IRC log of wpwg on 2022-11-10

Timestamps are in UTC.

Meeting: Web Payments Working Group
Chair: Nick
Topic: FedCM
15:06:24 [Ian]
smcgruer_[EST]: FedCM may have applications to payments in terms of user recognition.
15:06:32 [vkuntz]
15:06:46 [Ian]
...this story starts with the tracking issue that is enabled by cookies
15:07:10 [Dougf]
Dougf has joined #wpwg
15:07:23 [Ian]
...browsers changing to avoid tracking without the user's permission or awareness
15:08:01 [Ian]
...we are getting rid of 3p cookies so need to find alternatives for well-known use cases such as federated login
15:08:43 [Ian]
...aggregation of logins in identity providers (IDP)
15:08:53 [Ian]
...simplifies life for web sites who can hand over login to IDPs
15:09:15 [Ian]
...there are downsides to current approaches (not part of today's discussion)
15:09:32 [Ian]
...seamless federated login as practiced today relies on 3p cookies
15:10:01 [Ian]
reached out to who keeps track of login state...but in a 3p context
15:10:21 [Ian]
...the emerging solution is FedCM: browser mediates the identity discussion
15:10:30 [Ian]
...the site lists supported IDPs.
15:10:54 [Ian]
..the browser goes to the IDPs without telling the IDPs why it's asking. The IDP can access cookies in a 1p context.
15:11:16 [Ian]
...the IDP can tell the browser what accounts the IDP knows.
15:11:55 [Ian]
...the browser can display these choices to the user (without showing merchant yet) and allow the user to consent to identify themselves (via browser UX)
15:12:12 [Ian]
...after the user selects an identity, there are other flows between the RP and IDP (not discussed here).
15:12:16 [Ian]
15:12:40 [Ian]
* The browser enforces isolation, which allows IDP to access 1p cookies. The IDP does not know who is asking.
15:12:59 [Ian]
* There is a privacy issue - what happens if there is *no account*?
15:13:23 [Ian]
...right now they are not showing the user any dialog if there are no accounts, and they are also not telling the merchant site.
15:13:31 [Ian]
...perhaps in the future there might be an SPC-like failure screen
15:13:46 [Ian]
[We see UX]
15:14:02 [Ian]
present+ Fahad
15:14:06 [Ian]
present+ Mike_Horne
15:14:19 [Ian]
15:14:35 [Ian]
* Single-IDP option-UX shipping in Chrome 108
15:14:47 [Ian]
* Spec is in development in the FedIDCG
15:14:56 [Ian]
* Two other browser vendors have indicated support for this publicly
15:15:06 [Ian]
* There are things not yet implemented
15:15:16 [Ian]
- Auto sign-in for returning users (but 1p cookies could be used)
15:15:26 [Ian]
- Multi-IDP support....early discussions are happening
15:15:44 [Ian]
- Handling not-signed-in IDPs not yet supported
15:16:00 [Ian]
- Work still happening on UX
15:16:05 [Ian]
[What about payments]
15:16:28 [Ian]
smcgruer_[EST]: FedCM will always require user understanding and consent...and returning flows will at least show the user something
15:16:34 [Ian]
..but I think FedCM could still be useful
15:16:45 [Ian]
..e.g., PSPs that offer a service across merchants
15:17:00 [Ian]
...or banks/PSDs wanting to authenticate the user without redirect/popup
15:17:11 [Ian]
[Demo of FedCM with SRC]
15:17:45 [Ian]
15:18:52 [nicktr]
15:18:56 [Ian]
ack me
15:19:03 [Gerhard]
15:19:11 [Ian]
ack nick
15:19:28 [Ian]
ack Gerhard
15:19:41 [Ian]
Gerhard: Really interesting; gives me a payment handler kind of feeling
15:19:53 [Ian]
...the little window that popped that a 1p iframe?
15:19:57 [Ian]
the size changeable?
15:20:19 [Ian]
smcgruer_[EST]: That iframe in my demo is opened by Visa (3p)
15:20:22 [JeanLuc]
15:20:30 [Fahad]
Fahad has joined #wpwg
15:21:03 [Ian]
Gerhard: What identifier is passed back?
15:21:11 [Fahad_]
Fahad_ has joined #wpwg
15:21:37 [Ian]
smcgruer_[EST]: The merchant passes a list of IDPs to the browser
15:21:42 [nicktr]
15:21:49 [Ian]
..the browser talks to each SRC system (with cookies)
15:21:57 [Ian]
..those SRC systems are asked to return "list of accounts"
15:22:11 [Ian]
for my demo I provided card list rather than login names
15:22:16 [Ian]
15:22:32 [Fahad_]
15:22:51 [Ian]
smcgruer_[EST]: What the user cannot see is that there's a token associated with what the user selects (e.g., some user identifier that enables the rest of the flow)
15:23:05 [Ian]
Gerhard: There's no requirement to do any other UX after the FedCM.
15:23:07 [Ian]
smcgruer_[EST]: Correct
15:23:36 [Ian]
ack JeanLuc
15:24:23 [rouslan_]
rouslan_ has joined #wpwg
15:24:29 [clinton]
15:24:31 [Ian]
JeanLuc: Thanks for this presentation. The demo basically shows the browser as an SRC-I. Could you use FedCM instead as an alternative to the recognition domain?
15:24:51 [Ian]
smcgruer_[EST]: You could take the more "traditional" view of FedCM -- you could simply present the user's SRC identity (e.g., my email address).
15:25:07 [Ian]
...any SRC system that has a cookie in its domain could send back that identity.
