14:48:39 RRSAgent has joined #wpwg
14:48:39 logging to https://www.w3.org/2022/12/08-wpwg-irc
14:48:52 Meeting: Web Payments Working Group
14:48:54 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20221208
14:48:56 Scribe: Ian
14:54:25 present+ Ian_Jacobs
14:57:55 benoit has joined #wpwg
14:58:42 present+ Sue_Koomen
14:59:39 present+ Christian_Aabye
14:59:45 cferro has joined #wpwg
14:59:55 present+ Carey_Ferro
15:00:00 present+ David_Benoit
15:01:16 present+ Arman_Aygen
15:01:23 present+ Nick_Burris
15:01:29 present+ Sameer_Tare
15:02:04 present+ Soumya
15:02:09 present+ Praveena
15:02:11 present+ Rouslan
15:02:21 present+ Stephen_McGruer
15:02:26 Gerhard has joined #wpwg
15:02:27 present+ Doug_Fisher
15:02:52 rouslan has joined #wpwg
15:02:56 present+ Rouslan
15:03:01 present+ Gustavo_Kok
15:03:34 present+ Anne_Pouillard
15:03:49 Chair: Ian
15:03:52 Topic: SPC
15:03:59 Anne has joined #wpwg
15:04:13 JeanLuc has joined #wpwg
15:04:14 Present+
15:04:30 present+ Jean-Luc
15:05:07 -> https://github.com/w3c/secure-payment-confirmation/pull/215 Pull request 215 re: opt-out feature
15:05:21 present+ Rick_Byers
15:05:44 smcgruer_[EST]: We did origin trial on this feature and now would like to ship the feature; we need spec support for it.
15:05:54 present+ Ryan_Watkins
15:06:14 present+ Mike_Horne
15:06:18 present+ Clinton_Allen
15:06:25 present+ Bastien_Latge
15:06:51 smcgruer_[EST]: There is an optional parameter that is false by default, but if set, causes the browser to display an opt-out option
15:07:24 ...if the user chooses to opt-out, we throw an error and the site processes the error (e.g., tell the user in text that once they complete 3DS that the RP will delete the data).
15:07:37 present+ Frank_Delache
15:08:08 Gustavo: There would be a challenge after the opt-out right?
15:08:24 present+ Nick Telford-Reed
15:08:32 smcgruer_[EST]: Can't speak to Stripe's exact user flow. In their case, they are the RP; they decide what level of authentication to conduct.
15:08:35 q+
15:08:45 ack Gerhard
15:09:46 gerhard: There are different user flows that are related: (1) cancel this authentication (2) opt-out of using this credential 'forever'
15:09:52 q?
15:10:03 ...is there an opportunity to opt-out for "this transaction only"?
15:10:26 ...do you think there's a mismatch in the amount of detail the caller gets?
15:10:35 q?
15:10:44 q?
15:11:22 rouslan: I see where you are coming from - one "this transaction" one is "forever". However, I see it slightly differently.
15:11:41 ...I see it more that the proposed boolean is to remove stored data (stored by the RP).
15:11:57 ...it does not have implications about what happens in the future.
15:12:01 q+
15:12:34 rouslan: I would prefer that this opt-out is about "removing current information" rather than saying anything about whether I might use a different credential in the future
15:12:35 ack smcgruer_[EST]
15:13:21 smcgruer_[EST]: Gerhard has it right - regarding the privacy question; we haven't changed our norms here. The opt-out flow is shown on both flows (authentication flow and notification flow that there are no matching credentials); even if that's not a great UX, the option is shown on both.
15:13:29 q?
15:14:39 Gerhard: Giving more options to cancel might lead to confusion.
15:15:11 Gustavo: Do we expect the opt-out need to be the same for the issuer?
15:15:46 smcgruer_[EST]: My understanding is that the general feeling is that when the issuer is the RP, the user knows where to go to opt out
15:16:19 sameer: From 3DS POV we wanted this feature to be optional
15:16:25 pfresent+ Makjo_Shishkov
15:17:50 present+ Nakjo_Shiskov
15:18:17 smcgruer_[EST]: Note that there is user intent here (browser-owned message); but also message shown on both screens.
15:18:50 Gerhard: Is it worthwhile to have a discussion with privacy folks on this?
15:18:54 present+ Fahad_Saleem
15:20:13 Gerhard: Not a good UX if I "cancel" and am shown other authentication experiences. I may mean "I want to cancel the transaction".
