17:01:34 <RRSAgent> RRSAgent has joined #wpwg-spc
17:01:34 <RRSAgent> logging to https://www.w3.org/2021/12/06-wpwg-spc-irc
17:01:41 <Ian> Meeting: SPC Task Force
17:01:43 <Ian> Chair: Ian
17:01:44 <Ian> Agenda:
17:01:47 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Dec/0003.html
17:01:49 <Ian> Scribe: Ian
17:01:55 <Ian> present+ Rolf_Lindemann
17:01:58 <Ian> present+ Jeff_Hodges
17:02:06 <Ian> present+ Stephen_McGruer
17:02:09 <Ian> present+ Ian_Jacobs
17:03:10 <Ian> present+ Doug_Fisher
17:03:29 <Ian> present+ Praveena_Subrahmanyan
17:03:36 <Ian> present+ Gerhard_Oosthuizen
17:03:48 <Ian> -> https://lists.w3.org/Archives/Public/public-payments-wg/2021Dec/0003.html Agenda
17:04:12 <Doug> Doug has joined #wpwg-spc
17:04:15 <Ian>  See recap by John Bradley:
17:04:15 <Ian>  https://github.com/w3c/webauthn/issues/1667#issuecomment-983962193
17:04:15 <Ian>  More from John on some options:
17:04:15 <Ian>  https://github.com/w3c/webauthn/issues/1667#issuecomment-984793763
17:04:30 <smcgruer_[EST]> q+
17:04:55 <Ian> ack smcgruer_[EST]
17:05:05 <Ian> smcgruer_[EST]: Summary of where I think we are:
17:05:19 <Ian> 1) Path #1 - namespace concept
17:05:33 <Ian> ...with a change to WebAuthn one could make the namespace concept work with login flows as well
17:05:42 <Ian> ...you'd have to say "I want to use for SPC AND login"
17:05:59 <Ian> ...it's a minor change but not great ergonomics
17:06:05 <Gerhard> Gerhard has joined #wpwg-spc
17:06:09 <Ian> 2) Path #2 - do the right thing
17:06:33 <Ian> a) CTAP would need to change to allow for more bits, and authenticators would need firmware updates
17:06:37 <Gerhard> q+ For option 1 (space), would it work on browsers that does not support SPC.
17:06:47 <Ian> ...but platform authenticators could change sooner
17:07:02 <Ian> ...not sure what the timeline would be, but would be faster than remote authenticators
17:07:12 <Ian> smcgruer_[EST]: We could take either or both paths
17:07:20 <Ian> ack Ger
17:07:20 <Zakim> Gerhard, you wanted to option 1 (space), would it work on browsers that does not support SPC.
17:08:01 <Ian> Gerhard: Obviously doing it the right way would lead us to better long-term outcomes. How quickly do platform authenticators change?
17:08:21 <Ian> ...if we go with the namespace approach ("spc:") - question is who defines the space?
17:08:31 <Ian> ...what would the implication be for other implementations?
17:08:57 <Ian> smcgruer_[EST]: Authenticators would need to support the Webauthn change
17:09:21 <Ian> present+ John_Bradley
17:09:45 <Ian> smcgruer_[EST]: Browsers would have to implement the WebAuthn change (to allow namespaces) even if they don't do SPC.
17:12:12 <Rolf> Rolf has joined #wpwg-spc
17:12:21 <Ian> Gerhard: I think that the dialog is more important than the cross-domain capability in SPC.
17:12:30 <Ian> q+
17:13:11 <Ian> John_Bradley: I got the impression that there was an objection to allowing a vanilla WebAuthn credential to be used in a payment flow.
17:13:22 <Ian> Stephen: I disagree with that view.
17:13:29 <praveena> praveena has joined #wpwg-spc
17:14:03 <Ian> [Discussion of clientJSONData]
17:14:18 <Ian> JeffH: We have the term "client platform" in the spec...that line can move depending on platform
17:14:25 <Ian> present+ Susan_Pandy
17:14:46 <Ian> JeffH: Why shouldn't a vanilla WebAuthn credential be used for payment?
17:14:59 <Ian> Rolf: If in a 1p context, isn't it up to the RP?
17:15:30 <Gerhard> q+
17:15:46 <Ian> John_Bradley: I tried to make the argument that regular WebAuthn in the WebAuthn namespace should be usable in SPC in a 1p context, but not sure I convinced the person
17:15:50 <Ian> queue==Gerhard, Ian
17:16:00 <Ian> John_Bradley: So the special namespace would only apply to 3p SPC
17:16:22 <smcgruer_[EST]> q?
