13:56:37 <RRSAgent> RRSAgent has joined #wpwg
13:56:37 <RRSAgent> logging to https://www.w3.org/2022/04/14-wpwg-irc
13:56:42 <Ian> Meeting: Web Payments WG
13:56:49 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20220414
13:56:50 <Ian> Chair: Ian
13:56:52 <Ian> Scribe: Ian
13:57:00 <Ian> Regrets+ Praveena
13:57:06 <Ian> Regrets+ Nick_Telford-Reed
13:57:12 <Ian> Regrets+ David_Benoit
13:57:33 <Ian> agenda+ Updated on issue 172: Opt-out
13:57:47 <Ian> agenda+ Update on issue 157: Cross-origin use of credentials
13:58:02 <Ian> agenda+ Any feedback on UA string reduction from payments community?
13:58:06 <Ian> agenda+ SPC demos
13:58:12 <Ian> agenda+ Next meeting - remote 3-5 May
14:00:13 <Ian> present+ Ian_Jacobs
14:00:19 <Ian> present+ Anne_Pouillard
14:00:41 <Ian> present+ Rolf_Lindemann
14:01:10 <Ian> agenda+ TPAC 2022
14:01:23 <Ian> present+ Ryan_Watkins
14:01:34 <Ian> present+ Suzie_Annezo-Sebire
14:01:39 <Ian> present+ Jean_Emer
14:01:42 <Ian> present+ Christian_Aabye
14:02:01 <Ian> present+ Stephen_McGruer
14:02:02 <Rolf> Rolf has joined #wpwg
14:02:45 <Ian> present+ Steve_Cole
14:02:48 <Ian> present+ Doug_Fisher
14:02:54 <Ian> present+ Tomoya_Horiguchi
14:03:01 <Ian> present+ Chris_Wood
14:03:13 <ChristianA> ChristianA has joined #wpwg
14:03:52 <Ian> zakim, take up item 1
14:03:52 <Zakim> agendum 1 -- Updated on issue 172: Opt-out -- taken up [from Ian]
14:03:59 <Ian> present+ Jean-Michel_Girard
14:04:17 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/172
14:04:29 <Ian> present+ Gerhard_Oosthuizen
14:04:34 <Ian> present+ Michael_Horne
14:04:38 <Ian> present+ John_Fontana
14:04:56 <Gerhard> Gerhard has joined #wpwg
14:05:03 <Ian> Stephen: Regarding 172, Stripe suggested that there be an ability for the user to let the RP know to remove stored data (for GDPR)
14:05:13 <Ian> ...Proposal1: Stripe suggested a link to the RP domain
14:05:36 <JMGirard> JMGirard has joined #wpwg
14:05:44 <Ian> ...Chrome Team is concerned about that approach, concern that secure UX could be seen as "endorsing" link to (potentially malicious) RP site
14:05:51 <Ian> present+ Chris_Dee
14:06:11 <Ian> Stephen: We don't want a situation where, e.g., RP phishes (e.g., for card numbers)
14:06:12 <jcemer> jcemer has joined #wpwg
14:06:28 <Ian> Stephen: Proposal 2 is for user to stay in the browser experience, but browser sends a signal to the RP (e.g., an assertion)
14:06:37 <Ian> ...the RP does not get card information; only gets an assertion
14:06:51 <Gerhard> present+
14:07:02 <Ian> Stephen: Both proposals involve complex UX; we are looking for input from people on whether these work, and whether opt-out required at all
14:07:26 <smcgruer_[EST]> q?
14:07:40 <Gerhard> q+
14:07:41 <Ian> Rolf: You need a way to delete an account. Not sure the link needs to be in the SPC dialog
14:08:08 <Anne> Anne has joined #wpwg
14:09:05 <Ian> IJ: I think problem in delegated flow is that the user does not know the RP.
14:09:13 <Ian> ...user doesn't know Stripe. User knows merchant or bank.
14:09:18 <smcgruer_[EST]> q?
14:09:19 <dfisher> dfisher has joined #wpwg
14:09:52 <smcgruer_[EST]> q+ to comment on per-merchant as well
14:10:06 <Ian> Rolf: To whom is the user authenticating?
14:10:19 <Ian> Stephen: It is Stripe (in this delegated flow)
14:10:22 <Ian> present+ John_Bradley
14:10:44 <Ian> Stephen: Merchant A hands authentication to Stripe who is the RP
14:11:02 <Ian> ...so Stripe stores data. But the function of Stripe here is often invisible to users.
14:11:35 <Ian> Rolf: Payment processors exist today. Users can tell payment processors "forget my data"; why isn't current deployment inadequate to the task?
