16:02:15 RRSAgent has joined #wpwg 16:02:15 logging to http://www.w3.org/2016/05/12-wpwg-irc 16:02:17 RRSAgent, make logs public 16:02:18 Zakim has joined #wpwg 16:02:19 Zakim, this will be 16:02:19 I don't understand 'this will be', trackbot 16:02:20 Meeting: Web Payments Working Group Teleconference 16:02:21 Date: 12 May 2016 16:02:22 briansullivan has joined #wpwg 16:02:28 present+ jnormore 16:02:34 agenda: https://github.com/w3c/webpayments/wiki/Agenda-20160512 16:02:54 present+ zkoch 16:05:31 scribe: Ian 16:05:34 topic: FTF meeting 16:05:39 https://github.com/w3c/webpayments/wiki/Web-Payments-Working-Group-FTF-Meeting-%28July-2016%29 16:05:47 AHB: Please register -> https://www.w3.org/2002/09/wbs/83744/wpwgftf-201607/ 16:05:52 ..thanks to Brian and Visa Europe for hosting us 16:05:56 ..London, 7-8 July 16:06:04 ..near Paddington Station 16:06:22 nicktr has joined #wpwg 16:06:26 ...chairs will start building agenda once we've addressed pressing issues on the issues list 16:06:30 q? 16:06:32 present+ AdamR 16:06:45 Marta: If I have to choose between IG and WG, which should I do? 16:07:00 present+ nicktr 16:07:02 Q? 16:07:39 zakim, who is here 16:07:39 nicktr, you need to end that query with '?' 16:07:40 IJ: seem like if you want to go to the workshop, pick the IG meeting 16:07:42 zakim, who is here? 16:07:42 Present: jnormore, zkoch, AdamR, nicktr 16:07:44 On IRC I see nicktr, briansullivan, Zakim, RRSAgent, jnormore, zkoch, dezell, alyver, maheshk, collier-matthew, ShaneM, adamR, mountie, shepazu, hober, slightlyoff, mkwst, schuki_, 16:07:44 ... dlongley, manu, wseltzer, trackbot, dlehn, Mike5, AdrianHB, adrianba, davidillsley, dwim_, Ian 16:07:50 ..and if you want to focus on payment apps and payment request API, pick the WG 16:08:06 adrianHB: The IG will focus on "up and coming" whereas the WG will focus on specific deliverables 16:08:23 q? 16:09:03 [Regarding hotels, see the meeting page and also Visa special rates] 16:09:10 Roy has joined #wpwg 16:09:24 to tpac? 16:09:27 Topic: TPAC 2016 16:09:33 https://www.w3.org/2016/09/TPAC/ 16:09:37 Lisbon, Portugal19-23 September 2016 16:09:46 q+ 16:09:55 WG meets 19-20 Sept 16:10:01 lgombos has joined #wpwg 16:10:02 https://www.w3.org/2002/09/wbs/35125/TPAC2016/?login 16:10:14 kriske has joined #wpwg 16:10:33 kriske has left #wpwg 16:10:40 [Please register for TPAC!] 16:10:43 ack dezell 16:10:46 ack dezell 16:11:08 dezell: adrianHB, however you want to schedule ILP at TPAC is fine by me 16:11:18 adrianhb: We'll pick up offline 16:11:21 Topic: Payment Method Identifiers 16:11:22 q? 16:11:28 kriske has joined #wpwg 16:12:06 adrianhb: There's a pull request from Ade that is significant in terms of text change (narrowing doc to URLs)..but doesn't fundamentally change functionality 16:12:11 https://github.com/w3c/browser-payment-api/pull/183 16:12:25 ..the PR requests the group consensus from last week to use Absolute URLs for PMIs 16:12:31 ..any questions? 16:12:32 q+ 16:12:37 ack dlongley 16:12:49 dlongley: My only comment was that there was more specific text for options to resolve PMIs 16:12:57 ...there is still an issue marker in the text 16:13:06 q+ 16:14:15 dlongley: I'd like to see the section that was in there still in there. 16:14:20 ack Ian 16:15:10 https://github.com/w3c/webpayments/wiki/PMI_Notes 16:15:30 +1 to deletion and keeping issue marker 16:15:35 q+ 16:15:44 ack dlongley 16:15:45 IJ: I think the issue marker does the job 16:16:02 That seems fine to me 16:16:02 dlongley: Let's put the text in the issue marker...then I'm ok with moving it 16:16:16 if zach and dave happy, I'm happy 16:16:32 PROPOSAL: Accept PR 183 and move requirements bullets into issue marker 16:16:37 +1 16:16:44 +1 16:16:46 +1 16:16:54 +1 16:17:03 +1 16:17:18 SO RESOLVED 16:17:24 nick_tr has joined #wpwg 16:17:32 RESOLVED: Accept PR 183 and move requirements bullets into issue marker 16:18:08 AdrianHB: We did not get consensus on 10 and 11 last week. 16:18:15 ..there are elements of PMIs that we need to address. 