IRC log of wpwg on 2022-11-10
Timestamps are in UTC.
- 14:58:38 [RRSAgent]
- RRSAgent has joined #wpwg
- 14:58:39 [RRSAgent]
- logging to https://www.w3.org/2022/11/10-wpwg-irc
- 14:58:51 [Ian]
- Meeting: Web Payments Working Group
- 14:59:02 [Ian]
- Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20221110
- 14:59:06 [Ian]
- Chair: Nick
- 14:59:13 [Ian]
- Scribe: Ian
- 14:59:39 [Ian]
- present+ Ian
- 14:59:43 [Ian]
- present+ Clinton_Allen
- 14:59:47 [JeanLuc]
- JeanLuc has joined #WPWG
- 14:59:54 [Ian]
- present+ Jean-Luc_Di_Manno
- 14:59:56 [Ian]
- present+ Doug_Fisher
- 15:00:05 [Ian]
- present+ Gerhard_Oosthuizen
- 15:00:22 [Gregoire]
- Gregoire has joined #WPWG
- 15:00:55 [Ian]
- present+ Stephen_McGruer
- 15:01:04 [Ian]
- present+ Erhard_Brand
- 15:01:08 [Ian]
- present+ Rolf_Lindemann
- 15:01:15 [Ian]
- present+ Jean-Michel_Girard
- 15:01:23 [Gerhard]
- present+
- 15:01:36 [Rolf]
- Rolf has joined #wpwg
- 15:01:45 [Ian]
- present+ Steve_Cole
- 15:01:51 [Ian]
- present+ Christian_Aabye
- 15:01:53 [JMGirard]
- JMGirard has joined #wpwg
- 15:01:57 [Ian]
- present+ Gregoire_Leleux
- 15:02:09 [Ian]
- present+ Arno_van_dr_Merwe
- 15:02:33 [SuzieAS]
- SuzieAS has joined #wpwg
- 15:02:56 [Ian]
- present+ Rouslan
- 15:03:00 [Ian]
- present+ Ryan_Watkins
- 15:03:06 [Ian]
- present+ Arman
- 15:03:15 [Ian]
- present+ Suzie_Annezo-Sebire
- 15:03:33 [Rolf]
- present+
- 15:03:34 [benoit]
- benoit has joined #wpwg
- 15:03:42 [Ian]
- present+ Carey_Ferro
- 15:03:59 [benoit]
- present+
- 15:04:24 [Ian]
- present+ Vincent_Kuntz
- 15:04:59 [Ian]
- -> https://github.com/w3c/webpayments/wiki/Agenda-20221110 Agenda
- 15:05:08 [ChristianA]
- ChristianA has joined #wpwg
- 15:05:19 [rouslan]
- rouslan has joined #wpwg
- 15:05:19 [Steve_C_]
- Steve_C_ has joined #wpwg
- 15:05:25 [cferro]
- cferro has joined #wpwg
- 15:05:46 [Ian]
- -> https://docs.google.com/presentation/d/1Dq2M1k0L5KhTSwFKvUYb-nd39-7y5M3naVD812_w6jk/edit?usp=sharing Stephen's Slides
- 15:06:04 [vkuntz]
- vkuntz has joined #wpwg
- 15:06:05 [Ian]
- Topic: FedCM
- 15:06:24 [Ian]
- smcgruer_[EST]: FedCM may have applications to payments in terms of user recognition.
- 15:06:32 [vkuntz]
- present+
- 15:06:46 [Ian]
- ...this story starts with the tracking issue that is enabled by cookies
- 15:07:10 [Dougf]
- Dougf has joined #wpwg
- 15:07:23 [Ian]
- ...browsers changing to avoid tracking without the user's permission or awareness
- 15:08:01 [Ian]
- ...we are getting rid of 3p cookies, so we need to find alternatives for well-known use cases such as federated login
- 15:08:43 [Ian]
- ...aggregation of logins in identity providers (IDP)
- 15:08:53 [Ian]
- ...simplifies life for web sites, which can hand over login to IDPs
- 15:09:15 [Ian]
- ...there are downsides to current approaches (not part of today's discussion)
- 15:09:32 [Ian]
- ...seamless federated login as practiced today relies on 3p cookies
- 15:10:01 [Ian]
- ...RP.com reached out to idp.com who keeps track of login state...but in a 3p context
- 15:10:21 [Ian]
- ...the emerging solution is FedCM: browser mediates the identity discussion
- 15:10:30 [Ian]
- ...the site lists supported IDPs.
