15:56:25 RRSAgent has joined #wpwg-spc
15:56:25 logging to https://www.w3.org/2021/08/16-wpwg-spc-irc
15:56:28 Meeting: SPC Task Force
15:56:30 Chair: Ian
15:56:33 Scribe: Ian
15:56:46 Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0016.html
15:56:53 agenda+ Issue 98: UX behavior when there are no matching credentials
15:57:00 agenda+ Question: can SPC authentication be called from a cross-origin iframe with proper permissions?
15:57:10 agenda+ Gerhard comments
15:57:21 agenda+ Any implementation updates?
15:57:24 agenda+ Next call
15:58:19 I have made the request to generate https://www.w3.org/2021/08/16-wpwg-spc-minutes.html Ian
15:59:05 present+ Clinton
16:01:11 present+ Jonathan
16:01:20 present+ Susan_Pandy
16:01:31 present+ Jean-Carlo_Emer
16:01:39 Anne has joined #wpwg-spc
16:01:39 regrets+ Nick_Telford-Reed
16:01:45 present+ Anne_Pouillard
16:01:52 present+ Stephen_McGruer
16:01:56 present+ Rolf_Lindemann
16:02:06 zakim, take up item 1
16:02:06 agendum 1 -- Issue 98: UX behavior when there are no matching credentials -- taken up [from Ian]
16:02:32 https://github.com/w3c/secure-payment-confirmation/issues/98
16:02:39 clinton has joined #wpwg-spc
16:02:41 Rolf has joined #wpwg-spc
16:03:16 present+ Gerhard_Oosthuizen
16:03:34 Stephen: In M94, notification rather than silence when no matching credentials.
16:03:44 Jonathan: So the user will receive a message that someone is trying to authenticate them?
16:04:00 ...how would a user understand this merchant?
16:04:26 ...e.g., messages like "use your security key" are likely to confuse the user.
16:05:07 [Stephen shows a screenshot of the notification message to the user, the way it will look in M94]
16:05:31 present+ Sameer_Tare
16:05:45 Jonathan: How does this address the privacy concern?
16:05:54 Stephen: It prevents a timing attack.
16:06:14 ...the attack goes like:
16:06:47 ...you call SPC with credentials and one of two things happens: either I have the authenticator (and the SPC UI will show up) or I don't have the authenticator and we would immediately exit.
16:07:05 ...so the time to resolve the promise reveals information about the user environment
16:07:14 ...this is how WebAuthn handles this attack.
16:07:37 Jonathan: This forces the use of cookies.
16:07:50 Stephen: I agree with you that that's a common implication.
16:08:32 Jonathan: Could we get consent at enrollment?
16:08:49 Stephen: That might work for WebAuthn, but we decouple the ceremony in SPC and let more people initiate authentication.
16:09:00 present+ Michel_Weksler
16:09:10 jcemer has joined #wpwg-spc
16:09:10 present+ Doug_Fisher
16:09:25 Jonathan: I think it would be worth exploring more options.
16:10:02 Ian: What about varying the response time for silent promise fail?
16:10:07 Stephen: Yes, we could also "wait some time"
16:10:27 ...that has the downside of the user waiting around.
16:10:41 ...for now we've aligned with WebAuthn behavior.
16:10:52 Jean-Carlo: Can the user interact with the page while waiting?
16:11:15 ...probably not if you can monitor that the user is doing other actions during this time (which may suggest the dialog is not showing)
16:11:55 ...I think this approach is ok (not great) because it is at least clear to the user what's happening.
16:12:33 Stephen: When the promise fails, it's a generic failure so as not to reveal user environment info.
16:13:07 zakim, take up item 2
16:13:07 agendum 2 -- Question: can SPC authentication be called from a cross-origin iframe with proper permissions? -- taken up [from Ian]
16:13:14 mweksler has joined #wpwg-spc
16:13:48 Stephen: Yes. Nothing has changed re: using this in an iframe.
