15:58:22 <RRSAgent> RRSAgent has joined #wpwg-spc
15:58:22 <RRSAgent> logging to https://www.w3.org/2021/08/30-wpwg-spc-irc
15:58:26 <Ian> Meeting: SPC Task Force
15:58:28 <Ian> Chair: Ian
15:58:34 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0039.html
15:58:44 <Ian> Scribe: Ian
15:58:46 <Ian> present+
15:58:58 <Ian> present+ John_Bradley
16:00:10 <Ian> present+ Gerhard_Oosthuizen
16:01:04 <Ian> present+ Clinton_Allen
16:01:17 <Ian> present+ Doug_Fisher
16:01:40 <clinton> clinton has joined #wpwg-spc
16:02:38 <Ian> present+ Bastien_Latge
16:02:48 <Ian> present+ Susan_Pandy
16:03:12 <Ian> Topic: Pull request 120
16:03:17 <Ian> Ian: Ok @goosth?
16:03:30 <Ian> present+ Michel_Weksler
16:03:32 <mweksler> mweksler has joined #wpwg-spc
16:03:48 <Ian> present+ Adrian_Hope-Bailie
16:04:08 <Ian> Topic: Editor thanks!
16:04:21 <Ian> present+ Stephen_McGruer
16:05:02 <Ian> FPWD is tomorrow!
16:05:30 <Ian> Topic: Chrome updates?
16:06:00 <Ian> Stephen: Chatted with WebAuthn WG last week; expect more discussion next week. No actions yet.
16:06:19 <Ian> ...we have filed an intent to ship in 95; not a guarantee but we hope to have it there.
16:06:33 <Ian> John_Bradley: M95 where?
16:06:37 <Ian> Stephen: MacOS and Windows
16:07:03 <Ian> John_Bradley: How are you doing it on Windows? WebAuthn.dll v1 doesn't have any way to track cross-origin flag.
16:07:30 <Ian> ...the question is: how does the platform authenticator differentiate SPC v other FIDO credentials?
16:07:35 <jonathan__> jonathan__ has joined #wpwg-spc
16:07:47 <jonathan__> present+
16:07:50 <Ian> Stephen: I don't think today it's the job of the platform authenticator. We have a local browser list implementation today (not the long-term plan)
16:08:30 <Ian> present+ Sameer_Tare
16:08:58 <Ian> Stephen: Temporary in-browser storage today; various proposals being discussed (e.g., CTAP, or discoverable credentials)
16:09:43 <Ian> John_Bradley: Windows doesn't have non-discoverable-credentials.
16:10:32 <Ian> ..in principle SPC credentials are non-discoverable
16:10:38 <Ian> stephen: Yes, when used in a 3p context
16:11:14 <Ian> IJ: What does the spec need to say?
16:11:49 <Ian> Stephen: I was waiting to chat with WebAuthn folks before adding some info to the spec.
16:11:58 <Ian> John_Bradley: LargeBlob is a viable option.
16:12:45 <Ian> ...best thing is to have an extension IMO and store information in authenticator.
16:13:00 <Ian> ...could be a Webauthn extension (inherited by CTAP)
16:13:24 <Ian> ...there's no reason the extension couldn't also be passed to the authenticator
16:13:37 <Ian> ...the question is how the authenticator tells the platform that it is one kind of credential or another
16:14:00 <Ian> Stephen: Long term, what I'm hoping to do is that the necessary APIs for conditional UI should enable this use case.
16:14:25 <Ian> ...what we need is the ability to say "Does this credential match?" without a user interaction....
16:15:38 <Ian> AdrianHB: Is our use case in front of conditional UI folks?
16:15:42 <Ian> Stephen: Yes from Google side
16:16:04 <Ian> John_Bradley: People aren't necessarily thinking how this will work with caBLE
16:16:37 <Ian> ...how do private APIs talk to internal authenticator....we need to think about how this works with roaming authenticators
16:16:47 <Ian> Stephen: I agree.