16:18:22 ..right now there are no concrete proposals to address them. 16:18:40 ...there has been discussion (e.g., MattS+Ian, then MattS+Ian+AHB) 16:18:46 I believe using URLs addresses issue #11 16:18:47 ...there are some ideas floating around, but not on the list yet 16:19:04 +1 that using URLs addresses 11 16:19:19 q? 16:19:30 PROPOSED: Close 11 since we are using URLs 16:19:56 adrianba: Now that we are using URLs we get distributed extensibility 16:20:12 ...we can deal with optimizations (short strings) as a separate issue 16:20:28 +1 to closing #11 16:20:30 rouslan has joined #wpwg 16:20:31 q+ 16:20:35 adrianHB: I agree we can close 11 but there are still issues around dereferencing URLs 16:20:39 present+ rouslan 16:20:43 ...I don't want to make an assertion around priorities 16:20:46 +1 to closing 11 16:20:48 ack adrianba 16:21:32 +1 to closing #11 16:21:34 adrianba: I think dereference topic is something we should talk about (but separately) 16:21:43 Q? 16:21:46 +1 to close #11, we have #46 to talk about resolving URLs 16:21:50 AdrianHB: Any objections? 16:21:52 [None] 16:22:10 (Done) 16:22:36 q+ 16:22:38 adrianHB: So this is an appeal to the group to look at the PMI spec after 183 merger and outstanding issues and fashion some proposals. 16:23:00 zkoch: I do think we have a number of proposals on the table....I think we don't have consensus yet. 16:23:05 ...e.g., short strings, etc. 16:23:13 ...all of these proposals have pros and cons 16:23:22 ...I'm skeptical that there's a magical solution that will address all concerns 16:23:32 ...so at some point I think we will just need a decision on a starting point. 16:23:40 AdrianHB: I am referring to pull requests. 16:24:43 zkoch: My point is not that we are missing concrete text, but rather we just don't have consensus yet. 16:24:48 q+ 16:24:51 ack zkoch 16:25:29 q- 16:25:35 AdrianHB: So the priority questions are: 16:25:41 * Short identifiers (and how would they work)? 16:25:47 * Grouping and subclassing? 16:25:58 * Dereferencing? 16:25:59 Clarification: They don’t necessarily have to be “short”. They just have to be standardized. 16:26:04 Grouping: https://github.com/w3c/browser-payment-api/issues/30 16:26:26 q+ to note that we had spec text in the options for how to do short identifiers 16:27:05 IJ: I believe that there is consensus that we do not require dereferencing. Therefore, that topic should be lower priority for now. 16:27:09 ack dlongley 16:27:09 dlongley, you wanted to note that we had spec text in the options for how to do short identifiers 16:27:15 dlongley: We have seen spec text (in issues) 16:27:18 ...just not as PR requests 16:27:44 Topic: What data should be sent to the payment app? 16:28:14 adrianhb: When a browser gets data, should it do anything before handing to the payment app? 16:28:17 ...or just pass it on? 16:28:37 q+ 16:28:50 adrianhb: Relates to some other issues 16:28:52 q+ 16:28:58 q+ 16:29:11 ack Ian 16:29:23 IJ: Topics: 16:29:25 * Shape of APIs 16:29:28 * What data is passed? 16:29:35 * What mechanisms used to pass it? 16:30:12 q- 16:30:15 +1 to Ian 16:30:16 q- 16:30:22 IJ: I think the priority issue is "what data does a payment app need"? 16:30:25 ..then we figure out how. 16:30:26 q+ 16:30:32 ack dlongley 16:30:45 dlongley: I agree with Ian's approach, but also important to try to make sure that we don't over specify any particular role 16:30:55 ..it's really easy to overspeicfy the payment mediator role. 16:30:59 q+ with concrete proposal! 16:31:04 q+ to make a concrete proposal! 16:31:20 Proposal for what goes to the payment app: 16:31:43 * The PMIs supported by the payment app 16:31:47 * The transaction data 16:31:52 * Any payment method specific data 16:32:15 q+ to talk about core messages relation to this 16:32:15 +1 16:32:23 ack Ian 16:32:23 Ian, you wanted to make a concrete proposal! 