13:52:34 <RRSAgent> RRSAgent has joined #wpwg
13:52:39 <RRSAgent> logging to https://www.w3.org/2024/10/10-wpwg-irc
13:52:40 <Ian> Meeting: Web Payments Working Group
13:52:50 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20241010
13:52:52 <Ian> Chair: NickTR
13:52:55 <Ian> Scribe: Ian
13:52:57 <Ian> present+
13:53:00 <vasilii> vasilii has joined #wpwg
13:53:47 <Ian> agenda+ TPAC recap
13:53:54 <Ian> agenda+ Next steps browser-based key in SPC
13:53:57 <Ian> agenda+ next meeting
13:56:05 <Ian> present+
13:59:55 <Ian> present+ Rouslan_Solomakhin
14:00:08 <Ian> present+ Vasilii_Trofimchuk
14:00:41 <Ian> present+ Steve_Cole
14:01:11 <Ian> present+ Wade_Jensen
14:01:41 <Ian> regrets+ David_Benoit
14:02:06 <Ian> present+ Doug_Fisher
14:02:12 <Ian> present+ Praveena_Subrahmanyam
14:02:18 <Ian> present+ Henna_Kapur
14:02:23 <Ian> present+ Gustavo_Kok
14:04:04 <Ian> present+ Sue_Koomen
14:04:12 <Ian> present+ Nick_Telford-Reed
14:04:28 <Ian> zakim, take up item 1
14:04:28 <Zakim> agendum 1 -- TPAC recap -- taken up [from Ian]
14:05:05 <nicktr> q+
14:05:08 <Ian> ack nick
14:06:18 <Ian> NickTR: I left TPAC the most energized I've been for several years. There's a lot of really exciting progress around authentication. Digital credentials work is interesting. What I was excited to see what real interest and opportunity beyond cards in PIX and UPI and other payment use cases.
14:06:27 <Ian> ...we want architecture to support those and so it was heartening.
14:06:34 <Ian> ...and the WPSIG meeting aligned well with the WPWG work
14:06:47 <Ian> present+ Rogerio_Matsui
14:06:56 <nicktr> q?
14:13:11 <Ian> zakim, close item 1
14:13:11 <Zakim> agendum 1, TPAC recap, closed
14:13:12 <Zakim> I see 2 items remaining on the agenda; the next one is
14:13:12 <Zakim> 2. Next steps browser-based key in SPC [from Ian]
14:13:20 <Ian> zakim, take up item 2
14:13:20 <Zakim> agendum 2 -- Next steps browser-based key in SPC -- taken up [from Ian]
14:14:13 <Ian> Henna: What's the best way to stay close to the digital credentials work?
14:18:25 <smcgruer_[EST]> present+
14:20:42 <nicktr> q?
14:21:38 <dougf> dougf has joined #wpwg
14:23:32 <nicktr> q+ henna
14:23:50 <nicktr> ack henna
14:24:20 <Ian> [Regarding signal that a BBK is not device-bound]
14:25:45 <Ian> Ian: Any updates from Visa re: attestation?
14:25:49 <Ian> Henna: Still working through that.
14:28:21 <nicktr> I found this technical note on attestation very helpful - I don't know if FIDO has changed its position but at least originally, attestation was about describing the model/class of authenticator, not the individual device -> https://fidoalliance.org/fido-technotes-the-truth-about-attestation/
14:29:41 <Ian> Ian: I was wondering whether the attestation might be bound to a group of devices (for privacy reasons) and say "This is a key signed by a device model from me"
14:30:16 <Ian> NickTR: That FIDO article is related to that point; note that it was written prior to growth of platform authenticators.
14:30:43 <Ian> Henna: In general with passkeys now we don't have any attestation. We have expressed concerns about that. That's why attestation around BBK came up.
14:31:13 <Ian> ...there's definitely need for attestation on BBK and need to figure out whether that's possible. We still wonder whether that is sufficient, or what else is needed.
14:31:41 <Ian> ...there would be a certificate telling the RP this is a trustworthy device.
14:31:50 <Ian> ...question is whether that's even possible as a starting point.