- 15:10:54 [Ian]
- ...the browser goes to the IDPs without telling the IDPs why it's asking. The IDP can access cookies in a 1p context.
- 15:11:16 [Ian]
- ...the IDP can tell the browser what accounts the IDP knows.
- 15:11:55 [Ian]
- ...the browser can display these choices to the user (without showing merchant yet) and allow the user to consent to identify themselves (via browser UX)
- 15:12:12 [Ian]
- ...after the user selects an identity, there are other flows between the RP and IDP (not discussed here).
- 15:12:16 [Ian]
- ...summary:
- 15:12:40 [Ian]
- * The browser enforces isolation, which allows IDP to access 1p cookies. The IDP does not know who is asking.
- 15:12:59 [Ian]
- * There is a privacy issue - what happens if there is *no account*?
- 15:13:23 [Ian]
- ...right now they are not showing the user any dialog if there are no accounts, and they are also not telling the merchant site.
- 15:13:31 [Ian]
- ...perhaps in the future there might be an SPC-like failure screen
- 15:13:46 [Ian]
- [We see UX]
- 15:14:02 [Ian]
- present+ Fahad
- 15:14:06 [Ian]
- present+ Mike_Horne
- 15:14:19 [Ian]
- [Status]
- 15:14:35 [Ian]
- * Single-IDP option-UX shipping in Chrome 108
- 15:14:47 [Ian]
- * Spec is in development in the FedIDCG
- 15:14:56 [Ian]
- * Two other browser vendors have indicated support for this publicly
- 15:15:06 [Ian]
- * There are things not yet implemented
- 15:15:16 [Ian]
- - Auto sign-in for returning users (but 1p cookies could be used)
- 15:15:26 [Ian]
- - Multi-IDP support...early discussions are happening
- 15:15:44 [Ian]
- - Handling not-signed-in IDPs not yet supported
- 15:16:00 [Ian]
- - Work still happening on UX
- 15:16:05 [Ian]
- [What about payments]
- 15:16:28 [Ian]
- smcgruer_[EST]: FedCM will always require user understanding and consent...and returning flows will at least show the user something
- 15:16:34 [Ian]
- ...but I think FedCM could still be useful
- 15:16:45 [Ian]
- ...e.g., PSPs that offer a service across merchants
- 15:17:00 [Ian]
- ...or banks/PSDs wanting to authenticate the user without redirect/popup
- 15:17:11 [Ian]
- [Demo of FedCM with SRC]
- 15:17:45 [Ian]
- q+
- 15:18:52 [nicktr]
- q+
- 15:18:56 [Ian]
- ack me
- 15:19:03 [Gerhard]
- q+
- 15:19:11 [Ian]
- ack nick
- 15:19:28 [Ian]
- ack Gerhard
- 15:19:41 [Ian]
- Gerhard: Really interesting; gives me a payment handler kind of feeling
- 15:19:53 [Ian]
- ...the little window that popped up...is that a 1p iframe?
- 15:19:57 [Ian]
- ...is the size changeable?
- 15:20:19 [Ian]
- smcgruer_[EST]: That iframe in my demo is opened by Visa (3p)
- 15:20:22 [JeanLuc]
- q+
- 15:20:30 [Fahad]
- Fahad has joined #wpwg
- 15:21:03 [Ian]
- Gerhard: What identifier is passed back?
- 15:21:11 [Fahad_]
- Fahad_ has joined #wpwg
- 15:21:37 [Ian]
- smcgruer_[EST]: The merchant passes a list of IDPs to the browser
- 15:21:42 [nicktr]
- q+
- 15:21:49 [Ian]
- ...the browser talks to each SRC system (with cookies)
- 15:21:57 [Ian]
- ...those SRC systems are asked to return a "list of accounts"
- 15:22:11 [Ian]
- ...so for my demo I provided card list rather than login names
- 15:22:16 [Ian]
- q+
- 15:22:32 [Fahad_]
- q+
- 15:22:51 [Ian]
- smcgruer_[EST]: What the user cannot see is that there's a token associated with what the user selects (e.g., some user identifier that enables the rest of the flow)
- 15:23:05 [Ian]
- Gerhard: There's no requirement to do any other UX after the FedCM.
