14:56:58 <RRSAgent> RRSAgent has joined #wpwg
14:57:03 <RRSAgent> logging to https://www.w3.org/2024/11/07-wpwg-irc
14:57:03 <Ian> Meeting: Web Payments Working Group
14:57:15 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20241107
14:57:17 <Ian> Chair: NickTR
14:57:21 <Ian> Scribe: Ian
14:57:27 <RRSAgent> I have made the request to generate https://www.w3.org/2024/11/07-wpwg-minutes.html Ian
14:58:04 <Ian> present+
14:58:08 <Ian> present+ Zane_Durkin
14:59:42 <Ian> present+ Rouslan_Solomakhin
14:59:58 <Ian> present+ Sami_Tikkala
15:00:09 <Ian> present+ Kenneth_Diaz
15:00:49 <Ian> present+ Ravi_Shekhar
15:00:58 <Sami> Sami has joined #wpwg
15:00:59 <durkinza> durkinza has joined #wpwg
15:01:13 <kenneth_entersekt> kenneth_entersekt has joined #wpwg
15:01:29 <Ian> present+ Vasilii_Trofimchuk
15:01:35 <Ian> present+ Grégoire_Leleux
15:01:41 <Ian> present+ Bjorn_Hjelm
15:01:44 <Ian> present+ Doug_Fisher
15:01:51 <Ian> present+ Nick_Telford-Reed
15:02:02 <Ian> present+ Rogerio_Matsui
15:02:06 <Ian> present+ Gustavo_Kok
15:02:10 <Gregoire> Gregoire has joined #wpwg
15:03:48 <Ian> present+ Stephen_McGruer
15:04:10 <Ian> Topic: Introductions
15:04:31 <Ian> [Zane Durkin]
15:04:34 <Ian> present+ Gerhard_Entersekt
15:04:49 <Ian> present+ Fahad_Saleem
15:05:10 <Ian> present+ Jorge_Vargas
15:05:23 <Ian> Topic: Browser-based key in SPC next steps
15:05:35 <Ian> -> https://github.com/w3c/secure-payment-confirmation/pull/277 Pull request for security requirements
15:05:46 <Ian> present+ Sue
15:05:53 <Ian> -> https://github.com/w3c/secure-payment-confirmation/issues/271 Original proposal
15:05:57 <Doug_f> Doug_f has joined #wpwg
15:05:59 <Fahad> Fahad has joined #wpwg
15:06:11 <jpm-block> jpm-block has joined #wpwg
15:07:09 <Ian> present+ Juan-Pablo_Marzetti
15:07:30 <Sue> Sue has joined #wpwg
15:07:50 <Ian> present+ Yannick
15:08:20 <Sue> present+
15:09:11 <nicktr> scribe: nicktr
15:09:25 <nicktr> ian explains document
15:10:46 <Yann> Yann has joined #wpwg
15:13:03 <nicktr> ian: the device binding text was inspired by an EBA supplemental note
15:13:23 <nicktr> ...so that it might be appropriate for regulatory compliance
15:14:15 <nicktr> ...and noting that "no device binding" may still be a helpful signal
15:15:49 <nicktr> ...the private browsing mode is aligned to the webauthn behaviour
15:17:10 <nicktr> ...and also noting explicit reliance on the underlying FIDO security assumptions -> https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.html#fido-security-assumptions
15:17:32 <Ian> ------
15:17:33 <Ian> Parties that call SPC directly need to trust the user environment to a certain degree, consistent with the FIDO threat model.
15:17:33 <Ian> However, in a delegated authentication scenario (e.g., when the merchant or their payment service provider conducts the SPC
15:17:33 <Ian> registration), additional security measures are necessary so that other parties (e.g., the bank or network) can trust that the
15:17:34 <Ian> authentication took place on a user device and was not spoofed (e.g., through a cloud service). An attestation from
15:17:39 <Ian> secure hardware can provide additional confidence about the context of the user’s authentication.
15:18:43 <smcgruer_[EST]> q+
15:19:35 <Ian> ack smcgruer_[EST]
15:20:15 <Ian> smcgruer_[EST]: My belief was that the fact that we are relying on web authn defeats that particular concern. Even in the delegated model, the RP created the passkey in the first place.
15:20:34 <nicktr> scribenick: ian
15:20:59 <Ian> Ian: In my scenario, the passkey is owned by the merchant.
15:21:17 <Ian> smcgruer_[EST]: Ah ok, if you don't trust your merchant than something might need to be done.
15:21:40 <Ian> ...but couldn't the merchant just proxy this to a device like a  particular device?
15:22:22 <Ian> ...let's say a malicious merchant decides to "register a passkey" for Stephen, but I just use a fleet of real devices.
15:22:33 <Ian> ...I register a passkey for "Stephen" on device 700
15:22:39 <Ian> ..here's a real attestation for device 700
15:22:55 <Ian> Fahad: That might be possible.
15:23:37 <Ian> Gerhard: Some ID&V would happen before this.
15:24:49 <Ian> ...fundamentally, because no platforms do attestation, why would you need a bank of phones? If the binding is malicious there's know way to know it was FIDO in the first place.
15:24:59 <Ian> ..if it's broken at the start, it's broken forever.