14:11:52 <Ian> ...it may be the merchant's responsibility to give link
14:12:17 <jeanluc> jeanluc has joined #wpwg
14:12:21 <Ian> Stephen: So a third alternative is that this opt-out should happen outside SPC (with a link to the RP)
14:12:35 <Ian> ..I've heard an argument against that ... merchants don't want those links.
14:13:05 <Ian> Jean: What happened is this - where are using our 3DS authentication to enroll credentials. At this point we need to indicate that Stripe will store information (opt-in).
14:13:18 <Ian> ...since we are allowing opt-in, we need to display (at some point) an easy way to opt-out.
14:13:21 <Ian> q?
14:13:23 <dfisher> q+
14:13:32 <Ian> present+ Nick_Burris
14:13:42 <Ian> present+ Jean-Luc_di_Manno
14:13:46 <Ian> ack Gerhard
14:13:56 <smcgruer_[EST]> q?
14:14:05 <smcgruer_[EST]> q-
14:14:39 <Ian> Gerhard: Suppose I am shopping and I say "remember my card for future shopping" and the card is remembered by Stripe. There is a place to go to see your cards (on the merchant site)
14:15:58 <Ian> ...I think it will be tricky to do this opt-out during shopping
14:16:11 <Ian> ...suggest merchant gives access to partner where user can manage stored data
14:16:19 <Ian> q?
14:16:43 <Ian> Gerhard: This should not be in SPC dialog; rather offered by service provider
14:16:45 <Ian> ack dfisher
14:17:02 <Ian> dfisher: +1 to Gerhard's view
14:17:17 <Ian> ...at the most recent WPSIG call EMVCo provided feedback on the opt-out issue
14:17:28 <Ian> ...we don't support incorporation of the opt-out link into the SPC UI
14:18:29 <smcgruer_[EST]> q?
14:18:32 <Ian> Rolf: +1
14:19:28 <Ian> Ian: What are limitations of approach where SPC sends assertion to the RP?
14:19:41 <Ian> Stephen: I'm hearing the critique of proposal 1 is also a critique of proposal 2.
14:19:58 <Ian> ...meanwhile, the downside of proposal 2 is user understanding.
14:20:08 <Ian> ...does user understand what user is opting out of? And to whom?
14:20:15 <SteveC_> SteveC_ has joined #wpwg
14:20:29 <Ian> ...the browser signal is also a bit more complex to implement (e.g., RP has a well-known domain, or server is down, etc.)
14:21:13 <Gerhard> q+
14:21:47 <Ian> ack Ger
14:22:11 <smcgruer_[EST]> q?
14:22:18 <Ian> Gerhard: The term "delegated authentication" as used here typically refers to the account provider (e.g., the bank) delegating authentication to the merchant / PSP
14:24:18 <Ian> Gerhard: Store A and Store B should indicate that they are using a shared resource (e.g., Stripe) to make payments easier.
14:25:06 <jeanluc> q+
14:26:39 <dfisher> q+
14:26:45 <Chris_D> Chris_D has joined #wpwg
14:26:48 <smcgruer_[EST]> q?
14:27:13 <Ian> Gerhard: I think there are 3 permutations:
14:27:23 <Ian> 1) ACS can approve context in ACS context
14:27:47 <Ian> 2a) Delegated auth: Merchant A shopping and Merchant A credential. Over time Merchant A credential may be more trusted over time
14:28:13 <Ian> 2b) SPC: PSP credentials are used within Merchant B context.
14:28:41 <Ian> Gerhard: In all cases, it's important to indicate who the RP is.
14:28:44 <Ian> ack jean-
14:28:46 <Ian> ack jean
14:29:04 <Ian> jeanluc: Key point re: delegation is who has liability.
14:29:17 <Chris_D> q+ EMVCo delegated authentication actually delegates authentication from issuer to merchant or another party; SPC is different - the issuer still authenticating the user but via a process which involves the merchant/PSP to respond to a FIDO challenge - this does impact liability shift as Jeanluc is saying
14:30:09 <Ian> jeanluc: There is both "capture" and "validation"; validation here is ultimately done by the ACS.
14:30:20 <Ian> q?
14:30:26 <Chris_D> q+ to comment that EMVCo delegated authentication actually delegates authentication from issuer to merchant or another party; SPC is different - the issuer still authenticating the user but via a process which involves the merchant/PSP to respond to a FIDO challenge - this does impact liability shift as Jeanluc is saying
14:30:27 <Ian> ack df
14:31:04 <Ian> dfisher: I did want to refer to one of Ian's comment about merchant-initiated and issuer-supported use cases. I want to distinguish "merchant-initiated" from what Stripe is doing.
