13:52:46 RRSAgent has joined #wpwg
13:52:46 logging to https://www.w3.org/2021/10/25-wpwg-irc
13:52:51 Meeting: Web Payments Working Group
13:52:59 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2021
13:53:02 Chair: Nick
13:53:05 Scribe: Ian
13:53:06 present+
13:53:08 present+ Rouslan
13:53:29 agenda+ Welcome, logistics
13:53:35 agenda+ Background to the agenda
13:53:40 agenda+ SPC status in Chrome
13:53:43 agenda+ SPC issue review
13:57:17 present+
13:57:25 present+ Jordan_Harband
13:59:09 ljharb has joined #wpwg
13:59:20 present+ Alain_Martin
13:59:59 present+ Takashi_Minamii
14:00:15 Takashi_ has joined #wpwg
14:00:18 present+ Ryan_Watkins
14:00:22 present+ Erhard_Brand
14:01:06 Rolf has joined #wpwg
14:01:22 present+ Stephen_McGruer
14:01:26 present+ Clinton_Allen
14:01:41 present+ Hemnath_Dhananjayan
14:01:58 present+ Haribalu_Venkataramanaraju
14:02:04 present+ Julien_Ross
14:02:05 weiler has joined #wpwg
14:02:22 present+ Ninika
14:02:27 present+ Bastien_Latge
14:02:30 nick_s has joined #wpwg
14:02:30 present+ Chris_Dee
14:02:36 present+ nick_s
14:02:40 present+ Nick_Shearer
14:02:42 Yes
14:02:47 present+ Rolf_Lindemann
14:02:51 clinton has joined #wpwg
14:02:53 Jean-Luc has joined #wpwg
14:02:54 present+ Sam_Weiler
14:03:00 bmay has joined #wpwg
14:03:01 present+ Uno_Veski
14:03:17 present+ Jayadevi_Natarajan
14:03:21 present+ Frank_Hoffmann
14:03:35 present+ Brian_May
14:03:42 present+ Anne_Pouillard
14:03:56 present+ Jean_Luc_Di_Manno
14:04:00 present+ Aleksei_Akimov
14:04:08 present+ Manish_Garg
14:04:11 Bastien has joined #WPWG
14:04:11 present+ Krunal_Patel
14:04:16 present+
14:04:17 AdrianHB_ has joined #wpwg
14:04:22 present+ Solaiyappan_Perichiappan
14:04:23 ChrisD has joined #wpwg
14:04:24 Anne has joined #wpwg
14:04:31 present+ Antoine_Cathelin
14:04:32 Chris_Wood has joined #wpwg
14:04:32 aleksei has joined #wpwg
14:04:45 Geun-Hyung_Kim has joined #wpwg
14:04:54 present+ Tomasz_Blachowicz
14:04:57 present+
14:04:59 present+ Rufus
14:05:11 present+ Bryan_Luo
14:05:31 Gerhard has joined #wpwg
14:05:58 Ian: this is jordan, in case that wasn't apparent
14:06:07 bryanluo has joined #wpwg
14:06:25 frank_hoffmann has joined #wpwg
14:06:37 Manish has joined #wpwg
14:06:41 present+
14:06:42 present+ Gerhard_Oosthuizen
14:06:45 Rufus has joined #wpwg
14:06:48 present+ Arno_van_der_Merwe
14:07:03 present+ Max
14:07:31 zakim, who's here?
