12:28:21 RRSAgent has joined #apps 12:28:21 logging to http://www.w3.org/2016/08/17-apps-irc 12:50:22 agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2016Aug/0082.html 12:50:27 Ian has changed the topic to: Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2016Aug/0082.html 12:56:47 Chair: Ian 12:59:01 present+ Adam 12:59:03 present+ Max 12:59:23 TommyT has joined #apps 12:59:50 regrets: Conor 12:59:53 present+ Tommy 13:02:28 adamR has joined #apps 13:02:29 present+ Jason 13:02:41 Max has joined #apps 13:02:44 present+ adamR 13:03:07 /me is running 2 mins late 13:03:10 alyver has joined #apps 13:03:20 https://github.com/w3c/webpayments-method-identifiers/issues/11 13:03:23 present+ alyver 13:04:32 zakim, who's here? 13:04:32 Present: Adam, Max, Tommy, Jason, adamR, alyver 13:04:34 On IRC I see alyver, Max, adamR, TommyT, RRSAgent, Zakim, Dongwoo, AdrianHB, Ian 13:04:47 ---> https://lists.w3.org/Archives/Public/public-payments-wg/2016Aug/0082.html 13:06:08 Topic: AdamR's proposal 13:06:21 https://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.md 13:06:25 IJ: Quick overview and where we are? 13:06:41 AdamR: This proposes something that looks like a service worker (and is modeled after what is done in WebRTC). 13:06:46 ...process is spun up after selection by the user 13:06:57 ...we have one message in one direction, and one message in the other 13:07:05 present+ Roy 13:07:36 ..the application has opportunity to do what it wants with a message (within its origin)...including the opportunity to open a window for the user 13:07:48 ...(two: one allows for a URL instead of a body) 13:08:05 ..."data" is internal detail to the app (allows window to communicate with worker) 13:08:23 ..when everything is done, the application sends a message back which the browser turns into a promise resolution 13:08:25 q? 13:08:42 present+ Mahesh 13:09:11 IJ: Feedback so far? 13:09:15 present+ AdrianHB 13:09:20 I will need a bit more time to review the proposal. 13:09:25 AdamR: Tommy sent feedback and that's been incorporated 13:10:39 Roy has joined #apps 13:10:53 IJ: Proposed 2 reviewers then try to integrate into the spec 13:11:12 IJ: How would text need to change before going into doc? 13:11:17 q+ to ask if there has been feedback from other implementors? 13:11:19 AdamR: Will need expansion 13:11:28 ack Ad 13:11:28 AdrianHB, you wanted to ask if there has been feedback from other implementors? 13:11:44 Issue with audio 13:11:49 Will try call in again 13:12:14 IJ: (Has there been feedback from other implementors?) 13:12:29 AdrianHB: Aside from Tommy; no. What is spec'd here is similar to Tommy's polypill 13:13:09 +1 13:13:16 IJ: Volunteers to review? 13:13:25 Volunteers: AdrianHB, Max 13:13:45 AdrianHB: This proposal has triggered some good discussion on the issues list. 13:14:08 ...it would be valuable to get MS and Google input on payment apps since it's increasingly becoming clear that we may have to make decisions that impact both. 13:14:42 TommyT has joined #apps 13:15:13 q? 13:15:46 ACTION: Max to review the registration proposal, due 24 August 13:15:50 ACTION: AdrianHB to review the registration proposal, due 24 August 13:16:09 I can take a look, but this is the first I heard of Adam's proposal, maybe someone can shoot me a pointer 13:16:14 https://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.md 13:16:23 JasonYANG has joined #apps 13:16:26 https://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.mdhttps://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.md 13:16:28 https://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.md 13:16:30 jnormore has joined #apps 13:16:33 https://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.md 13:16:55 IJ: Anything else today? 13:17:00 AdamR: Feedback! 13:17:07 Topic: Origin info 13:18:06 https://github.com/w3c/webpayments-payment-apps-api/issues/27 13:18:32 IJ: Would that be useful? 13:18:36 q+ 13:18:40 IJ: what's the design consideration? 