14:31:19 <Ian> ...in merchant-initiated (per 3DS) the merchant is always the RP
14:31:26 <Ian> ...that distinction is important in terms of opt-out
14:31:49 <Ian> ack Chris
14:31:49 <Zakim> Chris_D, you wanted to comment that EMVCo delegated authentication actually delegates authentication from issuer to merchant or another party; SPC is different - the issuer still
14:31:52 <Zakim> ... authenticating the user but via a process which involves the merchant/PSP to respond to a FIDO challenge - this does impact liability shift as Jeanluc is saying
14:32:22 <smcgruer_[EST]> q+
14:32:38 <Ian> ChrisD: I want to reinforce Jean-Luc's point. My understanding of delegated authentication is that it's where the issuer delegates authentication to a 3rd party who says that they've authenticated the shopper and the issuer "allows it to happen"
14:33:22 <Ian> ...and there's a liability shift to the merchant. My understanding of SPC is that it's still the issuer who indicates whether they are happy with the response to the challenge. So it's not really delegated.
14:33:28 <Ian> q+
14:33:30 <Ian> ack smcgruer_[EST]
14:34:17 <Ian> smcgruer_[EST]: First, SPC is an authentication technology that can be used by lots of RPs. It can be used in any of the above scenarios.
14:34:29 <Ian> ...so we should be clearer about saying "This is the integration of SPC into 3DS."
14:34:35 <Ian> ..but that is NOT relevant to what Stripe is doing
14:34:49 <Ian> ...Stripe is using 3DS delegation authentication ... liability being shifted from ACS to Stripe
14:35:01 <dfisher> Q+
14:35:03 <Ian> ....and at that point the merchant can do whatever they want in terms of authentication
14:35:12 <Ian> ...and in Stripe's case, they want to use SPC
14:35:44 <Ian> ...so I think this scenario is still delegated authentication.
14:36:53 <Ian> Ian: So three scenarios:
14:37:01 <Ian> 1) ACS does ceremony + validation
14:37:09 <Ian> 2) Merchant does ceremony + ACS does validation
14:37:19 <Ian> 3) Merchant does ceremony + validation ("delegated authentication")
14:37:22 <Ian> ack dfisher
14:37:26 <Ian> ack Ian
14:37:39 <Ian> dfisher: Logo presentation to show who is the RP is important to user understanding.
14:38:08 <Ian> ...SPC is not dictating who is the RP, but if we can't address UX complexity in these different use cases, may not be usable
14:38:30 <Ian> q?
14:39:33 <Ian> Ian: Are we hearing Proposal 3 should get more attention? (RP works in merchant domain to show user options for managing credentials)?
14:39:58 <Ian> zakim, close item 1
14:39:58 <Zakim> agendum 1, Updated on issue 172: Opt-out, closed
14:39:59 <Zakim> I see 5 items remaining on the agenda; the next one is
14:39:59 <Zakim> 2. Update on issue 157: Cross-origin use of credentials [from Ian]
14:39:59 <Gerhard> So are you saying 'this is not an SPC problem to solve'? If so then +1
14:40:04 <Ian> zakim, take up item 2
14:40:04 <Zakim> agendum 2 -- Update on issue 157: Cross-origin use of credentials -- taken up [from Ian]
14:40:41 <Ian> Stephen: As a reminder, this is our issue about how to integrate SPC into WebAuthn/FIDO so we can do special powers without browser cached information.
14:40:52 <Ian> ...there is a proposal on the table that involves reaching out to the FIDO Technical Working Group
14:41:08 <Ian> ...my expectation is that I will send a pull request in the FIDO GitHub repo (which is private)
14:41:19 <Ian> -> https://github.com/w3c/secure-payment-confirmation/issues/157#issuecomment-1057208347 here's the proposal
14:41:33 <Ian> Stephen: The API access that we want is well-served by the Conditional UI proposal
14:41:59 <Ian> ...and so my colleagues have suggested that where we should focus is on the "bit" stored in the authenticator allowing cross-origin usage
14:42:35 <Ian> ...in terms of Conditional UI I expect in the short term to focus on platform authenticators to get experience then move into FIDO for remote authenticators too
14:42:57 <Ian> JohnBradley: Conditional UI is supposed to work also with remote authenticators.
14:43:05 <Ian> ...only works with discoverable credentials (which SPC is using)
14:43:14 <Ian> ...there's a "user external authenticator" button
14:43:30 <Ian> Stephen: I think we can do something similar with SPC. We would have a "use external authenticator" button
14:43:57 <Gerhard> q+
14:44:28 <Ian> JohnBradley: Conditional UI itself may not expose whether something is a cross-origin credential.
14:44:45 <Ian> ...that's potentially a separate issue.
