IRC log of wpwg on 2021-10-25

Timestamps are in UTC.

13:52:46 [RRSAgent]
RRSAgent has joined #wpwg
13:52:46 [RRSAgent]
logging to https://www.w3.org/2021/10/25-wpwg-irc
13:52:51 [Ian]
Meeting: Web Payments Working Group
13:52:59 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2021
13:53:02 [Ian]
Chair: Nick
13:53:05 [Ian]
Scribe: Ian
13:53:06 [Ian]
present+
13:53:08 [Ian]
present+ Rouslan
13:53:29 [Ian]
agenda+ Welcome, logistics
13:53:35 [Ian]
agenda+ Background to the agenda
13:53:40 [Ian]
agenda+ SPC status in Chrome
13:53:43 [Ian]
agenda+ SPC issue review
13:57:17 [benoit]
present+
13:57:25 [Ian]
present+ Jordan_Harband
13:59:09 [ljharb]
ljharb has joined #wpwg
13:59:20 [Ian]
present+ Alain_Martin
13:59:59 [Ian]
present+ Takashi_Minamii
14:00:15 [Takashi_]
Takashi_ has joined #wpwg
14:00:18 [Ian]
present+ Ryan_Watkins
14:00:22 [Ian]
present+ Erhard_Brand
14:01:06 [Rolf]
Rolf has joined #wpwg
14:01:22 [Ian]
present+ Stephen_McGruer
14:01:26 [Ian]
present+ Clinton_Allen
14:01:41 [Ian]
present+ Hemnath_Dhananjayan
14:01:58 [Ian]
present+ Haribalu_Venkataramanaraju
14:02:04 [Ian]
present+ Julien_Ross
14:02:05 [weiler]
weiler has joined #wpwg
14:02:22 [Ian]
present+ Ninika
14:02:27 [Ian]
present+ Bastien_Latge
14:02:30 [nick_s]
nick_s has joined #wpwg
14:02:30 [Ian]
present+ Chris_Dee
14:02:36 [nick_s]
present+ nick_s
14:02:40 [Ian]
present+ Nick_Shearer
14:02:42 [nick_s]
Yes
14:02:47 [Ian]
present+ Rolf_Lindemann
14:02:51 [clinton]
clinton has joined #wpwg
14:02:53 [Jean-Luc]
Jean-Luc has joined #wpwg
14:02:54 [Ian]
present+ Sam_Weiler
14:03:00 [bmay]
bmay has joined #wpwg
14:03:01 [Ian]
present+ Uno_Veski
14:03:17 [Ian]
present+ Jayadevi_Natarajan
14:03:21 [Ian]
present+ Frank_Hoffmann
14:03:35 [Ian]
present+ Brian_May
14:03:42 [Ian]
present+ Anne_Pouillard
14:03:56 [Ian]
present+ Jean_Luc_Di_Manno
14:04:00 [Ian]
present+ Aleksei_Akimov
14:04:08 [Ian]
present+ Manish_Garg
14:04:11 [Bastien]
Bastien has joined #WPWG
14:04:11 [Ian]
present+ Krunal_Patel
14:04:16 [Bastien]
present+
14:04:17 [AdrianHB_]
AdrianHB_ has joined #wpwg
14:04:22 [Ian]
present+ Solaiyappan_Perichiappan
14:04:23 [ChrisD]
ChrisD has joined #wpwg
14:04:24 [Anne]
Anne has joined #wpwg
14:04:31 [Ian]
present+ Antoine_Cathelin
14:04:32 [Chris_Wood]
Chris_Wood has joined #wpwg
14:04:32 [aleksei]
aleksei has joined #wpwg
14:04:45 [Geun-Hyung_Kim]
Geun-Hyung_Kim has joined #wpwg
14:04:54 [Ian]
present+ Tomasz_Blachowicz
14:04:57 [Geun-Hyung_Kim]
present+
14:04:59 [Ian]
present+ Rufus
14:05:11 [Ian]
present+ Bryan_Luo
14:05:31 [Gerhard]
Gerhard has joined #wpwg
14:05:58 [ljharb]
Ian: this is jordan, in case that wasn't apparent
14:06:07 [bryanluo]
bryanluo has joined #wpwg
14:06:25 [frank_hoffmann]
frank_hoffmann has joined #wpwg
14:06:37 [Manish]
Manish has joined #wpwg
14:06:41 [aleksei]
present+
14:06:42 [Ian]
present+ Gerhard_Oosthuizen
14:06:45 [Rufus]
Rufus has joined #wpwg
14:06:48 [Ian]
present+ Arno_van_der_Merwe
14:07:03 [Ian]
present+ Max
14:07:31 [Ian]
zakim, who's here?