16:14:07 zakim, close item 1
16:14:07 agendum 1, Issue 98: UX behavior when there are no matching credentials, closed
16:14:08 zakim, close item 2
16:14:10 I see 4 items remaining on the agenda; the next one is
16:14:10 2. Question: can SPC authentication be called from a cross-origin iframe with proper permissions? [from Ian]
16:14:10 agendum 2, Question: can SPC authentication be called from a cross-origin iframe with proper permissions?, closed
16:14:11 I see 3 items remaining on the agenda; the next one is
16:14:11 3. Gerhard comments [from Ian]
16:14:12 zakim, take up item 3
16:14:12 agendum 3 -- Gerhard comments -- taken up [from Ian]
16:14:37 Ian: Any thorny ones to discuss?
16:15:03 zakim, who's here/
16:15:03 I don't understand 'who's here/', Ian
16:15:05 zakim, who's here?
16:15:05 Present: Clinton, Jonathan, Susan_Pandy, Jean-Carlo_Emer, Anne_Pouillard, Stephen_McGruer, Rolf_Lindemann, Gerhard_Oosthuizen, Sameer_Tare, Michel_Weksler, Doug_Fisher
16:15:09 On IRC I see mweksler, jcemer, Rolf, clinton, Anne, RRSAgent, Zakim, jeffh, smcgruer_[EST], AdrianHB, Ian
16:15:16 Gerhard: Will there be a screen during enrollment?
16:15:32 Gerhard: Can you upgrade an SPC credential to use it for other auth?
16:15:45 ...can you upgrade a WebAuthn credential later to payment?
16:16:08 Stephen:
16:16:28 - Yes, you can use an SPC credential with other WebAuthn use cases (e.g., login)
16:16:43 - Yes, our intention is to NOT show enrollment UX other than the WebAuthn UX
16:17:24 ...we think that the WebAuthn UX is good enough re: establishing a relationship, and we prefer that the RP has the ability to handle communication as they see fit (e.g., to fulfill GDPR requirements, etc.)
16:17:33 ...but I realize there's a difference of opinion here.
16:17:50 Gerhard: We need to be clearer in the spec about these points.
16:19:24 Ian: I think we can at most say "This spec does not preclude other uses of the credential."
16:20:01 Gerhard: Given a WebAuthn credential, how do I turn it into a payment credential?
16:20:47 Stephen: We need to broach this with the WebAuthn working group. We may get to a place where there is no extension for payments, or we may not.
16:21:37 ...I think you can't update a credential; I think it's a replace operation.
16:22:26 Rolf: Some things are dynamic (don't affect the credential). I think that for payment this might be how it works. "For a payment operation" use the credential this way.
16:22:36 ...the operation determines behavior with the same credential.
16:25:28 Gerhard: Is the extension adding value?
16:25:32 ...why not take it out?
16:25:34 Rolf: I think I agree.
16:25:52 ...the credential is generic and might be used in various contexts.
16:26:02 ...the RP will see the fact of how it was used in the assertion
16:26:12 ...and if the RP was not prepared for a particular usage, it can reject the assertion.
16:26:37 Stephen: I agree. But I suspect that the WebAuthn will reject this.
16:27:28 Ian: We will chat with the WebAuthn WG mid-October
16:28:05 Stephen: I think we will launch with the extension but can revisit it
16:28:31 Gerhard: +1 to Rolf's comments.
16:28:46 Stephen: We may need it for caching but hope to be able to get rid of it.
16:29:19 zakim, close item 3
16:29:19 agendum 3, Gerhard comments, closed
16:29:20 I see 2 items remaining on the agenda; the next one is
16:29:20 4. Any implementation updates? [from Ian]
16:29:25 zakim, take up item 4
16:29:25 agendum 4 -- Any implementation updates? -- taken up [from Ian]
16:29:47 Stephen: We continue to update the implementation to align with the spec.
16:30:10 ...if the spec doesn't say what you think is right, let us know in an issue.
16:30:13 zakim, close item 4
16:30:13 agendum 4, Any implementation updates?, closed
16:30:14 I see 1 item remaining on the agenda:
16:30:14 5. Next call [from Ian]
16:30:19 zakim, take up item 5
16:30:19 agendum 5 -- Next call -- taken up [from Ian]
16:30:23 23 August
16:30:56 RRSAGENT, make minutes
16:30:56 I have made the request to generate https://www.w3.org/2021/08/16-wpwg-spc-minutes.html Ian
16:33:54 rrsagent, bye
16:34:01 rrsagent, set logs public
16:34:02 rrsagent, bye
16:34:02 I see no action items