[webauthn] SPC Security Analysis (#1584)

cyberphone has just created a new issue for https://github.com/w3c/webauthn:

== SPC Security Analysis  ==
Follow-up to: https://github.com/w3c/webauthn/issues/1579

A current W3C project known as Secure Payment Confirmation (SPC) combines a Browser-resident payment application, FIDO/WebAuthn, and 3D Secure.  This solution has, AFAICT, not been subjected to a peer review regarding security from a _payment system_ point of view.  Since the current specification is close to unreadable (it is a sequence diagram crammed with text), the following analysis may indeed be completely wrong.

Anyway, SPC builds on 3D Secure, which is a separate card-holder authentication step performed _before_ the actual payment request.  Mapped to SPC, I _assume_ that this is how it works:
![3ds](https://user-images.githubusercontent.com/8044211/109784009-e47f5780-7c0a-11eb-85dd-01b6201b753a.png)
ACS is a special purpose FIDO server that verifies assertions (which also contain pieces from the payment request rendered by the built-in payment application).

It seems to me that in SPC as well as all other 3D Secure implementations, the **Merchant** is the actual relying party although of course the **issuer** also _indirectly_ benefits from this.

I'm at a loss understanding what the payment request assertion data adds to the pudding beyond proving WYSIWYS to the **Merchant**.  This departs from most other signature schemes where WYSIWYS is primarily of concern to the "ultimate" relying party.

In theory there could be some kind of correlation between the ACS and the Pay service but that would require a lot of changes and also leaves you with the question: why complicate things with multiple steps?

<hr/>

As a contrast, the system that powers payments in the physical world (EMV) only requires a _single step_ and makes the **Issuer** the sole relying party.  That is, _EMV builds on a true end-2-end security model_.



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1584 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 17 March 2021 05:57:54 UTC