15:20:20 q?
15:20:22 q+
15:20:24 q+
15:20:32 ack smcgruer_[EST]
15:20:56 smcgruer_[EST]: What about on the transaction ux there are three options:
15:20:57 1) Verify
15:21:01 2) Use a different auth method
15:21:04 3) Cancel
15:21:09 ...then on the no-matching credentials dialog:
15:21:21 1) Use a different auth method
15:21:25 2) Cancel the transaction
15:21:41 ...so the 2 different "use a different" and "cancel" look the same.
15:22:25 q+
15:22:25 Ian: What if "opt-out" only shows up after "cancel"?
15:22:31 ack me
15:22:33 ack Gerhard
15:23:00 Gustavo: It has to be very clear what "cancel" means (namely: this transaction)
15:23:32 ...there may be confusion if user does not understand what they are opting out from.
15:23:57 ..in Ian's comment, is "opt-out" shown only when credential is available?
15:24:25 Gerhard: It gets complicated given the number of parties involved (cf. also 3DS UX with multiple logos)
15:25:29 Ian: Next steps?
15:25:52 smcgruer_[EST]: On opt-out, I want to ask whether anyone objects to this being added? I don't think it affects other ideas we've discussed here.
15:26:19 present+ Steve_Cole
15:27:16 Gerhard: Ongoing concerns about various options _during_ a transaction.
15:27:34 ...I think we need to ensure customer clarity for non-happy path scenarios.
15:27:37 ...would be good to get some bank input.
15:28:03 Propose: Adopt the opt-out feature into SPC v1
15:28:54 +1
15:29:09 SameerT has joined #wpwg
15:29:26 +1
15:29:51 +1
15:29:54 Ian: Not a lot of +1....any reasons people want to articulate to not adopt?
15:30:01 Bastien has joined #WPWG
15:30:32 doug: There's not a rush; it would be good to understand overall requirements before adopting this feature
15:30:56 Adoption is key, so would support. But not if it will mean backwards compatibility/issues with not having a set of these options available. A bit unclear of the implications of 'making the API clear'.
15:31:24 Sue has joined #wpwg
15:31:31 smcgruer_[EST]: I think it's ok to leave the pull request open for short term. But Chrome still needs to make a decision to ship.
15:31:37 smcgruer_[EST]: This is a niche feature IMO; we could unship it.
15:31:43 +1
15:32:01 Gerhard: I am ok to adopt if we can unship the feature.
15:32:45 With my blink API owner hat on, +1 to likely being able to remove in the future.
15:34:09 Propose: Adopt the opt-out feature into SPC v1 with understanding we might undo this based on future UX improvements
15:34:18 +1
15:34:35 +1
15:34:37 +1
15:34:40 +1
15:35:13 IJ: Defer to chairs
15:35:41 Gerhard: smcgruer_[EST] and Rouslan have done good work; there's a client that needs this feature; if they are open to review this; I suggest we go with this
15:36:33 praveena: +1 to Gerhard; I think including the feature will get us more real-world experience
15:36:53 SO RESOLVED
15:37:53 Gustavo: +1
15:38:17 smcgruer_[EST]: For the UX topic, we'll start internal chats and welcome input.
15:38:40 ACTION: Gerhard to gather some input on UX flow needs
15:39:02 Gerhard: Mockups would help!
15:39:19 Thank you all. We always much prefer to ship things that have landed in the official spec, and I really appreciate the urgency for supporting real-world adoption.
15:39:34 Topic: User activation
15:39:41 -> https://github.com/w3c/secure-payment-confirmation/issues/216 Proposal to remove user activation requirement
15:40:16 smcgruer_[EST]: We've heard from multiple partners that requiring user activation to trigger SPC is a significant problem. Both Stripe and Adyen are in situations where they don't get a user activation (e.g., after a redirect)
15:40:31 ...the user hasn't clicked anything when they arrive on the PSP to authenticate.
15:40:41 ...so we reviewed WHY we had included user activation
15:41:08 ..the main reason was that user activation is an important defense when an API can be spammy (e.g., popup windows)
15:41:26 ...or if the API can be subversive (e.g., full screen API to quietly fool the user)
15:41:48 ...in the case of SPC, we asked where is spamminess and where is subversion?
15:42:02 ...after internal discussions we reached conclusion that the one concern was "click-jacking"
15:42:23 ...right before the user clicks SPC would be swapped in ... so we propose a simple defense of a short delay.