14:07:31 Present: Ian, Rouslan, benoit, Jordan_Harband, Alain_Martin, Takashi_Minamii, Ryan_Watkins, Erhard_Brand, Stephen_McGruer, Clinton_Allen, Hemnath_Dhananjayan,
14:07:35 ... Haribalu_Venkataramanaraju, Julien_Ross, Ninika, Bastien_Latge, Chris_Dee, nick_s, Nick_Shearer, Rolf_Lindemann, Sam_Weiler, Uno_Veski, Jayadevi_Natarajan, Frank_Hoffmann,
14:07:35 ... Brian_May, Anne_Pouillard, Jean_Luc_Di_Manno, Aleksei_Akimov, Manish_Garg, Krunal_Patel, Bastien, Solaiyappan_Perichiappan, Antoine_Cathelin, Tomasz_Blachowicz, Geun-Hyung_Kim,
14:07:35 ... Rufus, Bryan_Luo, aleksei, Gerhard_Oosthuizen, Arno_van_der_Merwe, Max
14:07:37 present+
14:07:40 On IRC I see Rufus, Manish, frank_hoffmann, bryanluo, Gerhard, Geun-Hyung_Kim, aleksei, Chris_Wood, Anne, ChrisD, AdrianHB_, Bastien, bmay, Jean-Luc, clinton, nick_s, weiler, Rolf,
14:07:40 ... Takashi_, ljharb, RRSAgent, Ninika_, Zakim, rouslan, jeff, pea13, canton, benoit, rowan_m, dlehn, manu, dlongley, slightlyoff, Travis, hadleybeeman, falken_, tobie, nicktr,
14:07:40 ... hober, smcgruer_[EST], Joshue108, ntelford, mkwst, Ian, jeffh, AdrianHB
14:08:00 present+ Adrian_Hope_Bailie
14:08:24 Krunal has joined #wpwg
14:08:25 present+ Emil_Lundberg
14:08:45 Solai has joined #wpwg
14:08:47 -> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2021 Agenda
14:08:52 rwatkins_mc has joined #wpwg
14:08:59 clinton_ has joined #wpwg
14:09:05 jrossi has joined #wpwg
14:09:16 -> https://www.w3.org/Consortium/Legal/2017/antitrust-guidance Antitrust reminder
14:09:49 present+ Gargi
14:10:06 kirkwood has joined #WPWG
14:10:54 Adrian: Thanks for joining (especially for people up late or early)
14:11:04 ...we miss in-person; thanks for coming
14:11:11 ...most of the focus this week will be on SPC
14:11:22 present+ Krunal_Patel
14:11:32 present+ Susan_Pandy
14:11:47 zakim, take up item 1
14:11:47 agendum 1 -- Welcome, logistics -- taken up [from Ian]
14:11:48 [Done]
14:11:54 zakim, close item 1
14:11:54 agendum 1, Welcome, logistics, closed
14:11:55 zakim, take up item 2
14:11:55 Gerhard_ has joined #wpwg
14:11:56 I see 3 items remaining on the agenda; the next one is
14:11:56 2. Background to the agenda [from Ian]
14:11:56 agendum 2 -- Background to the agenda -- taken up [from Ian]
14:12:11 -> http://www.w3.org/2021/Talks/ij-wpwg-overview-202110/w3c.pdf Ian's slides
14:12:34 agenda?
14:14:48 Geun-Hyung_Kim has left #wpwg
14:15:27 [Ian talking through slides]
14:21:46 present+ Doug_Fisher
14:22:43 scribenick: Ian
14:22:46 scribe: Ian
14:22:59 AdrianHB: I started a new job in August and so my plan is to step down as co-Chair.
14:23:09 ...the timing is opportune since we are rechartering
14:23:20 ...we are still working on the timing
14:23:34 ...if you have suggestions for co-Chairs, please reach out to Ian and Nick
14:23:58 ...thanks to Ian who makes this job easy
14:24:09 ...it's been very fulfilling to work with all of you
14:24:16 ...optimistic about the work we've done.
14:24:40 PROPOSED: To thank Adrian vigorously for his service
14:24:41 +1000
14:24:45 +1000
14:24:49 +1000
14:24:54 +1000
14:24:59 +1000
14:25:02 +1000
14:25:03 +1000%1
14:25:05 +1000
14:25:08 +1000 :)
14:25:15 +10000
14:25:26 AdrianHB: I'll remain part of the Working Group in some capacity
14:26:12 zakim, close item 2
14:26:12 agendum 2, Background to the agenda, closed
14:26:13 I see 2 items remaining on the agenda; the next one is
14:26:13 3. SPC status in Chrome [from Ian]
14:26:17 zakim, take up next
14:26:17 agendum 3 -- SPC status in Chrome -- taken up [from Ian]
14:27:04 present+ Chris_Wood
14:27:44 Stephen: Let's review SPC over the past year. Goal: Simple, seamless, and secure user authentication for payments
14:27:59 ...but I would add since 1 year ago explicitly "in a privacy preserving way"
14:28:06 ChristianA has joined #wpwg
14:28:23 ...SPC helps to address some pain points not directly addressed by Web Authentication
14:28:55 ...this has led to the SPC superpowers:
14:29:01 * Create in 3p context
14:29:07 bdewater has joined #wpwg
14:29:13 * Browser UX with payment confirmation (signing transaction data)
14:29:33 [Stephen walks through some SPC design history]
14:31:14 -> http://www.w3.org/2021/Talks/chrome-spc-20211025.pdf Stephen's slides
14:32:56 present+ Eric_Mwobobia
14:33:21 Stephen: SPC in Chrome 95 on some platforms as of last week
14:33:56 Stephen: What does SPC look like today? WebAuthn credential with "payment" extension.
