Meeting minutes
TPAC debrief
TPAC agenda (with links to minutes)
Ian: Any thoughts to share to get started?
Carey: Fantastic TPAC, helped me get more involved.
Ian: How was the AV?
Praveena: Really good
[Action review]
* Stephen to check whether the attestation is available during SPC flow
smcgruer_[EST]: I think the answer is "not yet" due to current WebAuthn. But passkeys will make this a thing, but without a guarantee.
… we should find out whether you'll have to ask for it.
* Sameer to see about enhancing 3DS flow to include attestation if available in SPC context
SameerT: We are relying on output of SPC; so we're already covered if it's just part of the usual output.
smcgruer_[EST]: If 3DS allows bundling of the assertion should be covered.
SameerT: Need to ensure size not a problem, otherwise ok
* Stephen to get info on priority of more icons in transaction dialog from design team
smcgruer_[EST]: I spoke to UX people; hoping to see this tackled in Q4.
* Sameer to work with the 3DS WG to write down in more detail the "non-payment transaction" use case.
Sameer: We haven't discussed yet, but likely to take up over next few weeks then will have a timeline
On Auth failure after authentication
Ian: With SPC, could one display an error before calling complete()?
[Review of another pay experience]
Ian: Could a merchant "do the right thing"?
smcgruer_[EST]: Good question what will happen if you call complete(fail).
smcgruer_[EST]: I think the concerns I heard were more about defense against malicious merchant.
SameerT: One thing that might help is to look at sequence of steps that happens.
… the merchant uses results of 3DS to send for authorization.
SPC updates
https://
https://
smcgruer_[EST]: I was working on some SPC feature detection ideas.
… today's approach is clunky.
… the issue now has a proposal
… there are some side issues not covered like "is spc available in a form that I want it" (e.g., use platform authenticator only)
… I think we need developer input on this topic
Ian: Any comments on 3DS integration?
smcgruer_[EST]: No impact
praveena: Adyen had brought this up early in the pilot development.
… I think it would make life easier
smcgruer_[EST]: Probably true that "existing user" input is not as available as "new user"
smcgruer_[EST]: We would do this except that we keep debating the overall shape of the API.
praveena: +1
[On getting SPC to CR]
Ian: TAG now satisfied, I18N now satisfied
Ian: Check with WG about waiting a bit longer for WebKit input before going to CR
https://
SameerT: Process question - once a feature is in CR is there a qualification process to not make breaking changes?
[On EMVCo process and breaking changes]
[And time required to respond to breaking changes]
Ian: Any new updates?
smcgruer_[EST]: We are looking at M108 Android.
smcgruer_[EST]: We've been watching SPC traffic; saw a spike 2 weeks ago; success rate of those authentications was very high.
smcgruer_[EST]: Our opt-out origin trial ends end-of-year; we'll make a decision then based on partner demand.
smcgruer_[EST]: We did bring up create() in cross-origin iframe within WebAuthn WG last week
… there is ongoing discussion
<smcgruer_[EST]> https://
Rolf: Any signals from other browser vendors re: SPC?
[None heard]
Next meeting
Ian: EMVCo meets then
13th Oct