W3C

SPC Task Force

21 June 2021

Attendees

Present
Adrian Hope-Bailie (Coil), Anne Pouillard (Worldline), Benjamin Tidor (Stripe), Chris Wood, Christian Aabye (Visa), Clinton Allen (American Express), Doug Fisher (Visa), Ian Jacobs (W3C), Jonathan Grossar (Mastercard), Michel Weksler (Airbnb), Rolf Lindemann (Nok Nok Labs), Sameer Tare (Mastercard), Stephen McGruer (Google), Werner Bruinings (American Express)
Regrets
-
Chair
Ian
Scribe
Ian

Meeting minutes

Survey results

https://www.w3.org/2002/09/wbs/83744/spc-priority/results

Top five use cases

- Authentication different merchant

- Frictionless Checkout (no user presence check or payment confirmation dialog)

- In-transaction enrollment, later authentication same merchant

- Authentication with out-of-band authenticator

- Express Checkout (no user presence check)

- Authentication by bank after redirect

<smcgruer_[EST]> Stephen: Note that this ordering doesn't pay attention to number of responses to a given use-case.

<smcgruer_[EST]> ... so Frictionless Checkout only got two votes, meaning it was outside of the top-5 for 4/6 respondents

<smcgruer_[EST]> ... we need to analyze this deeper

What is enrollment?

IJ: Question from Gerhard was "What is enrollment?"

smcgruer_[EST]: Today you need to store the credential in the browser. My view is that the RP has control and maintains the binding. They can say "This is my credential and it can be used for payment."
… if they get a payment somehow where the credential has not gone through the flow, then can choose not to accept it.

IJ: What does enrollment do?

smcgruer_[EST]: First pilot motivated us to try a standardized enrollment UX.
… we may find it is useful or not

btidor: I thought one reason for the enrollment UI was to allow it to happen in an iframe

smcgruer_[EST]: permission policy on iframe suggests it would be fine (without UX for enrollment)
… I have been thinking this could just be something that's part of WebAuthn

btidor: If we could just do permission policy and remove enrollment screen, that would be amazing.

btidor: SPC would allow 1p enrollment of WebAuthn credential (unlike vanilla WebAuthn)

smcgruer_[EST]: Right, gated behind permission policy

btidor: Maybe "upgrade" and "create" permissions are different

Ian: Is enrollment in a 1p context a requirement?

btidor: I hear there's a proposal to integrate SPC into FIDO
… how do we think about what we can specify here vs WebAuthn?

<Zakim> smcgruer_[EST], you wanted to note that 'In-transaction enrollment' essentially states that cross-origin iframe requires that

smcgruer_[EST]: On the question of 3p enrollment; it's sort of covered by the use case of "enrollment during transaction"
… to btidor's point, I think enrollment could wind its way to WebAuthn
… on authentication, i think that will solidly stay in WPWG space

btidor: That makes sense

<Zakim> AdrianHB, you wanted to ask about "instruments" in SPC vs WebAuthn?

AdrianHB: Where do payment instruments fit in? When I enroll an authenticator, do I explicitly say which instrument I will use for future auth?
… or does instrument stuff happen at auth time?
… what worries me is disconnect between instrument information and losing connection to RP

smcgruer_[EST]: We are interested in this direction - instrument is auth-time; and you are correct there is a UX issue

"At enrollment, the Relying Party should be able to provide information about zero, one, or more than one instruments, and the browser should support verbiage in the user experience that communicates what the user is consenting to."

<btidor> +1 to not precluding software authenticators!

Ian: API should abstract above "credential id" even if v1 is focused on FIDO

<Zakim> smcgruer_[EST], you wanted to discuss comment on discoverable credentials

Ian: The less we store in the browser, the less instrument selection work we can do (I think)

Editor's Note: After the meeting, Stephen McGruer wrote to the WG about this agenda item: "Having done some digging, I need to correct myself from this meeting. When we moved to allow SPC enrollment to happen in an iframe (for Origin Trial #2), our security/privacy folks were the ones who asked for an explicit browser enrollment UX, to make sure that the user was aware of what was happening. This decision isn't necessarily final, and I'm following up internally to see what might change if WebAuthn themselves allow cross-origin creation of credentials, but for now let's proceed assuming an enrollment browser UX is required (at least by Chrome; other browsers may make different decisions)."

Agenda for Thursday?

<clinton> +1

AdrianHB: Yes, but let's define those topics

btidor: Might be good to talk through what we want to do that may or may not make sense from a FIDO perspective.

<mweksler> +1

<AdrianHB> +1

Next SPC task force call

28 June

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).