14:32:05 <Ian> Rouslan: Not all authenticators support attestation.
14:33:56 <Ian> smcgruer_[EST]: example: android device. At manufacturing time, cert embedded in device that can be chained to a wider scope cert. This establishes a chain of trust back to manufacturer. So at auth time, the device can sign something with the certificate, and the RP can fetch the certificate from Google and gain confidence.
14:34:48 <Ian> ...one question is "what are you actually trying to prove." It's hard to prove that a device is definitely trustworthy. What about case of malware? The TPM might be good but malware may undermine something.
14:34:57 <Ian> ...so it's important to know what the security requirements are.
14:36:22 <Ian> ...not all devices expose TPM attestations (to the best of my knowledge)
14:37:25 <Ian> q?
14:40:22 <Ian> Ian: Anything needed around storage of the BBK?
14:41:28 <Ian> Doug: This is an important topic. It relates to how the BBK is generated. Back to Stephen's comment and malware...we'd like to get a better understanding of how the BBK is stored. Could it be stored outside of the JS environment?
14:41:53 <Ian> ...can it be isolated from any JS layer and stored outside of that "level of the browser"?
14:41:56 <rouslan> q+
14:42:06 <Ian> ack robs
14:42:14 <nicktr> ack rouslan
14:42:26 <Ian> rouslan: From a spec perspective, that's an implementation detail. But from a requirements perspective, yes it would  be isolate.
14:42:33 <Ian> s/isolate/isolated
14:42:49 <Ian> rouslan: There is browser isolation and the guarantees depend on the operating system.
14:46:04 <Ian> Henna: Are you saying that the BBK generation process would be subject to how the browser works with the OS, and that won't be standardized?
14:46:24 <Ian> rouslan: The isolation part may be browser-specific. Depends on the OS.
14:49:03 <Ian> present+ Gerhard
14:49:08 <Ian> present+ Sameer
14:49:14 <Ian> present+ Melissa_Sebastian
14:49:27 <Ian> present+ Kenneth_Diaz
14:50:04 <Ian> rrsagent, make minutes
14:50:06 <RRSAgent> I have made the request to generate https://www.w3.org/2024/10/10-wpwg-minutes.html Ian
14:50:08 <nicktr> zakim, who is here?
14:50:08 <Zakim> Present: Ian, Rouslan_Solomakhin, Vasilii_Trofimchuk, Steve_Cole, Wade_Jensen, Doug_Fisher, Praveena_Subrahmanyam, Henna_Kapur, Gustavo_Kok, Sue_Koomen, Nick_Telford-Reed,
14:50:10 <Zakim> ... Rogerio_Matsui, smcgruer_[EST], Gerhard, Sameer, Melissa_Sebastian, Kenneth_Diaz
14:50:10 <Zakim> On IRC I see dougf, vasilii, RRSAgent, Zakim, canton_, pea1358, dlehn1, jthomas, aki, jets, Ian, tobie_, nicktr, rbyers, hadleybeeman, ljharb, slightlyoff, smcgruer_[EST], rouslan,
14:50:10 <Zakim> ... hober
14:50:19 <Ian> zakim, close item 2
14:50:19 <Zakim> agendum 2, Next steps browser-based key in SPC, closed
14:50:21 <Zakim> I see 1 item remaining on the agenda:
14:50:21 <Zakim> 3. next meeting [from Ian]
14:50:23 <Ian> zakim, take up item 3
14:50:23 <Zakim> agendum 3 -- next meeting -- taken up [from Ian]
14:50:34 <Ian> Next meeting: 24 October
14:51:07 <Ian> NickTR: If you have feedback on TPAC / suggestions let us know!
14:51:22 <Ian> RRSAGENT, make minutes
14:51:24 <RRSAgent> I have made the request to generate https://www.w3.org/2024/10/10-wpwg-minutes.html Ian
14:51:28 <Ian> RRSAGENT, set logs public
15:02:31 <TallTed> TallTed has joined #wpwg
15:04:28 <Ian> RRSAGENT, set logs public
15:39:39 <dlehn> dlehn has joined #wpwg