14:00:46 <RRSAgent> RRSAgent has joined #wpwg
14:00:50 <RRSAgent> logging to https://www.w3.org/2025/03/27-wpwg-irc
14:00:50 <Zakim> Zakim has joined #wpwg
14:00:52 <Ian> Meeting: WPWG meeting
14:00:53 <Ian> Scribe: Ian
14:00:56 <Ian> Chair: Ian
14:01:02 <Ian> regrets+ Henna
14:01:17 <Ian> agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250327
14:01:20 <Ian> present+ NickTR
14:01:29 <Ian> present+ Stephen_McGruer
14:01:41 <Ian> present+ Ioana
14:01:45 <Ian> present+ Rogerio
14:01:48 <Ian> presnet+ Rouslan
14:01:50 <Ian> present+ Fahad
14:02:02 <Ian> present+ Jeff_Owenson
14:02:03 <Ian> present+ Bjorn_Hjelm
14:02:07 <Ian> presnt+ Rene_Leveille
14:02:10 <Ian> present+ Gustavo
14:02:14 <smcgruer_[EST]> present+ Slobodan_Pejic
14:02:32 <Ian> agenda+ SPC matching BBKs
14:02:41 <Ian> agenda+ FYI on pull request to add BBK to SPC
14:02:48 <Ian> agenda+ Charter
14:02:50 <Ian> agenda+ next meeting
14:02:58 <Ian> present+ Jean-Luc
14:03:03 <Ian> present+ Doug_Fisher
14:03:27 <Ian> zakim, take up item 1
14:03:27 <Zakim> agendum 1 -- SPC matching BBKs -- taken up [from Ian]
14:03:28 <JL> JL has joined #WPWG
14:04:06 <Ian> -> https://github.com/w3c/secure-payment-confirmation/issues/271#issuecomment-2748417300
14:04:33 <Ian> Stephen: We've been working on browser-bound keys in BBK. We have a prototype behind a flag. We also now have a pull request for the specification
14:04:42 <Ian> -> https://github.com/w3c/secure-payment-confirmation/pull/286 Pull request 286 to add BBK to SPC
14:05:01 <Ian> ...we think this reflects what was in the issue (271)
14:05:16 <Rene> Rene has joined #wpwg
14:05:17 <Ian> ...one partner raised a topic -- they would like to be able to only trust a set of known BBKs
14:05:32 <Ian> ...they will get a BBK on creation, and that's the one they want to trust
14:05:39 <Ian> ...they want to avoid a double authentication problem.
14:05:48 <Ian> present+ Sameer_Tare
14:06:05 <Ian> ...when second BBK issued, there would likely be another step-up to start to trust the second BBK.
14:06:22 <Ian> ...but then the question is: why do we need passkeys if we are just using single BBKs?
14:06:25 <nicktr> q+
14:06:36 <Ian> ack nicktr
14:06:44 <Ian> q+ nicktr
14:07:48 <Ian> present+ Praveena
14:08:01 <Ian> present+ Laszlo_Gombos
14:09:15 <Ian> Gustavo: The reason we wanted BBK is for device binding. There's no way to know which device it is until the user starts interaction.
14:09:41 <Ian> ...I've talked to banks and I think they've said "if I can't prove to regulators that the user went through some device-binding that I trusted" it wouldn't work for them
14:09:54 <Ian> present+ Sami_Tikkala
14:10:05 <Ian> Gustavo: Banks are using their own banking apps in many cases (rather than OTP)
14:10:23 <Ian> ...when the user does 3DS there's an out-of-band interaction; regulators trust the app approach.
14:10:57 <Ian> Stephen: Understood. The statement here is -- for the second factor we need to have proof of possession of a *known* device (although it might not be the *current* device)
14:11:20 <Ian> q+
14:11:20 <smcgruer_[EST]> q?
14:11:45 <Ian> Gustavo: The BBK binding process might need to go through a banking app they trust.
14:11:59 <Ian> Stephen: we've heard that BBK at passkey creation is acceptable
14:12:06 <benoit> benoit has joined #wpwg
14:12:12 <Ian> ...it's recreation (at authentication) is the challenge
14:12:18 <Ian> ack nick
14:12:33 <Ian> present+ David_Benoit
14:12:58 <Ian> queue=Fahad, Doug, Ian
14:13:35 <Ian> stephen: You can avoid 2 authentications by having a BBK accept list...send user to fallback flow in this case but they won't be authenticated; they will be shunted back for a single step-up
14:13:56 <Ian> ...downside of this is that it makes the passkey useless
14:14:39 <Ian> ack Fahad
14:14:40 <Ian> ack Doug
14:15:07 <Ian> Doug: I want to point out in terms of the second authentication; not every country has SCA. There's value in the BBK when it's generated on a new device.