15:25:30 [Ian]
issue here is that you might have N identical identities in this case, and there is no de-duplication function here.
15:25:52 [Ian]
maybe there's a way with FedCM to tell the browser "where you see identical strings, just pick any one"
15:26:01 [Ian]
JeanLuc: Very interesting
15:26:05 [Ian]
ack nicktr
15:26:10 [clinton]
15:26:16 [Ian]
nicktr: Really cool.
15:26:26 [Ian]
...can you call FedCM from inside of a payment handler?
15:26:46 [Ian]
smcgruer_[EST]: Technically there's no reason you couldn't...but I don't know what will happen in mobile windows
15:26:51 [Ian]
ack me
15:27:39 [Ian]
Ian: How is privacy handled in passing of IDP info?
15:27:53 [Ian]
smcgruer_[EST]: Domain only. Probably a .well-known
15:30:27 [Ian]
15:30:30 [Ian]
ack Fahad_
15:31:37 [Ian]
Fahad_: For multi-IDP there might be different ways to de-dup, e.g., "stop as soon as you find one"
15:31:51 [Ian]
present+ Manish_Garg
15:32:21 [Ian]
smcgruer_[EST]: Multi-IDP is very early stage exploration; this would be good feedback to the FedIDCG
15:32:40 [Ian]
idea for this is that there would be a deduplication field. The browser shows only one.
15:33:11 [Ian]
Fahad_: What happens when the user returns to
15:33:20 [Ian]
smcgruer_[EST]: With FedCM today, the user would have to choose to continue.
15:33:40 [Ian]
could put a first party cookie; that's feasible but there are downsides
15:33:56 [Ian]
would be good to engage with the CG on returning user flow
15:34:15 [Ian]
...we'd probably tell the user "you are being logged in" rather than doing it silently
15:34:37 [Ian]
Fahad_: The spec has a client id. When the IDP returns info they talk about "already approved client id"
15:34:51 [Ian]
present+ Praveena
15:35:11 [Ian]
smcgruer_[EST]: The IDP could lie and that would lead to tracking silently
15:35:39 [Ian]
..but I personally think that if a user comes back to a site where the user has previously used FedCM, the site should be able to trivially get back identity via FedCM
15:35:55 [Ian]
Fahad_: In the browser UX .. is the IDP name set by
15:36:03 [Ian]
...can multiple IDPs have the same display name?
15:36:11 [Ian]
smcgruer_[EST]: The IDPs are represented by their origin
15:36:29 [Ian]
Fahad_: We were interested in "Sign in with click to pay"
15:37:27 [Ian]
Topic: SPC use cases
15:37:45 [Ian]
[Gerhard slides]
15:38:31 [Ian]
[Progress so far]
15:38:51 [Ian]
Gerhard: Both Open Banking and 3DS support more than just single transaction. What might we do next with SPC?
15:40:13 [Ian]
[we look at current fields displayed by SPC transaction dialog, primary use case, and primary authentication approach]
15:40:34 [Ian]
Gerhard: We'd like to start here discussion of next use cases for SPC
15:40:36 [Ian]
15:41:06 [Ian]
Gerhard: I can see three axes for extension -- (1) additional display fields (2) new use cases/transactions (3) other forms of authentication
15:43:14 [clinton2]
clinton2 has joined #wpwg
15:43:21 [Ian]
Gerhard: there are some additional UX topics (not part of my 3 categories above) - opt-out, icon size
15:44:02 [Ian]
[Trusted merchant list]
15:44:10 [Ian]
Gerhard: "Trust this merchant" in the display.
15:44:16 [Ian]
...another one is "Trust this device"
15:44:47 [Ian]
15:45:10 [Ian]
Gerhard: Imagine we are doing this in open banking...the user journey would start with "pay with my bank"
15:45:14 [Ian]
..there would be a redirect to the bank
15:45:25 [Ian]
...the SPC confirmation could happen in that context, followed by a redirect
15:45:30 [Ian]
we need a redirect capability
15:47:08 [Ian]
Ian: How does this relate to SPC?
15:48:20 [Ian]
Gerhard: Want to "trust a merchant"; the user could say essentially "don't do a step up in the future". The issuer could record that information.
15:50:15 [Ian]
Ian: Why does the user's view matter?
15:50:24 [Ian]
Gerhard: It's part of EMVCo requirement
15:50:29 [Ian]
offer this option
15:51:08 [JeanLuc]
15:51:11 [Ian]
ack me
15:51:12 [Ian]
ack JeanLuc
15:51:59 [Ian]
JeanLuc: If I understand correctly, the merchant could populate the field without any user validation.
15:52:44 [Ian]
Gerhard: For me, the point is that the SPC display is browser-controlled and thus the merchant can't fake it
15:53:28 [Ian]
JeanLuc: The merchant could attack in the second AREQ
15:55:23 [Ian]
Topic: Charter
15:55:38 [Ian]
15:56:30 [Ian]
15:56:41 [Ian]
Topic: Schedule
15:57:09 [Ian]
Next meeting: 8 December
15:58:30 [Ian]
Topic: FTF?
15:58:44 [clinton2]
+1 (either)
15:58:49 [Gerhard]
15:58:50 [JeanLuc]
15:58:51 [mg]
15:58:51 [benoit]
+1 (either)
15:58:52 [Ian]
+1 for a FTF
15:58:53 [Fahad_]
15:58:55 [cferro]
May is better I think! +1
15:59:00 [ChristianA]
15:59:01 [Rolf]
15:59:11 [rouslan_]
+1 (may have to be virtual for me)
15:59:21 [clinton2]
as long as it does not overlap!
15:59:32 [Ian]