14:34:30 Stephen: Because this is a WebAuthn credential, it can be used for login use cases as well
14:35:02 q+ to ask re: using SPC creds for login
14:36:38 [Stephen on addressing timing attacks with UX]
14:36:50 present+ Bart_de_Water
14:37:14 q+ Alain
14:38:57 Stephen: On the future of SPC
14:39:04 ...we think it is in a good v1 condition.
14:39:10 ...we'd like to see launches this year
14:39:25 ...we also see a v2, with changes based on industry adoption
14:39:32 ...things that interest us in particular:
14:39:57 a) Solve the cross-browser problem. Would like users to be able to use any browser on the device where registration happened.
14:40:07 ...hope to fix with tighter integration with WebAuthn
14:40:20 b) Would like to include Android support (but need discoverable credentials)
14:40:32 c) Would like more ergonomic API shape (easier feature detection)
14:40:54 d) More privacy considerations.
14:41:02 e) More! Dark mode support, other Ones
14:41:03 q+ to ask if the plan is still to move to credentials.get instead of PR.show?
14:41:11 ack weiler
14:41:11 weiler, you wanted to ask re: using SPC creds for login
14:41:31 Weiler: You said that SPC credentials can be used for login.
14:41:50 q+ to ask re: the prohibition on roaming authenticators (e.g. YubiKeys)
14:41:56 ...is there a use case for creating login credentials for SPC?
14:42:01 Stephen: Yes.
14:42:13 ...the RP would make the decision.
14:42:47 Weiler: But would that allow other sites that are not doing payments to work around origin barriers?
14:42:49 q+ to reply
14:43:02 rolf: How can you get around the barriers? There is UX only related to payments?
14:43:10 Weiler: Imagine you have a set of RPs that want to break the barrier.
14:43:24 ack rouslan
14:43:24 rouslan, you wanted to reply
14:43:41 rouslan: We think that all of WebAuthn will have the ability to create credentials in a cross-origin fashion.
14:44:04 ...the only way for a 3rd party to query the credential is through payment specific UX
14:44:54 Weiler: There might be social engineering to try to fool the user.
14:45:04 Rolf: I don't understand how the RP would know the public key
14:45:20 Weiler: I'm imagining a case where RPs want to break down the barriers between origins
14:45:21 q-
14:45:37 Rolf: The RP that is tied to the credential would need to publish the public key
14:45:43 AdrianHB: There's always a user interaction
14:46:15 present+ Christian_Aabye
14:46:20 q??
14:46:55 q+
14:46:57 Weiler: I am concerned bad RPs will try to train users to get around limitations
14:47:12 Alain: I had not realized you needed to register explicitly for SPC
14:47:22 q+ to reply
14:47:47 Stephen: The WebAuthn WG raised a concern. We had wondered whether vanilla WebAuthn should "Just work"
14:48:03 ...but the WebAuthn folks imagined login attacks (malicious attacker, innocent RP)
14:48:20 ...the RP might accidentally not verify credentials correctly.
14:48:26 ...there was also a user experience concern...
14:48:37 ...SPC allows a dialog to appear with another origin's name on it
14:49:09 Alain: A down side is that the user will tend to only register with a few merchants.
14:49:23 q+
14:49:30 Stephen: Going forward, if you register with your bank for SPC, then you can reuse that across transactions.
