14:47:36 RRSAgent has joined #wpwg
14:47:36 logging to https://www.w3.org/2021/03/30-wpwg-irc
14:47:41 Meeting: Web Payments Working Group
14:47:48 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-FTF2021
14:47:56 Chair: NickTR
14:47:58 Scribe: Ian
14:48:11 I have made the request to generate https://www.w3.org/2021/03/30-wpwg-minutes.html Ian
15:06:21 Topic: SPC and frictionless flows
15:07:14 zakim, who is here?
15:07:14 Present: Ian, Anne_Pouillard, Tomasz_Blochowicz, David_Benoit, Gerhard, AdrianHB, Deepu, mhofman, benoit_, jonathan, danyao, Fawad, lucasb, LawrenceCheng, Chris_Wood, frank, marcperez, SameerT, mknowles, Aleksei, James, arno_, Anne, antoine, Bastien, Tomasz, Tom_Bellenger, Christina, Longstaff, Jean-Luc, Erhard, Gavin, Jayaseelan, Gildas, Timo_Gmell, Gustavo, Remo_Fiorentino, Jean-Michel, Vaishali, Jonathan_Grossar, Lawrence_Cheng, Max_Gu, Lucas_Bledsoe, Manjush, Marc_Perez, Mathieu, Mike_Knowles, Mike_Horne, Nick_Burris, Sebastien_Elfors, Olivier
15:08:00 [Gerhard Oosthuizen presents slides from Entersekt]
15:09:41 Gerhard: Ecommerce growing significantly. With COVID even more
15:10:26 ...65% of customers abandon transactions due to friction.
15:10:37 ...that translates to 100s of billions of USD
15:11:06 -> http://www.w3.org/2021/Talks/entersekt-20210330.pdf Gerhard's slides
15:11:25 Gerhard: $146B in CNP purchases are declined per year
15:11:36 ...52% of orders declined for fraud were good orders to fulfill
15:11:59 ...62% of cardholders will abandon a declined card
15:12:07 ...so it's very important to get the challenge flow right.
15:12:18 ...Microsoft as a merchant posts data on a monthly basis.
15:12:32 ...they have breakdowns per country per type of authentication.
15:12:51 Gerhard: Authentication success rates are too low. Browser-based is 75% compared to 45% for app-based
15:13:05 ...abandonment is too high (browser: 13%; app: 18%)
15:13:19 ...challenge rates are much too high (browser: 81%; app-based: 75%)
15:13:45 ...Microsoft quote: "Payments ecosystem must find ways to lower the challenge rate." But it's also important to note that approval rates improve when a challenge succeeds.
15:14:41 Bastien: looking at the MS figures, do you have any clue which system was used to create this data?
15:15:12 Gerhard: Data from 3DS2 in Europe
15:15:31 ...it is improving every month
15:15:45 ...some countries have had issues in rollouts, or ACS have had issues, and they are working through the issues
15:16:15 ...this is not a critique of 3DS2 directly, just about the state of deployment
15:16:56 [On 3DS in the slides]
15:17:13 Gerhard: 3DS 2.2 is the latest version; 2.3 in review.
15:17:42 ...quick reminder: frictionless flow then challenge flow (optional). Goal is to challenge no more than 20% of transactions.
15:18:00 ...3DS2 big additions were (1) app support (2) frictionless flow.
15:18:10 ...the frictionless flow runs in a hidden iframe (methodURL)
15:18:44 ...here we are having discussions about FIDO. And there are two flavors: user validation (presence check) and user verification (multifactor)
15:18:59 ...noting two types of authenticators: platform, roaming
15:19:15 ...SPC is a great move forward.
15:19:32 ...first, gives predictability to merchant. Merchant controls the experience, whereas the issuer controls the identity [management]
15:19:52 ...(delegated auth requires the merchant to take control of both...)
15:20:11 ...second, there is a "payment focused display"
15:20:24 ...better customer experience, especially since many authenticators don't have a built-in display
15:20:36 ...closer to the regulatory intent (of, e.g., PSD2)
15:20:51 ...a challenge for SPC is that both the merchant and issuer need to support it.
15:21:18 ...even if the merchant does not do SPC, ultimately we as providers to issuers will still use SPC from the issuer domain, because of the transaction confirmation dialog and the signature over the transaction data.
15:21:41 ...what interests Entersekt is to create a bridge.