16:16:55 <Gerhard_> Gerhard_ has joined #wpwg-spc
16:17:14 <Ian> ...what I'm hoping to see is that, with this initial version, we will prove the value and then we extend to roaming, caBLE, etc.
16:18:13 <Ian> q?
16:19:04 <Gerhard_> question: Will SPC work across all Platform Authenticators today (WebAuthn Level 1)
16:19:43 <Ian> Gerhard: Will M95 work on Android?
16:20:07 <Ian> ...will M95 work on existing Windows and MacOS versions shipping today?
16:20:36 <Ian> Stephen: Windows and MacOS works today with existing libraries today
16:20:49 <Ian> ..but we are waiting for Android to add discoverable credentials before we support SPC on Android
16:21:05 <Ian> Ian: What is that timeline?
16:22:08 <Ian> Topic:  Issue 101: Proposal: support data URIs for card art icons
16:23:18 <Ian> Ian: Doug indicated probably suffices to has the URL (not the data)
16:23:52 <Ian> Stephen: Current implementation is to sign the URL.
16:24:05 <Ian> John: The authenticator signs a hash of client data.
16:24:18 <Ian> Stephen: Cripes! You're right!
16:25:09 <Ian> AdrianHB: We don't have to has the data, but we should sign the image data (e.g., base 64). You don't need to hash it.
16:25:34 <Ian> John: Put the information in client data (e.g., base 64 url encoded or whatever)
16:25:47 <Ian> Stephen: It does mean that whatever has to be sent to the RP may be quite large
16:26:04 <Ian> ....what is the hash also in webAuthN?
16:26:17 <Ian> John_Bradley: SHA256. Just the one algorithm.
16:27:25 <Ian> Stephen: the original problem is that I thought the authenticator would not like the large blob, not realizing that it would be hashed before hitting the authenticator. Sorry about that!
16:27:36 <RRSAgent> I have made the request to generate https://www.w3.org/2021/08/30-wpwg-spc-minutes.html Ian
16:28:26 <Ian> Stephen: So first problem not a problem.
16:28:40 <Ian> John_Bradley: The RP should have the image. They keep the challenge. Why can't they keep the image?
16:29:08 <Ian> Stephen: So "URL or image data"?
16:30:37 <Ian> John_Bradley: Signing over URL probably not useful for embedded flows. The Verifier doesn't know what the URL pointed to.
16:32:38 <Ian> John_Bradley: What was the feedback from Apple and Firefox on displaying image URLs in this as opposed to structured data?
16:32:58 <Ian> ...somebody else could use this API for displaying arbitrary (nefarious) images
16:33:10 <Ian> ..if it's an image URL, people will try to use it to sign for property purchases or other things
16:33:31 <Ian> Stephen: Hoping to get more input from Mozilla and Apple.
16:33:52 <Ian> ..regarding URL...it's just to an image
16:33:58 <Ian> John_Bradley: Ah, ok
16:34:17 <Ian> ..this is just for confirmation of what card image was used.
16:34:24 <Ian> Stephen: I suspect RPs will not check this field.
16:34:30 <Ian> John_Bradley: Agreed.
16:35:00 <Ian> ..if just the card image, just sign a hash of the argument that was passed.
16:35:11 <Ian> ...let the RP cache that.
16:35:38 <Ian> Topic: Next meeting 13 September
16:35:41 <Ian> (No meeting on the 6th)
16:36:23 <Ian> RRSAGENT, make minutes
16:36:23 <RRSAgent> I have made the request to generate https://www.w3.org/2021/08/30-wpwg-spc-minutes.html Ian
16:36:27 <Ian> RRSAGENT, set logs public
18:32:33 <Ian> zakim, bye
18:32:33 <Zakim> leaving.  As of this point the attendees have been Ian, John_Bradley, Gerhard_Oosthuizen, Clinton_Allen, Doug_Fisher, Bastien_Latge, Susan_Pandy, Michel_Weksler,
18:32:33 <Zakim> Zakim has left #wpwg-spc
18:32:35 <Ian> rrsagent, bye
18:32:35 <RRSAgent> I see no action items