14:49:46 -> https://www.w3.org/blog/wpwg/2021/10/06/spc-design-choices-for-flexibility-and-scale/ Blog post
14:49:58 jrossi has joined #wpwg
14:50:09 q?
14:50:15 q?
14:50:16 ack Alain
14:50:19 ack AdrianHB
14:50:19 AdrianHB_, you wanted to ask if the plan is still to move to credentials.get instead of PR.show?
14:50:21 q-
14:50:40 AdrianHB: We discussed API shape on GitHub some time ago. Is the plan to still move away from PR API and closer to some other API?
14:50:58 Rouslan: I think the plan is to take a look at the API shape and decide if navigator.get is preferable
14:51:14 ...I'm pretty sure it would be better. But we may need to make adjustments like requiring user gestures.
14:51:37 Stephen: There's no concrete plan at this time, but we do think some change should happen to make the API more ergonomic
14:52:03 AdrianHB: But roughly the goal is for SPC to work with vanilla WebAuthn credentials without a need for an extension
14:52:18 ...but some features need to be available to support this like discoverable credentials.
14:52:29 does SPC allow a merchant to specify currencies they accept, and have the user shown only the subset of instruments that provide those?
14:52:36 Stephen: So far the WebAuthn WG is pretty set that a vanilla WebAuthn SHOULD NOT have the ability to perform a cross origin ceremony
14:52:42 q+ ljharb
14:53:06 ack weil
14:53:06 weiler, you wanted to ask re: the prohibition on roaming authenticators (e.g. YubiKeys)
14:53:12 thanks
14:53:16 weiler: What about the prohibition on roaming authenticators?
14:53:41 Stephen: We would like to take advantage of roaming authenticators, but have not figured out how to do so
14:54:05 ...some ideas like "Plug in your authenticator if you have one"
14:54:31 weiler: I see there is a milestone for roaming authenticators that says "complete"; where does the WG want to track roaming auth support?
14:54:47 [Sam reopens an issue]
14:54:59 ack Ger
14:55:23 Thank you everyone, I have to drop out but I will see you all for our next session tomorrow. Very interesting work on SPC.
14:55:39 Gerhard: Thanks for the walk-through. I think we will almost always create the credential with the flag set.
14:55:46 ...is that a desirable outcome?
14:56:50 ...I would like to decouple capabilities (1) cross-browser availability and (2) using a WebAuthn for payment confirmation
14:57:17 ...what does it mean if RPs always set the payments flag just to be sure?
14:58:08 qq+
14:58:39 Gerhard: Are we prepared to say "best practice" is to set the bit?
14:58:44 ...I think it will become the norm
14:59:21 weiler: Just to note, my concern earlier was about credentials not being used for credentials.
14:59:37 Gerhard: +1 to a tick box to "untick" a payment capability
14:59:45 (That was suggested by Sam)
15:00:00 zakim, who's here?
15:00:00 Present: Ian, Rouslan, benoit, Jordan_Harband, Alain_Martin, Takashi_Minamii, Ryan_Watkins, Erhard_Brand, Stephen_McGruer, Clinton_Allen, Hemnath_Dhananjayan,
15:00:04 ... Haribalu_Venkataramanaraju, Julien_Ross, Ninika, Bastien_Latge, Chris_Dee, nick_s, Nick_Shearer, Rolf_Lindemann, Sam_Weiler, Uno_Veski, Jayadevi_Natarajan, Frank_Hoffmann,
15:00:04 ... Brian_May, Anne_Pouillard, Jean_Luc_Di_Manno, Aleksei_Akimov, Manish_Garg, Krunal_Patel, Bastien, Solaiyappan_Perichiappan, Antoine_Cathelin, Tomasz_Blachowicz, Geun-Hyung_Kim,
15:00:09 ... Rufus, Bryan_Luo, aleksei, Gerhard_Oosthuizen, Arno_van_der_Merwe, Max, bryanluo, Adrian_Hope_Bailie, Emil_Lundberg, Gargi, Susan_Pandy, Doug_Fisher, Chris_Wood, Eric_Mwobobia,
15:00:09 ... Bart_de_Water, Christian_Aabye
15:00:09 On IRC I see jrossi, bdewater, ChristianA, Gerhard_, kirkwood, clinton_, rwatkins_mc, Solai, Krunal, Rufus, Manish, frank_hoffmann, bryanluo, Gerhard, aleksei, Chris_Wood, Anne,
15:00:13 present+ Julien_Rossi
15:00:14 ... ChrisD, AdrianHB_, Bastien, bmay, Jean-Luc, nick_s, weiler, Rolf, Takashi_, ljharb, RRSAgent, Ninika_, Zakim, rouslan, jeff, pea13, canton, benoit, rowan_m, dlehn, manu,
15:00:14 ... dlongley, slightlyoff, Travis, hadleybeeman, falken_, tobie, nicktr, hober, smcgruer_[EST], Joshue108, ntelford, mkwst, Ian, jeffh, AdrianHB
15:00:32 Hemnath_Dhananjayan has joined #wpwg
15:00:33 q?
