14:52:40 RRSAgent has joined #wpwg
14:52:44 logging to https://www.w3.org/2024/12/05-wpwg-irc
14:52:47 Meeting: Web Payments Working Group
14:53:04 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20241205
14:53:05 Chair: Ian
14:53:08 Scribe: Ian
14:53:10 Regrets+ NickTR
14:53:13 present+
14:54:41 agenda+ Browser-based key in SPC next steps
14:55:13 present+ Payment request question about camera access in handler
14:55:23 present- Payment request question about camera access in handler
14:55:29 agenda+ Payment request question about camera access in handler
14:55:31 agenda+ Next meeting
14:55:52 I have made the request to generate https://www.w3.org/2024/12/05-wpwg-minutes.html Ian
15:00:15 present+ Jean-Luc
15:00:32 present+ Rogerio_Matsui
15:01:07 present+ Rouslan_Solomakhin
15:01:13 present+ Gerhard_Oosthuizen
15:02:19 present+ Steve_Cole
15:03:05 present+ Slobodan
15:03:33 present+ Sami_Tikkala
15:03:54 present+ Vasilii_Trofimchuk
15:04:04 present+ Bjorn_Hjelm
15:04:40 present+ Henna_Kapur
15:04:52 regrets+ Stephen_McGruer
15:04:59 zakim, take up item1
15:04:59 agendum 1 -- Browser-based key in SPC next steps -- taken up [from Ian]
15:05:24 (Slobodan Pejic presents)
15:05:40 present+ Jorge_Vargas
15:05:54 present+ Gregoire_Leleux
15:06:07 sami has joined #wpwg
15:06:16 vasilii has joined #wpwg
15:06:20 Slobodan: We plan to augment the payment extension in WebAuthn to communicate the BBK.
15:06:36 present+ Doug_Fisher
15:06:40 present+ Praveena
15:07:25 Slobodan: Some development work is happening in Canary that has not quite landed but should be available soon, to get a signature in Canary behind a flag.
15:07:41 present+ Nakjo_Shishkov
15:07:45 Ian: Any surprises?
15:08:08 Slobodan: Initially we thought we would have multiple signatures, but we will only have one.
15:08:30 ...we had thought about algorithm transitions and thought about cross-signing, but that's rare.
15:09:04 present+ Sue_Koomen
15:09:15 JeanLuc has joined #WPWG
15:09:23 Doug: Thanks for the update... I didn't quite understand the bullet point on registration.
15:09:28 present+ Gustavo_Kok
15:10:02 Slobodan: When we generate a passkey in a 1p context, it's a different context from the assertion. The browser-bound signature should be available when the passkey is created.
15:10:24 ...the info would be in the client extension outputs.
15:10:46 Ian: Anything changed in the UX?
15:12:04 Slobodan: I don't have details there.
15:12:24 Ian: Are keys always created?
15:12:37 Slobodan: Yes, if the payment extension is set. And it may depend on availability of platform support.
15:13:50 Ian: Any updates on attestation?
15:14:22 Henna: We wanted to go back to check on the threat model. The general concern is that when the device-bound key is created, is there a way for it to come directly from the platform (rather than the browser)?
15:15:10 q+
15:15:25 Slobodan: Attestation in any case will not be part of the first build.
15:15:27 ack Je
15:15:35 JeanLuc: How is the lifecycle of the BBK managed?
15:15:54 (See our requirements doc https://github.com/w3c/secure-payment-confirmation/blob/main/bbk-requirements.md )
15:16:20 Slobodan: We have some options on this.
15:16:37 ...e.g., we might delete and recreate a key if the signing algorithm changes
15:16:41 ...and treat it as a new key.
15:17:06 Jean-Luc: If you create a new BBK for a credential, is there a way to keep a trace of the previous one for the purpose of chaining?
15:17:17 Rouslan: That won't work, for example, if the user has multiple devices.
15:17:34 ...regarding the user's ability to delete the BBK, the user can do things like "clear browser data" and that should clear the keys.
15:17:42 ...switching profiles should also work.
15:18:06 present+ Sharanya
15:18:40 Ian: Any questions for the group that would be helpful?