15:22:00 ...any extra click increases (by something like 10%) abandonment rates
15:22:24 ...we want to avoid the extremes: too much friction v. no challenges at all (which can lead to higher false declines)
15:22:28 ...what can we do?
15:22:39 q+ to talk about the importance of consent
15:22:46 Gerhard: Two suggestions here (1) SPC with one-click (2) Silent challenge
15:22:58 ...a silent challenge is where the user does not participate, but we have uplift on the approval rate
15:23:17 ...with the latter the issuer is more likely to approve the transaction, reducing false declines.
15:23:44 nicktr: Another topic - need explicit consumer consent.
15:23:50 ...that's lost in the debate about invisible payments
15:25:14 The minutes page seems to throw "Sorry, Insufficient Access Privileges"
15:25:22 Gerhard: Predictability is really important as well
15:25:46 [Gerhard on PSD2]
15:26:04 Gerhard: Number of rules around challenges. When challenge occurs, requirement is 2 factors
15:26:45 Gerhard: But outside of Europe there are other authentication requirements, e.g., single possession factor (e.g., SMS, app-based OTP, push to mobile)
15:26:56 ...provable possession is a very strong signal for risk-based authentication
15:27:36 ...a core driver behind the browser data collection requirements of EMV 3DS
15:27:42 [Gerhard on requirements for a solution]
15:27:51 Gerhard: Needs to be privacy-friendly and secure.
15:27:55 ...more specifically:
15:27:59 Is Gerhard's audio breaking up for anyone else?
15:28:23 Ack
15:28:39 Gerhard: Domain bound (only visible to issuing party). Accessible using identifier only known to issuer. Get user consent before issued to that user. Resettable by the user.
15:28:50 Gerhard: Security reqs: generated by the browser
15:29:12 Gerhard: Lots can be learned from WebAuthn, SPC experiment, Credential Management API, and Web Crypto
15:29:43 Gerhard: WebCrypto lets you generate key pairs with protected private key in the browser; enables signing a challenge.
15:29:52 ...with these technologies we can generate a signature
15:29:59 [Gerhard on what would NOT work well]
15:30:22 Gerhard: (1) cookies ...no user consent...nothing signed...always provides for full domain, i.e., not linked to a specific credential ID
15:30:37 ...(2) WebID does not solve for complete user challenge
15:30:47 ...(3) Trust tokens...anonymity is not what's needed here
15:31:07 sorry audio issues
15:31:13 let's discuss later
15:32:08 mhofman: In the use case of payments, we already have an idea of who the customer is. We want to authenticate that the browser has been used by a person we already know.
15:32:18 ...I think that there is a lack of web platform primitives to do this today.
15:32:55 Gerhard Proposal:
15:33:06 * Possession only factor issued by the browser
15:33:16 ...user specific (credential ID) and domain-bound
15:33:22 ...only generated after explicit consent
15:33:29 * Stored with credential management API
15:34:00 [Architectural slide]
15:34:45 Gerhard: From a consent perspective, during enrollment the user consents first, then credential provisioned in the RP's domain
15:35:02 ...the consumer needs to be able to manage (including delete) the credential at any stage; similar to password management in the browser
15:35:27 ...for authentication, signature created only after a user action
15:35:39 ...allow the RP (issuer or bank) to choose the required level of trust.
15:35:57 ...that might be, for example, full strong customer authentication, or for some transactions, possession only could suffice
15:36:41 ...this could be implemented with a checkbox, for example, on the transaction confirmation dialog: "Don't ask me again for 30 days" or "Don't ask me again for transactions less than $10" etc.
15:37:05 Gerhard: ...this might only show up after a full consent auth for example
15:37:26 ...question: would the issuer be able to also indicate if a user challenge is NOT needed (enabling a frictionless flow) without user consent?
15:37:50 SameerT: Great presentation. What is your vision for the checkbox? Does consent go to the issuer or is it stored locally?
15:38:07 q+ to ask who will control what kind of options the users can consent to?
15:38:12 Gerhard: What we've considered (because we want to maintain the current SPC flow) is that the consent is stored in the browser.
15:38:33 ...but we could imagine that the issuer provides a hint like "It's ok if the user doesn't want to see the dialog for this transaction."
15:39:12 SameerT: From a 3DS perspective, it looks like there are 2 different consents: (1) creation of the initial ID and (2) adding the browser to a sort of "trusted list"
15:40:08 Danyao: You mentioned a few options for consent (e.g., 30 days or low transaction amounts). Who in this model would control which options would be presented to the user?
