Adjustments to BBK requirements #293

ianbjacobs · 2025-05-06T18:09:50Z

Based on recent conversations:

Clarify that a BBK should not be usable outside of the device where it was originally bound.
Make explicit the implication that if a passkey is deleted then any associated BBK should also be deleted.

Goosth · 2025-05-07T08:21:51Z

Do we need to link BBK's to a specific passkey? I feel it raises a number of other questions:

What does this mean if a Passkey is used on a different device and removed there?
What about a new passkey being issued, since the browser/RP could not detect the previous Passkey anymore (cookie was deleted).
It would be great to leave open the option of having a BBK in the future which we only want to use that as a possession factor without the direct link to Passkeys. So basically the BBK would work more along the principles of Server Side Cookies with CHIPS.

…o bbk-20250506

ianbjacobs · 2025-05-12T16:41:33Z

I have updated this pull request following the 8 May 2025 WPWG meeting.

Small adjustments based on recent conversations

0a5a717

ianbjacobs requested a review from stephenmcgruer May 6, 2025 18:10

stephenmcgruer requested a review from pejic May 7, 2025 16:30

ianbjacobs added 2 commits May 8, 2025 20:52

Merge branch 'main' of github.com:w3c/secure-payment-confirmation int…

4219e6f

…o bbk-20250506

Revamped requirements following 8 May 2025 WPWG meeting

0be72fa

ianbjacobs changed the title ~~Small adjustments to BBK requirements~~ Adjustments to BBK requirements May 12, 2025

Provide feedback