14:45:20 <Ian> ...as an example, a Windows platform authenticator may not expose that information. If Android does it would be proprietary for the moment.
14:45:34 <Ian> Stephen: Is there a standard API for "fetch the credential" under Conditional UI hood?
14:45:44 <Ian> John_Bradley: There is not and may never be.
14:46:27 <smcgruer_[EST]> s/fetch the credential/fetch all credentials for a given RP
14:48:01 <Ian> ack Ger
14:48:34 <Ian> Gerhard: Regarding the "bit". We had said 2 potential bits: (1) Enable payment display (2) enable cross-origin
14:50:57 <Ian> Stephen: I would rather we get the platform work done (to allow things to just work)
14:52:13 <Ian> ..my assumption is "let's assume that on a platform, Chrome cannot query for credentials for a given RP; instead it can only initiate authentication."
14:52:34 <Ian> ..we need the API before we decide to show the transaction dialog
14:52:44 <Ian> ..and that's the same API that underlies Conditional UI
14:53:08 <Ian> John_Bradley: We should get clarity on whether and when it will be implemented.
14:53:57 <Ian> q?
14:54:17 <Ian> zakim, close item 2
14:54:17 <Zakim> agendum 2, Update on issue 157: Cross-origin use of credentials, closed
14:54:20 <Zakim> I see 4 items remaining on the agenda; the next one is
14:54:20 <Zakim> 3. Any feedback on UA string reduction from payments community? [from Ian]
14:54:23 <Ian> zakim, take up item 3
14:54:23 <Zakim> agendum 3 -- Any feedback on UA string reduction from payments community? -- taken up [from Ian]
14:54:36 <Ian> -> https://www.w3.org/2022/01/20-wpwg-minutes.html#t04 January discussion of string reduction
14:54:55 <Ian> Stephen: Starting in Chrome 101 (in 2 weeks) we will no longer server minor version of the Chromium version (will be all zeros)
14:55:04 <Ian> ...there are subsequent stages of reduction throughout 2022
14:55:17 <Ian> ...will remove desktop version number
14:55:46 <Ian> ...client hint API is being introduced to get the information (but proactive v. passive)
14:56:19 <Ian> See the antifraud use cases https://github.com/antifraudcg/proposals/blob/main/use-cases/use-cases.md
14:56:26 <Ian> https://github.com/antifraudcg/proposals/
14:56:31 <jeanluc> q+
14:56:36 <Ian> https://github.com/antifraudcg/proposals/issues
14:56:56 <Ian> ack jean
14:57:03 <Ian> jeanluc: This is an important topic
14:57:17 <Ian> ...lots of antifraud providers exploit this information (e.g., UA string)
14:57:47 <Ian> zakim, close this item
14:57:47 <Zakim> agendum 3 closed
14:57:48 <Zakim> I see 3 items remaining on the agenda; the next one is
14:57:48 <Zakim> 4. SPC demos [from Ian]
14:58:12 <Ian> zakim, take up item 4
14:58:12 <Zakim> agendum 4 -- SPC demos -- taken up [from Ian]
14:58:21 <Ian> zakim, close item 4
14:58:21 <Zakim> agendum 4, SPC demos, closed
14:58:22 <Zakim> I see 2 items remaining on the agenda; the next one is
14:58:22 <Zakim> 5. Next meeting - remote 3-5 May [from Ian]
14:58:28 <Ian> zakim, take up item 5
14:58:28 <Zakim> agendum 5 -- Next meeting - remote 3-5 May -- taken up [from Ian]
14:58:32 <Ian> No meeting 28 April
14:58:38 <Ian> zakim, close item 5
14:58:38 <Zakim> agendum 5, Next meeting - remote 3-5 May, closed
14:58:39 <Zakim> I see 1 item remaining on the agenda:
14:58:39 <Zakim> 6. TPAC 2022 [from Ian]
14:58:47 <Ian> https://github.com/w3c/webpayments/wiki/Remote-Agenda-202205
14:59:44 <Ian> zakim, close item 5
14:59:44 <Zakim> agendum 5, Next meeting - remote 3-5 May, closed
14:59:45 <Zakim> I see 1 item remaining on the agenda:
14:59:45 <Zakim> 6. TPAC 2022 [from Ian]
14:59:48 <Ian> zakim, take up item 6
14:59:48 <Zakim> agendum 6 -- TPAC 2022 -- taken up [from Ian]
15:00:36 <Ian> zakim, make minutes
15:00:36 <Zakim> I don't understand 'make minutes', Ian
15:00:42 <Ian> RRSAGENT, make minutes
15:00:42 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/14-wpwg-minutes.html Ian
15:00:45 <Ian> RRSAGENT, set logs public
15:37:15 <jcemer> jcemer has left #wpwg