15:40:28 Gerhard: That's a topic for discussion. Our initial view was that browsers could differentiate themselves through different features
15:41:17 Gerhard: Merchant also needs to be able to provide hints like "I need an SCA here."
15:41:33 Does the vision also include provision to withdraw consent?
15:41:46 Danyao: Assuming user gives consent, when browser does frictionless flow, would the issuer and merchant have data on what happened?
15:41:56 Gerhard: Yes, the signature should include that information.
15:42:18 gkok: Regarding this specific flow. Would there be cryptographic proof?
15:42:31 [Ian thinks there would be crypto...just without user presence check]
15:42:55 Gerhard: For me there would be cryptographic proof. The browser would say "I issued this based on prior customer consent"
15:43:06 ...I do have a flow diagram for this
15:43:37 ChristianA: Yes, would be good to see more about "how the issuer knows what happened"
15:43:47 [Flow illustrations follow]
15:44:46 Gerhard: Suppose in a 3DS flow that frictionless flow does not lead to satisfaction.
15:45:07 Gerhard: ...so challenge flow initiated, and ACS says in AReq "Let's challenge with possession"
15:45:45 Gerhard: So the PSP gets back a set of credential IDs. If the merchant does not use SPC, fallback flows possible.
15:46:06 ...but if merchant does use SPC, the transaction dialog is opened.
15:46:22 ...but due to the way that the keys have been generated, the browser knows it can, for example, not require the user presence check.
15:47:06 ...an alternative is that if the user has consented previously, the merchant could make the same call (without knowledge of the user's stored consent) and they would get the same result back (with information available to issuer that it was silent)
15:47:38 ...CReq with signature can be returned to the ACS
15:47:45 ...the signature can include information about which authentication flow happened
15:48:00 ...this is not as strong as WebAuthn, but it's not as bad as data collection as it is done today
15:48:18 ...so we have a bit better on the one hand, and not as good as SCA, but has minimal friction.
15:48:47 ChristianA: I am hearing that it's the same rails as WebAuthn, with just possession check.
15:49:36 Gerhard: When SPC was originally proposed we imagined one solution where the methodURL provides a hint
15:49:49 ...but we didn't want to stretch too far, so this proposal leverages SPC as it's been proposed
15:50:13 Gerhard: The proposal is basically about how the various perspectives (merchant, user, issuer) are melded for a UX
15:50:26 ChristianA: The issuer needs to know what the consumer has consented to.
15:51:08 Gerhard: I agree, and the signature in SPC will say how consent was given and what was consented to
15:51:52 Deepu: Thanks for the explanation. Assuming a user gives consent (e.g., 30 days). Is there a provision for the user to revoke it?
15:52:07 Gerhard: Yes. User will manage that information in the browser, like passwords.
15:52:48 Deepu: This mechanism does not rely on Web Authentication
15:53:04 Gerhard: Correct.
15:53:25 Comment: Perhaps there is a potential for collaboration to make sure the key EMV 3DS principle (issuer making the final decision) is included in a broad concept where implementers can choose SPC as a bundle or parts of it for challenge
15:54:03 My understanding is this would use the same APIs as SPC but using credential IDs that are for software-stored credentials (vs hardware-based credentials as used for WebAuthn)
15:55:43 Ian: I am hearing that you'd like to enable the issuer to decide (with input from merchant) the UX, and the issuer (RP) has different credential ids for different experiences. And that WebCrypto is a fall back encryption mechanism when WebAuthn not available AND
15:55:52 q+ to correct authenticator coverage on Android
15:56:27 Gerhard: The question is that some behaviors may not depend on external authenticators, and so we might be able to use Web Crypto. But if Web Authentication with no presence check can be used, that's good too
15:57:19 [On 3DS impact]
15:57:38 Gerhard: (1) proposal aligns with SPC as initially hatched (2) proposed SPC solution does require merchant integration
15:57:58 Gerhard: This proposal is not specific to 3DS.
15:58:22 Gerhard: Let me speak a bit about a second proposal...using the browser as a silent possession factor
15:58:23 Danyao: On Android, FIDO authenticator coverage is closer to 2/3rds and growing
15:59:15 Gerhard: 3DS2 caters to frictionless authentication. Risk-based auth leverages data from three sources (browser, user, transaction)
15:59:43 ...a unique ID will also help here.
15:59:56 ...if we use the same possession factor concept and can use it silently in an iframe to sign
16:00:32 ...the challenge could bind browser + user + transaction details without the need of data collection
16:00:58 [Gerhard slides on this second proposal]
16:01:22 Gerhard: The ACS gets possession keys from the browser and asks the browser to sign transaction data in the method URL
16:01:49 ...the 3DS transaction ID is the same, and the ACS can say "I've already verified this credential; I'm satisfied with other data; I can choose to not do step-up"
16:02:22 Gerhard: I think this proposal aligns fully with standard 3DS methodURL. Does not require any extensions. No merchant integration/modification required.
16:02:30 ...but iframe permissions would need to support this
16:02:40 ...if a possession credential is not available, you could fall back to SPC
16:02:51 q+ to ask about big picture ordering of approaches
16:03:09 Gerhard: For me, I think this gets close to satisfying the browser ID requirements
16:03:33 ...but it might not be "SPC" if the essence of SPC is the transaction confirmation dialog (since there isn't one)
16:04:12 gkok: To clarify - when you mention frictionless flow. Are you still using the PR API?
16:04:32 q+ to mention that SPC support for cross-origin iframe is now available for experimentation
16:05:10 Gerhard: There are three scenarios (1) with user presence check (2) without presence check (3) no dialog
16:05:48 ...but data is signed in all cases
16:06:49 SameerT: In the silent challenge flow, is the browser notifying the ACS of a credential or is the issuer sending credentials to the PSP?
16:07:08 Gerhard: ACS sends list of credentials to the browser
16:07:30 SameerT: So 3DS method allows silent challenge, and silent challenge data goes through AReq?
16:08:01 Gerhard: Maybe, but that would require the merchant. So we think there might be a way to do this simply in the method URL, which means the merchant does not need to be aware of that data.
16:08:20 SameerT: let's collaborate on the "id requirements" to make sure that it meets our requirements
16:08:22 Gerhard: +1
16:08:39 Gerhard: Yes, want to ensure meets requirements, meets privacy requirements, has good UX
16:09:49 ian: there seems to be a growing space of solutions that are within scope of SPC and not. What order would you approach these solutions?
16:10:31 ...this helps us know how these might map to different payment flows
16:10:37 Gerhard: Here's my list in order:
16:10:48 1) Issuer issues possession credentials (enrollment)
16:11:01 2) Issuer / ACS silent challenge without merchant knowledge
16:11:09 3) If the merchant wants control, then you move on to SPC
16:11:43 ...if the issuer has done step 1 and that supports lower friction, then the merchant and issuer can take advantage
16:12:31 +1 to single-click SPC as priority (likely same API but with different credential IDs)
16:13:03 mhofman: I want to focus on the prompt-less authentication. Might be useful outside of payments use cases, especially if the browser is not showing specific UI.
16:13:12 ...perhaps this should be discussed in the Web Authentication WG
16:13:27 ...somehow you can use browser credential to sign some data in an iframe context
16:13:36 ...that's where we need to figure out with privacy folks if that's ok
16:13:48 ...maybe because it's tied to browser alone might be ok
16:14:00 Gerhard: That's an astute observation. The important thing is what is the user consenting to?
16:14:09 ...our use case allows us to scope the consent.
16:14:18 ...but we are interested in chatting with Web App Sec
16:14:32 ...we can also discuss with the WebAuthn WG.
16:14:38 ...to reiterate: the privacy side is important to us
16:14:59 ...but due to progress on the payment side (via SPC), and because the user knows this is an important activity (payment), this could help prevent abuse.
16:15:38 mhofman: Since the authentication is silent, user approval will have to happen at enrollment. Even if you tie it to a payment request object, somebody could build such an object to use this; so I don't see how you can lock it down to the payments use case.
16:15:43 Gerhard: I hear that point.
16:16:36 Danyao: Picking up one point about implementation in the methodURL...is the proposal that you want to be able to invoke SPC directly from the methodURL iframe?
16:16:40 Gerhard: Yes, at a high level
16:16:59 ...and to be able to say "Only do SPC if you can do it silently"
16:17:04 zakim, who's here?
