Meeting minutes
SPC updates
Start with https://
smcgruer_[EST]: This is an alignment with Web Authentication. We used "rp" instead of "rpid" and want to fix that to align with WebAuthn
… this is reasonable but also a breaking change. :(
… the resulting assertion is affected
… the field name changes
… my proposal is for implementations to continue to produce "rp" but also add "rpid"
… and we would deprecate "rp" over time.
<Gerhard> +1 for the change, before larger adoption...
smcgruer_[EST]: an alternative is to not make the change.
smcgruer_[EST]: I think it's reasonable to make the change while small-ish number of users.
Ian: Thoughts on 3DS integration cost?
Bastien: I can check.
… a priori I don't see an issue.
smcgruer_[EST]: Verifying the assertion is out of scope of 3DS strictly speaking
ACTION: Bastien to check with the EMV 3DS WG
PROPOSED: Change "rp" to "rpid" in the SPC specification.
benoit: What would the deprecation plan be?
smcgruer_[EST]: Usually we measure usage of features as part of deprecation. But we don't measure things in this case.
… we would start by producing both fields in the assertion
… I expect we would announce a timeline and talk loudly about it
<GregoireLeleux> "rpId" is part of the webAuthenCredList in 3DS spec
<benoit> +1 support proposal
<GregoireLeleux> yes, that's the input creds
<smcgruer_[EST]> +1 support proposal
<Steve_C> +1
<Anne> +1
rolf: +1
<JMGirard> +1
so RESOLVED
WebAuthn and cross-origin credential creation
https://
smcgruer_[EST]: we've heard both for SPC and other payments use cases with FIDO is a desire to enroll a user in a cross-origin iframe in a merchant page rather than redirect.
… so SPC enables this but WebAuthn does not
… I have heard people say it is useful generally
… so it would be good to migrate this into Web Authn; there's a standing issue there on that topic
… I'd like to get the WPWG's support for this
<Rolf> What is the WebAuthn issue number?
https://
IJ: Any highlights for reasons this did not previously get traction?
smcgruer_[EST]: The three concerns cited previously on this topic:
1) Tracking
… our proposal helps on this by requiring "user activation" which is not originally required in Web Authentication.
2) Regulatory questions
… I think that usage is relevant here and so not inherently problematic.
smcgruer_[EST]: There was also some confusion in the original WebAuthn conversation; the goal is here for origin A to create a credential for itself; not create a credential for another origin.
… I think Google's FIDO folks would be ok with this change.
Rolf: This is different from cross-origin invocation with special bit, right?
smcgruer_[EST]: Correct.
Rolf: If I receive and assertion, can I observe that it was created in a cross-origin iframe?
… the existence of such information could help garner support.
smcgruer_[EST]: I would be open to that.
… we need to think about whether there are privacy implications.
smcgruer_[EST]: Also note that the caller knows that they are creating an assertion .
Rolf: It's not clear you can disable invocation in an iframe easily.
smcgruer_[EST]: There are headers you can load to stop it. It's the caller's javascript the decides where to call.
Rolf: Be sure to tell people that they can disable something, and how to do so.
smcgruer_[EST]: Good point. I can add to the proposal mention of headers and possibly adding topOrigin
ACTION: smcgruer_[EST] to update the proposal to discussion of how to disable the functionality.
<JeanLuc> X-Frame-Options: DENY ?
https://
<smcgruer_[EST]> JeanLuc: I think that is correct, or use SAMEORIGIN
<Rolf> https://
[We observe that there's a flag in WebAuthn that indicates iframe was cross-origin]
smcgruer_[EST]: Jean-Luc, that may be it or another one like "same origin only"
PROPOSAL: Adopt the Proposal to re-raise issue of cross-origin creation with the WebAuthn WG (after stephen's edits)
Ian: +1
<Anne> +1
<JMGirard> yep +1
<Rolf> +1
<Gerhard> +1
<Steve_C> +1
<smcgruer_[EST]> +1 (do I count? ;))
so RESOLVED
TPAC check-in
https://
<smcgruer_[EST]> Rolf: https://
<smcgruer_[EST]> Rolf: It does include such an extension in the WebAuthn space which maps to the FIDO CTAP bit
<smcgruer_[EST]> Sorry, the above is said from Stephen to Rolf, for clarity
Rolf: RP can ask the user in advance if they want to use cross-origin.
https://
Ian: Any suggestions for topics?
<careyf> Fun fact: there's another TPAC also happening at the same time in Vancouver as our W3C TPAC
<smcgruer_[EST]> And they're first when you google "TPAC Vancouver" ! :D
<smcgruer_[EST]> 'Third Party Advantage Conference'
<careyf> I saw that Stephen! lol
canMakePayments
(This relates to Payment Request)
"Request for use cases: "canmakepayment" event"
smcgruer_[EST]: We are looking at privacy topics generally (Sandbox) and this touches on all APIs, including PR API and PH API.
… we've published a list of issues
https://
smcgruer_[EST]: we have some ideas for mitigations of these concerns
… we'll discuss more at TPAC
… canMakePayment (and equivalent in Android) carries a lot of information
… so we'd like to be sure we understand the use cases for this functionality so that we can properly mitigate the risks.
Ian: Would be good at TPAC to hear more about Chrome [And Other] view of PR API future
smcgruer_[EST]: Yes, let's chat
Next meeting
TPAC
(No meeting 1 or 8 Sep)