IRC log of wpwg-spc on 2021-05-24

Timestamps are in UTC.

16:00:27 [RRSAgent]
RRSAgent has joined #wpwg-spc
16:00:27 [RRSAgent]
logging to
16:00:29 [Zakim]
Zakim has joined #wpwg-spc
16:00:39 [Ian]
Meeting: SPC Task Force
16:00:46 [Ian]
present+ Ian_Jacobs
16:00:51 [Ian]
present+ Clinton_Allen
16:00:58 [Ian]
regrets+ Stephen_McGruer
16:01:06 [Ian]
present+ Rouslan_Solomakhin
16:01:15 [Ian]
present+ Jean-Carlo_Emer
16:01:20 [Ian]
present+ Chris_Wood
16:01:24 [Ian]
present+ Benjamin_Tidor
16:01:44 [Ian]
16:02:06 [Ian]
present+ Gerhard_Oosthuizen
16:02:10 [Ian]
present+ Christina_Aabye
16:02:56 [Gerhard]
Gerhard has joined #wpwg-spc
16:02:57 [btidor]
btidor has joined #wpwg-spc
16:03:04 [Ian]
16:03:09 [jcemer]
jcemer has joined #wpwg-spc
16:03:10 [Christian]
Christian has joined #wpwg-spc
16:03:14 [clinton]
clinton has joined #wpwg-spc
16:03:15 [Ian]
Topic: Scope + Requirements
16:03:23 [Ian]
16:03:23 [Ian]
16:03:32 [Ian]
present+ Sameer_Tare
16:03:59 [Ian]
present+ Laura
16:04:06 [Ian]
present+ Tomasz
16:04:39 [rouslan]
rouslan has joined #wpwg-spc
16:04:45 [Ian]
16:05:19 [Ian]
Topic: Clearer benefits/features
16:05:25 [Ian]
16:06:08 [Chris_Wood__]
Chris_Wood__ has joined #wpwg-spc
16:06:12 [Ian]
Gerhard: Will review today or tomorrow
16:06:35 [Ian]
Topic: Pull request 73
16:06:35 [Ian]
16:07:27 [Ian]
present+ Rolf_Lindemann
16:07:34 [Ian]
16:08:43 [Ian]
Gerhard: This is the "user gesture" bit, right?
16:08:52 [SameerT]
SameerT has joined #wpwg-spc
16:10:08 [Ian]
Tomasz: What about capability delegation?
16:10:21 [Rolf]
Rolf has joined #wpwg-spc
16:11:02 [Ian]
Tomasz: I think this is a good requirement; capability delegation can help with the UX
16:12:06 [Ian]
Topic: Wrap up discussion raised by Tomasz and Stephen on GitHub:
16:12:22 [Ian]
16:14:44 [Ian]
Tomasz: How does API know that auth has taken place already?
16:14:58 [Ian]
rouslan: SPC requires a "key" as input.
16:16:39 [Ian]
Ian: But what impact would this have on the API?
16:16:42 [Ian]
rouslan: None
16:18:33 [DF]
DF has joined #wpwg-spc
16:19:00 [Ian]
present+ Doug_Fisher
16:19:45 [Ian]
Tomasz: I am ok with requirement for in-transaction enrollment; but we may not need to mention "the user has been authenticated"
16:19:56 [Ian]
ACTION: Ian to revise the requirement to remove the pre-auth mention and to focus on the UX
16:21:01 [Ian]
Christian: In 3DS land, 3DS space would be where we talk about this.
16:21:06 [Ian]
...not sure it belongs in SPC
16:22:34 [Ian]
-> proposal regarding cardinality
16:25:51 [Ian]
Tomasz: I am hearing from API perspective that I provide an SPC Credential Identifier
16:25:59 [Gerhard]
16:26:12 [Ian]
Ian: Each instrument is independently addressable
16:26:52 [Gerhard]
+1 for that unique addressability. Unique id for each instrument + auth combination.
16:27:11 [Ian]
ack Gerhard
16:27:21 [Ian]
Gerhard: I agree with the simple model
16:27:32 [rouslan]
q+ to discuss cardinality
16:27:48 [Ian]
...but it does bring me to a use case comment: how do we handle scenario where multiple credentials are available
16:29:44 [Ian]
Benjamin: Regarding N > 1, the original expectation was "browser picks arbitrary one"
16:30:14 [rouslan]
q+ to talk about cardinality and failure experience
16:30:30 [Ian]
ack rouslan
16:30:30 [Zakim]
rouslan, you wanted to discuss cardinality and to talk about cardinality and failure experience
16:32:08 [Ian]
rouslan: In case of "no matches", the request returns an error code without UX. That's the experiment we've been running. But there are some people who think that if there's no user gesture requirement, there might be a way to iterate over a list of credentials ... and bad actors might use that info nefariously.
16:32:19 [Ian]
...some people might be interested in an error message in case of no match
16:32:41 [Ian]
...regarding cardinality, I think that for each web site you'd have one credential
16:32:57 [Ian]
...some people want to reuse webauthn credential for payments
16:33:00 [Ian]
16:33:40 [Ian]
...the experience we've tested with the SPC trial increases the number of credentials
16:35:41 [Rolf]
Note that it presents some level of friction to register an additional credential. So the ability to reuse one credential for auth and for payment is preferred from our side.
16:38:00 [Ian]
btidor: If we have a situation where N instruments can have a signature from the same key, we want to reduce avenues of attack, e.g., locking down cardinality as well as good practice to avoid vulnerability
16:38:45 [Gerhard]
Thanks everyone. Have to drop. Chat later
16:39:16 [jcemer]
It is important to cover the case where the API is invoked with 2 credentialIds that are from 2 different instruments.
16:39:30 [Ian]
Topic: Next call
16:39:32 [Ian]
31 May
16:39:41 [Ian]
RRSAGENT, make minutes
16:39:41 [RRSAgent]
I have made the request to generate Ian
16:39:47 [Ian]
RRSAGENT, set logs public
16:43:52 [Ian]
regrets+ Praveena
16:43:55 [Ian]
RRSAGENT, make minutes
16:43:55 [RRSAgent]
I have made the request to generate Ian
16:43:57 [Ian]
RRSAGENT, set logs public
19:43:53 [Ian]
zakim, bye
19:43:53 [Zakim]
leaving. As of this point the attendees have been Ian_Jacobs, Clinton_Allen, Rouslan_Solomakhin, Jean-Carlo_Emer, Chris_Wood, Benjamin_Tidor, Christina_Aabye, Sameer_Tare, Laura,
19:43:53 [Zakim]
Zakim has left #wpwg-spc
19:43:54 [Ian]
rrsagent, bye
19:43:54 [RRSAgent]
I see 1 open action item saved in :
19:43:54 [RRSAgent]
ACTION: Ian to revise the requirement to remove the pre-auth mention and to focus on the UX [1]
19:43:54 [RRSAgent]
recorded in
19:43:56 [Zakim]
... Tomasz, Rolf_Lindemann, Doug_Fisher