Browser Bound Keys for Secure Payment Confirmation

Zdravo TAG!

I'm requesting a TAG review of Browser Bound Keys, a change to Secure Payment Confirmation ([802](https://github.com/w3ctag/design-reviews/issues/802), [763](https://github.com/w3ctag/design-reviews/issues/763), [675](https://github.com/w3ctag/design-reviews/issues/675), [544](https://github.com/w3ctag/design-reviews/issues/544)).

Add device-binding-like capabilities, in the form of browser bound keys (BBKs), to Secure Payment Confirmation without relying on WebAuthn (at either the client or authenticator level)

  - Explainer¹: https://github.com/w3c/secure-payment-confirmation/issues/271
  - Specification: https://github.com/w3c/secure-payment-confirmation/pull/286, https://github.com/w3c/secure-payment-confirmation/pull/296
  - WPT Tests: feasibility depends on whether user agents are permitted to support “software” keys
  - User research: none
  - Security and Privacy self-review²: https://github.com/w3c/secure-payment-confirmation/blob/main/security-privacy-questionnaire-bbk.md
  - GitHub repo: https://github.com/w3c/secure-payment-confirmation
  - Primary contacts:
      - Slobodan Pejic (@pejic), Google, Spec Change Editor & Implementor
      - Stephen McGruer (@stephenmcgruer), Google, Spec Editor
  - Organization/project driving the specification: Chromium
  - This work is being funded by: Google
  - Primary standards group developing this feature: Web Payments Working Group
  - Group intended to standardize this work:
  - Incubation and standards groups that have discussed the design:
    - Web Payments Working Group: E.g. [2025-04-24 Minutes](https://www.w3.org/2025/04/24-wpwg-minutes.html), [2025-05-08 Minutes](https://www.w3.org/2025/05/08-wpwg-minutes.html)
  - Multi-stakeholder support³:
    - Chromium comments:
    - Mozilla comments: https://github.com/mozilla/standards-positions/issues/570
    - WebKit comments: https://github.com/WebKit/standards-positions/issues/30
  - Major unresolved issues with or opposition to this specification:
    - “Software” key support: https://github.com/w3c/secure-payment-confirmation/issues/288
    - Whether key storage attestation would be included: [2024-10-10 Minutes](https://www.w3.org/2024/10/10-wpwg-minutes)
  - Status/issue trackers for implementations⁴: https://chromestatus.com/feature/5106102997614592

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - Previous early design review, if any:
    - None for browser bound keys. See above for Secure Payment Confirmation reviews.
  - Relevant time constraints or deadlines:


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Browser Bound Keys for Secure Payment Confirmation #1097

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Browser Bound Keys for Secure Payment Confirmation #1097

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions