Meeting minutes
Requirements Document
https://
Question: What about a hidden iframe?
smcgruer_[EST]: From the Chrome side we talk about "user activation" or user gesture.
… so visible/hidden is not as important to call out
Jean: In the README there's a section that mentions user activation
smcgruer_[EST]: SPC as a concept requires user activation
Gerhard: I think user activation is required, but there's a balance between clicking a button before you trigger SPC, and no button requirement because SPC itself will require a user activation
… and a user gesture might be part of consent for lower friction in the future
smcgruer_[EST]: But we'd likely not do that due to on-load UX in your face
Gerhard: User gesture is required, whether to kick off SPC or during SPC.
Action: smcgruer_[EST] to formulate a user activation requirement
Tomasz: Regarding "must be available in PR API"; I don't agree. I think it's more closely tied to credential management API.
Gerhard: The credential is important, but the transaction confirmation is important to us
Action: Ian to revise requirements to decouple from Payment Request as a concrete requirement.
smcgruer_[EST]: Regarding "SPC enrollment in a transaction."
… I hear a desired behavior is for one gesture to be used to (1) enroll and then (2) sign
Tomasz: That's not possible in WebAuthn today. Would be great to be able to do this here.
… In FIDO you produce either the attestation or the assertion.
IJ: Is this a general FIDO issue or a web payments-specific issue?
Tomasz: Would be great: if SPC is enrolled during transaction, they are also used to produce the SPC Assertion
smcgruer_[EST]: This is interesting as a concept. I support us investigating this in some way. But I think it's a core FIDO question, not an SPC question.
Action: Ian to schedule 2 SPC topics at next WPWG meeting (1) is PR API required? (2) cardinality question for credentials