#763: Secure Payment Confirmation (heading to Candidate Recommendation)

Visit on Github.

Opened Aug 12, 2022

Wotcher TAG!

I'm requesting a TAG review of Secure Payment Confirmation, which is heading soon to Candidate Recommendation.

Specification: https://w3c.github.io/secure-payment-confirmation/

Explainer: https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md

Updated security/privacy questionnaire: https://github.com/w3c/secure-payment-confirmation/blob/main/security-privacy-questionnaire.md

The TAG's previous positive review was recorded on 14 February 2022: https://github.com/w3ctag/design-reviews/issues/675#issuecomment-1039354818

We are now preparing to advance the document to CR (mid-September 2022).

Here are the diffs to the document since your February 2022 results: https://github.com/w3c/secure-payment-confirmation/compare/8c18586..ac828cb2#diff-6f5a1d8263b0b0c42e2716ba5750e3652e359532647ac934c1c70086ae3cedda

(Sorry, the diff includes multiple files; please see the diffs at the end for spec.bs)

Further details:

  • Relevant time constraints or deadlines: We would like review comments by 16 September 2022.
  • The group where the work on this specification is currently being done: Web Payments Working Group
  • Major unresolved issues with or opposition to this specification: None at this time

We will be at TPAC 2022 and welcome discussion then of any new substantive issues you uncover.

We'd prefer the TAG provide feedback as (please delete all but the desired option): ☂️ open a single issue in our GitHub repo for the entire review

Discussions

2022-09-26

Minutes

Max: basically this proposal is to secure the playment request web webauthn proposal... extension enhancement with webauthn protocol... I looked at the explainer.. They summarized the issues this proposal has - security considerations, cross-origin auth mechanism... analysis that there may be security risks... Also from a design perspective they have analysis that this security payment confirmation - mechanism is designed ... may not be a good design choice because not a payment method... But easier way to do this... In general looking at their explainer they summarized well. Maybe they need our input on the design choice.

<blockquote> Thank you for this review request and for the comprehensive information you've put together in the explainer. As we've previously positively reviewed Payment Request and Web Authentication we're happy to see these being brought together to make the web payment user flow easier. The use cases and user needs are well documented. It's also great to see the results of the experiment written up here.

Regarding the design choices you've made to implement this as a payment method: we're concerned that this may be confusing to developers. Would the alternative approach (navigator.credentials.get()) be better from a developer ergonomics PoV? If so, it may be worth the effort to coordinate with the webauthn working group.

Regarding the privacy risks enumerated at the end of the explainer, can you include more specific mitigation advice for implementers on how to mitigate against these potential attacks?

</blockquote>