14:07:31 [Zakim]
Present: Ian, Rouslan, benoit, Jordan_Harband, Alain_Martin, Takashi_Minamii, Ryan_Watkins, Erhard_Brand, Stephen_McGruer, Clinton_Allen, Hemnath_Dhananjayan,
14:07:35 [Zakim]
... Haribalu_Venkataramanaraju, Julien_Ross, Ninika, Bastien_Latge, Chris_Dee, nick_s, Nick_Shearer, Rolf_Lindemann, Sam_Weiler, Uno_Veski, Jayadevi_Natarajan, Frank_Hoffmann,
14:07:35 [Zakim]
... Brian_May, Anne_Pouillard, Jean_Luc_Di_Manno, Aleksei_Akimov, Manish_Garg, Krunal_Patel, Bastien, Solaiyappan_Perichiappan, Antoine_Cathelin, Tomasz_Blachowicz, Geun-Hyung_Kim,
14:07:35 [Zakim]
... Rufus, Bryan_Luo, aleksei, Gerhard_Oosthuizen, Arno_van_der_Merwe, Max
14:07:37 [bryanluo]
present+
14:07:40 [Zakim]
On IRC I see Rufus, Manish, frank_hoffmann, bryanluo, Gerhard, Geun-Hyung_Kim, aleksei, Chris_Wood, Anne, ChrisD, AdrianHB_, Bastien, bmay, Jean-Luc, clinton, nick_s, weiler, Rolf,
14:07:40 [Zakim]
... Takashi_, ljharb, RRSAgent, Ninika_, Zakim, rouslan, jeff, pea13, canton, benoit, rowan_m, dlehn, manu, dlongley, slightlyoff, Travis, hadleybeeman, falken_, tobie, nicktr,
14:07:40 [Zakim]
... hober, smcgruer_[EST], Joshue108, ntelford, mkwst, Ian, jeffh, AdrianHB
14:08:00 [Ian]
present+ Adrian_Hope_Bailie
14:08:24 [Krunal]
Krunal has joined #wpwg
14:08:25 [Ian]
present+ Emil_Lundberg
14:08:45 [Solai]
Solai has joined #wpwg
14:08:47 [Ian]
-> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2021 Agenda
14:08:52 [rwatkins_mc]
rwatkins_mc has joined #wpwg
14:08:59 [clinton_]
clinton_ has joined #wpwg
14:09:05 [jrossi]
jrossi has joined #wpwg
14:09:16 [Ian]
-> https://www.w3.org/Consortium/Legal/2017/antitrust-guidance Antitrust reminder
14:09:49 [Ian]
present+ Gargi
14:10:06 [kirkwood]
kirkwood has joined #WPWG
14:10:54 [Ian]
Adrian: Thanks for joining (especially for people up late or early)
14:11:04 [Ian]
...we miss in-person; thanks for coming
14:11:11 [Ian]
...most of the focus this week will be on SPC
14:11:22 [Ian]
present+ Krunal_Patel
14:11:32 [Ian]
present+ Susan_Pandy
14:11:47 [Ian]
zakim, take up item 1
14:11:47 [Zakim]
agendum 1 -- Welcome, logistics -- taken up [from Ian]
14:11:48 [Ian]
[Done]
14:11:54 [Ian]
zakim, close item 1
14:11:54 [Zakim]
agendum 1, Welcome, logistics, closed
14:11:55 [Ian]
zakim, take up item 2
14:11:55 [Gerhard_]
Gerhard_ has joined #wpwg
14:11:56 [Zakim]
I see 3 items remaining on the agenda; the next one is
14:11:56 [Zakim]
2. Background to the agenda [from Ian]
14:11:56 [Zakim]
agendum 2 -- Background to the agenda -- taken up [from Ian]
14:12:11 [Ian]
-> http://www.w3.org/2021/Talks/ij-wpwg-overview-202110/w3c.pdf Ian's slides
14:12:34 [AdrianHB_]
agenda?
14:14:48 [Geun-Hyung_Kim]
Geun-Hyung_Kim has left #wpwg
14:15:27 [AdrianHB_]
[Ian talking through slides]
14:21:46 [Ian]
present+ Doug_Fisher
14:22:43 [Ian]
scribenick: Ian
14:22:46 [Ian]
scribe: Ian
14:22:59 [Ian]
AdrianHB: I started a new job in August and so my plan is to step down as co-Chair.
14:23:09 [Ian]
...the timing is opportune since we are rechartering
14:23:20 [Ian]
...we are still working on the timing
14:23:34 [Ian]
...if you have suggestions for co-Chairs, please reach out to Ian and Nick
14:23:58 [Ian]
...thanks to Ian who makes this job easy
14:24:09 [Ian]
...it's been very fulfilling to work with all of you
14:24:16 [Ian]
...optimistic about the work we've done.
