Adds an additional cryptographic signature over Secure Payment Confirmation assertions and credential creation. The corresponding private key is not synced across devices. This helps web developers meet requirements for device binding for payment transactions.
This feature amends Secure Payment Confirmation to keep up with syncing passkeys and device requirements for online payments. The Browser Bound Keys feature adds device binding in the browser, enabling payment use cases where device binding is required.
Browser bound keys are an additive feature for Secure Payment Confirmation; the risk is that other browsers do not implement it.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Web developers should be able to inspect the new signature output, which is defined in WebIDL, so no changes are needed in DevTools.
No milestones specified