14:58:38 <RRSAgent> RRSAgent has joined #wpwg
14:58:39 <RRSAgent> logging to https://www.w3.org/2022/11/10-wpwg-irc
14:58:51 <Ian> Meeting: Web Payments Working Group
14:59:02 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20221110
14:59:06 <Ian> Chair: Nick
14:59:13 <Ian> Scribe: Ian
14:59:39 <Ian> present+ Ian
14:59:43 <Ian> present+ Clinton_Allen
14:59:47 <JeanLuc> JeanLuc has joined #WPWG
14:59:54 <Ian> present+ Jean-Luc_Di_Manno
14:59:56 <Ian> present+ Doug_Fisher
15:00:05 <Ian> present+ Gerhard_Oosthuizen
15:00:22 <Gregoire> Gregoire has joined #WPWG
15:00:55 <Ian> present+ Stephen_McGruer
15:01:04 <Ian> present+ Erhard_Brand
15:01:08 <Ian> present+ Rolf_Lindemann
15:01:15 <Ian> present+ Jean-Michel_Girard
15:01:23 <Gerhard> present+
15:01:36 <Rolf> Rolf has joined #wpwg
15:01:45 <Ian> present+ Steve_Cole
15:01:51 <Ian> present+ Christian_Aabye
15:01:53 <JMGirard> JMGirard has joined #wpwg
15:01:57 <Ian> present+ Gregoire_Leleux
15:02:09 <Ian> present+ Arno_van_dr_Merwe
15:02:33 <SuzieAS> SuzieAS has joined #wpwg
15:02:56 <Ian> present+ Rouslan
15:03:00 <Ian> present+ Ryan_Watkins
15:03:06 <Ian> present+ Arman
15:03:15 <Ian> present+ Suzie_Annezo-Sebire
15:03:33 <Rolf> present+
15:03:34 <benoit> benoit has joined #wpwg
15:03:42 <Ian> present+ Carey_Ferro
15:03:59 <benoit> present+
15:04:24 <Ian> present+ Vincent_Kuntz
15:04:59 <Ian> -> https://github.com/w3c/webpayments/wiki/Agenda-20221110 Agenda
15:05:08 <ChristianA> ChristianA has joined #wpwg
15:05:19 <rouslan> rouslan has joined #wpwg
15:05:19 <Steve_C_> Steve_C_ has joined #wpwg
15:05:25 <cferro> cferro has joined #wpwg
15:05:46 <Ian> -> https://docs.google.com/presentation/d/1Dq2M1k0L5KhTSwFKvUYb-nd39-7y5M3naVD812_w6jk/edit?usp=sharing Stephen's Slides
15:06:04 <vkuntz> vkuntz has joined #wpwg
15:06:05 <Ian> Topic: FedCM
15:06:24 <Ian> smcgruer_[EST]: FedCM may have applications to payments in terms of user recognition.
15:06:32 <vkuntz> present+
15:06:46 <Ian> ...this story starts with the tracking issue that is enabled by cookies
15:07:10 <Dougf> Dougf has joined #wpwg
15:07:23 <Ian> ...browsers changing to avoid tracking without the user's permission or awareness
15:08:01 <Ian> ...we are getting rid of 3p cookies so need to find alternatives for well-known use cases such as federated login
15:08:43 <Ian> ...aggregation of logins in identity providers (IDP)
15:08:53 <Ian> ...simplifies life for web sites who can hand over login to IDPs
15:09:15 <Ian> ...there are downsides to current approaches (not part of today's discussion)
15:09:32 <Ian> ...seamless federated login as practiced today relies on 3p cookies
15:10:01 <Ian> ...RP.com reached out to idp.com who keeps track of login state...but in a 3p context
15:10:21 <Ian> ...the emerging solution is FedCM: browser mediates the identity discussion
15:10:30 <Ian> ...the site lists supported IDPs.
15:10:54 <Ian> ..the browser goes to the IDPs without telling the IDPs why it's asking. The IDP can access cookies in a 1p context.
15:11:16 <Ian>  ...the IDP can tell the browser what accounts the IDP knows.
15:11:55 <Ian> ...the browser can display these choices to the user (without showing merchant yet) and allow the user to consent to identify themselves (via browser UX)
15:12:12 <Ian> ...after the user selects an identity, there are other flows between the RP and IDP (not discussed here).
15:12:16 <Ian> ...summary:
15:12:40 <Ian> * The browser enforces isolation, which allows IDP to access 1p cookies. The IDP does not know who is asking.
15:12:59 <Ian> * There is a privacy issue - what happens if there is *no account*?
15:13:23 <Ian> ...right now they are not showing the user any dialog if there are no accounts, and they are also not telling the merchant site.