14:24:40 [Ian]
PROPOSED: To thank Adrian vigorously for his service
14:24:41 [rouslan]
+1000
14:24:45 [benoit]
+1000
14:24:49 [Ian]
+1000
14:24:54 [ChrisD]
+1000
14:24:59 [jeff]
+1000
14:25:02 [Gerhard_]
+1000
14:25:03 [nick_s]
+1000%1
14:25:05 [Manish]
+1000
14:25:08 [manu]
+1000 :)
14:25:15 [aleksei]
+10000
14:25:26 [Ian]
AdrianHB: I'll remain part of the Working Group in some capacity
14:26:12 [Ian]
zakim, close item 2
14:26:12 [Zakim]
agendum 2, Background to the agenda, closed
14:26:13 [Zakim]
I see 2 items remaining on the agenda; the next one is
14:26:13 [Zakim]
3. SPC status in Chrome [from Ian]
14:26:17 [Ian]
zakim, take up next
14:26:17 [Zakim]
agendum 3 -- SPC status in Chrome -- taken up [from Ian]
14:27:04 [Ian]
present+ Chris_Wood
14:27:44 [Ian]
Stephen: Let's review SPC over the past year. Goal: Simple, seamless, and secure user authentication for payments
14:27:59 [Ian]
...but I would add since 1 year ago explicitly "in a privacy preserving way"
14:28:06 [ChristianA]
ChristianA has joined #wpwg
14:28:23 [Ian]
...SPC helps to address some pain points not directly addressed by Web Authentication
14:28:55 [Ian]
...this has led to the SPC superpowers:
14:29:01 [Ian]
* Create in 3p context
14:29:07 [bdewater]
bdewater has joined #wpwg
14:29:13 [Ian]
* Browser UX with payment confirmation (signing transaction data)
14:29:33 [Ian]
[Stephen walks through some SPC design history]
14:31:14 [Ian]
-> http://www.w3.org/2021/Talks/chrome-spc-20211025.pdf Stephen's slides
14:32:56 [Ian]
present+ Eric_Mwobobia
14:33:21 [Ian]
Stephen: SPC in Chrome 95 on some platforms as of last week
14:33:56 [Ian]
Stephen: What does SPC look like today? WebAuthn credential with "payment" extension.
14:34:30 [Ian]
Stephen: Because this is a WebAuthn credential, it can be used for login use cases as well
14:35:02 [weiler]
q+ to ask re: using SPC creds for login
14:36:38 [Ian]
[Stephen on addressing timing attacks with UX]
14:36:50 [Ian]
present+ Bart_de_Water
14:37:14 [Ian]
q+ Alain
14:38:57 [Ian]
Stephen: On the future of SPC
14:39:04 [Ian]
...we think it is in a good v1 condition.
14:39:10 [Ian]
...we'd like to see launches this year
14:39:25 [Ian]
...we also see a v2, with changes based on industry adoption
14:39:32 [Ian]
...things that interest us in particular:
14:39:57 [Ian]
a) Solve the cross-browser problem. Would like users to be able to use any browser on the device where registration happened.
14:40:07 [Ian]
...hope to fix with tighter integration with WebAuthn
14:40:20 [Ian]
b) Would like to include Android support (but need discoverable credentials)
14:40:32 [Ian]
c) Would like more ergonomic API shape (easier feature detection)
14:40:54 [Ian]
d) More privacy considerations.
14:41:02 [Ian]
e) More! Dark mode support, other ones
14:41:03 [AdrianHB_]
q+ to ask if the plan is still to move to credentials.get instead of PR.show?
14:41:11 [Ian]
ack weiler
14:41:11 [Zakim]
weiler, you wanted to ask re: using SPC creds for login
14:41:31 [Ian]
Weiler: You said that SPC credentials can be used for login.
14:41:50 [weiler]
q+ to ask re: the prohibition on roaming authenticators (e.g. YubiKeys)
14:41:56 [Ian]
...is there a use case for creating login credentials for SPC?
14:42:01 [Ian]
Stephen: Yes.
14:42:13 [Ian]
...the RP would make the decision.
14:42:47 [Ian]
Weiler: But would that allow other sites that are not doing payments to work around origin barriers?
14:42:49 [rouslan]
q+ to reply
14:43:02 [Ian]
Rolf: How can you get around the barriers? The UX is only related to payments?
14:43:10 [Ian]
Weiler: Imagine you have a set of RPs that want to break the barrier.
14:43:24 [Ian]
ack rouslan
14:43:24 [Zakim]
rouslan, you wanted to reply
14:43:41 [Ian]
rouslan: We think that all of WebAuthn will have the ability to create credentials in a cross-origin fashion.
14:44:04 [Ian]
...the only way for a 3rd party to query the credential is through payment specific UX
14:44:54 [Ian]
Weiler: There might be social engineering to try to fool the user.
14:45:04 [Ian]
Rolf: I don't understand how the RP would know the public key
14:45:20 [Ian]
Weiler: I'm imagining a case where RPs want to break down the barriers between origins
14:45:21 [rouslan]
q-
14:45:37 [Ian]
Rolf: The RP that is tied to the credential would need to publish the public key
14:45:43 [Ian]
AdrianHB: There's always a user interaction
14:46:15 [Ian]
present+ Christian_Aabye
14:46:20 [smcgruer_[EST]]
q??
14:46:55 [Gerhard]
q+
14:46:57 [Ian]
Weiler: I am concerned bad RPs will try to train users to get around limitations
14:47:12 [Ian]
Alain: I had not realized you needed to register explicitly for SPC
14:47:22 [smcgruer_[EST]]
q+ to reply
14:47:47 [Ian]
Stephen: The WebAuthn WG raised a concern. We had wondered whether vanilla WebAuthn should "just work"
14:48:03 [Ian]
...but the WebAuthn folks imagined login attacks (malicious attacker, innocent RP)
14:48:20 [Ian]
...the RP might accidentally not verify credentials correctly.