15:00:37 ach Weiler
15:00:50 ack Weiler
15:00:50 weiler, you wanted to react to Gerhard
15:01:21 rolf: I'm still trying to understand the risk associated with Sam's use case. Federation is available today to enable parties to share a credential.
15:01:26 ack Rolf
15:01:54 Rolf: Cross-origin iframe WebAuthn authentication also works today.
15:02:05 present+ Nick_Telford-Reed
15:02:33 Rolf: With SPC, the browser renders the dialog; the assertion goes back to the PSP who sends it to the RP
15:03:19 ...if the PSP and RP collaborate, then it will still be confusing to the user to see a payment dialog (instead of the typical terms and conditions screen)
15:03:34 ...so I don't see how the Payment UX can be practically used abusively
15:03:56 ack ljharb
15:04:16 jonathan has joined #wpwg
15:04:29 Jordan: Does SPC support instrument selection logic?
15:04:36 Rouslan: That's not part of SPC
15:05:04 ...SPC does not evaluate the currency provided as input to the PR API call for SPC
15:05:11 ...the browser just displays it in the dialog
15:05:42 ...the currency code is part of the signature to tell the RP that the user agreed to what was displayed
15:05:57 q+
15:06:23 did i drop out?
15:06:25 i can't hear anything
15:06:29 i can't hear you
15:06:35 sorry
15:06:45 we see you
15:06:46 the question was "was that an oversight, or is there a technical or non-technical constraint that prevents that"
15:07:01 (I'm not sure what the question was yet....)
15:07:10 (Instrument selection happens pre SPC call)
15:08:08 q?
15:08:19 agenda?
15:08:25 did my question come through?
15:08:36 if not i'll drop and reconnect
15:08:45 (very choppy alas)
15:08:48 k
15:09:14 David: Regarding "merchant of record" style purchases.
15:09:16 my internet's down because of a storm, so this is all on cellular :-(
15:09:55 David: Sometimes merchants are working with providers specifically to facilitate payments. If the PSP is the merchant of record, how can I set that up?
15:10:18 Rouslan: There are 4 origins in the signature:
15:10:45 - Two of them are displayed to the user. In the address page it's the current page (which might be PSP). In the UX it's the PayeeOrigin (e.g., merchant)
15:11:08 q+
15:11:10 ...if you redirect from Walmart to PayPal you still want the PayeeOrigin to be Walmart
15:11:13 ack benoit
15:11:47 Rouslan: The signature will also include the origin of the iframe (e.g., if PayPal is embedded in Stripe)
15:11:56 ...and finally the relying party ID is in the signature
15:12:15 present+ Jonathan_Grossar
15:13:13 benoit: I would love to see more on intelligence we can do on that data
15:13:22 q-
15:13:32 my audio device isn't working, sorry about that
15:13:41 talk
15:13:45 q+ to talk about issuer side verifications
15:13:48 ack ros
15:13:49 i can't hear anything
15:14:22 Rouslan: Regarding 'issuer side intelligence', if your issuer is the RP, they are enrolling the user and they will be able to collect all the data and verify it.
15:14:29 ...if you delegate, then that party can do it, etc.