15:19:01 Rouslan: The general question is whether doing this will satisfy device-binding requirements for the industry.
15:19:15 ...we're trying to provide an approach to bind a key to at most one device.
15:19:30 ...what in the industry would need to change to accommodate this new key (e.g., in 3DS)?
15:20:22 Gerhard: I think there's a mandate that something like dynamic linking must be done. If the device-bound key is used to sign a payload, I think the requirement will be met.
15:20:58 Doug: From a 3DS side we'll be reviewing this and confirming this; I think it's not likely necessary since this is being done as an extension.
15:21:24 Doug: I assume the key is being created by the browser. Could it be created in the browser in a way that is protected from the JS layer?
15:21:31 Rouslan: Yes, it's protected from the JS layer.
15:22:12 Gerhard: Is the device-bound key merchant-bound?
15:23:24 (Ian reads from the BBK requirements doc about BBK in incognito mode)
15:23:29 Slobodan: That still resonates for me.
15:23:49 Gerhard: +1 to being able to use it in incognito mode.
15:24:13 Slobodan: Regarding cross-origin access, the key will be available cross-origin.
15:24:41 Gerhard: How complex would it be to add this concept to a payment handler, to complement other payment mechanisms?
15:26:13 ...I'm talking with industry players who could be interested in a BBK for payment handlers themselves.
15:26:50 q+
15:27:06 present+
15:27:10 apologies for being late
15:27:15 Ian: Different context than SPC, so we should separate that discussion.
15:27:36 Jean-Luc: How would the signal about the device-binding mechanism be reflected?
15:28:01 Slobodan: That is not currently in the proposal because it may overlap with the attestation discussion.
15:28:37 Ian: Would you expect a first signal in the first release?
15:29:13 Jean-Luc: For financial information, this information is very important.
15:29:37 Slobodan: I can take that as feedback. So far the initial proposal does not include that.
15:29:56 present+ sgothoskar
15:30:58 Henna: Regarding usefulness to industry, I think yes.
...if we can prove that the key is coming from a TPM and bound to a device, it should be ok.
15:32:46 q+
15:33:01 ack Jean
15:33:19 Jean-Luc: I see synergies with DBSC. Is this key isolated from other initiatives?
15:35:13 IJ: Keys should not be reused (due to expectations) but could be used together in deployments.
15:35:48 Doug: When might this be available for testing?
15:36:11 Slobodan: "Early Q1" in Canary behind a flag is my estimate.
15:37:11 zakim, next item
15:37:11 agendum 2 -- Payment request question about camera access in handler -- taken up [from Ian]
15:37:23 -> https://github.com/w3c/payment-handler/issues/420
15:38:15 Ian: Limitations today may mean you can't do facial recognition in a payment handler. That's the issue that was raised.
15:38:35 rouslan: We've not received feature requests from primary partners.
15:38:55 ...if there are partners who want to use payment handlers and want to experiment with this, please let us know.
15:39:30 Ian: Gerhard, is that interesting to the people you're talking to?
15:39:45 Gerhard: Absolutely. Selfie identification in a payment handler would be an important capability.
15:39:59 ...would it be a disqualifying thing if we can't? Probably not. But it would help.
15:40:14 ...the reason I'm looking into payment handlers relates to FIDO adoption in the banking industry.
15:40:26 ...so being able to use a camera for other types of authentication is important.
15:41:26 topic: AOB?
15:41:31 zakim, next item
15:41:31 agendum 3 -- Next meeting -- taken up [from Ian]
15:41:46 Gerhard: I will be presenting on payment fraud at the Antifraud CG on Friday at noon ET.
15:42:03 -> https://www.w3.org/events/meetings/968e3a71-9184-4349-89c9-259ade3352a3/
15:42:03 Antifraud meeting info
15:42:43 16 January 2025
15:43:12 RRSAGENT, make minutes
15:43:13 I have made the request to generate https://www.w3.org/2024/12/05-wpwg-minutes.html Ian
15:43:15 RRSAGENT, set logs public
16:27:42 rrsagent, set logs public
16:27:46 rrsagent, bye
16:27:46 I see no action items