14:48:26 [Ian]
...there was also a user experience concern...
14:48:37 [Ian]
...SPC allows a dialog to appear with another origin's name on it
14:49:09 [Ian]
Alain: A downside is that the user will tend to only register with a few merchants.
14:49:23 [Rolf]
q+
14:49:30 [Ian]
Stephen: Going forward, if you register with your bank for SPC, then you can reuse that across transactions.
14:49:46 [Ian]
-> https://www.w3.org/blog/wpwg/2021/10/06/spc-design-choices-for-flexibility-and-scale/ Blog post
14:49:58 [jrossi]
jrossi has joined #wpwg
14:50:09 [Ian]
q?
14:50:15 [smcgruer_[EST]]
q?
14:50:16 [Ian]
ack Alain
14:50:19 [Ian]
ack AdrianHB
14:50:19 [Zakim]
AdrianHB_, you wanted to ask if the plan is still to move to credentials.get instead of PR.show?
14:50:21 [smcgruer_[EST]]
q-
14:50:40 [Ian]
AdrianHB: We discussed API shape on GitHub some time ago. Is the plan to still move away from PR API and closer to some other API?
14:50:58 [Ian]
Rouslan: I think the plan is to take a look at the API shape and decide if navigator.get is preferable
14:51:14 [Ian]
...I'm pretty sure it would be better. But we may need to make adjustments like requiring user gestures.
14:51:37 [Ian]
Stephen: There's no concrete plan at this time, but we do think some change should happen to make the API more ergonomic
14:52:03 [Ian]
AdrianHB: But roughly the goal is for SPC to work with vanilla WebAuthn credentials without a need for an extension
14:52:18 [Ian]
...but some features need to be available to support this like discoverable credentials.
14:52:29 [ljharb]
does SPC allow a merchant to specify currencies they accept, and have the user shown only the subset of instruments that provide those?
14:52:36 [Ian]
Stephen: So far the WebAuthn WG is pretty set that a vanilla WebAuthn SHOULD NOT have the ability to perform a cross origin ceremony
14:52:42 [Ian]
q+ ljharb
14:53:06 [Ian]
ack weil
14:53:06 [Zakim]
weiler, you wanted to ask re: the prohibition on roaming authenticators (e.g. YubiKeys)
14:53:12 [ljharb]
thanks
14:53:16 [Ian]
weiler: What about the prohibition on roaming authenticators?
14:53:41 [Ian]
Stephen: We would like to take advantage of roaming authenticators, but have not figured out how to do so
14:54:05 [Ian]
...some ideas like "Plug in your authenticator if you have one"
14:54:31 [Ian]
weiler: I see there is a milestone for roaming authenticators that says "complete"; where does the WG want to track roaming auth support?
14:54:47 [Ian]
[Sam reopens an issue]
14:54:59 [Ian]
ack Ger
14:55:23 [nick_s]
Thank you everyone, I have to drop out but I will see you all for our next session tomorrow. Very interesting work on SPC.
14:55:39 [Ian]
Gerhard: Thanks for the walk-through. I think we will almost always create the credential with the flag set.
14:55:46 [Ian]
...is that a desirable outcome?
14:56:50 [Ian]
...I would like to decouple the capabilities (1) cross-browser availability and (2) using WebAuthn for payment confirmation
14:57:17 [Ian]
...what does it mean if RPs always set the payments flag just to be sure?
14:58:08 [weiler]
qq+
14:58:39 [Ian]
Gerhard: Are we prepared to say "best practice" is to set the bit?
14:58:44 [Ian]
...I think it will become the norm
14:59:21 [Ian]
weiler: Just to note, my concern earlier was about credentials not being used for credentials.
14:59:37 [Ian]
Gerhard: +1 to a tick box to "untick" a payment capability
14:59:45 [Ian]
(That was suggested by Sam)
15:00:00 [Ian]
zakim, who's here?