16:17:04 Present: Ian, Anne_Pouillard, Tomasz_Blochowicz, David_Benoit, Gerhard, AdrianHB, Deepu, mhofman, benoit_, jonathan, danyao, Fawad, lucasb, LawrenceCheng, Chris_Wood, frank, marcperez, SameerT, mknowles, Aleksei, James, arno_, Anne, antoine, Bastien, Tomasz, Tom_Bellenger, Christina, Longstaff, Jean-Luc, Erhard, Gavin, Jayaseelan, Gildas, Timo_Gmell, Gustavo, Remo_Fiorentino, Jean-Michel, Vaishali, Jonathan_Grossar, Lawrence_Cheng, Max_Gu, Lucas_Bledsoe, Manjush, Marc_Perez, Mathieu, Mike_Knowles, Mike_Horne, Nick_Burris, Sebastien_Elfors, Olivier, Sejal_DSouza, Ulf_Leopold, Michel_Weksler, btidor, Kincaid_ONeil, John_Bradley, John_Fontana, Doug_Fisher, Christian_Aabye, Aleksei_Akimov, Fawad_Nisar, Takashi_Minamii, Jeff_Hodges, Chris_Dee, Robin_Hjelte
16:17:44 Danyao: For the second version of the SPC origin trial we now allow the creation of SPC credentials from inside a cross-origin iframe. So that should allow some prototyping.
16:18:00 Gerhard: Suppose I go to merchant 1. I can create credential in bank domain, then use in merchant 2's domain?
16:18:16 @danyao would that 3rd party use of SPC be with feature policy such as with webauthn
16:18:25 Danyao: Merchant 1 still needs to embed the bank domain in the iframe, but does not need to redirect to the bank domain or use a secure modal window
16:18:32 Gerhard: Any specific iframe settings required?
16:18:37 Danyao: Allow_payments
16:19:21 Topic: SPC and open banking
16:19:46 -> https://docs.google.com/presentation/d/1xvuO67_YzkGfavNKY-tEgRVCDp9PMIyksQF5p225JMI/edit?usp=sharing Slides from Chris Wood
16:20:16 Chris: I am relatively new to the group. Have worked on open banking standards in Europe. Today we'll talk about open banking and SPC
16:20:48 ...at a high level, I think that open banking and SPC mesh nicely.
16:21:15 ...[slide on benefits of SPC]
16:21:59 -> https://docs.google.com/document/d/1qjBPa6l0EM9A3sLl9neccq_8UPHe90jXTGXqcbge2vQ Full write-up on SPC and open banking
16:23:07 Chris: I think that open banking would benefit greatly from a standardized, ubiquitous authentication mechanism.
16:23:58 ...an inconsistent user experience may make open banking less compelling
16:24:59 ...various approaches have been tried like QR codes, but I see SPC having great potential for bringing consistency to the UX
16:26:37 ...review of acronyms: payment services user (PSU), payment initiation services provider (PISP), bank with PSU is the ASPSP
16:26:53 ...the PSU wants to make a payment and has an SPC credential.
16:27:07 ...the merchant or their PISP initiates the payment (calls Payment Request / SPC)
16:27:17 ...the RP here is the ASPSP
16:28:49 ...so the bank plays an important role (RP) even though they are not part of the legal agreements.
16:29:59 Chris: Good idea to allow enrolled WebAuthn credentials to be "upgraded" to SPC credentials
16:30:06 ...this will promote efficiencies
16:30:59 [Chris reviews steps]
16:31:16 Chris: Enrollment happens (typically) out of band with ASPSP
16:31:52 ...during transaction, with many open banking standards, the customer and PISP make an agreement
16:32:05 ...they agree to what is being paid, which authentication mechanism is being used
16:32:10 ...that's built into the standards.
16:32:20 [Chris shows some UX associated with UK open banking]
16:32:30 Chris: In UK open banking, there are prescriptions for the UX
16:33:01 ...the information about what is consented to ("the consent object" or "the payment initiation request") is sent by the PISP to the bank.
16:33:27 ...the PISP invokes SPC (via PR API)
16:34:08 ...there could be a payment handler in the background that orchestrates the result of authentication, or the assertion is returned immediately to the PISP
16:34:13 ...the PISP sends the assertion to the ASPSP
16:34:21 ...the ASPSP verifies the cryptogram and lets the PISP know
16:34:37 ...the PISP executes the payment initiation request at the ASPSP.
16:34:46 [Sequence diagram walk-through]
16:36:43 Chris: In the flow diagram, the bank sends a consent identifier back to the PISP. My suggestion is that data is used in the SPC challenge.
