15:57:44 <RRSAgent> RRSAgent has joined #wpwg-spc
15:57:44 <RRSAgent> logging to https://www.w3.org/2021/06/07-wpwg-spc-irc
15:57:47 <Zakim> Zakim has joined #wpwg-spc
15:57:51 <Ian> Meeting: SPC Task Force
15:58:01 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Jun/0001.html
15:58:04 <Ian> Chair: Ian
15:58:05 <Ian> Scribe: Ian
15:58:09 <Ian> present+
15:59:27 <Ian> agenda+ Survey to prioritize use cases
15:59:30 <Ian> agenda+ Issues list review
15:59:36 <Ian> agenda+ Next meeting
15:59:48 <Ian> present+ Jean-Carlo_Emer
16:00:42 <Ian> present+ Rouslan_Solomakhin
16:01:54 <Ian> present+ Praveena_Subrahmany
16:02:11 <Ian> present+ Adrian_Hope-Bailie
16:02:16 <Ian> present+ Chris_Wood
16:03:10 <Ian> present+ Doug_Fisher
16:03:15 <praveena> praveena has joined #wpwg-spc
16:03:31 <Ian> present+ Clinton_Allen
16:03:44 <Ian> -> https://lists.w3.org/Archives/Public/public-payments-wg/2021Jun/0001.html Agenda
16:04:09 <Chris_Wood> Chris_Wood has joined #wpwg-spc
16:05:21 <jcemer_> jcemer_ has joined #wpwg-spc
16:05:26 <Ian> present+ Laura
16:06:39 <Ian> present+ Gerhard_Oosthuizen
16:09:12 <Ian> zakim, close item 1
16:09:12 <Zakim> agendum 1, Survey to prioritize use cases, closed
16:09:13 <Zakim> I see 2 items remaining on the agenda; the next one is
16:09:13 <Zakim> 2. Issues list review [from Ian]
16:09:16 <Ian> zakim, take up item 2
16:09:16 <Zakim> agendum 2 -- Issues list review -- taken up [from Ian]
16:11:08 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/65
16:11:43 <Ian> Gerhard: Interesting discussion of "what's stored" v "what's passed as input"?
16:12:08 <Ian> ...late binding is nice, but what are you registering for?
16:12:19 <Ian> ...do all the underlying protocols need to pass the data for authentication time?
16:13:56 <Ian> IJ: What are the benefits to auth-time binding?
16:14:10 <Ian> Rouslan: (1) Allows credential updates (instead of updating stored information).
16:14:46 <Ian> (2) If we want to work across multiple profiles or browsers, the way that WebAuthn does that today is data is stored in the authenticator (the browser doesn't store data in webAuthn case)
16:15:28 <Ian> (3) Private browsing mode is a separate profile; so you could not access the stored data from that mode...but if we pass the data as a parameter, you could still use SPC during a transaction in private browsing mode
16:16:05 <Ian> ...there is an option question: "What would we do during enrollment?"
16:16:15 <Ian> ...if the only thing that's created is a credential, do we need UX?
16:16:30 <Ian> ...we think that the UX is beneficial; we are experimenting with it but don't have enough data yet
16:16:48 <Ian> ...however, the UX would be a privacy and security requirement if we want to allow enrollment of credentials from an iframe
16:19:04 <Ian> Gerhard: Thanks for the context. It's not insurmountable for browsers to share state. If I register a credential in a browser and give consent to use my Visa card ... we need to be sure that it's the same card I've consented to use the next time
16:19:45 <Ian> ...as service provider, we'd like the browser to store the association instead of us having to keep track of some of the information.
16:20:12 <Ian> AdrianHB: If I enroll a new FIDO credential with an instrument, in the late binding model is there any binding at all?
16:20:26 <Ian> ...any hints up front to help the user choose the credential I want to use?
16:20:51 <Ian> ...what's the actual relationship between FIDO token and instrument?