15:00:00 [Zakim]
Present: Ian, Rouslan, benoit, Jordan_Harband, Alain_Martin, Takashi_Minamii, Ryan_Watkins, Erhard_Brand, Stephen_McGruer, Clinton_Allen, Hemnath_Dhananjayan,
15:00:04 [Zakim]
... Haribalu_Venkataramanaraju, Julien_Ross, Ninika, Bastien_Latge, Chris_Dee, nick_s, Nick_Shearer, Rolf_Lindemann, Sam_Weiler, Uno_Veski, Jayadevi_Natarajan, Frank_Hoffmann,
15:00:04 [Zakim]
... Brian_May, Anne_Pouillard, Jean_Luc_Di_Manno, Aleksei_Akimov, Manish_Garg, Krunal_Patel, Bastien, Solaiyappan_Perichiappan, Antoine_Cathelin, Tomasz_Blachowicz, Geun-Hyung_Kim,
15:00:09 [Zakim]
... Rufus, Bryan_Luo, aleksei, Gerhard_Oosthuizen, Arno_van_der_Merwe, Max, bryanluo, Adrian_Hope_Bailie, Emil_Lundberg, Gargi, Susan_Pandy, Doug_Fisher, Chris_Wood, Eric_Mwobobia,
15:00:09 [Zakim]
... Bart_de_Water, Christian_Aabye
15:00:09 [Zakim]
On IRC I see jrossi, bdewater, ChristianA, Gerhard_, kirkwood, clinton_, rwatkins_mc, Solai, Krunal, Rufus, Manish, frank_hoffmann, bryanluo, Gerhard, aleksei, Chris_Wood, Anne,
15:00:13 [Ian]
present+ Julien_Rossi
15:00:14 [Zakim]
... ChrisD, AdrianHB_, Bastien, bmay, Jean-Luc, nick_s, weiler, Rolf, Takashi_, ljharb, RRSAgent, Ninika_, Zakim, rouslan, jeff, pea13, canton, benoit, rowan_m, dlehn, manu,
15:00:14 [Zakim]
... dlongley, slightlyoff, Travis, hadleybeeman, falken_, tobie, nicktr, hober, smcgruer_[EST], Joshue108, ntelford, mkwst, Ian, jeffh, AdrianHB
15:00:32 [Hemnath_Dhananjayan]
Hemnath_Dhananjayan has joined #wpwg
15:00:33 [Ian]
q?
15:00:37 [Ian]
ach Weiler
15:00:50 [Ian]
ack Weiler
15:00:50 [Zakim]
weiler, you wanted to react to Gerhard
15:01:21 [Ian]
Rolf: I'm still trying to understand the risk associated with Sam's use case. Federation is available today to enable parties to share a credential.
15:01:26 [Ian]
ack Rolf
15:01:54 [Ian]
Rolf: Cross-origin iframe WebAuthn authentication also works today.
15:02:05 [Ian]
present+ Nick_Telford-Reed
15:02:33 [Ian]
Rolf: With SPC, the browser renders the dialog; the assertion goes back to the PSP who sends it to the RP
15:03:19 [Ian]
...if the PSP and RP collaborate, then it will still be confusing to the user to see a payment dialog (instead of the typical terms and conditions screen)
15:03:34 [Ian]
...so I don't see how the Payment UX can be practically used abusively
15:03:56 [Ian]
ack ljharb
15:04:16 [jonathan]
jonathan has joined #wpwg
15:04:29 [Ian]
Jordan: Does SPC support instrument selection logic?
15:04:36 [Ian]
Rouslan: That's not part of SPC
15:05:04 [Ian]
...SPC does not evaluate the currency provided as input to the PR API call for SPC
15:05:11 [Ian]
...the browser just displays it in the dialog
15:05:42 [Ian]
...the currency code is part of the signature to tell the RP that the user agreed to what was displayed
15:05:57 [benoit]
q+
15:06:23 [ljharb]
did i drop out?
15:06:25 [ljharb]
i can't hear anything
15:06:29 [Ian]
i can't hear you
15:06:35 [ljharb]
sorry
15:06:45 [Ian]
we see you
15:06:46 [ljharb]
the question was "was that an oversight, or is there a technical or non-technical constraint that prevents that"
15:07:01 [Ian]
(I'm not sure what the question was yet....)
15:07:10 [Ian]
(Instrument selection happens pre SPC call)
15:08:08 [nicktr]
q?
15:08:19 [nicktr]
agenda?
15:08:25 [ljharb]
did my question come through?
15:08:36 [ljharb]
if not i'll drop and reconnect
15:08:45 [Ian]
(very choppy alas)
15:08:48 [ljharb]
k
15:09:14 [Ian]
David: Regarding "merchant of record" style purchases.
15:09:16 [ljharb]
my internet's down because of a storm, so this is all on cellular :-(
15:09:55 [Ian]
David: Sometimes merchants are working with providers specifically to facilitate payments. If the PSP is the merchant of record, how can I set that up?
15:10:18 [Ian]
Rouslan: There are 4 origins in the signature:
15:10:45 [Ian]
- Two of them are displayed to the user. In the address page it's the current page (which might be PSP). In the UX it's the PayeeOrigin (e.g., merchant)
15:11:08 [ljharb]
q+
15:11:10 [Ian]
...if you redirect from Walmart to PayPal you still want the PayeeOrigin to be Walmart
15:11:13 [Ian]
ack benoit
15:11:47 [Ian]
Rouslan: The signature will also include the origin of the iframe (e.g., if PayPal is embedded in Stripe)
15:11:56 [Ian]
...and finally the relying party ID is in the signature
15:12:15 [Ian]
present+ Jonathan_Grossar
15:13:13 [Ian]
benoit: I would love to see more on intelligence we can do on that data
15:13:22 [ljharb]
q-
15:13:32 [ljharb]
my audio device isn't working, sorry about that
15:13:41 [Ian]
talk
15:13:45 [rouslan]
q+ to talk about issuer side verifications
15:13:48 [Ian]
ack ros
15:13:49 [ljharb]
i can't hear anything
15:14:22 [Ian]
Rouslan: Regarding 'issuer side intelligence', if your issuer is the RP, they are enrolling the user and they will be able to collect all the data and verify it.