17:16:25 <Ian> ...there could be 2 namespaces (one for 1p, one for 3p) but more complicated
17:16:31 <Ian> ack gerhard
17:17:21 <Ian> Gerhard: It's perhaps interesting to hear the comment.  EMVCo's usage of FIDO in 3DS 2.3 suggests "FIDO is good for payments" so to hear "not good for payments" is unexpected.
17:21:05 <Ian> Ian: Can we write up a short term /long term proposal with (1) 1p and 3p implementation today and (2) changes to CTAP further out
17:21:43 <Ian> John_Bradley: There seemed to be less resistance to some tweaks to allowing SPC for login; some client platforms could be adjusted
17:22:51 <Ian> Ian: Would WebAuthn be modified to allow this? Or just implementation?
17:23:39 <Ian> John_Bradley: Extension definition
17:24:04 <Ian> ...we'd need something to (1)make the extension and then (2) accepting them.
17:24:15 <smcgruer_[EST]> q?
17:24:24 <smcgruer_[EST]> qq+
17:24:59 <Ian> Ian: Where do we define the spc: namespace?
17:25:42 <Ian> John_Bradley: WebAuthn extension defines the namespace; how you make it and look for it. SPC defines browser behavior in SPC terms
17:25:58 <Ian> ack smcgruer_[EST]
17:25:58 <Zakim> smcgruer_[EST], you wanted to react to Gerhard
17:26:01 <Ian> ack me
17:26:29 <Ian> smcgruer_[EST]: What if our 1p/3p immediate solution is the current hack in chrome. What would a namespace give us beyond that?
17:26:41 <Ian> ..maybe some small benefits like "could work across different browsers"
17:26:50 <Ian> ..but SPC also currently relies on the conditional UI concept
17:27:06 <Ian> ...we still need local cache
17:27:35 <Ian> John_Bradley: So the question is - other than the cross-origin authentication property of an SPC credential, what other properties would need to be tracked?
17:27:58 <Ian> ...what needs to be added to a generic WebAuthn discoverable or non-discoverable credential?
17:28:33 <Ian> Gerhard: (1) payment (2) cross-origin
17:29:30 <Rolf> In WebAuthn-L2 (https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion) section 7.2 step #13, the origin needs to be verified against the RP ID.  So you could argue that from that perspective you *cannot* use it in a 3rd party context - even without any introduction of namespaces.
17:30:05 <smcgruer_[EST]> Rolf: I maybe misunderstand, but thats why https://w3c.github.io/secure-payment-confirmation/#client-extension-processing-authentication patches it
17:30:09 <Rolf> So why do we want the Browser to not show the specific SPC UI even before.
17:30:28 <smcgruer_[EST]> Rolf: https://w3c.github.io/secure-payment-confirmation/#sctn-verifying-assertion
17:31:20 <Rolf> I think I don't understand the concerns that drive the need for the namespace.
17:33:55 <Ian> John_Bradley: Let's sort out 1p context first, then 3p context.
17:34:04 <Ian> ...do we need to do anything special in 1p context?
17:34:19 <Ian> Next meeting: 13 Dec
17:35:15 <Ian> ACTION: Ian to write down a proposal that allows 1p usage, 3p usage, and future CTAP tweak
17:35:52 <Gerhard> Dropping off.
17:35:55 <Gerhard> Thanks everyone.
17:36:08 <Ian> RRSAGENT, make minutes
17:36:08 <RRSAgent> I have made the request to generate https://www.w3.org/2021/12/06-wpwg-spc-minutes.html Ian
17:36:12 <Ian> RRSAGENT, set logs public
17:38:28 <Ian> RRSAGENT, bye
17:38:28 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2021/12/06-wpwg-spc-actions.rdf :
17:38:28 <RRSAgent> ACTION: Ian to write down a proposal that allows 1p usage, 3p usage, and future CTAP tweak [1]
17:38:28 <RRSAgent>   recorded in https://www.w3.org/2021/12/06-wpwg-spc-irc#T17-35-15
17:38:30 <Ian> zakim, bye
17:38:30 <Zakim> leaving.  As of this point the attendees have been Rolf_Lindemann, Jeff_Hodges, Stephen_McGruer, Ian_Jacobs, Doug_Fisher, Praveena_Subrahmanyan, Gerhard_Oosthuizen, John_Bradley,
17:38:30 <Zakim> Zakim has left #wpwg-spc