15:14:40 q+ asking about filtering instruments, take 2
15:14:47 q+ to ask about filtering instruments, take 2
15:14:49 ...there are server-side libraries to do validation
15:15:05 ...if you pass a WebAuthn signature to the JS library and a public key, it will return a boolean
15:15:18 ...if you pass an SPC signature to the JS library it will BREAK
15:15:34 ...but that's intentional. We don't want RPs to unknowingly accept payment signatures for login
15:16:00 ...but there's a branch on the particular JS library @@name@@ with a separate method for verifying a payment-related signature
15:16:13 ...and there are more things you can check for (e.g., instrument display, merchant, amount, etc)
15:16:53 https://github.com/webauthn4j/webauthn4j
15:16:59 ack ljh
15:16:59 ljharb, you wanted to ask about filtering instruments, take 2
15:17:12 SPC branch: https://github.com/webauthn4j/webauthn4j/tree/spc-dev
15:18:47 q+ to disagree with Ian :P
15:18:53 q-
15:18:54 thanks, that answers my question, sorry if it's off topic for SPC.
15:19:16 q- ok nevermind, I misunderstood Ian
15:19:23 q-
15:20:43 [Ian on architecture]
15:21:17 zakim, close item 3
15:21:17 agendum 3, SPC status in Chrome, closed
15:21:18 I see 1 item remaining on the agenda:
15:21:18 4. SPC issue review [from Ian]
15:21:23 zakim, take up item 4
15:21:23 agendum 4 -- SPC issue review -- taken up [from Ian]
15:21:41 https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+label%3Aagenda%2B
15:23:08 https://github.com/w3c/secure-payment-confirmation/issues/93
15:23:37 Stephen: Issue here is where information (e.g., text on instrument string) is internationalized (direction, language). Important for rendering, screen readers, etc.
15:23:54 ...there's a proposal on the thread.
15:23:57 ...but Localizable does not yet exist
15:24:35 Ian: We'll discuss with I18N folks this week
15:24:48 https://github.com/w3c/secure-payment-confirmation/issues/101
15:25:40 Stephen: This works today (we support data URLs) but there was an issue about including data URLs in JSON clientData
15:25:48 ...and that might be a lot of data for authenticators with limited storage
15:26:16 ...we now have at least 2 implementers who have things up and running and there are not any complaints
15:26:38 AdrianHB: If you include a regular URL you have no idea what was fetched
15:26:38 q+
15:27:18 q+
15:27:27 Ian: I heard "no that's not important"
15:27:29 ack rous
15:27:43 AdrianHB: Then it becomes a risk decision topic
15:28:01 q+
15:28:06 rouslan: The data URL solution solves the "exact bits" approach when needed
15:28:07 ack me
15:28:22 q-
15:28:24 AdrianHB: So the RP can make local policies
15:29:03 q-
15:29:10 Ian: Let's provide some informative note in the spec to say "use data URLs if you want a record of the bits shown"
15:29:19 AdrianHB: +1
15:29:30 SGTM, ship it
15:29:50 ACTION: Stephen to write a pull request for a note about data URL v HTTP(S) URL
15:29:53 +1 to close the issue too
15:30:16 IJ: So what is signed?
15:30:22 AdrianHB: The URL
15:30:42 ...also, they hash data before it's sent to the authenticator so storage limits not really an issue
15:30:43 jcemer has joined #wpwg
15:31:35 PROPOSAL: Specification today satisfies issue 101. Add a note on usage of data URLs.
15:31:50 +1
15:31:52 +1
15:31:54 +1
15:31:56 +1
15:31:56 +1
15:32:00 +1
15:32:12 SO RESOLVED:
15:32:24 ACTION: Ian to close issue 101 with note to minutes
15:32:26 +1
15:32:36 https://github.com/w3c/secure-payment-confirmation/issues/125
15:32:47 Should SPC allow for a failed download of the payment instrument icon?
15:32:59 Stephen: This originally came up as a bug in chrome.
15:33:16 ...but partner indicated they'd rather have something other than a fatal error.
15:33:27 alt text in this case? text that would also be signed as part of the request?
15:33:32 ...my proposal at this point is to close the issue and leave it as fatal.
