16:52:12 <RRSAgent> RRSAgent has joined #wpwg-spc
16:52:12 <RRSAgent> logging to https://www.w3.org/2021/11/08-wpwg-spc-irc
16:52:27 <Ian> Meeting: SPC Task Force
16:52:29 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Nov/0001.html
16:52:30 <Ian> Chair: Ian
16:52:33 <Ian> Scribe: Ian
16:52:42 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/08-wpwg-spc-minutes.html Ian
17:02:27 <Ian> present+ Anne
17:02:29 <Ian> present+ Clinton
17:02:32 <John_Bradley> John_Bradley has joined #wpwg-spc
17:02:34 <Ian> present+ John_Bradley
17:02:40 <Ian> present+ Praveena
17:02:42 <Ian> present+ Sameer
17:02:56 <Ian> present+ Stephen
17:03:13 <Ian> present+ Doug_Fisher
17:03:26 <Anne> Anne has joined #wpwg-spc
17:03:32 <Ian> present+ JeffH
17:03:36 <Ian> Topic: What are requirements when more than one SPC credential matches?
17:03:55 <Ian> present+ Michel Weksler
17:04:08 <Ian> Stephen: Today in the implementation we accept the first credential that matches.
17:04:16 <SameerT> SameerT has joined #wpwg-spc
17:04:18 <clinton> clinton has joined #wpwg-spc
17:04:20 <Ian> ...WebAuthn as a model also views as a decreasing order of pref
17:04:31 <Ian> ..but they expect prompting of the user to pick the first one they like
17:04:49 <Ian> John_Bradley: authenticators in CTAP will choose the "most recently created credential" of the allow list.
17:05:37 <Ian> Ian: Is the goal "get one back however that is determined"?
17:05:51 <Ian> John_Bradley: Nothing in allow list causes a list to be showing in CTAP
17:06:10 <Ian> ...nothing about credential IDs says "This is your blue authenticator"
17:06:13 <Ian> ack Doug
17:06:22 <SameerT> q+ : Ian, can you please run through the problem statement/scenario again
17:06:32 <Ian> ack Sam
17:06:32 <Zakim> SameerT, you wanted to say Ian, can you please run through the problem statement/scenario again
17:06:54 <Ian> Doug: From a 3DS perspective it would be great if credentials were shown and nothing else.
17:07:41 <Ian> ...let's say SPC use case
17:08:01 <smcgruer_[EST]> q+ to ask John to clarify behavior in CTAP vs "WebAuthn Authenticator Model" section of WebAuthn
17:09:25 <Ian> Stephen: There are two levels: "Multiple authenticators are available" ...may want to ask the user to pick one.
17:09:45 <Ian> ...when credentials are from the same authenticator...the authenticator picks the most recent one.
17:09:49 <Ian> ack sm
17:09:49 <Zakim> smcgruer_[EST], you wanted to ask John to clarify behavior in CTAP vs "WebAuthn Authenticator Model" section of WebAuthn
17:10:03 <Ian> John_Bradley: WebAuthn pretty much always shows you a dialog.
17:10:08 <Ian> present+ Ryan_Watkins
17:10:14 <Ian> present+ Christian_Aabye
17:10:41 <SameerT> q+
17:10:41 <Ian> John_Bradley: The platform authenticator will give you list of credentials it has and an option to use a roaming authenticator.l
17:10:46 <Ian> ...lots of innovation in this space
17:10:48 <Ian> ack SameerT
17:13:46 <Ian> IJ: Summary:
17:13:52 <SameerT_> SameerT_ has joined #wpwg-spc
17:14:02 <Ian> - When multiple authenticators, should user pick one?
17:14:19 <Ian> - When multiple credential IDs for the same authenticator, implementation detail how one is chosen.
17:14:33 <Ian> John_Bradley: Authenticator might show a pick list
17:15:06 <Ian> ...platform authenticators typically do a user verification before they present a pick list
17:15:50 <Ian> smcgruer_[EST]: In case where user has one matching platform, the only issue I see is how the browser/OS presents option to plug in a security key
17:15:58 <Ian> s/security key/roaming authenticator
17:18:07 <Ian> IJ: should we have requirements?