16:38:01 Chris: Interesting open question on whether merchant needs to hold public key as well as the RP (yesterday Benjamin suggested this is a good thing to enable merchants to do some validation; I agree)
16:39:08 Chris: I think SPC fits nicely with the consent flows
16:39:20 ...but there might be some further discussion on discoverable client-side credentials
16:39:38 scribenick: nicktr
16:40:07 ian: in SPC there are two things that need providing: the list of the credential IDs and the random number
16:40:15 ...where in the seq diagram is that done?
16:40:31 Chris: In this proposal, the merchant knows the credential ID (and they bind it to the consent they send in).
16:40:42 I think the consent id is sufficient randomness to prevent a replay
16:40:45 ...the ASPSP sends the random number back in the "provide consent identifier" line
16:40:54 scribenick: ian
16:41:04 [Chris: Example UK - payment initiation consent]
16:42:24 [Second flow diagram]
16:43:03 Chris: second flow diagram shows same flow with more specific example data in it
16:43:29 ...includes SPC, OpenID, FAPI pieces as well
16:44:58 [Example: Berlin Group - Payment Initiation Request]
16:45:26 Chris: In Berlin Group, similar: payment initiation request goes to target bank.
16:45:49 ...suggestion I have is to send the credential id in the X-SPC-Credential-ID header (but could be done in other ways)
16:45:59 ...the process overall is very similar to the UK flow
16:46:07 [Conclusions]
16:46:22 Chris: SPC can fit in open banking use cases effectively. Limited need to change initial vision of SPC to make this work.
16:46:37 Chris: ...salient open banking standards would need little change to support this
16:46:44 ...ASPSPs need to see the value of this.
16:46:55 [Open questions]
16:47:09 Chris: What should the role of payment handler be?
16:49:06 +1 to using the term "assertion" and following WebAuthn conventions
16:49:25 q+ to ask about sharing public key with PISP
16:49:33 Makes sense, the term "cryptogram" has already been a little confusing with 3D Secure
16:49:52 Ian: Is sharing of key done out of band?
16:49:54 ian: interested in the desire to share public key with PISP
16:50:09 Chris: Merchant invokes PR API. Giving them access to the public key is very sensible
16:50:21 ...they can make sure that responses are sent on the back end
16:50:37 ...can help reduce risk of failure
16:51:13 Danyao: Thanks for the great presentation. Also regarding the last point (access to public key).
16:51:23 ...in the FIDO world, usually only the RP has access to the public key
16:51:40 Danyao: ...do you see security concerns that ASPSPs might have?
16:51:49 Chris: I don't think so, but I'm not a security expert
16:52:07 ...to me it feels like it's an ok thing to do. Whether it's part of the spec is another question.
16:53:08 SameerT: To me it sounds like the PISPs would have access to the public key. That sounds like a delegated auth scenario.
16:53:32 ...in 3DS use cases, even with merchants having keys, issuers may still choose to step up
16:54:21 SameerT: Merchant validating the user and sending that data to issuers is part of 3DS
16:54:32 ...whether issuers trust the data is a distinct question
16:55:02 John_Bradley: the UK flow that's being talked about is based on FAPI.
16:55:19 ...adopted in other places as well (AU, CA, Brazil, NZ, others)
16:55:50 ...the biggest issue I see in this is the merchant being able to specify an RPID for a credential issued by the bank
16:56:05 ...I think origin scoping of credentials could be a big part of this work.
16:56:28 ...so within WebAuthn we may need to enable banks to make credentials for merchants, or alternatively change the flow so that the WebAuthn can happen in an iframe in the bank's origin
16:56:39 ...I would be interested in working on this, but there will be some webauthn issues to sort out
16:56:54 ...I don't see the public key being shared with the merchant as necessarily a security risk.
16:57:10 ...using the request id as the challenge would be fine IMO
16:57:32 Chris: Do you think that FAPI would see this as something they could create a profile for?
16:57:59 ...would there be merit in that?
"This is the expected behavior"
16:58:33 John_Bradley: I can't speak for the whole FAPI WG. There is interest in that group in participating in this group and increasing the interaction.
16:58:44 ...to get it to work smoothly probably requires some optimizations of some FAPI flows
16:58:57 ...would have to figure out how some of the origin constraints can be dealt with on the WebAuthn side.
16:59:02 ...but getting it to work would be a great thing
17:00:27 Thanks everyone
17:00:33 thanks!
17:01:11 ciao!