.
15:37:10 <Ian> ack Je
15:38:06 <Ian> JeanLuc: Thank you for the presentation. If site sets a cookie, does browser refresh?
15:38:09 <Ian> Arnar: Yes.
15:38:45 <Ian> JeanLuc: Is it possible for a server to on demand request if private key is still available?
15:38:58 <Ian> Arnar: We have talked about this a lot: "on-demand signatures." There is a way to get that.
15:39:04 <Ian> ..."I want a signature now."
15:39:19 <Ian> ...the server can force expire the cookie (expiry set to past)
15:39:32 <Ian> ..this will force the browser to hold cookies and do a refresh.
15:39:47 <Ian> ...we also have sketches for other approaches (e.g., HTTP headers)
15:39:54 <Ian> ...we are interested in concrete use cases for that.
15:40:30 <Ian> JeanLuc: I have a concrete 3DS example. The first action the merchant does is called the 3DS Method.
15:41:02 <Ian> ...merchant sends identifier to the bank, and in an iframe the bank performs device recognition. If the bank has access to the broader context, can the bank check to see if the private key is still present?
15:41:13 <Ian> Arnar: This would be a private key tied to the bank?
15:41:17 <Ian> JeanLuc: yes
15:42:06 <Ian> Arnar: It should be possible.
15:42:06 <Ian> q+
15:42:06 <nicktr> q+ to ask about iframe behaviour
15:42:24 <Ian> Arnar: We definitely have more direct ways to do this, with e.g., response headers: "On the next request I want a signature"
15:42:45 <Ian> ...we are wondering whether to include such a feature in the MVP because it might be more complex.
15:43:22 <nicktr> ack Rolf
15:43:28 <Ian> Ian: I suggest JeanLuc reaches out to Arnar.
15:43:41 <Ian> Rolf: The boundary of a web application is more weakly defined than with a web app.
15:43:55 <sameert> +1 to hearing more about the use-case Jean Luc defined for 3ds
15:44:01 <nicktr> s/with a web app/with a native app/
15:44:11 <Ian> ..did you think about conveying the boundary of the web application (e.g., a hash of code) as part of signature back to server so that the server knows whether this is the legit. application?
15:44:24 <Ian> Arnar: We didn't really think about that (the integrity of the web application itself).
15:45:02 <Ian> ...that was not exactly our use case. We were thinking about malware post registration (that steals cookies)
15:45:32 <Ian> Rolf: Integrity check could prevent against malicious javascript.
15:45:44 <Ian> Arnar: That is interesting; we'd have to think about whether this fits in this API.
15:46:30 <Ian> Rolf: This would nicely fit, IMO. And would allow more parity with web applications.
15:46:56 <Ian> Arnar: Cf the Web Environment Integrity Proposal.
15:47:04 <Ian> q?
15:47:53 <Ian> Arnar: Web Env. Integrity was strongly opposed due to DRM concerns.
15:48:27 <Ian> ...we've intentionally left some gaps in DBSC for potential integration with other protocols like DBSC
15:49:44 <Ian> Rolf: Session transfer among devices is increasingly common. How would DBSC work in these transfers, and how would server understand what's happening?
15:50:17 <Ian> Arnar: I think we can get a lot of protection with a simple initial proposal. But there should be extensions possible (e.g., to make it easy to change devices, or to get attestations)
15:50:52 <Ian> Arnar: Session transfer would complicate DBSC.
15:51:04 <Ian> ...we want to confirm basic concept first.
15:51:18 <Ian> Rolf: Looking at the JS API...for malicious JS code it's easy to overload these things.
15:51:29 <Ian> ...code could emulate functionality in a malicious way.
15:51:54 <Ian> Arnar: We will look at the situation of compromised apps...and we'll also talk more about Headers.
15:51:54 <nicktr> ack Ian
15:52:15 <JeanLuc> JeanLuc has joined #Wpwg
15:52:24 <JeanLuc> Q+
15:52:59 <Ian> IJ: Why is this different from previous requests for globally unique identifiers?
15:53:22 <Ian> Arnar: There's nothing you can convey with DBSC that can't already be conveyed. But we need to do more regarding 3p frames.
15:53:50 <Ian> ...there might need to be constraints, like requests in a 3p context won't trigger a refresh.
15:54:11 <nicktr> ack nicktr
15:54:11 <Zakim> nicktr, you wanted to ask about iframe behaviour
15:54:16 <Ian> ack Jean
15:54:26 <nicktr> ack JeanLuc
15:54:32 <Ian> JeanLuc: As long as the platform owns the private key, could this functionality be cross-browser?
15:54:39 <Ian> Arnar: No
15:54:46 <Ian> ...this is scoped like cookies
15:55:14 <Ian> zakim, close this item
15:55:14 <Zakim> agendum 2 closed
15:55:15 <Zakim> I see 3 items remaining on the agenda; the next one is
15:55:15 <Zakim> 1. SPC in MDN [from Ian]
15:55:23 <Ian> zakim, close item 1
15:55:23 <Zakim> agendum 1, SPC in MDN, closed
15:55:24 <Zakim> I see 2 items remaining on the agenda; the next one is
15:55:24 <Zakim> 3. Chrome response to SPC feedback [from Ian]
15:55:25 <Ian> zakim, take up item 3
15:55:26 <Zakim> agendum 3 -- Chrome response to SPC feedback -- taken up [from Ian]
15:55:44 <Ian> smcgruer_[EST]: We can take to 1 February
15:55:50 <Ian> NickTR: Any teaser?
15:56:06 <Ian> smcgruer_[EST]: We hope to have a UX person looking at SPC in Q1. We are definitely looking at that.
15:56:16 <Ian> zakim, close item 3
15:56:16 <Zakim> agendum 3, Chrome response to SPC feedback, closed
15:56:16 <Zakim> I see 1 item remaining on the agenda:
15:56:16 <Zakim> 4. Next meeting [from Ian]
15:56:23 <Ian> zakim, take up item 4
15:56:23 <Zakim> agendum 4 -- Next meeting -- taken up [from Ian]
15:56:23 <Ian> 1 February 2024
15:56:52 <Ian> [Adjourned]
15:56:55 <Ian> RRSAGENT, make minutes
15:56:56 <RRSAgent> I have made the request to generate https://www.w3.org/2023/12/07-wpwg-minutes.html Ian
15:57:02 <Ian> RRSAGENT, set logs public
15:59:17 <Ian> zakim, bye
15:59:17 <Zakim> leaving.  As of this point the attendees have been Ian, Juliana, Arnar_Birgisson, Steve_Cole, Jeff_Owenson, Tomasz, Stephen_McGruer, Bast, Tim_Cappalli, Doug_Fisher, Bastien,
15:59:17 <Zakim> Zakim has left #wpwg
15:59:20 <Zakim> ... Fahad_Saleem, Sameer_Tare, Anne_Pouillard, Arman_Aygen, Bastien_Latge, Arno_Van_Der_Merwe, Jean-Luc_di_Manno, David_Benoit, Gustavo, Nick_Telford-Reed, nicktr, Rolf_Lindemann,
15:59:20 <Zakim> ... Praveena
15:59:22 <Ian> rrsagent, bye
15:59:22 <RRSAgent> I see no action items