13:57:39 RRSAgent has joined #wpwg
13:57:43 logging to https://www.w3.org/2026/05/07-wpwg-irc
13:57:44 Meeting: Web Payments Working Group
13:58:16 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20260507
13:58:18 Chair: Ian
13:58:22 Scribe: Ian
14:00:14 present+ Jean-Luc_di_Manno
14:00:34 present+ John_Earnshaw
14:00:50 ottomorac has joined #wpwg
14:00:50 slightlyoff has joined #wpwg
14:00:50 nicktr has joined #wpwg
14:00:50 tobie_ has joined #wpwg
14:00:50 dlehn has joined #wpwg
14:00:50 hadleybeeman has joined #wpwg
14:00:50 stephen_mcgruer has joined #wpwg
14:00:50 jthomas has joined #wpwg
14:00:50 vasilii has joined #wpwg
14:00:50 benoit has joined #wpwg
14:00:50 ljharb has joined #wpwg
14:01:37 present+ Bharat_Rathi
14:01:42 present+ Sami_Tikkala
14:01:54 present+ Isaiah_Inuwa
14:02:00 present+ David_Benoit
14:02:25 present+ Arnar
14:02:30 present+ Tim_Cappalli
14:02:34 present+ Otto_Mora
14:02:42 present+ Rogerio_Matsui
14:02:47 present+
14:02:59 present+ Sharanya
14:03:11 present+ Eliza
14:03:22 JL has joined #WPWG
14:03:36 q+
14:03:43 DP has joined #wpwg
14:03:55 Sharanya has joined #wpwg
14:03:57 present+ Garima_Jaiswal
14:04:02 present+ Albert_Schibani
14:04:08 present+ Bjorn_Hjelm
14:04:11 present+
14:04:18 Topic: Credential Manager Trust Group (CMTG) Key
14:04:19 JDE-amex has joined #wpwg
14:04:42 Eli has joined #wpwg
14:05:08 [Arnar introduces himself]
14:05:16 -> https://github.com/w3c/webauthn/blob/main/explainers/credential-manager-trust-group-key.md Credential Manager Trust Group (CMTG) Key Explainer
14:05:31 present+ Nick_Telford-Reed
14:05:32 Albert has joined #wpwg
14:05:47 Arnar: This is a WebAuthn extension.
14:06:14 Arnar: We've been discussing trust signals for passkeys in FIDO.
14:06:52 ...passkeys are generally synched, and so there have been discussions about how to get back some of the "properties of security keys"
14:06:56 present+ John_Bradley
14:07:39 Arnar: Some threat model questions: What if the sync fabric is compromised? What if password managers are malicious? What about use cases where sync is required? Those scenarios are out of scope.
14:08:08 ...but there is an in-scope threat for this discussion: what if the place you get the passkey from is phishable?
14:08:30 present+ Praveena
14:08:56 Arnar: So we are interested in addressing phishability of the password manager.
14:09:17 iinuwa has joined #wpwg
14:10:15 present+ Henna
14:11:11 Arnar: The goal is to signal when the passkey manager takes steps to protect against phishing.
14:11:34 ...there are some limitations (e.g., can't require unphishable login every time)
14:12:12 ...proved absence of a phisher is not a property of one sign-in
14:13:36 ...it is nearly impossible for a password manager to convey the "goodness of a device", and what constitutes "good" is very RP-specific.
14:14:16 ...there are no good ways to attest on large platforms what software an attestation is coming from
14:14:32 ...so our project is not to convey "the trust of a device"
14:14:50 ...the project is, instead, to tell a relying party when one session is "unphishably related" to another.
14:15:48 ...a password manager can tell an RP that a device is related to a device that has been accessed in an unphishable manner
14:16:26 ...at .create() or .get(), an extra public key, the CMTGK, is returned in the result.
14:16:36 ...it will be used to sign the same challenge
14:17:53 [Arnar shows an example of how devices become part of a trust group, represented by a trust group key]
14:18:41 Arnar: Trust groups can grow over time (even when a device was originally part of a different trust group).
14:20:17 Arnar: Password managers make sure devices only have the keys they are supposed to have.
14:21:49 [Arnar talks about what admissible signals are to become part of a trust group]
14:22:17 Arnar: This is deliberately not defined in a W3C proposal. It is likely that FIDO will set guidelines.
14:22:48 Strawman:
14:22:55 - Provider verified proximity of devices
14:23:07 - Provider used the same strong physical factor on two devices (e.g., security key)
14:23:20 - Provider verified a strong phishing-resistant external factor (e.g., phone number)
14:23:58 Arnar: CTAP/Hybrid can be used for the proximity signal.
14:24:06 ...OSes offer other ways as well
14:25:15 Arnar: There are phone number verification mechanisms other than OTP.
14:26:34 John_Earnshaw: Can the "type of signal" be transmitted to the RP?
14:26:38 Arnar: Most likely not.
14:26:55 ...the more you tell the website, the harder the privacy aspect.
14:27:38 ...a second reason: people worry a lot that if you give a lot of control you will have a lot of inconsistent adoption at the scale of the web
14:28:56 q-
14:28:58 John_Bradley: A way to think about this is that it raises the bar for the general community.