14:15:26 <Ian> ..the trust that comes into the first BBK is variable. There are other signals that the RP might have including fingerprinting, checking SIM
14:15:42 <Ian> ...if you get a new BBK but it fits into a situation where you've seen the device, you may not need to challenge
14:16:10 <Ian> ...having a fallback ux when there is no match tests poorly
14:16:49 <nicktr> q?
14:16:55 <Ian> ..not sure there's a need for the bbk accept list but if so, option
14:17:03 <nicktr> q+ to ask again about non-ynched passkeys
14:17:54 <Rene> q+
14:18:37 <Ian> ack me
14:18:39 <Ian> ack nick
14:18:39 <Zakim> nicktr, you wanted to ask again about non-ynched passkeys
14:18:56 <Ian> Ian: See also DBSC, trust signals, and other ways to get trust
14:19:09 <Ian> NickTR: Can you say "must use synched passkeys"?
14:19:29 <Ian> Stephen: WebAuthn only allows hints, and platforms are generally synching
14:20:16 <slobodan> slobodan has joined #wpwg
14:20:26 <Ian> ack Rene
14:20:29 <JL> q+
14:20:44 <nicktr> q+ gustavo
14:20:45 <Ian> Rene: I think DBSC would not work in the case of SPC because the cookie is bound to the session of the merchant.
14:20:58 <nicktr> q+ JL
14:21:38 <Ian> Rene: Extensions for either webAuthn or CTAP can be used by any authenticator
14:21:55 <Ian> ...there might be interest in an extension to hint to authenticators to not have a syncable key
14:22:37 <Ian> ...I was going to bring up RPK (relations public key)...finding a signal that would be device-binding-ish where the key is transferred through a proximity signal or it gets signed
14:23:21 <Ian> ...I have a question -- has there been input from platforms here about implementing BBK
14:23:46 <nicktr> q?
14:23:49 <Ian> ack JL
14:23:52 <nicktr> ack JL
14:24:20 <Ian> Jean-Luc: There's a WebAuthn L3 flag on backup-eligibility.
14:24:36 <Ian> ...this flag could send a strong signal whether the RP wants this credential to be synched or not
14:25:10 <Ian> Stephen: I think that's an output property; the authenticator decides the value but there's no way to request a particular value
14:25:55 <Ian> JL: We think DBSC + CHIPS would be useful here; combining SPC with this
14:26:28 <Ian> JL: Regarding the proposal of "BBK accept list" to avoid double authentication; that seems to be the equivalent of registering a new device.
14:27:06 <Ian> ...there's an opportunity to request BBK after step-up
14:27:09 <smcgruer_[EST]> q?
14:27:12 <Ian> ack gu
14:27:13 <Ian> q+
14:27:14 <TallTed> TallTed has joined #wpwg
14:27:23 <smcgruer_[EST]> q+
14:27:51 <Ian> Gustavo: Could a key be created after a 3DS step-up?
14:27:57 <nicktr> q+
14:28:27 <Ian> gustavo: What would experience look like for user when they engage again? Would they have multiple passkeys? How would they know which device is which?
14:29:56 <Ian> Ian: Can we add key after step-up? Or fallback authentication?
14:31:11 <Ian> Stephen: Likely privacy issues ("ah, there was no bbk in this case!")
14:31:37 <Ian> regrets+ Gerhard_Oosthuizen
14:32:22 <Ian> [We discuss in more detail the UX of double SCA situation]
14:33:37 <Ian> Gustavo: 2 SCA is a one-time thing (cf onboarding a card in a payment app and first doing faceid then doing OTP)
14:34:20 <Ian> Fahad: In digital credentials discussions they are looking at this topic of "inline provisioning"; there haven't been privacy issues raised.
14:34:28 <Ian> ...so you could give a provisioning URL if a key does not exist
14:34:47 <Ian> ...and the user completes authentication within that URL and then processing continues depending on the outcome of the process.
14:34:55 <Ian> ...so check out what DC folks are doing.
14:35:37 <Ian> ...second topic - if we get an SPC error (fallback UX) and we do a 3DS call, would you then need to do a second SPC call?
14:35:54 <Ian> Stephen: It feels like if we haven't authenticated the user we can't simply give you a new BBK.
14:36:15 <Ian> ...if you want a passkey with a bbk that you trust, you need to do some sort of WebAuthn before or after you do the step-up authentication. That's the binding.
14:36:17 <nicktr> q?