15:25:19 <Ian> smcgruer_[EST]: Agree that if there's no attestation for the passkey site, then they could just as easily do it in web crypto
15:25:31 <smcgruer_[EST]> s/site/side
15:26:41 <SameerT> SameerT has joined #wpwg
15:26:50 <SameerT> present+
15:27:06 <Ian> smcgruer_[EST]: To defeat a substitution attack, you would need a strong identifier as the RP.
15:27:23 <Ian> nicktr: Attestation would only give device class, not individual device.
15:28:02 <Ian> Gerhard: I am intrigued the the FedCM model where two parties are in place. Could Chrome send a message to the bank (assuming they are the RP) saying "here's the reference, I'm on this device."
15:29:34 <Ian> smcgruer_[EST]: As long as the issuer were involved in a 1p moment with the customer on this device (e.g., the issuer drops a cookie) and later the browser talks to the issuer, the issuer could check whether there's a cookie...you might e able to provide enough assurances.
15:29:38 <Ian> ...but is this in our threat model.
15:29:57 <nicktr> q?
15:33:50 <Ian> Nick: I had always anticipated that there would always be an interaction between user and issuer at time of credential creation
15:35:35 <SameerT> q+
15:35:52 <Ian> Ian: SPC does not require a first party interaction (in delegation scenario)
15:35:55 <Ian> ack SameerT
15:36:45 <Ian> Nick: Credential is created on a challenge screen; that's when initial registration of authentication credential takes place.
15:39:59 <nicktr> q?
15:40:20 <Ian> Ian: Can we move forward with the "other pieces" or do we need to wait for attestation requirements?
15:40:47 <Ian> Gerhard: Maybe we could put something out first to get learnings and add other bits based on fraud we detect.
15:41:16 <Ian> NickTR: I think we need to hear from the schemes and issuers about whether this would work for them or not
15:42:30 <smcgruer_[EST]> q+
15:42:37 <Ian> ack smcgruer_[EST]
15:42:50 <Ian> smcgruer_[EST]: We have someone who has started work on this.
15:43:28 <Fahad> q+
15:43:37 <Ian> ack farad
15:43:47 <Ian> fahad: Can we discuss details about how this would work?
15:44:02 <D_fisher> D_fisher has joined #wpwg
15:44:05 <Ian> ...for example, will BBK be created at WebAuthn registration time?
15:44:40 <Ian> ...from our perspective we would strongly prefer BBK creation at WebAuthn registration time after an ID&V.
15:45:08 <Ian> ...for us to trust seeing a new BBK at authentication time, we'd need to do another ID&V
15:46:09 <Ian> smcgruer_[EST]: The WebAuthn folks do not like the idea of one-passkey-per-instrument; just note that...they think of passkeys as per-account.
15:46:24 <Ian> ...we are amenable to creating the BBK at WebAuthn creation time.
15:46:37 <Ian> ...however, for synched passkey you will still want a BBK on the new device.
15:48:51 <SameerT> RPs can consider a registration and re-auth (without existing BBK) to be the same event. The BBK framework could do the same
15:49:39 <Gregoire> agreed with Ian
15:49:39 <Ian> Gustavo: We have heard from banks that step up on new device is ok UX.
15:50:03 <Ian> ..also, if you get a new device, cards can be ported to the new device, but you still need to do ID&V to the bank before you can start using the card.
15:50:07 <Ian> ....new token generation
15:50:39 <Ian> Fahad: Yes, we expect that for a new device, step up is ok
15:51:13 <Ian> ACTION: Ian to add a UX expectation that an ID&V at time of creation of BBK on a new device is ok UX
15:52:25 <nicktr> q+
15:52:33 <Ian> ack Fahad
15:53:08 <Ian> smcgruer_[EST]: We will see whether "on registration" generation of BBK is in the plan
15:54:12 <Ian> smcgruer_[EST]: I have a more fundamental question -- should we not be doing synched passkeys at all because they are not compatible with payments expectations?
15:54:17 <Ian> NickTR: FIDO allows for both types.
15:54:54 <Ian> smcgruer_[EST]: FIDO says that, but the platform authenticators always sync.
15:54:58 <Ian> ack Ger
15:55:01 <Ian> ack nick
15:55:02 <smcgruer_[EST]> s/the/some
15:55:14 <Ian> s/the platform/some platform/
15:55:25 <Ian> q+
15:55:45 <Ian> Gerhard: I think we can help by creating low-friction experience sooner.
15:56:07 <Ian> ack me
15:56:48 <Sami> Sami has joined #wpwg
15:56:57 <Ian> present+ Steve_Cole
15:57:04 <Sami> present+
15:57:20 <Sue> Stephen - correct....BE= Back up Eligible, BS= back up supported.
15:57:50 <Ian> Ian: Would it be useful if BBK only used when passkey is synched?
15:57:54 <Ian> smcgruer_[EST]: probably not
15:58:02 <Ian> q?
15:59:25 <nicktr> This is the camera issue -> https://github.com/w3c/payment-request/issues/1039
15:59:30 <Ian> Topic: next meeting
15:59:38 <Ian> 5 December
15:59:54 <Ian> RRSAGENT, make minutes
15:59:55 <RRSAgent> I have made the request to generate https://www.w3.org/2024/11/07-wpwg-minutes.html Ian
16:58:24 <TallTed> TallTed has joined #wpwg
18:03:56 <Zakim> Zakim has left #wpwg
19:13:28 <bkardell_> bkardell_ has joined #wpwg