14:30:05 John_Bradley: Without attestation you are relying on good behavior of providers.
14:30:13 ...I should note that at the moment the general case in WebAuthn will require the RP to always ask for attestation so it can know if it is a single-device authenticator like Windows Hello, or a security key that will not be providing CMTG keys on authentication
14:30:56 ...you need to know during registration that it was a single-device credential so you know not to expect signals on authentication.
14:31:12 ...I would say this is voluntary probabilistic protection, not deterministic.
14:31:39 Arnar: Agree that this does not protect against malicious password providers.
14:32:19 Tim: If a security requirement is met by the default ecosystem, you need to provide special tools.
14:32:50 Albert: How should we think about CMTG related to BBKs?
14:33:07 Arnar: I think they are complementary.
14:33:26 ...the CMTG is bound to the provider
14:35:09 Ian: I think that CMTG could be used to say "I trust this device so I'll trust this new BBK."
14:35:26 Arnar: There's a class of RPs and use cases that need "device-bound proof"
14:35:48 ...but we also think there's a large class of RPs (e.g., online services generally)
14:36:24 ...where the "new phone" scenario with a trust key will likely not lead to step-up
14:37:03 Jean-Luc: I hear the primary objective is to give the RP a signal that a device belongs to a trust group.
14:37:49 ...are there additional security requirements for passkey managers? That might give more signals about the device itself.
14:38:22 Arnar: A password manager can choose to not make itself available on some kinds of device (e.g., TVs).
14:38:40 present+ Sue_Koomen
14:38:50 present+ Takashi_Minamii
14:39:10 Tim: We are thinking about ways to convey "basic compliance"
14:39:17 ...e.g., spec compliance
14:39:29 ...we've started those conversations
14:40:03 John_Bradley: The problem is that, depending on the passkey provider deployment model, they may not be able to tell whether it's their actual passkey provider they are synching to (e.g., due to browser extensions).
14:40:11 ...you are basically getting a "best effort" approach
14:40:16 ...but not an absolute guarantee
14:41:10 naive question: Can the RP require device-bound passkeys? Like I do not necessarily trust Bitwarden to hold my passkeys, so I would rather make sure this is a hw-bound type one.
14:41:29 Otto: Can an RP require non-synched passkeys?
14:42:02 Tim: You can ask for one but may not get one.
14:42:14 ...you can't in practice ask for one.
14:43:43 Dan: Is password manager step-up per transaction?
14:43:48 Arnar: No, once per device.
14:44:40 JB: And all the passkeys on the device can get upgraded to a trust group in the same step-up.
14:46:00 Topic: Chrome SPC support update
14:46:24 stephen_mcgruer: BBK feature detection landed in Chrome 148, which started to stable on 5.
14:46:32 ...so by next Tuesday or Wednesday it should be available to all users.
14:46:38 https://chromiumdash.appspot.com/schedule as always
14:47:27 Topic: Roaming authenticators and SPC
14:48:34 Bjorn: One requirement is that SPC should follow the WebAuthn flow for identifying authenticators to be used.
14:49:09 ...consistent CTAP PUAT should be supported
14:49:54 https://github.com/w3c/secure-payment-confirmation/issues/12
14:51:13 ACTION: Bjorn to add requirements to issue 12 for future WG discussion
14:51:24 Topic: BBK questions and answers
14:51:56 https://github.com/w3c/secure-payment-confirmation/issues/321#issuecomment-4374638224
14:52:43 ottomorac has changed the topic to: DID WG Agenda 2026-05-07 https://lists.w3.org/Archives/Public/public-did-wg/2026May/0003.html
14:52:50 sorry
14:52:53 wrong group
14:54:26 John_Bradley: What about Chrome custom tabs?
14:54:52 ..."can't be used for web views" might be the right answer, but maybe Chrome custom tabs needs another reply
14:56:19 John: We should also say explicitly "Chrome custom tabs"
14:56:42 ...some of those things like custom tabs DO share cookies. So it's not impossible, but we should make sure that the policy is not misunderstood.
14:56:59 Ian: How does it work today?
14:57:19 Stephen: I suspect you will get the same BBK as the Chrome app that is backing the custom tab.
14:57:29 ...custom tabs are not part of the application that calls them.
14:57:54 ...from a UX perspective, it's visually embedded, but it is fully isolated from the calling app (which is different from the web view scenario)
14:59:33 stephen: A custom tab is an instance of an "installed browser program".
15:00:27 RRSAGENT, make minutes
15:00:28 I have made the request to generate https://www.w3.org/2026/05/07-wpwg-minutes.html Ian
15:00:34 RRSAGENT, set logs public
15:00:59 John_B: Apple has a thing similar to custom tabs.
15:01:06 Topic: next call
15:01:09 21 May
15:01:41 RRSAGENT, make minutes
15:01:43 I have made the request to generate https://www.w3.org/2026/05/07-wpwg-minutes.html Ian
15:01:52 RRSAGENT, set logs public
15:01:56 TallTed has joined #wpwg
15:02:31 Ian has changed the topic to: Web Payments Working Group
15:18:14 ottomorac has left #wpwg
16:43:59 Zakim has left #wpwg