15:33:43 ...Erhard proposed to catch first failure and retry
15:33:54 ...but Rouslan pointed out that another user activation would be important
15:33:58 ...but we're not hearing demand so I propose to close it
15:34:06 alt text might also promote accessibility
15:34:17 (David, see issue on icon accessibility coming up)
15:34:29 AdrianHB: What is in signature to indicate something failed?
15:35:09 Stephen: We'd sign empty URL or a bit that said we have not displayed it.
15:36:16 Stephen: today the promise is rejected with a general issue. We can have a more specific error message.
15:36:17 q+ to ask if the inability to download a card image would then cause a payment to fail - merchants won't like this
15:36:31 Stephen: The proposal was to do UX with a blank icon
15:37:14 q?
15:37:33 AdrianHB: We could also add an explicit bit in the signature "Image was displayed"
15:37:48 ...I'm suggesting that rather than show an error, we could just indicate in the response that the image was shown or not
15:38:04 q+ to reply
15:38:14 ...there might be NON ERROR reasons to not show an image (e.g., constrained display)
15:38:39 ack ChrisD:
15:39:33 ChrisD: If I've understood correctly, if the browser cannot load the icon from the RP, that results in failure. I think that is an issue if that leads to payment failure.
15:39:48 ...there might be different service levels between payments and image servers.
15:40:20 q?
15:40:26 ack ChrisD
15:40:26 ChrisD, you wanted to ask if the inability to download a card image would then cause a payment to fail - merchants won't like this
15:40:30 ack Rous
15:40:30 rouslan, you wanted to reply
15:40:48 Rouslan: First, I think that SPC is essentially used as a step-up (in 3DS terms)
15:41:05 ...it is quite possible that the user uses an existing card on a new device
15:41:22 ...it's normal in that case for SPC to fail, and that should result in some other form of authentication.
15:42:06 ...nothing in SPC requires that the icon has to come from the bank.
15:42:42 ...data URLs can also help against server issues
15:43:36 q+ to challenge whether SPC can rely on another authentication method being used as a fallback
15:43:40 Rouslan: I like AdrianHB's idea regarding an explicit bit to say the image was shown. But I doubt we would add it to the spec just yet. But please raise as an issue
15:44:09 ACTION: AdrianHB to add an issue about an explicit bit in the signature whether browser displayed image
15:44:11 ack ChrisD
15:44:11 ChrisD, you wanted to challenge whether SPC can rely on another authentication method being used as a fallback
15:44:44 I think the assertion (clientData JSON) should contain an optional bit that indicates the instrument image was *not shown*. RPs can choose to consider this in their risk evaluation.
15:44:47 q+
15:45:14 q+ to reply about emvco 3ds
15:45:36 ChrisD: I heard Rouslan say "We don't need to make SPC super resilient to URL availability" since we can fall back to other authentication mechanisms. And I kind of understand that. It feels to me that wherever you add friction, you increase the risk of abandonment.
15:45:49 ...I'm not sure there are benefits to not handling URLs.
15:46:16 Stephen: If we allow for a failed URL download, the user will see UX. What if the RP does not accept that? What if the RP really wants the icon to be shown?
15:46:49 ...but the user experience would be for the user to confirm then get a second step up (e.g. OTP) because the RP did not accept the image not being shown
15:47:08 ...today, the failure is silent, so there's no extra user friction when there is a failed download.
15:47:26 Or we need to do both...
15:48:15 Ian: Should we just note for RPs what to do (more "good practice" for RPs)
15:48:49 ChrisD: I would need to think more about whether there should be alternate behavior where the RP can say in advance "I accept if the browser cannot download the image"
15:48:50 q+
15:48:56 ack smc
15:49:16 ack ros
15:50:17 rouslan: In response to the question about 3DS, when we were working on adding SPC to 3DS v 2.3, some members of our organization were very aware of image download reliability issues, and pushed to ONLY allow data URLs. We got pushback on ONLY using data URLs. So 3DS v 2.3 allows both kinds of URLs.