13:18:48 IJ: What do we need to do to modify the spec? 13:19:02 maheshk has joined #apps 13:19:16 AdamR: I don't necessarily object up front but it does raise a privacy issue. Would it have "surprising" properties for users? My first inclination is "probably not" 13:19:31 ...adding a field for all methods that has origin information might make sense 13:19:48 ..but it might also be payment-method specific and should figure into the payment method spec. 13:19:59 ..e.g., for basic not useful; for tokenized useful 13:20:07 ..so figures into payment method good practice 13:20:16 (PAYMENT METHOD GOOD PRACTICE NOTE :) 13:20:36 ...I wish we had more payment method specs in development to determine 13:22:05 IJ: We have been talking about getting an EMV tokenization spec 13:22:31 Roy: Facebook is looking at a payment method specification involving tokenization 13:23:08 Yes EMV is network tokenization 13:23:41 present+ jnormore 13:23:48 I have made the request to generate http://www.w3.org/2016/08/17-apps-minutes.html Ian 13:24:01 q+ 13:24:03 ack ad 13:24:43 (Discussion of gateway v. network tokens) 13:25:41 IJ: How do you deal with the privacy issue in the case where it's useful (e.g., payment method includes tokenization) 13:25:54 AdamR: I would like to run the question by the Privacy Interest Group 13:26:44 IJ: In today's payment methods, is origin information available to e.g., card networks? 13:29:56 q+ 13:30:25 AdrianHB: Concern is payment app distributor (who is not also the issuer) 13:30:29 ack Ian 13:30:49 ack jn 13:30:56 Kepeng has joined #apps 13:31:40 jnormore: We have multiple payment gateways and multiple payment methods available, and even the concept of payment apps....we only pass information required to process the payment itself. In some cases we don't pass line item or customer information ... only when necessary to process the payment. 13:31:41 q 13:31:42 q? 13:33:16 jnormore: Isn't it up to the merchant what they want to pass through? 13:34:02 Ian: The user might also care ("I don't want others knowing what ecommerce sites I'm visiting") 13:35:17 Ij: Any volunteers to write up something? 13:35:18 (No) 13:35:39 IJ: I will record in the issue the points on (1) privacy and (2) may depend on payment method 13:36:28 Max has joined #apps 13:37:06 ACTION: Ian to put notes on privacy and payment method potential dependency about origin info into the issues list 13:37:29 topic: Display and selection of apps 13:37:38 https://github.com/w3c/webpayments/wiki/PaymentApp_Notes#user-experience-descriptions 13:37:45 IJ: Adrian, status of your action? 13:37:51 AdrianHB: Not done. 13:37:53 +1 13:38:11 Max: I have read the table and have some thoughts. 13:38:53 ...one question has to do with whether explicit user consent is required for registration 13:39:22 IJ: What is the scenario? 13:39:36 Max: E.g., site automatically registers payment app when user visits site 13:40:16 AdamR: I think we should provide some guidance here but don't think we should provide anything normative here. Different browsers will have different notions of user protection, and they can validly differentiate themselves. 13:40:18 Max: Ok 13:40:30 ..from user experience, most users will be confused about information 13:40:31 q+ 13:41:02 Max: From user experience we could "allow" the browser to automatically register the payment app 13:41:14 ...I am ok to provide guidance and leave to browser implementation 13:41:40 https://w3c.github.io/webpayments-payment-apps-api/ 13:41:48 https://w3c.github.io/webpayments-payment-apps-api/#registration-and-unregistration 13:41:58 "We expect registrations to happen at various times (e.g., outside and inside of checkout), and with differing levels of user consent to modify their configuration within the user agent. " 13:42:18 "Users visiting a Web site (e.g., merchant or bank) may wish to explicitly register payment apps, which would require explicit consent from the user." 13:42:35 We could add: 13:43:03 "User agents may distinguish themselves by the extent to which they enable users to automatically register payment apps without additional user interaction." 13:43:25 AdamR: That text seems unnecessary; what is under the bullet looks ok to me today 13:43:43 IJ: I think this is too strong: "which would require explicit consent from the user." 13:44:07 +1 on requiring consent 13:44:21 AdamR: I think in that scenario (visiting a site) consent is the right thing. 13:44:51 ...but I think that during checkout (first sub-bullet) is ok ... I want to avoid language that says "must happen without user consent" 13:46:32 AdrianHB: I think we need to be more explicit in cases where things are happening on the web; less we say outside the web context the better 13:48:09 Note: https://github.com/w3c/webpayments-method-identifiers/issues/11 13:48:53 AdamR: I am concerned about malware scenario...don't want implicit registratino 13:49:17 Max: The reason why we should allow browser to register payment apps automatically is because most users will not quite understand the technical details 13:49:24 ...we want to improve the user experience 13:49:46 [Move to point 2] 13:50:13 Max: We have discussed a bit ... how do we ensure that a payment app is who it claims to be? How do we prevent fake payment apps? 13:50:52 Roy: Zach's PMI proposal distinguishes open/proprietary methods 13:51:06 ...the way you specify each one is different 13:51:15 ...open payment methods involve (in the proposal) URNs. 13:51:24 ...and proprietary methods are URLs which have origins. 