16:32:42 IJ: I suggest we move that topic to the payment app spec. 16:33:33 adrianHB: The crux of issue 157 is, when you make a payment request from the merchant site, you provide PMIs and PM-specific data...when the browser passes it on, Ian is proposing handing off only the relevant PMI info 16:33:56 q+ 16:34:29 adrianHB: Question is sharing too much info from payment app, v. verbosity, and related is signing payment info 16:34:35 dlongley: Some of this relates to the core messages spec. 16:34:44 ...which specifies what does to the payment app 16:34:57 ...the idea is to have some core message base independent of payment method 16:35:09 nicktr has joined #wpwg 16:35:13 ...regarding digital signature from the merchant....that's very important for push-type payments 16:35:18 q? 16:35:21 ...app needs to know that nothing was interfered with 16:35:25 ack dl 16:35:25 dlongley, you wanted to talk about core messages relation to this 16:35:34 ..my opinion is that we should not have the payment mediator filter the data 16:35:44 ..I think there's a relationship between merchant and payment app 16:35:53 (IJ does not think, in general, there is relationship between merchant and payment app) 16:35:59 ack adamR 16:36:02 ack ad 16:36:36 q+ 16:36:43 adamR: If all we do is throw data back and forth, we create potential of super cookie. I think that the mediator will need to play a role of policing that. So I think there will be some modification. 16:36:45 +1 to adamR 16:36:49 +1 to adamR 16:36:52 ack dlongley 16:36:54 ack dlongley 16:37:08 dlongley: As soon as we police data, we put constraints on extensibility. 16:37:27 ..if the payment mediator decides what the app gets, we will have limitations to innovation. 16:37:52 nicktr: Feel free to spec out that proposal. 16:38:23 https://github.com/w3c/webpayments/wiki/PaymentApp_Notes 16:38:32 IJ: My point is that this issue is not about paymentRequest API 16:38:37 ...it's about payment app spec. 16:39:28 q? 16:39:46 adrianHB: I think people now understand the discussion points, and I think we should move discussion to the wiki or mailign list 16:39:54 Topic: User data 16:40:19 adrianHB: PR 174 was merged after discussion between MattS and editors 16:40:27 ...I think MattS may log some issues separately 16:41:17 ...looking for PRs 16:42:17 adrianhb: Crux of concern is this: browser gets some user data that merchant (at different domain potentially than payment app) can view before completion 16:43:49 q? 16:45:01 IJ: Seems like a same-origin issue. 16:45:49 q+ 16:45:51 q+ 16:46:21 IJ: is the characterization that you are providing information to B and it gets to A? 16:46:57 AdamR: I don't think that's the issue, it's that data is available to the Web site even though it was sent without my knowledge. 16:47:11 ack adrianhb 16:47:18 the two scenarios: you enter information into merchant.com vs. you enter information into a special browser UI (and not merchant.com branded) and that information is sent to merchant.com whenever you make a selection even if you don't accept the payment, etc. 16:47:58 adrianHB: I think Adam has characterized it correctly ... I want to reemphasize what I said - when you call show() what is not the payment app but rather privileged browser UX. In that privileged browser UX that data is being captured...any time data is captured there, the site can tell 16:48:09 ..this does not have to do with payment app yet 16:48:34 zkoch: I agree with Adam we need to be careful. This is browser UI at the end of the day. 16:49:00 ...chrome tries to do things to show what is browser UI but it's not obvious that users know that 16:49:16 ...I agree we need to figure out the consent issue...and need to leave the mediator the role of addressing it. 16:49:39 q? 16:49:43 ack zkoch 16:49:47 q+ 16:49:49 ..there are subtle things going on...good that ew are having the conversation...but at the end of the day, I think it's the responsibility of the mediator to say what consent is. 16:49:53 seems like we could do the same thing with shipping address and provide a component (or similar) as an alternative mechanism for collecting that info on the merchant site 16:50:19 IJ: Would "mediator needs to get user consent" be a requirement? 16:50:44 adamr: Perhaps not a requirement, but for example, some privacy preserving proof of concept as an example. 