15:14:29 [Ian]
...if you delegate, then that party can do it, etc.
15:14:40 [ljharb]
q+ asking about filtering instruments, take 2
15:14:47 [ljharb]
q+ to ask about filtering instruments, take 2
15:14:49 [Ian]
...there are server-side libraries to do validation
15:15:05 [Ian]
...if you pass a WebAuthn signature to the JS library and a public key, it will return a boolean
15:15:18 [Ian]
...if you pass an SPC signature to the JS library it will BREAK
15:15:34 [Ian]
...but that's intentional. We don't want RPs to unknowingly accept payment signatures for login
15:16:00 [Ian]
...but there's a branch on the particular JS library @@name@@ with a separate method for verifying a payment-related signature
15:16:13 [Ian]
...and there are more things you can check for (e.g., instrument display, merchant, amount, etc.)
15:16:53 [rouslan]
https://github.com/webauthn4j/webauthn4j
15:16:59 [Ian]
ack ljh
15:16:59 [Zakim]
ljharb, you wanted to ask about filtering instruments, take 2
15:17:12 [rouslan]
SPC branch: https://github.com/webauthn4j/webauthn4j/tree/spc-dev
15:18:47 [smcgruer_[EST]]
q+ to disagree with Ian :P
15:18:53 [rouslan]
q-
15:18:54 [ljharb]
thanks, that answers my question, sorry if it's off topic for SPC.
15:19:16 [smcgruer_[EST]]
q- ok nevermind, I misunderstood Ian
15:19:23 [smcgruer_[EST]]
q-
15:20:43 [Ian]
[Ian on architecture]
15:21:17 [Ian]
zakim, close item 3
15:21:17 [Zakim]
agendum 3, SPC status in Chrome, closed
15:21:18 [Zakim]
I see 1 item remaining on the agenda:
15:21:18 [Zakim]
4. SPC issue review [from Ian]
15:21:23 [Ian]
zakim, take up item 4
15:21:23 [Zakim]
agendum 4 -- SPC issue review -- taken up [from Ian]
15:21:41 [Ian]
https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+label%3Aagenda%2B
15:23:08 [Ian]
https://github.com/w3c/secure-payment-confirmation/issues/93
15:23:37 [Ian]
Stephen: The issue here is where information (e.g., text in the instrument string) is internationalized (direction, language). Important for rendering, screen readers, etc.
15:23:54 [Ian]
...there's a proposal on the thread.
15:23:57 [Ian]
...but Localizable does not yet exist
15:24:35 [Ian]
Ian: We'll discuss with I18N folks this week
15:24:48 [Ian]
https://github.com/w3c/secure-payment-confirmation/issues/101
15:25:40 [Ian]
Stephen: This works today (we support data URLs) but there was an issue about including data URLs in JSON clientData
15:25:48 [Ian]
...and that might be a lot of data for authenticators with limited storage
15:26:16 [Ian]
...we now have at least 2 implementers who have things up and running and there are not any complaints
15:26:38 [Ian]
AdrianHB: If you include a regular URL you have no idea what was fetched
15:26:38 [Ian]
q+
15:27:18 [rouslan]
q+
15:27:27 [Ian]
Ian: I heard "no that's not important"
15:27:29 [Ian]
ack rous
15:27:43 [Ian]
AdrianHB: Then it becomes a risk decision topic
15:28:01 [smcgruer_[EST]]
q+
15:28:06 [Ian]
rouslan: The data URL solution solves the "exact bits" approach when needed
15:28:07 [Ian]
ack me
15:28:22 [smcgruer_[EST]]
q-
15:28:24 [Ian]
AdrianHB: So the RP can make local policies
15:29:03 [rouslan]
q-
15:29:10 [Ian]
Ian: Let's provide some informative note in the spec to say "use data URLs if you want a record of the bits shown"
15:29:19 [Ian]
AdrianHB: +1
15:29:30 [smcgruer_[EST]]
SGTM, ship it
15:29:50 [Ian]
ACTION: Stephen to write a pull request for a note about data URL v HTTP(S) URL
15:29:53 [AdrianHB_]
+1 to close the issue too
15:30:16 [Ian]
IJ: So what is signed?
15:30:22 [Ian]
AdrianHB: The URL
15:30:42 [Ian]
...also, they hash data before it's sent to the authenticator so storage limits not really an issue
15:30:43 [jcemer]
jcemer has joined #wpwg
15:31:35 [Ian]
PROPOSAL: Specification today satisfies issue 101. Add a note on usage of data URLs.