- 15:23:07 [Ian]
- smcgruer_[EST]: Correct
- 15:23:36 [Ian]
- ack JeanLuc
- 15:24:23 [rouslan_]
- rouslan_ has joined #wpwg
- 15:24:29 [clinton]
- q+
- 15:24:31 [Ian]
- JeanLuc: Thanks for this presentation. The demo basically shows the browser as an SRC-I. Could you use FedCM instead as an alternative to the recognition domain?
- 15:24:51 [Ian]
- smcgruer_[EST]: You could take the more "traditional" view of FedCM -- you could simply present the user's SRC identity (e.g., my email address).
- 15:25:07 [Ian]
- ...any SRC system that has a cookie in its domain could send back that identity.
- 15:25:30 [Ian]
- ...one issue here is that you might have N identical identities in this case, and there is no de-duplication function here.
- 15:25:52 [Ian]
- ...so maybe there's a way with FedCM to tell the browser "where you see identical strings, just pick any one"
- 15:26:01 [Ian]
- JeanLuc: Very interesting
- 15:26:05 [Ian]
- ack nicktr
- 15:26:10 [clinton]
- q-
- 15:26:16 [Ian]
- nicktr: Really cool.
- 15:26:26 [Ian]
- ...can you call FedCM from inside of a payment handler?
- 15:26:46 [Ian]
- smcgruer_[EST]: Technically there's no reason you couldn't...but I don't know what will happen in mobile windows
- 15:26:51 [Ian]
- ack me
- 15:27:39 [Ian]
- Ian: How is privacy handled in passing of IDP info?
- 15:27:53 [Ian]
- smcgruer_[EST]: Domain only. Probably a .well-known
- 15:30:27 [Ian]
- q?
- 15:30:30 [Ian]
- ack Fahad_
- 15:31:37 [Ian]
- Fahad_: For multi-IDP there might be different ways to de-dup, e.g., "stop as soon as you find one"
- 15:31:51 [Ian]
- present+ Manish_Garg
- 15:32:21 [Ian]
- smcgruer_[EST]: Multi-IDP is very early stage exploration; this would be good feedback to the FedIDCG
- 15:32:40 [Ian]
- ...my idea for this is that there would be a deduplication field. The browser shows only one.
- 15:33:11 [Ian]
- Fahad_: What happens when the user returns to RP.com?
- 15:33:20 [Ian]
- smcgruer_[EST]: With FedCM today, the user would have to choose to continue.
- 15:33:40 [Ian]
- ...RP.com could put a first party cookie; that's feasible but there are downsides
- 15:33:56 [Ian]
- ...it would be good to engage with the CG on returning user flow
- 15:34:15 [Ian]
- ...we'd probably tell the user "you are being logged in" rather than doing it silently
- 15:34:37 [Ian]
- Fahad_: The spec has a client id. When the IDP returns info they talk about "already approved client id"
- 15:34:51 [Ian]
- present+ Praveena
- 15:35:11 [Ian]
- smcgruer_[EST]: The IDP could lie and that would lead to tracking silently
- 15:35:39 [Ian]
- ...but I personally think that if a user comes back to a site where the user has previously used FedCM, the site should be able to trivially get back identity via FedCM
- 15:35:55 [Ian]
- Fahad_: In the browser UX, is the IDP name set by RP.com?
- 15:36:03 [Ian]
- ...can multiple IDPs have the same display name?
- 15:36:11 [Ian]
- smcgruer_[EST]: The IDPs are represented by their origin
- 15:36:29 [Ian]
- Fahad_: We were interested in "Sign in with Click to Pay"
- 15:37:27 [Ian]
- Topic: SPC use cases
- 15:37:45 [Ian]
- [Gerhard slides]
- 15:38:31 [Ian]
- [Progress so far]
- 15:38:51 [Ian]
- Gerhard: Both Open Banking and 3DS support more than just single transaction. What might we do next with SPC?
