13:47:43 RRSAgent has joined #wpwg
13:47:43 logging to https://www.w3.org/2021/07/22-wpwg-irc
13:47:46 Meeting: Web Payments Working Group
13:47:56 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20210722
13:48:04 Scribe: Ian
13:48:22 agenda+ Early draft of SPC API
13:48:28 agenda+ Next meeting
13:50:43 Chair: Ian
13:59:36 present+
14:00:17 present+ Anne_Pouillard
14:00:41 present+ Clinton_Allen
14:00:54 clinton has joined #wpwg
14:01:02 present+ Robert_Savage(MAG)
14:01:22 present+ Jonathan_Grossar
14:01:30 present+ Jean-Luc_Di-Manno
14:02:05 present+ Jean-Michel_Girard
14:02:09 present+ Lawrence_Cheng
14:02:15 jonathan has joined #wpwg
14:02:25 Anne has joined #wpwg
14:02:30 present+ Stephen_McGruer
14:03:13 present+ Werner_Bruining
14:03:17 Chair: Nick
14:03:31 Gerhard has joined #wpwg
14:03:32 present+ Gerhard_Oosthuizen
14:03:57 werner has joined #wpwg
14:03:57 JMGirard has joined #wpwg
14:04:42 present+ Sophie_Rainford
14:05:01 regrets+ Adrian_Hope-Bailie
14:05:05 zakim, take up item 1
14:05:05 agendum 1 -- Early draft of SPC API -- taken up [from Ian]
14:05:14 present+ Thomas_Bellenger
14:05:31 -> https://w3c.github.io/secure-payment-confirmation/ Draft SPC API spec
14:06:06 present+ Susan_Pandy
14:06:13 JeanLuc has joined #wpwg
14:06:25 Stephen: RTFM
14:06:39 smcgruer_[EST]: There is a first draft link of the spec. It does 2 things:
14:06:48 1) Somewhat encodes the origin trial where SPC is a payment method
14:07:02 Fawad has joined #wpwg
14:07:02 ...one discussion is "don't attach this to PR API"
14:07:18 2) The other part of the spec is about how to connect to the WebAuthn backend
14:07:27 ...so the spec defines an extension to WebAuthn
14:07:46 ...these changes (from "payment credential" to WebAuthn extension) came from discussions internally with WebAuthn folks
14:07:49 present+ Fawad_Nisar
14:08:07 smcgruer_[EST]: We are moving the Chrome code in the direction described by the specification.
14:08:35 ...work still to do on use cases, security/privacy sections
14:08:55 ...one challenge is to specify what is shown to the user since usually specs don't describe UX
14:09:04 ...so this spec is unusual in that regard.
14:09:19 IJ: Any hot topics where you need input?
14:09:24 q+ to ask how webauthn handles the question of ui
14:09:47 smcgruer_[EST]: One big issue I just wrote up -> https://github.com/w3c/secure-payment-confirmation/issues/92
14:09:51 q+ to ask about being a payment method
14:10:03 ack nick
14:10:03 nicktr, you wanted to ask how webauthn handles the question of ui and to ask about being a payment method
14:10:18 nicktr: A few things struck me as I read through the spec
14:10:38 ...you mention the challenge of how/whether to define the UX
14:10:44 ...how does WebAuthn address that challenge?
14:11:11 smcgruer_[EST]: I believe the WebAuthn spec takes a hands-off approach
14:11:31 ...WebAuthn slightly gets away with this because much of the UX is from the platform
14:11:33 q+
14:11:59 smcgruer_[EST]: I think we can take a similar approach of saying that the user agent will communicate the following information to the user...
14:12:26 Nick: It does seem that UI guidance is minimal in WebAuthn
14:13:05 Nick: Second part of my question, regarding SPC-as-payment method...if we are using SPC as the payment method, how does that interact with calls where multiple payment methods are referenced?
14:13:37 [Ian thinks the answer is: if you want to use PR API for payment credentials, do that first, then call PR API for SPC...and without other payment method ids...and if this is accurate, we should say this in the spec.]
14:14:44 smcgruer_[EST]: I agree SPC is not a payment method. SPC assumes the payment instrument has been selected
14:14:53 ack JeanLuc
14:15:17 JeanLuc: Regarding the additional data dictionary...I see you have amount (for dynamic linking)
14:15:25 ...can we also add a timestamp?