16:21:14 <Ian> Gerhard: It seems there's no need for instrument registration. You are basically consenting to use a FIDO token to be used for "any payment"; not a specific instrument.
16:21:40 <Ian> ...it's not clear all the underlying protocols would support passing of data.
16:21:56 <Ian> q+
16:22:36 <Ian> rouslan: We are thinking of multiple instruments should be usable per credential.
16:22:55 <Ian> ...the user would know how the FIDO credential is being used through the browser-native UX
16:24:05 <Ian> ...if a bank participates in the WebAuthn ecosystem, what happens if bank loses credential IDs?
16:24:47 <Ian> ...wondering if it's an issue if a merchant has access to credentials illegitimately; I think it's not a problem since there is still an authorization phase
16:26:26 <Ian> AdrianHB: RP is responsible for validating instrument is correct.
16:26:43 <Ian> Rouslan: Correct. In the happy path, the issuer provides a list of credentials and an icon/name and a nonce.
16:26:59 <Ian> ...the merchant invokes SPC
16:27:29 <Ian> ...browser gets the icon/name...once user authenticates, authenticator signs over ALL the information provided as input.
16:27:46 <Ian> ...the relying party can validate the data (also, who is merchant, transaction id (?))
16:29:25 <Ian> IJ: Does this work for push payments?
16:29:38 <Ian> AdrianHB: Whoever authorizes the transaction confirms that what the user saw was ok.
16:34:55 <Ian> rouslan: We are thinking that no instrument info will be provided. And at authentication time it will be provided. There are tradeoffs to consider if we want to allow both.
16:35:16 <Ian> ...at enrollment time it might improve enrollment rate to provide instrument information
16:35:28 <Ian> ...it would be good to experiment with both ways
16:36:22 <Ian> ...a use case of interest for us is for user to reuse FIDO credential to bank for N cards
16:36:36 <Gerhard> Gerhard has joined #wpwg-spc
16:36:42 <Ian> ..I am leaning more towards "just one way to do it"
16:36:45 <Gerhard> q+
16:36:49 <Ian> ack me
16:37:10 <Ian> AdrianHB: This feels like a clean model, but it also allows us to consider payment instruments independent of SPC
16:37:35 <Ian> ...this flow would be interesting:
16:37:41 <Ian> * merchant declares payment method support
16:37:47 <Ian> * browser shows list of instruments
16:37:56 <Gerhard> q-
16:37:56 <Ian> * merchant gets back some blob that can be passed as input to SPC for authentication
16:42:18 <Gerhard> Have to drop off guys.
16:42:23 <Gerhard> Thanks for a great discussion.
16:42:27 <Ian> zakim, close item 2
16:42:27 <Zakim> agendum 2, Issues list review, closed
16:42:28 <Zakim> I see 1 item remaining on the agenda:
16:42:28 <Zakim> 3. Next meeting [from Ian]
16:42:33 <Ian> zakim, take up item 3
16:42:33 <Zakim> agendum 3 -- Next meeting -- taken up [from Ian]
16:42:35 <Ian> 21 June
16:42:54 <Ian> RRSAGENT, make minutes
16:42:54 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
16:42:59 <Ian> RRSAGENT, set logs public
16:51:00 <Ian> RRSAGENT, make minutes
16:51:00 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
16:51:02 <Ian> RRSAGENT, set logs public
16:52:53 <Ian> RRSAGENT, make minutes
16:52:53 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
16:53:59 <Ian> RRSAGENT, make minutes
16:53:59 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
16:56:06 <Ian> RRSAGENT, make minutes
16:56:06 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
16:59:29 <Ian> RRSAGENT, make minutes
16:59:29 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
17:08:43 <Ian> RRSAGENT, make minutes
17:08:43 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian
17:10:12 <Ian> RRSAGENT, make minutes
17:10:12 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/07-wpwg-spc-minutes.html Ian