15:13:31 <Ian> ...perhaps in the future there might be an SPC-like failure screen
15:13:46 <Ian> [We see UX]
15:14:02 <Ian> present+ Fahad
15:14:06 <Ian> present+ Mike_Horne
15:14:19 <Ian> [Status]
15:14:35 <Ian> * Single-IDP option-UX shipping in Chrome 108
15:14:47 <Ian> * Spec is in development in the FedIDCG
15:14:56 <Ian> * Two other browser vendors have indicated support for this publicly
15:15:06 <Ian> * There are things not yet implemented
15:15:16 <Ian>  - Auto sign-in for returning users (but 1p cookies could be use)
15:15:26 <Ian>  - Multi-IDP support....early discussions are happening
15:15:44 <Ian> - Handling not-signed-in IDPs not yet supported
15:16:00 <Ian> - Work still happening on UX
15:16:05 <Ian> [What about payments]
15:16:28 <Ian> smcgruer_[EST]: FedCM will always require user understanding and consent...and returning flows will at least show the user something
15:16:34 <Ian> ..but I think FedCM could still be useful
15:16:45 <Ian> ..e.g., PSPs that offer a service across merchants
15:17:00 <Ian> ...or banks/PSDs wanting to authenticate the user without redirect/popup
15:17:11 <Ian> [Demo of FedCM with SRC]
15:17:45 <Ian> q+
15:18:52 <nicktr> q+
15:18:56 <Ian> ack me
15:19:03 <Gerhard> q+
15:19:11 <Ian> ack nick
15:19:28 <Ian> ack Gerhard
15:19:41 <Ian> Gerhard: Really interesting; gives me a payment handler kind of feeling
15:19:53 <Ian> ...the little window that popped up...is that a 1p iframe?
15:19:57 <Ian> ..is the size changeable?
15:20:19 <Ian> smcgruer_[EST]: That iframe in my demo is opened by Visa (3p)
15:20:22 <JeanLuc> q+
15:20:30 <Fahad> Fahad has joined #wpwg
15:21:03 <Ian> Gerhard: What identifier is passed back?
15:21:11 <Fahad_> Fahad_ has joined #wpwg
15:21:37 <Ian> smcgruer_[EST]: The merchant passes a list of IDPs to the browser
15:21:42 <nicktr> q+
15:21:49 <Ian> ..the browser talks to each SRC system (with cookies)
15:21:57 <Ian> ..those SRC systems are asked to return "list of accounts"
15:22:11 <Ian> ...so for my demo I provided card list rather than login names
15:22:16 <Ian> q+
15:22:32 <Fahad_> q+
15:22:51 <Ian> smcgruer_[EST]: What the user cannot see is that there's a token associated with what the user selects (e.g., some user identifier that enables the rest of the flow)
15:23:05 <Ian> Gerhard: There's no requirement to do any other UX after the FedCM.
15:23:07 <Ian> smcgruer_[EST]: Correct
15:23:36 <Ian> ack JeanLuc
15:24:23 <rouslan_> rouslan_ has joined #wpwg
15:24:29 <clinton> q+
15:24:31 <Ian> JeanLuc: Thanks for this presentation. The demo basically shows the browser as an SRC-I. Could you use FedCM 	instead as an alternative to the recognition domain?
15:24:51 <Ian> smcgruer_[EST]: You could take the more "traditional" view of FedCM -- you could simply present the user's SRC identity (e.g,. my email address).
15:25:07 <Ian> ...any SRC system that has a cookie in its domain could send back that identity.
15:25:30 <Ian> ...one issue here is that you might of N identical identities in this case, and there is no de-duplication function here.
15:25:52 <Ian> ...so maybe there's a way with FedCM to tell the browser "where you see identical strings, just pick any one"
15:26:01 <Ian> JeanLuc: Very interesting
15:26:05 <Ian> ack nicktr
15:26:10 <clinton> q-
15:26:16 <Ian> nicktr: Really cool.
15:26:26 <Ian> ...can you call FedCM from inside of a payment handler
15:26:46 <Ian> smcgruer_[EST]: Technically there's no reason you couldn't...but I don't know what will happen in mobile windows
15:26:51 <Ian> ack me
15:27:39 <Ian> Ian: How is privacy handled in passing of IDP info?
15:27:53 <Ian> smcgruer_[EST]: Domain only. Probably a .well-known
15:30:27 <Ian> q?
15:30:30 <Ian> ack Fahad_
15:31:37 <Ian> Fahad_: For multi-IDP there might be different ways to de-dup, e.g., "stop as soon as you find one"
15:31:51 <Ian> present+ Manish_Garg
15:32:21 <Ian> smcgruer_[EST]: Multi-IDP is very early stage exploration; this would be good feedback to the FedIDCG
15:32:40 <Ian> ...my idea for this is that there would be a deduplication field. The browser shows only one.
15:33:11 <Ian> Fahad_: What happens when the user returns to RP.com?
15:33:20 <Ian> smcgruer_[EST]: With FedCM today, the user would have to choose to continue.