17:18:28 <Ian> John_Bradley: If there is an allow list you'll get back one (per CTAP). Windows shows a choosers
17:20:18 <Ian> Ian: Could we just say "it's up to the implementation to get to 1, and it's an implementation detail?"
17:20:31 <Ian> John_Bradley: What is the expectation about sequencing of uX?
17:20:47 <Ian> ...do you silently probe and then go back and do a get() with one credential id?
17:20:59 <Ian> Stephen: The latter.
17:21:09 <Ian> 1) Browser receives a list of credential IDs.
17:21:24 <Ian> 2) Can ask (in the future) whether the platform authenticator knows it (Conditional UI)
17:21:41 <Ian> 3) our "no match" dialog could be extended to ask user to plug in roaming authenticator
17:22:08 <Ian> John_Bradley: As long as we say credentials are created with cred protect levels 0 or 2
17:22:42 <Ian> ...at level 2, you need the credential ID
17:22:55 <Ian> ..at level 0, there's no privacy as long as the rpid is known
17:23:10 <Ian> ...Chrome currently uses cred level 2 for discoverable
17:24:05 <Ian> ...assuming you had, say, a Yubikey, Chrome could iterate over credentials with user presence 0, user verified 0 to determine whether available before user is prompted
17:24:33 <Ian> ...there's also an NFC use case where user needs to do a tap operation then they might need a dialog
17:25:12 <Ian> ...may be ok to only present "roaming" option if there's no platform credential available
17:25:28 <Ian> Stephen: Good question.
17:26:16 <Ian> John_Bradley: I think in most cases, you'd proceed with the platform authenticator if the issuer has provisioned it
17:26:46 <Ian> Stephen: I'd be happy to punt to WebAuthn. The WebAuthn implementation could go ahead to resolve it.
17:26:57 <Ian> Doug: Great discussion. We do have questions on 3DS side re: UX
17:27:17 <smcgruer_[EST]> q?
17:27:19 <smcgruer_[EST]> q
17:27:20 <Ian> ...we should allow the RP to create more than one credential (may be done at PAN level rather than identity level)
17:27:59 <smcgruer_[EST]> q+
17:28:02 <Ian> ...could the OS give an option to insert a roaming authenticator, and if the used it, could the assertion fail if there was no credential...would the RP know?
17:28:12 <smcgruer_[EST]> q-
17:28:25 <Ian> John_Bradley: That could not happen if you are using an allow list
17:28:52 <smcgruer_[EST]> q+
17:29:26 <Ian> John_Bradley: The list of credential ids doesn't tell you about which authenticator (platform or roaming) or if on this machine or not
17:29:48 <smcgruer_[EST]> q-
17:30:08 <Ian> JeffH: Doug brings up a key question - the data model.
17:30:17 <Ian> ...the data model needs to get decided
17:30:35 <Ian> ..if I understood correctly, it's whether the issuer is mapping the credentials to accounts or instruments.
17:30:49 <Ian> q+
17:32:27 <Ian> John_Bradley: If you have one credential per PAN, where does WEbAuthn get info it will present.
17:32:50 <Ian> Stephen: We don't do instrument selection; the merchant (and account provider) have chosen the instrument before SPC is called
17:34:27 <Ian> John_Bradley: The answer to the question is "one response". We may want to clarify "what goes in the user id" and we could help avoid a pick list.
17:34:41 <Ian> Stephen: At registration time, the RP should "be consistent"
17:35:02 <Ian> John_Bradley: Yes, the RP should be consistent at registration time, otherwise there might be some UX issue.
17:36:30 <Ian> ACTION: Ian to follow up with Stephen about next steps.
17:36:39 <Ian> Topic: Next meeting
17:36:54 <Ian> 15 Nov
17:37:03 <Ian> RRSAGENT, make minutes
17:37:03 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/08-wpwg-spc-minutes.html Ian
17:37:12 <Ian> RRSAGENT, set logs public
17:42:43 <Ian> zakim, bye
17:42:43 <Zakim> leaving.  As of this point the attendees have been Anne, Clinton, John_Bradley, Praveena, Sameer, Stephen, Doug_Fisher, JeffH, Michel, Weksler, Ryan_Watkins, Christian_Aabye
17:42:43 <Zakim> Zakim has left #wpwg-spc
17:42:45 <Ian> reagent, bye