13:51:48 ...and browsers would compare origin of the payment app with origin of the payment method to help determine whether it's the right app 13:52:04 Max: We have some other ideas as well that we can write down. 13:52:07 q+ to ask about delegation 13:52:15 ack ian 13:52:42 ack AdrianHB 13:52:42 AdrianHB, you wanted to ask about delegation 13:53:07 AdrianHB: What happens if a proprietary payment method owner wants to delegate authority to a third party proprietary payment app? 13:53:20 +1 13:53:50 AdrianHB: I think that we may need metadata for this 13:54:08 ...we need to define how this works and might be for both proprietary and open payment methods 13:54:16 +1 to AdrianHB’s point about origin binding being too restrictive — I was planning to put a comment on PMI issue 11 to this effect 13:54:44 +1 ^ 13:54:56 AdrianHB: I don't like putting together "identification of payment method" with "getting data about payment method" 13:55:40 q? 13:56:09 https://github.com/w3c/webpayments-payment-apps-api/blob/gh-pages/proposals/jsapi.md 13:57:04 Action: Max to write up a new proposal (in the proposals directory) about managing authenticity of payment apps 13:57:25 -> https://github.com/zkoch/zkoch.github.io/blob/master/pmi.md 13:57:59 https://github.com/w3c/webpayments/blob/gh-pages/proposals/zach-pmi.md 13:58:10 q? 13:58:33 [Back to user experience table] 13:58:36 https://github.com/w3c/webpayments/wiki/PaymentApp_Notes#user-experience-descriptions 13:58:52 Max: Would be better for merchant web site to take control of the display of the payment app. 13:59:12 ....and we can provide good practice to browsers of how to display but in the end merchants have final control 13:59:13 -1 14:00:43 ACTION: Max to write up some thoughts on merchant-controlled display of payment apps for selection 14:00:56 Topic: TPAC 14:02:03 IJ: Anyone available to do payment app demos at TPAC? 14:02:17 Max: W3C staff in China is chatting with us about demos. 14:02:21 ...so we are thinking about that. 14:02:33 alyver has left #apps 14:02:40 ...we are looking into but can't confirm 100% yet we will have a demo 14:02:55 I'm in the same boat Ian 14:03:13 +1 14:04:21 Topic: Next meeting 24 August 14:04:23 IJ: Any regrets? 14:04:27 [Hearing none] 14:04:39 thanks 14:04:39 rrsagent, make minutes 14:04:39 I have made the request to generate http://www.w3.org/2016/08/17-apps-minutes.html Ian 14:04:41 rrsagent, set logs public 14:06:04 Hi Ian, the demo that we discussed with w3c China staff is not the implementation of payment api, it is the user experience demo of alipay and maybe other payment providers in China. Is that OK? 14:08:51 hi Max 14:09:07 There are two topics: 14:09:18 * How payments work in China .... that should be on the Interest Group agenda 14:09:27 * Feedback on payment request API ... that should be on the WG agenda 14:09:34 (You may choose to do one or the other or both) 14:10:04 ok, we will think about that. thanks 14:18:09 cool 14:18:18 I have just written to Chunming Hu with some other suggestions 16:07:16 Zakim has left #apps 16:35:21 rrsagent, bye 16:35:21 I see 5 open action items saved in http://www.w3.org/2016/08/17-apps-actions.rdf : 16:35:21 ACTION: Max to review the registration proposal, due 24 August [1] 16:35:21 recorded in http://www.w3.org/2016/08/17-apps-irc#T13-15-46 16:35:21 ACTION: AdrianHB to review the registration proposal, due 24 August [2] 16:35:21 recorded in http://www.w3.org/2016/08/17-apps-irc#T13-15-50 16:35:21 ACTION: Ian to put notes on privacy and payment method potential dependency about origin info into the issues list [3] 16:35:21 recorded in http://www.w3.org/2016/08/17-apps-irc#T13-37-06 16:35:21 ACTION: Max to write up a new proposal (in the proposals directory) about managing authenticity of payment apps [4] 16:35:21 recorded in http://www.w3.org/2016/08/17-apps-irc#T13-57-04 16:35:21 ACTION: Max to write up some thoughts on merchant-controlled display of payment apps for selection [5] 16:35:21 recorded in http://www.w3.org/2016/08/17-apps-irc#T14-00-43