15:31:50 [rouslan]
+1
15:31:52 [Anne]
+1
15:31:54 [ChrisD]
+1
15:31:56 [AdrianHB_]
+1
15:31:56 [aleksei]
+1
15:32:00 [smcgruer_[EST]]
+1
15:32:12 [Ian]
SO RESOLVED:
15:32:24 [Ian]
ACTION: Ian to close issue 101 with note to minutes
15:32:26 [Ninika_]
+1
15:32:36 [Ian]
https://github.com/w3c/secure-payment-confirmation/issues/125
15:32:47 [Ian]
Should SPC allow for a failed download of the payment instrument icon?
15:32:59 [Ian]
Stephen: This originally came up as a bug in Chrome.
15:33:16 [Ian]
...but partner indicated they'd rather have something other than a fatal error.
15:33:27 [benoit]
alt text in this case? text that would also be signed as part of the request?
15:33:32 [Ian]
...my proposal at this point is to close the issue and leave it as fatal.
15:33:43 [Ian]
...Erhard proposed to catch first failure and retry
15:33:54 [Ian]
...but Rouslan pointed out that another user activation would be important
15:33:58 [Ian]
...but we're not hearing demand so I propose to close it
15:34:06 [benoit]
alt text might also promote accessibility
15:34:17 [Ian]
(David, see issue on icon accessibility coming up)
15:34:29 [Ian]
AdrianHB: What is in signature to indicate something failed?
15:35:09 [Ian]
Stephen: We'd sign empty URL or a bit that said we have not displayed it.
15:36:16 [Ian]
Stephen: today the promise is rejected with a general issue. We can have a more specific error message.
15:36:17 [ChrisD]
q+ to ask if the inability to download a card image would then cause a payment to fail - merchants won't like this
15:36:31 [Ian]
Stephen: The proposal was to do UX with a blank icon
15:37:14 [smcgruer_[EST]]
q?
15:37:33 [Ian]
AdrianHB: We could also add an explicit bit in the signature "Image was displayed"
15:37:48 [Ian]
...I'm suggesting that rather than show an error, we could just indicate in the response that the image was shown or not
15:38:04 [rouslan]
q+ to reply
15:38:14 [Ian]
...there might be NON ERROR reasons to not show an image (e.g., constrained display)
15:38:39 [Ian]
ack ChrisD:
15:39:33 [Ian]
ChrisD: If I've understood correctly, if the browser cannot load the icon from the RP, that results in failure. I think that is an issue if that leads to payment failure.
15:39:48 [Ian]
...there might be different service levels between payments and image servers.
15:40:20 [smcgruer_[EST]]
q?
15:40:26 [Ian]
ack ChrisD
15:40:26 [Zakim]
ChrisD, you wanted to ask if the inability to download a card image would then cause a payment to fail - merchants won't like this
15:40:30 [Ian]
ack Rous
15:40:30 [Zakim]
rouslan, you wanted to reply
15:40:48 [Ian]
Rouslan: First, I think that SPC is essentially used as a step-up (in 3DS terms)
15:41:05 [Ian]
...it is quite possible that the user uses an existing card on a new device
15:41:22 [Ian]
...it's normal in that case for SPC to fail, and that should result in some other form of authentication.
15:42:06 [Ian]
...nothing in SPC requires that the icon has to come from the bank.
15:42:42 [Ian]
...data URLs can also help against server issues
15:43:36 [ChrisD]
q+ to challenge whether SPC can rely on another authentication method being used as a fallback
15:43:40 [Ian]
Rouslan: I like AdrianHB's idea regarding an explicit bit to say the image was shown. But I doubt we would add it to the spec just yet. But please raise as an issue
15:44:09 [Ian]
ACTION: AdrianHB to add an issue about an explicit bit in the signature whether browser displayed image
15:44:11 [Ian]
ack ChrisD
15:44:11 [Zakim]
ChrisD, you wanted to challenge whether SPC can rely on another authentication method being used as a fallback
15:44:44 [AdrianHB_]
I think the assertion (clientData JSON) should contain an optional bit that indicates the instrument image was *not shown*. RPs can choose to consider this in their risk evaluation.
15:44:47 [smcgruer_[EST]]
q+
15:45:14 [rouslan]
q+ to reply about emvco 3ds
15:45:36 [Ian]
ChrisD: I heard Rouslan say "We don't need to make SPC super resilient to URL availability" since we can fall back to other authentication mechanisms. And I kind of understand that. It feels to me that wherever you add friction, you increase the risk of abandonment.
15:45:49 [Ian]
...I'm not sure there are benefits to not handling URLs.
15:46:16 [Ian]
Stephen: If we allow for a failed URL download, the user will see UX. What if the RP does not accept that? What if the RP really wants the icon to be shown?
15:46:49 [Ian]
...but the user experience would be for the user to confirm then get a second step up (e.g. OTP) because the RP did not accept the image not being shown
15:47:08 [Ian]
...today, the failure is silent, so there's no extra user friction when there is a failed download.
15:47:26 [AdrianHB_]
Or we need to do both...
