IRC log of wpwg-spc on 2021-05-24
Timestamps are in UTC.
- 16:00:27 [RRSAgent]
- RRSAgent has joined #wpwg-spc
- 16:00:27 [RRSAgent]
- logging to https://www.w3.org/2021/05/24-wpwg-spc-irc
- 16:00:29 [Zakim]
- Zakim has joined #wpwg-spc
- 16:00:39 [Ian]
- Meeting: SPC Task Force
- 16:00:46 [Ian]
- present+ Ian_Jacobs
- 16:00:51 [Ian]
- present+ Clinton_Allen
- 16:00:58 [Ian]
- regrets+ Stephen_McGruer
- 16:01:06 [Ian]
- present+ Rouslan_Solomakhin
- 16:01:15 [Ian]
- present+ Jean-Carlo_Emer
- 16:01:20 [Ian]
- present+ Chris_Wood
- 16:01:24 [Ian]
- present+ Benjamin_TIdor
- 16:01:44 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0017.html
- 16:02:06 [Ian]
- present_ Gerhard_Oosthuizen
- 16:02:10 [Ian]
- present+ Christina_Aabye
- 16:02:56 [Gerhard]
- Gerhard has joined #wpwg-spc
- 16:02:57 [btidor]
- btidor has joined #wpwg-spc
- 16:03:04 [Ian]
- https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0017.html
- 16:03:09 [jcemer]
- jcemer has joined #wpwg-spc
- 16:03:10 [Christian]
- Christian has joined #wpwg-spc
- 16:03:14 [clinton]
- clinton has joined #wpwg-spc
- 16:03:15 [Ian]
- Topic: Scope + Requirements
- 16:03:23 [Ian]
- https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md
- 16:03:23 [Ian]
- https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md
- 16:03:32 [Ian]
- present+ Sameer_Tare
- 16:03:59 [Ian]
- present+ Laura
- 16:04:06 [Ian]
- present+ Tomasz
- 16:04:39 [rouslan]
- rouslan has joined #wpwg-spc
- 16:04:45 [Ian]
- -> https://github.com/w3c/secure-payment-confirmation/wiki/Plan-2021
- 16:05:19 [Ian]
- Topic: Clearer benefits/features
- 16:05:25 [Ian]
- https://github.com/w3c/secure-payment-confirmation/pull/70
- 16:06:08 [Chris_Wood__]
- Chris_Wood__ has joined #wpwg-spc
- 16:06:12 [Ian]
- Gerhard: Will review today or tomorrow
- 16:06:35 [Ian]
- Topic: Pull request 73
- 16:06:35 [Ian]
- https://github.com/w3c/secure-payment-confirmation/pull/73
- 16:07:27 [Ian]
- present+ Rolf_Lindemann
- 16:07:34 [Ian]
- https://github.com/w3c/secure-payment-confirmation/pull/73/files
- 16:08:43 [Ian]
- Gerhard: This is the "user gesture" bit, right
- 16:08:52 [SameerT]
- SameerT has joined #wpwg-spc
- 16:10:08 [Ian]
- Tomasz: What about capability delegation?
- 16:10:21 [Rolf]
- Rolf has joined #wpwg-spc
- 16:11:02 [Ian]
- Tomasz: I think this is a good requirement; capability delegation can help with the UX
- 16:12:06 [Ian]
- Topic: Wrap up discussion raised by Tomasz and Stephen on GitHub:
- 16:12:22 [Ian]
- https://github.com/w3c/secure-payment-confirmation/pull/71
- 16:14:44 [Ian]
- Tomasz: How does API know that auth has taken place already?
- 16:14:58 [Ian]
- rouslan: SPC requires a "key" as input.
- 16:16:39 [Ian]
- Ian: But what impact would this have on the API?
- 16:16:42 [Ian]
- rouslan: None
- 16:18:33 [DF]
- DF has joined #wpwg-spc
- 16:19:00 [Ian]
- present+ Doug_Fisher
- 16:19:45 [Ian]
- Tomasz: I am ok with requirement for in-transaction enrollment; but we may not need to mention "the user has been authenticated"
- 16:19:56 [Ian]
- ACTION: Ian to revise the requirement to remove the pre-auth mention and to focus on the UX
- 16:21:01 [Ian]
- Christian: In 3DS land, 3DS space would be where we talk about this.