15:33:40 <Ian> ...RP.com could put a first party cookie; that's feasible but there are downsides
15:33:56 <Ian> ...it would be good to engage with the CG on returning user flow
15:34:15 <Ian> ...we'd probably tell the user "you are being logged in" rather than doing it silently
15:34:37 <Ian> Fahad_: The spec has a client id. When the IDP returns info they talk about "already approved client id"
15:34:51 <Ian> present+ Praveena
15:35:11 <Ian> smcgruer_[EST]: The IDP could lie and that would lead to tracking silently
15:35:39 <Ian> ..but I personally think that if a user comes back to a site where the user has previously used FedCM, the site should be able to trivially get back identity via FedCM
15:35:55 <Ian> Fahad_: In the browser UX .. is the IDP name set by RP.com?
15:36:03 <Ian> ...can multiple IDPs have the same display name?
15:36:11 <Ian> smcgruer_[EST]: The IDPs are represented by their origin
15:36:29 <Ian> Fahad_: We were interested with "Sign in with click to pay"
15:37:27 <Ian> Topic: SPC use cases
15:37:45 <Ian> [Gerhard slides]
15:38:31 <Ian> [Progress so far]
15:38:51 <Ian> Gerhard: Both Open Banking and 3DS support more than just single transaction. What might we do next with SPC?
15:40:13 <Ian> [we look at current fields displayed by SPC transaction dialog, primary use case, and primary authentication approach]
15:40:34 <Ian> Gerhard: We'd like to start here discussion of next use cases for SPC
15:40:36 <Ian> q?
15:41:06 <Ian> Gerhard: I can see three axes for extension -- (1) additional display fields (2) new use cases/transactions (3) other forms of authentication
15:41:34 <RRSAgent> I have made the request to generate https://www.w3.org/2022/11/10-wpwg-minutes.html Ian
15:41:41 <RRSAgent> I'm logging.  Sorry, nothing found for 'who's here'
15:41:54 <RRSAgent> I'm logging.  Sorry, nothing found for 'who's here'
15:43:14 <clinton2> clinton2 has joined #wpwg
15:43:21 <Ian> Gerhard: there are some additional UX topics (not part of my 3 categories above) - opt-out, icon size
15:44:02 <Ian> [Trusted merchant list]
15:44:10 <Ian> Gerhard: "Trust this merchant" in the display.
15:44:16 <Ian> ...another one is "Trust this device"
15:44:47 <Ian> q+
15:45:10 <Ian> Gerhard: Imagine we are doing this in open banking...the user journey would start with "pay with my bank"
15:45:14 <Ian> ..there would be a redirect to the bank
15:45:25 <Ian> ...the SPC confirmation could happen in that context, followed by a redirect
15:45:30 <Ian> ...do we need a redirect capability
15:47:08 <Ian> Ian: How does this relate to SPC?
15:48:20 <Ian> Gerhard: Want to "trust a merchant"; the user could say essentially "don't do a step up in the future". The issuer could record that information.
15:50:15 <Ian> Ian: Why does the user's view matter?
15:50:24 <Ian> Gerhard: It's part of EMVCo requirement
15:50:29 <Ian> ...to offer this option
15:51:08 <JeanLuc> q+
15:51:11 <Ian> ack me
15:51:12 <Ian> ack JeanLuc
15:51:59 <Ian> JeanLuc: If I understand correctly, the merchant could populate the field without any user validation.
15:52:44 <Ian> Gerhard: For me, the point is that the SPC display is browser-controlled and thus the merchant can't fake it
15:53:28 <Ian> JeanLuc: The merchant could attack in the second AREQ
15:55:23 <Ian> Topic: Charter
15:55:38 <Ian> https://lists.w3.org/Archives/Public/public-payments-wg/2022Nov/0000.html
15:56:30 <Ian> https://www.w3.org/2004/01/pp-impl/83744/join
15:56:41 <Ian> Topic: Schedule
15:57:09 <Ian> Next meeting: 8 December
15:57:50 <mg> mg has joined #wpwg
15:58:30 <Ian> Topic: FTF?
15:58:44 <clinton2> +1 (either)
15:58:49 <Gerhard> +1
15:58:50 <JeanLuc> +1
15:58:51 <mg> +1
15:58:51 <benoit> +1 (either)
15:58:52 <Ian> +1 for a FTF
15:58:53 <Fahad_> +1
15:58:55 <cferro> May is better I think! +1
15:59:00 <ChristianA> +1
15:59:01 <Rolf> +1
15:59:11 <rouslan_> +1 (may have to be virtual for me)
15:59:21 <clinton2> as long at it does not overlap!
15:59:32 <Ian> RRSAGENT, make minutes
15:59:32 <RRSAgent> I have made the request to generate https://www.w3.org/2022/11/10-wpwg-minutes.html Ian
15:59:36 <Ian> RRSAGENT, set logs public
15:59:38 <arman> arman has joined #wpwg
16:00:16 <cferro> cferro has left #wpwg
16:00:18 <mg> mg has left #wpwg
16:01:36 <Gerhard> Gerhard has left #wpwg
16:02:17 <Gregoire> Gregoire has left #wpwg
18:00:10 <Zakim> Zakim has left #wpwg