- From: Slobodan Pejić <notifications@github.com>
- Date: Tue, 20 May 2025 09:18:38 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1097@github.com>
pejic created an issue (w3ctag/design-reviews#1097)
Zdravo TAG!
I'm requesting a TAG review of Browser Bound Keys, a change to Secure Payment Confirmation ([802](https://github.com/w3ctag/design-reviews/issues/802), [763](https://github.com/w3ctag/design-reviews/issues/763), [675](https://github.com/w3ctag/design-reviews/issues/675), [544](https://github.com/w3ctag/design-reviews/issues/544)).
Add device-binding-like capabilities, in the form of browser bound keys (BBKs), to Secure Payment Confirmation without relying on WebAuthn (at either the client or authenticator level).
- Explainer¹: https://github.com/w3c/secure-payment-confirmation/issues/271
- Specification: https://github.com/w3c/secure-payment-confirmation/pull/286, https://github.com/w3c/secure-payment-confirmation/pull/296
- WPT Tests: feasibility depends on whether user agents are permitted to support “software” keys
- User research: none
- Security and Privacy self-review²: https://github.com/w3c/secure-payment-confirmation/pull/297
- GitHub repo: https://github.com/w3c/secure-payment-confirmation
- Primary contacts:
  - Slobodan Pejic (@pejic), Google, Spec Change Editor & Implementor
  - Stephen McGruer (@stephenmcgruer), Google, Spec Editor
- Organization/project driving the specification: Chromium
- This work is being funded by: Google
- Primary standards group developing this feature: Web Payments Working Group
- Group intended to standardize this work:
- Incubation and standards groups that have discussed the design:
  - Web Payments Working Group: E.g. [2025-04-24 Minutes](https://www.w3.org/2025/04/24-wpwg-minutes.html), [2025-05-08 Minutes](https://www.w3.org/2025/05/08-wpwg-minutes.html)
- Multi-stakeholder support³:
  - Chromium comments:
  - Mozilla comments: https://github.com/mozilla/standards-positions/issues/570
  - WebKit comments: https://github.com/WebKit/standards-positions/issues/30
- Major unresolved issues with or opposition to this specification:
  - “Software” key support: https://github.com/w3c/secure-payment-confirmation/issues/288
  - Whether key storage attestation would be included: [2024-10-10 Minutes](https://www.w3.org/2024/10/10-wpwg-minutes)
- Status/issue trackers for implementations⁴: https://chromestatus.com/feature/5106102997614592
Further details:
- [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
- Previous early design review, if any:
  - None for browser bound keys. See above for Secure Payment Confirmation reviews.
- Relevant time constraints or deadlines:
Received on Tuesday, 20 May 2025 16:18:43 UTC