15:48:15 [Ian]
Ian: Should we just note for RPs what to do (more "good practice" for RPs)
15:48:49 [Ian]
ChrisD: I would need to think more about whether there should be alternate behavior where the RP can say in advance "I accept if the browser cannot download the image"
15:48:50 [Ian]
q+
15:48:56 [Ian]
ack smc
15:49:16 [Ian]
ack ros
15:50:17 [Ian]
rouslan: In response to the question about 3DS, when we were working on adding SPC to 3DS v 2.3, some members of our organization were very aware of image download reliability issues, and pushed to ONLY allow data URLs. We got pushback on ONLY using data URLs. So 3DS v 2.3 allows both kinds of URLs.
15:50:31 [Ian]
...+1 to the note on data URLs as we suggested
15:50:48 [AdrianHB_]
lots of reasons to ONLY support data URLs
15:51:40 [Manish]
Manish has left #wpwg
15:51:41 [aleksei]
q+
15:51:45 [Ian]
ack rou
15:51:45 [Zakim]
rouslan, you wanted to reply about emvco 3ds
15:51:46 [Ian]
ack ian
15:51:49 [Ian]
ack aleksei
15:52:13 [Ian]
Ian: You could also allow the RP to specify some backup behavior (whatever that might be; e.g., enum of options)
15:52:35 [smcgruer_[EST]]
q+ to reply to a comment on having a good error
15:52:44 [Ian]
Aleksei: +1 to a recovery mechanism in the API
15:53:02 [Ian]
ack smcgruer_[EST]
15:53:02 [Zakim]
smcgruer_[EST], you wanted to reply to a comment on having a good error
15:53:29 [Ian]
Stephen: Today Chrome (incorrectly) returns the generic WebAuthn error. What is more useful to the RP?
15:53:36 [Ian]
1) Failure with a proper error message or
15:53:48 [Ian]
2) Transaction completes with signature over error condition
15:54:00 [Ian]
Aleksei: I think the second... it gives developers some options
15:54:07 [Ian]
Stephen: I hear "fix chrome bug to start"
15:54:40 [Ian]
q?
15:54:44 [smcgruer_[EST]]
q+ to note time and draw this to a 'close' ?
15:54:51 [Ian]
ack sm
15:54:51 [Zakim]
smcgruer_[EST], you wanted to note time and draw this to a 'close' ?
15:55:07 [Ian]
Stephen: What we have to determine then is next steps.
15:55:23 [Ian]
ACTION: Stephen to file a bug on Chrome to return a more useful error message when URL download failed.
15:55:44 [Ian]
Stephen: I am hearing from ChrisD and Aleksei that recovery is useful.
15:57:39 [Ian]
q?
15:57:45 [Ian]
RRSAGENT, make minutes
15:57:45 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/10/25-wpwg-minutes.html Ian
15:57:56 [Ian]
RRSAGENT, set logs public
16:47:03 [Ian]
zakim, bye
16:47:03 [Zakim]
leaving. As of this point the attendees have been Ian, Rouslan, benoit, Jordan_Harband, Alain_Martin, Takashi_Minamii, Ryan_Watkins, Erhard_Brand, Stephen_McGruer, Clinton_Allen,
16:47:03 [Zakim]
Zakim has left #wpwg
16:47:06 [Zakim]
... Hemnath_Dhananjayan, Haribalu_Venkataramanaraju, Julien_Ross, Ninika, Bastien_Latge, Chris_Dee, nick_s, Nick_Shearer, Rolf_Lindemann, Sam_Weiler, Uno_Veski, Jayadevi_Natarajan,
16:47:06 [Zakim]
... Frank_Hoffmann, Brian_May, Anne_Pouillard, Jean_Luc_Di_Manno, Aleksei_Akimov, Manish_Garg, Krunal_Patel, Bastien, Solaiyappan_Perichiappan, Antoine_Cathelin, Tomasz_Blachowicz,
16:47:09 [Ian]
rrsagent, bye
16:47:09 [RRSAgent]
I see 4 open action items saved in https://www.w3.org/2021/10/25-wpwg-actions.rdf :
16:47:09 [RRSAgent]
ACTION: Stephen to write a pull request for a note about data URL v HTTP(S) URL [1]
16:47:09 [RRSAgent]
recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-29-50
16:47:09 [RRSAgent]
ACTION: Ian to close issue 101 with note to minutes [2]
16:47:09 [RRSAgent]
recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-32-24
16:47:09 [RRSAgent]
ACTION: AdrianHB to add an issue about an explicit bit in the signature whether browser displayed image [3]
16:47:09 [RRSAgent]
recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-44-09
16:47:09 [RRSAgent]
ACTION: Stephen to file a bug on Chrome to return a more useful error message when URL download failed. [4]
16:47:09 [RRSAgent]
recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-55-23
16:47:10 [Zakim]
... Geun-Hyung_Kim, Rufus, Bryan_Luo, aleksei, Gerhard_Oosthuizen, Arno_van_der_Merwe, Max, bryanluo, Adrian_Hope_Bailie, Emil_Lundberg, Gargi, Susan_Pandy, Doug_Fisher,
16:47:10 [Zakim]
... Chris_Wood, Eric_Mwobobia, Bart_de_Water, Christian_Aabye, Julien_Rossi, Nick_Telford-Reed, Jonathan_Grossar