- 15:40:13 [Ian]
- [we look at current fields displayed by SPC transaction dialog, primary use case, and primary authentication approach]
- 15:40:34 [Ian]
- Gerhard: We'd like to start here discussion of next use cases for SPC
- 15:40:36 [Ian]
- q?
- 15:41:06 [Ian]
- Gerhard: I can see three axes for extension -- (1) additional display fields (2) new use cases/transactions (3) other forms of authentication
- 15:41:34 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/11/10-wpwg-minutes.html Ian
- 15:41:41 [RRSAgent]
- I'm logging. Sorry, nothing found for 'who's here'
- 15:41:54 [RRSAgent]
- I'm logging. Sorry, nothing found for 'who's here'
- 15:43:14 [clinton2]
- clinton2 has joined #wpwg
- 15:43:21 [Ian]
- Gerhard: there are some additional UX topics (not part of my 3 categories above) - opt-out, icon size
- 15:44:02 [Ian]
- [Trusted merchant list]
- 15:44:10 [Ian]
- Gerhard: "Trust this merchant" in the display.
- 15:44:16 [Ian]
- ...another one is "Trust this device"
- 15:44:47 [Ian]
- q+
- 15:45:10 [Ian]
- Gerhard: Imagine we are doing this in open banking...the user journey would start with "pay with my bank"
- 15:45:14 [Ian]
- ...there would be a redirect to the bank
- 15:45:25 [Ian]
- ...the SPC confirmation could happen in that context, followed by a redirect
- 15:45:30 [Ian]
- ...do we need a redirect capability?
- 15:47:08 [Ian]
- Ian: How does this relate to SPC?
- 15:48:20 [Ian]
- Gerhard: Want to "trust a merchant"; the user could say essentially "don't do a step up in the future". The issuer could record that information.
- 15:50:15 [Ian]
- Ian: Why does the user's view matter?
- 15:50:24 [Ian]
- Gerhard: It's part of EMVCo requirement
- 15:50:29 [Ian]
- ...to offer this option
- 15:51:08 [JeanLuc]
- q+
- 15:51:11 [Ian]
- ack me
- 15:51:12 [Ian]
- ack JeanLuc
- 15:51:59 [Ian]
- JeanLuc: If I understand correctly, the merchant could populate the field without any user validation.
- 15:52:44 [Ian]
- Gerhard: For me, the point is that the SPC display is browser-controlled and thus the merchant can't fake it
- 15:53:28 [Ian]
- JeanLuc: The merchant could attack in the second AREQ
- 15:55:23 [Ian]
- Topic: Charter
- 15:55:38 [Ian]
- https://lists.w3.org/Archives/Public/public-payments-wg/2022Nov/0000.html
- 15:56:30 [Ian]
- https://www.w3.org/2004/01/pp-impl/83744/join
- 15:56:41 [Ian]
- Topic: Schedule
- 15:57:09 [Ian]
- Next meeting: 8 December
- 15:57:50 [mg]
- mg has joined #wpwg
- 15:58:30 [Ian]
- Topic: FTF?
- 15:58:44 [clinton2]
- +1 (either)
- 15:58:49 [Gerhard]
- +1
- 15:58:50 [JeanLuc]
- +1
- 15:58:51 [mg]
- +1
- 15:58:51 [benoit]
- +1 (either)
- 15:58:52 [Ian]
- +1 for a FTF
- 15:58:53 [Fahad_]
- +1
- 15:58:55 [cferro]
- May is better I think! +1
- 15:59:00 [ChristianA]
- +1
- 15:59:01 [Rolf]
- +1
- 15:59:11 [rouslan_]
- +1 (may have to be virtual for me)
- 15:59:21 [clinton2]
- as long as it does not overlap!
- 15:59:32 [Ian]
- RRSAGENT, make minutes
- 15:59:32 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/11/10-wpwg-minutes.html Ian
- 15:59:36 [Ian]
- RRSAGENT, set logs public
- 15:59:38 [arman]
- arman has joined #wpwg
- 16:00:16 [cferro]
- cferro has left #wpwg
- 16:00:18 [mg]
- mg has left #wpwg
- 16:01:36 [Gerhard]
- Gerhard has left #wpwg
- 16:02:17 [Gregoire]
- Gregoire has left #wpwg
- 18:00:10 [Zakim]
- Zakim has left #wpwg