- 16:21:06 [Ian]
- ...not sure it belongs in SPC
- 16:22:34 [Ian]
- -> https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0016.html proposal regarding cardinality
- 16:25:51 [Ian]
- Tomasz: I am hearing from API perspective that I provide an SPC Credential Identifier
- 16:25:59 [Gerhard]
- q+
- 16:26:12 [Ian]
- Ian: Each instrument is independently addressable
- 16:26:52 [Gerhard]
- +1 for that unique addressability. Unique id for each instrument + auth combination.
- 16:27:11 [Ian]
- ack Gerhard
- 16:27:21 [Ian]
- Gerhard: I agree with the simple model
- 16:27:32 [rouslan]
- q+ to discuss cardinality
- 16:27:48 [Ian]
- ...but it does bring me to a use case comment: how do we handle scenario where multiple credentials are available
- 16:29:44 [Ian]
- Benjamin: Regarding N > 1, the original expectation was "browser picks arbitrary one"
- 16:30:14 [rouslan]
- q+ to talk about cardinality and failure experience
- 16:30:30 [Ian]
- ack rouslan
- 16:30:30 [Zakim]
- rouslan, you wanted to discuss cardinality and to talk about cardinality and failure experience
- 16:32:08 [Ian]
- rouslan: In case of "no matches", the reqs returns error code without UX. That's the experiment we've been running. But there are some people who think that if there's no user gesture requirement, there might be a way to iterate over a list of credentials ... and bad actors might use that info nefariously.
- 16:32:19 [Ian]
- ...so some people might be interested in an error message in case of no match
- 16:32:41 [Ian]
- ...regarding cardinality, I think that for each web site you'd have one credential
- 16:32:57 [Ian]
- ...some people want to reuse webauthn credential for payments
- 16:33:00 [Ian]
- q+
- 16:33:40 [Ian]
- ...the experience we've tested with SPC trial increases number of credentials
- 16:35:41 [Rolf]
- Note that it presents some level of friction to register an additional credential. So the ability to reuse one credential for auth and for payment is preferred from our side.
- 16:38:00 [Ian]
- btidor: If we have a situation where N instruments can have signature from same key, we want to reduce avenues of attack, e.g., locking down cardinality as well as good practice to avoid vulnerability
- 16:38:45 [Gerhard]
- Thanks everyone. Have to drop. Chat later
- 16:39:16 [jcemer]
- It is important to cover the case where the API is invoked with 2 credentialIds that are from 2 different instruments.
- 16:39:30 [Ian]
- Topic: Next call
- 16:39:32 [Ian]
- 31 May
- 16:39:41 [Ian]
- RRSAGENT, make minutes
- 16:39:41 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/24-wpwg-spc-minutes.html Ian
- 16:39:47 [Ian]
- RRSAGENT, set logs public
- 16:43:52 [Ian]
- regrets+ Praveena
- 16:43:55 [Ian]
- RRSAGENT, make minutes
- 16:43:55 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/24-wpwg-spc-minutes.html Ian
- 16:43:57 [Ian]
- RRSAGENT, set logs public
- 19:43:53 [Ian]
- zakim, bye
- 19:43:53 [Zakim]
- leaving. As of this point the attendees have been Ian_Jacobs, Clinton_Allen, Rouslan_Solomakhin, Jean-Carlo_Emer, Chris_Wood, Benjamin_TIdor, Christina_Aabye, Sameer_Tare, Laura,
- 19:43:53 [Zakim]
- Zakim has left #wpwg-spc
- 19:43:54 [Ian]
- rrsagent, bye
- 19:43:54 [RRSAgent]
- I see 1 open action item saved in https://www.w3.org/2021/05/24-wpwg-spc-actions.rdf :
- 19:43:54 [RRSAgent]
- ACTION: Ian to revise the requirement to remove the pre-auth mention and to focus on the UX [1]
- 19:43:54 [RRSAgent]
- recorded in https://www.w3.org/2021/05/24-wpwg-spc-irc#T16-19-56
- 19:43:56 [Zakim]
- ... Tomasz, Rolf_Lindemann, Doug_Fisher