16:50:53 ..but allow mediators to do things differently as well 16:50:57 adamR, is one of the PRs you mentioned taking a stab at this? I would be supportive of that language 16:51:04 q? 16:51:17 zkoch: It wasn’t, but I can give it a go. :) 16:51:19 Topic: API design issues 16:51:24 Issue 16 - Use navigator.payments singleton, factory method, or PaymentRequest constructor. 16:51:40 AdrianHB: This seems mostly like a question of taste. 16:51:45 Here's a concrete proposal from Manu: 16:51:46 https://github.com/w3c/browser-payment-api/issues/16#issuecomment-217269345 16:52:02 ...goal is to leave room for new API calls 16:52:20 zkoch: I think the big issue is that there are basically two ways to solve this; one is with the current API and carefully crafted UX. The other is by doing data collection in one phase, and payment submission in another. I think the second is safer, but likely more controversial. 16:52:28 +1 to the proposal. 16:52:33 q? 16:52:37 ack adam 16:52:40 q- 16:52:44 q+ 16:53:16 adrianhB: This issue is like bikeshedding 16:53:26 ...anyone opposed to using something akin to a factory method? 16:53:43 zkoch: I don't necessarily have a strong objection. It might be unnecessary (+0) 16:53:56 ..before we decide this, I'd rather get some sense from Ade who had to leave the call 16:54:15 adrianHB: Let's postpone that one to when Ade is here 16:54:26 Topic: Issue 122 - Format of complete() 16:54:38 https://github.com/w3c/browser-payment-api/pull/191 16:55:14 +1 16:55:22 IJ: +1 to approach of treating unrecognized as "empty string" 16:55:26 +0 16:55:40 +1 to the PR, but I think using the "empty string" is weird. 16:55:40 [No objections] 16:56:01 RESOLVED: accept PR 191 16:56:37 Topic: Issue 2 16:56:41 Payment Request API only available in a top-level browsing context? 16:56:46 q+ 16:56:59 adrianHB: So, if an iframe attempts to call the API it won't work. 16:57:13 ...but we know that merchants use an iframe that pulls content from a PSP 16:57:24 ...we can imagine a PSP having the code to call the API 16:57:32 ...we'd like to hear from PSPs on this topic 16:57:46 ...how would you want this to be handled? 16:57:47 q+ 16:57:56 ack zk 16:58:18 +1 to giving permission from the parent. 16:58:27 zkoch: I am now coming down on the side of allowing non-top-level (aka iframe) as long as we can find a way to give permission (parent to iframe) via the sandbox attribute 16:58:32 alyver has left #wpwg 16:58:50 q+ 16:58:55 ...I there may be some UX challenges, but can write up a proposal. 16:59:25 nicktr: I recognize the use case that adrianHB described. I recognize that iframes have issues as well. 16:59:48 ...I would like to talk to my Worldpay colleagues to understand consequences of such an approach 16:59:51 ack n 16:59:53 ack ad 17:00:09 adamR: I need, also, to consult with my security colleagues (e.g., about sandbox) 17:00:10 +1 to researching that! 17:00:13 q- 17:00:29 adrianHB: I am hearing "top level unless parent has given consent" 17:00:36 q+ it may also depend on the payment request itself in some way 17:00:37 (e.g., through sandbox approach) 17:00:41 q+ to say it may also depend on the payment request itself in some way 17:00:41 sandbox=“allow-payment”. We would need an extension spec, too, probably 17:00:52 ack dlongley 17:00:52 dlongley, you wanted to say it may also depend on the payment request itself in some way 17:01:31 dlongley: Another use case (future) is calling API outside of parent site (e.g., IOT) 17:01:44 rrsagent, make minutes 17:01:44 I have made the request to generate http://www.w3.org/2016/05/12-wpwg-minutes.html Ian 17:01:53 nicktr: Thanks everyone, there was a lot on the agenda! 17:01:56 I’ll see you guys in June! 17:02:03 Thanks! 17:02:08 RRSAgent, make minutes 17:02:08 I have made the request to generate http://www.w3.org/2016/05/12-wpwg-minutes.html Ian 17:02:12 rrsagent, set logs public 17:02:29 Topic: Next meeting 17:02:35 19 May 17:02:38 RRSAgent, make minutes 17:02:38 I have made the request to generate http://www.w3.org/2016/05/12-wpwg-minutes.html Ian 17:02:41 rrsagent, set logs public