
Creation of BBK requirements document #277

Merged (4 commits, Nov 11, 2024)

Conversation

@ianbjacobs (Collaborator) commented Oct 29, 2024

This is a first draft resulting from discussions within the Web Payment Security IG (during TPAC) and the 10 October 2024 WPWG meeting.

This proposal is intended to inform discussion of #271.

@rsolomakhin (Collaborator) commented:

/cc @pejic

@rsolomakhin (Collaborator) left a review comment:

Looks good, thank you!

@ianbjacobs ianbjacobs merged commit 2ad7194 into main Nov 11, 2024
3 checks passed
github-actions bot added a commit that referenced this pull request Nov 11, 2024
SHA: 2ad7194
Reason: push, by ianbjacobs

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@stephenmcgruer (Collaborator) left a review comment:

Apologies for the late review. LGTM, but with one comment that may be worth addressing for clarity. (There were a few other comments that I decided not to give as they are not significant and not worth follow-up.)


Secure Payment Confirmation provides a convenient "sign what you see" experience for a user to agree to the terms and conditions of a transaction, and where Web Authentication is used to generate cryptographic evidence of the user's agreement.

The payments industry has indicated that SPC would further benefit from a device binding capability. As WebAuthn passkeys can now be synced, it can be argued that they no longer meet strict 2FA requirements (being no longer a signal of device possession), and so SPC (like WebAuthn) is reduced to a single factor (biometric or possession, depending on the authentication method used).
Collaborator comment on the quoted line:

"reduced to a single factor (biometric or possession, depending on the authentication method used)."

In what case can SPC/WebAuthn still provide possession, given syncing? Was this meant to read "biometric or knowledge" ?

@ianbjacobs (Collaborator, Author) replied:

Yep, that was a bug. I've fixed it in the merged version. Thank you!
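The factor-counting argument in the quoted passage, as an added example (not code from the PR or from the SPC documents): a relying party parses the authenticatorData of a WebAuthn assertion and treats a backup-eligible (synced) credential as evidence of user verification only, not of device possession. The RP ID, helper names and sample data are constructed assumptions; the 37-byte prefix layout and the UP/UV/BE/BS flag bits follow the WebAuthn Level 3 authenticator-data definition.

```python
# Added example (not from the PR or the SPC documents): relying-party-side check
# of which factors a WebAuthn assertion actually evidences. Assumes the
# WebAuthn Level 3 authenticatorData prefix: rpIdHash (32 bytes), flags (1 byte),
# signCount (4 bytes, big-endian); flag bits UP=0x01, UV=0x04, BE=0x08, BS=0x10.
import hashlib
import struct

FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),  # credential may be synced
        "backed_up": bool(flags & FLAG_BS),        # currently synced
        "sign_count": sign_count,
    }


def evidenced_factors(auth_data: bytes, expected_rp_id: str) -> set:
    """Factors a relying party can infer from one assertion.

    A backup-eligible (synced) credential may be present on any of the user's
    devices, so it is not counted as proof of possessing a particular device.
    UV proves the authenticator verified the user, but the RP cannot tell
    whether that was a biometric (inherence) or a PIN/password (knowledge).
    """
    fields = parse_authenticator_data(auth_data)
    if fields["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    factors = set()
    if fields["user_verified"]:
        factors.add("inherence-or-knowledge")
    if not fields["backup_eligible"]:
        factors.add("possession")
    return factors


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData (no attested credential/extensions)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
```

A synced credential with UV set yields only one factor, which is the situation the quoted passage describes; a non-synced credential with UV yields two.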