15:50:31 ...+1 to the note on data URLs as we suggested
15:50:48 lots of reasons to ONLY support data URLS
15:51:40 Manish has left #wpwg
15:51:41 q+
15:51:45 ack rou
15:51:45 rouslan, you wanted to reply about emvco 3ds
15:51:46 ack ian
15:51:49 ack aleksei
15:52:13 Ian: You could also allow the RP to specify some backup behavior (whatever that might be; e.g., enum of options)
15:52:35 q+ to reply to a comment on having a good error
15:52:44 Aleksei: +1 to a recovery mechanism in the API
15:53:02 ack smcgruer_[EST]
15:53:02 smcgruer_[EST], you wanted to reply to a comment on having a good error
15:53:29 Stephen: Today Chrome (incorrectly) returns the generic WebAuthn error. What is more useful to the RP?
15:53:36 1) Failure with a proper error message or
15:53:48 2) Transaction completes with signature over error condition
15:54:00 Aleksei: I think second...gives developers some options
15:54:07 Stephen: I hear "fix chrome bug to start"
15:54:40 q?
15:54:44 q+ to note time and draw this to a 'close' ?
15:54:51 ack sm
15:54:51 smcgruer_[EST], you wanted to note time and draw this to a 'close' ?
15:55:07 Stephen: What we have to determine then is next steps.
15:55:23 ACTION: Stephen to file a bug on Chrome to return a more useful error message when URL download failed.
15:55:44 Stephen: I am hearing from ChrisD and Aleksei that recovery is useful.
15:57:39 q?
15:57:45 RRSAGENT, make minutes
15:57:45 I have made the request to generate https://www.w3.org/2021/10/25-wpwg-minutes.html Ian
15:57:56 RRSAGENT, set logs public
16:04:00 RRSAGENT, make minutes
16:04:00 I have made the request to generate https://www.w3.org/2021/10/25-wpwg-minutes.html Ian
16:06:31 RRSAGENT, make minutes
16:06:31 I have made the request to generate https://www.w3.org/2021/10/25-wpwg-minutes.html Ian
16:11:09 RRSAGENT, make minutes
16:11:09 I have made the request to generate https://www.w3.org/2021/10/25-wpwg-minutes.html Ian
16:47:03 zakim, bye
16:47:03 leaving. As of this point the attendees have been Ian, Rouslan, benoit, Jordan_Harband, Alain_Martin, Takashi_Minamii, Ryan_Watkins, Erhard_Brand, Stephen_McGruer, Clinton_Allen,
16:47:03 Zakim has left #wpwg
16:47:06 ... Hemnath_Dhananjayan, Haribalu_Venkataramanaraju, Julien_Ross, Ninika, Bastien_Latge, Chris_Dee, nick_s, Nick_Shearer, Rolf_Lindemann, Sam_Weiler, Uno_Veski, Jayadevi_Natarajan,
16:47:06 ... Frank_Hoffmann, Brian_May, Anne_Pouillard, Jean_Luc_Di_Manno, Aleksei_Akimov, Manish_Garg, Krunal_Patel, Bastien, Solaiyappan_Perichiappan, Antoine_Cathelin, Tomasz_Blachowicz,
16:47:09 rrsagent, bye
16:47:09 I see 4 open action items saved in https://www.w3.org/2021/10/25-wpwg-actions.rdf :
16:47:09 ACTION: Stephen to write a pull request for a note about data URL v HTTP(S) URL [1]
16:47:09 recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-29-50
16:47:09 ACTION: Ian to close issue 101 with note to minutes [2]
16:47:09 recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-32-24
16:47:09 ACTION: AdrianHB to add an issue about an explicit bit in the signature whether browser displayed image [3]
16:47:09 recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-44-09
16:47:09 ACTION: Stephen to file a bug on Chrome to return a more useful error message when URL download failed. [4]
16:47:09 recorded in https://www.w3.org/2021/10/25-wpwg-irc#T15-55-23
16:47:10 ... Geun-Hyung_Kim, Rufus, Bryan_Luo, aleksei, Gerhard_Oosthuizen, Arno_van_der_Merwe, Max, bryanluo, Adrian_Hope_Bailie, Emil_Lundberg, Gargi, Susan_Pandy, Doug_Fisher,
16:47:10 ... Chris_Wood, Eric_Mwobobia, Bart_de_Water, Christian_Aabye, Julien_Rossi, Nick_Telford-Reed, Jonathan_Grossar