15:42:34 ...our plan would be to introduce an origin trial for this and see if flows improve
15:42:44 ...there are security implications and we welcome additional input
15:42:57 +1 for this.
15:43:15 Proposal is to remove user activation requirement
15:43:27 Less clicks are better, and SPC shows the real transaction and that's followed with WebAuthn as well.
15:43:39 So a third forced click seems unneeded.
15:43:45 And we have in-field feedback for this.
15:44:10 Ian: Time frame for adopting this one?
15:44:12 +1 to Gerhard's comments
15:44:13 Arman has joined #WPWG
15:44:19 +1
15:44:24 q+
15:44:30 smcgruer_[EST]: Let's say half way through Q1
15:44:44 smcgruer_[EST]: Tell us if important to you
15:45:00 Jean-Luc: I saw the delay to resist click-jacking.
15:45:07 q+
15:45:34 JeanLuc: In EMVCo 3DS there is a timeout; how would the "cool down" period be defined; don't want to interfere with 3DS timeout
15:45:44 ack JeanLuc
15:46:07 smcgruer_[EST]: The initial recommendation was 2-3 seconds. I think it could be .5 seconds or 1 second.
15:46:18 ...do those numbers sound scary?
15:46:51 Ian: What is order of magnitude in 3DS?
15:47:25 JeanLuc: Just want to be sure we don't exceed 3DS timeout
15:47:30 q+
15:47:52 smcgruer_[EST]: I think the user won't have time to make a decision before the timeout has completed.
15:48:01 ack rby
15:48:40 rbyers: The point of this feature is to reduce friction. If we add a timeout that slows users down; that's a problem. But if the user is reading the dialog, we should not have any problem at all with this additional delay.
15:48:50 ...it's a problem if the user is not reading the dialog anyway.
15:48:53 ack Gerhard
15:49:09 Gerhard: Is there a difference between transaction dialog in 1p or 3p context?
15:49:35 ...is there anything that could be factored into this delay consideration?
15:50:05 smcgruer_[EST]: I don't think so. One consideration is a slightly different is cross-origin (and the permissions policy helps)
15:50:32 s/cross-origin/cross-origin iframe
15:51:04 Gerhard: Another flow we are thinking about is OAuth flow where you are in same domain but redirect to a different site then back
15:53:05 Gerhard: Timing delays are fairly common in banking flows; I'm comfortable with the delay
15:53:58 fdelache has joined #wpwg
15:54:28 Topic: Pull request to remove user-identifiable information from canMakePayment
15:54:33 https://github.com/w3c/payment-handler/pull/404
15:54:55 smcgruer_[EST]: This is a follow-on from TPAC discussion regarding making payment handlers more consistent with privacy sandbox
15:55:08 ...we want to avoid using them to recreate 3p cookies
15:55:21 ...the proposal here is to reduce what information is shared through canMakePayment()
15:55:57 q+
15:57:43 Ian: Are you thinking about this as payment handlers being able to access 1p context (like FedCM)
15:58:01 smcgruer_[EST]: Yes. But note that this change really removes value of canMakePayment, but we don't have people using it much.
15:58:50 ...this goes back to payment handlers...how do we create a good experience without destroying user privacy.
15:59:15 Topic: 19 January
15:59:27 RRSAGENT, make minutes
15:59:27 I have made the request to generate https://www.w3.org/2022/12/08-wpwg-minutes.html Ian
15:59:34 RRSAGENT, set logs public
15:59:41 Bastien has left #wpwg
15:59:47 Arman has left #wpwg
15:59:52 cferro has left #wpwg
16:02:01 fdelache has left #wpwg
16:25:16 https://opotonniee.github.io/fido-mds-explorer/
16:29:29 https://github.com/w3c/webauthn/issues/1816
16:42:33 zakim, bye
16:42:33 leaving. As of this point the attendees have been Ian_Jacobs, Sue_Koomen, Christian_Aabye, Carey_Ferro, David_Benoit, Arman_Aygen, Nick_Burris, Sameer_Tare, Soumya, Praveena,
16:42:33 Zakim has left #wpwg
16:42:36 rrsagent, bye
16:42:36 I see 1 open action item saved in https://www.w3.org/2022/12/08-wpwg-actions.rdf :
16:42:36 ACTION: Gerhard to gather some input on UX flow needs [1]
16:42:36 recorded in https://www.w3.org/2022/12/08-wpwg-irc#T15-38-40