14:15:48 ...from the RP
14:16:07 ...for 3DS, for example, let's assume that the ACS is the RP
14:17:03 ...the banks may wish to know how much time has elapsed between when credential requested and when authentication happened
14:17:31 ...subscription use case may also be interesting
14:17:34 +1 for timestamp.
14:18:02 +1
14:18:15 smcgruer_[EST]: I would like to meet industry needs but also minimize features.
14:18:23 ...is there a concrete use case for embedding the time stamp?
14:18:35 q+
14:18:49 smcgruer_[EST]: Time stamp precision may be an issue.
14:19:02 JeanLuc: Right, the same comes from the RP.
14:19:13 smcgruer_[EST]: You can put time stamp in the challenge
14:19:15 ack Gerhard
14:19:33 Gerhard: We need something to prevent replay attack.
14:20:55 Ian: How do you put it in the challenge?
14:21:14 smcgruer_[EST]: You can encode whatever you want in the challenge, and then extract it.
14:22:18 JeanLuc: Time stamp may be useful in risk assessment.
14:22:52 q+
14:23:11 smcgruer_[EST]: Please do file a GitHub issue with use cases described.
14:25:16 ...RP controls the challenge. You can record time on RP server; and compare when you get assertion back...don't need SPC feature
14:26:54 ack Ger
14:27:09 Gerhard: If I look at Example 2...the instrument object
14:27:43 ...if the instrument information is presented at auth-only, it might be useful to provide a reference in the signature provided by the RP
14:27:56 ...like an instrument identifier that can be signed
14:28:44 q?
14:28:44 q+
14:29:25 ack smcgruer_[EST]
14:29:42 smcgruer_[EST]: the reference doesn't prove anything.
14:29:51 ...the browser doesn't do anything but sign it
14:30:02 ...the display name and icon are important for dynamic linking
14:31:47 IJ: How do people speak to the "if you trust the browser" comment?
14:34:06 q+
14:34:49 ack nick
14:35:01 [IJ mentions WPSIG conversation about trusting the browser]
14:35:26 +q
14:35:29 q+
14:35:33 Ian: We may want a FAQ outside the spec
14:36:22 Nick: I don't think "who calls the API" is material to the "trust the browser" issue
14:36:36 ack clin
14:36:37 clinton,
14:36:56 clinton: From my perspective, any one of these components solves a small segment of a big problem.
14:37:14 ...the browser's security properties don't seem to be relevant;
14:39:05 ...is it a browser issue or a broader "end-to-end system" issue so examined per payment method?
14:39:27 Ian: I think questions are on (1) how to trust browser displays properly what is provided in the API and (2) CTAP implementation quality
14:40:17 q+
14:40:23 ack Werner
14:40:40 werner: I noticed currency amount in SPC...in 3DS there are a few other things that are required.
14:40:47 ...does that go here?
14:41:34 Ian: I think it has to do with how SPC is integrated into 3DS.
14:46:54 ACTION: Ian to raise an issue about localizing browser UX cf PR API
14:49:07 zakim, take up item 2
14:49:07 agendum 2 -- Next meeting -- taken up [from Ian]
14:49:17 5 August
14:49:48 RRSAGENT, make minutes
14:49:48 I have made the request to generate https://www.w3.org/2021/07/22-wpwg-minutes.html Ian
14:49:57 RRSAGENT, set logs team
14:50:37 rrsagent, set logs public
14:51:14 RRSAGENT, make minutes
14:51:14 I have made the request to generate https://www.w3.org/2021/07/22-wpwg-minutes.html Ian
14:51:45 zakim, bye
14:51:45 leaving.
14:51:45 As of this point the attendees have been Ian, Anne_Pouillard, Clinton_Allen, Robert_Savage(MAG), Jonathan_Grossar, Jean-Luc_Di-Manno, Jean-Michel_Girard, Lawrence_Cheng,
14:51:45 Zakim has left #wpwg
14:51:47 rrsagent, bye
14:51:47 I see 1 open action item saved in https://www.w3.org/2021/07/22-wpwg-actions.rdf :
14:51:47 ACTION: Ian to raise an issue about localizing browser UX cf PR API [1]
14:51:47 recorded in https://www.w3.org/2021/07/22-wpwg-irc#T14-46-54
14:51:49 ... Stephen_McGruer, Werner_Bruining, Gerhard_Oosthuizen, Sophie_Rainford, Thomas_Bellenger, Susan_Pandy, Fawad_Nisar