14:36:20 <Ian> ack me
14:36:21 <Ian> ack smcgruer_[EST]
14:36:47 <Ian> ack ni
14:39:25 <Ian> [Nick walks through his understanding of the flow]
14:39:43 <Ian> q?
14:40:07 <Ian> Nick: Is the objection that there's never a second authentication, then it's broken. But if you can have a step-up once for a new device, then everything's ok.
14:40:44 <Ian> Fahad: You're right that the concern is that on a new device, you'll see the payment sheet and the user will do biometric. Then after that because the device is new, there would be a step-up by the issuer.
14:42:08 <Rene> q+
14:43:09 <JL> q+
14:43:13 <Ian> ack Rene
14:43:39 <Ian> Ian summarizes three things he heard: (1) not a problem at all (2) not likely a common problem (3) inline provisioning
14:43:49 <nicktr> q?
14:43:55 <Ian> Rene: Question is what amount of user friction is acceptable when onboarding a new device?
14:44:33 <Ian> ...do you want to require the user to log into a financial institution after an authentication failed, or do you want to do something with a synched passkey where you will end up doing the re-authentication inline which likely means less friction.
14:44:46 <Ian> ...do you need the user to onboard the device in an app or a 1p context?
14:44:56 <Ian> ..but I think there will be a second authentication regardless.
14:44:59 <Ian> ack JL
14:45:12 <Ian> JL: My understanding is that, to know there's a bbk, we need to go through SPC.
14:45:17 <Ian> Stephen: Correct
14:46:18 <Ian> JL: That means in this case, I would be concerned about whether same factor type (e.g., biometric) used twice; which might not satisfy regulation
14:47:07 <Ian> JL: What about using DC API for second factor?
14:48:04 <Ian> Stephen: relationship with DCI needs to be worked on more; lots of unknowns
14:49:16 <Ian> zakim, take up item 3
14:49:16 <Zakim> agendum 3 -- Charter -- taken up [from Ian]
14:49:28 <Ian> https://www.w3.org/Payments/WG/charter-2025.html
14:52:30 <Ian> present+ Sue_Koomen
14:53:55 <Ian> [Ian reviews changes in charter]
14:54:00 <Ian> Ian: We need a plan to get PR API to Rec.
14:54:13 <Ian> Stephen: We are still interested in the PR API and PH specs; supportive of that work
14:55:15 <nicktr> q+
14:55:43 <Ian> Ian: Please give feedback on charter within 2 weeks
14:55:43 <Ian> ack nick
14:56:04 <Ian> nicktr: Regarding PR API ... WebAuthn use L1, L2, L3 language for versioning
14:56:16 <Ian> ...should we use similar language to provide greater clarity?
14:57:29 <Ian> NickTR: Payments industry may want revision numbers.
14:57:44 <Ian> Stephen: -1 to versioning info
14:57:58 <Ian> ...for WebAuthn, the levels are not really observed by implementers
14:58:04 <Ian> Rene: Levels are additive
14:59:16 <Ian> zakim, next item
14:59:16 <Zakim> agendum 1 -- SPC matching BBKs -- taken up [from Ian]
14:59:22 <Ian> zakim, close item 1
14:59:22 <Zakim> agendum 1, SPC matching BBKs, closed
14:59:23 <Ian> zakim, close item 2
14:59:24 <Zakim> I see 2 items remaining on the agenda; the next one is
14:59:24 <Zakim> 2. FYI on pull request to add BBK to SPC [from Ian]
14:59:24 <Zakim> agendum 2, FYI on pull request to add BBK to SPC, closed
14:59:24 <Zakim> I see 1 item remaining on the agenda:
14:59:24 <Zakim> 4. next meeting [from Ian]
14:59:24 <Ian> zakim, close item 3
14:59:25 <Zakim> agendum 3, Charter, closed
14:59:25 <Zakim> I see 1 item remaining on the agenda:
14:59:25 <Zakim> 4. next meeting [from Ian]
14:59:35 <Ian> zakim, take up item 4
14:59:35 <Zakim> agendum 4 -- next meeting -- taken up [from Ian]
14:59:41 <Ian> Next meeting: 24 April
14:59:47 <Ian> rrsagent, make minutes
14:59:48 <RRSAgent> I have made the request to generate https://www.w3.org/2025/03/27-wpwg-minutes.html Ian
14:59:51 <Ian> rrsagent, set logs public
15:02:44 <Ian> rrsagent, make minutes
15:02:45 <RRSAgent> I have made the request to generate https://www.w3.org/2025/03/27-wpwg-minutes.html Ian
15:07:30 <Ian> rrsagent, set logs public