IRC log of wpwg on 2022-12-08

Timestamps are in UTC.

14:48:39 [RRSAgent]

RRSAgent has joined #wpwg

14:48:39 [RRSAgent]

logging to https://www.w3.org/2022/12/08-wpwg-irc

14:48:52 [Ian]

Meeting: Web Payments Working Group

14:48:54 [Ian]

Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20221208

14:48:56 [Ian]

Scribe: Ian

14:54:25 [Ian]

present+ Ian_Jacobs

14:57:55 [benoit]

benoit has joined #wpwg

14:58:42 [Ian]

present+ Sue_Koomen

14:59:39 [Ian]

present+ Christian_Aabye

14:59:45 [cferro]

cferro has joined #wpwg

14:59:55 [Ian]

present+ Carey_Ferro

15:00:00 [Ian]

present+ David_Benoit

15:01:16 [Ian]

present+ Arman_Aygen

15:01:23 [Ian]

present+ Nick_Burris

15:01:29 [Ian]

present+ Sameer_Tare

15:02:04 [Ian]

present+ Soumya

15:02:09 [Ian]

present+ Praveena

15:02:11 [Ian]

present+ Rouslan

15:02:21 [Ian]

present+ Stephen_McGruer

15:02:26 [Gerhard]

Gerhard has joined #wpwg

15:02:27 [Ian]

present+ Doug_Fisher

15:02:52 [rouslan]

rouslan has joined #wpwg

15:02:56 [rouslan]

present+ Rouslan

15:03:01 [Ian]

present+ Gustavo_Kok

15:03:34 [Ian]

present+ Anne_Pouillard

15:03:49 [Ian]

Chair: Ian

15:03:52 [Ian]

Topic: SPC

15:03:59 [Anne]

Anne has joined #wpwg

15:04:13 [JeanLuc]

JeanLuc has joined #wpwg

15:04:14 [Gerhard]

Present+

15:04:30 [Ian]

present+ Jean-Luc

15:05:07 [Ian]

-> https://github.com/w3c/secure-payment-confirmation/pull/215 Pull request 215 re: opt-out feature

15:05:21 [Ian]

present+ Rick_Byers

15:05:44 [Ian]

smcgruer_[EST]: We did origin trial on this feature and now would like to ship the feature; we need spec support for it.

15:05:54 [Ian]

present+ Ryan_Watkins

15:06:14 [Ian]

present+ Mike_Horne

15:06:18 [Ian]

present+ Clinton_Allen

15:06:25 [Ian]

present+ Bastien_Latge

15:06:51 [Ian]

smcgruer_[EST]: There is an optional parameter that is false by default, but if set, causes the browser to display an opt-out option

15:07:24 [Ian]

...if the user chooses to opt-out, we throw and error and the site processes the error (e.g., tell the user in text that once they complete 3DS that the RP will delete the data).

15:07:37 [Ian]

present+ Frank_Delache

15:08:08 [Ian]

Gustavo: There would be a challenge after the opt-out right?

15:08:24 [nicktr]

present+ Nick Telford-Reed

15:08:32 [Ian]

smcgruer_[EST]: Can't speak to Stripe's exact user flow. In their case, they are the RP; they decide what level of authentication to conduct.

15:08:35 [Gerhard]

q+

15:08:45 [Ian]

ack Gerhard

15:09:46 [Ian]

gerhard: There are different user flows that are related: (1) cancel this authentication (2) opt-out of using this credential 'forever'

15:09:52 [nicktr]

q?

15:10:03 [Ian]

...is there an opportunity to opt-out for "this transaction only"?

15:10:26 [Ian]

...do you think there's a mismatch in the amount of detail the caller gets?

15:10:35 [Ian]

q?

15:10:44 [Ian]

q?

15:11:22 [Ian]

rouslan: I see where you are coming from - one "this transaction" one is "forever". However, I see it slightly differently.

15:11:41 [Ian]

...I see it more that the proposed boolean is to remove stored data (stored by the RP).

15:11:57 [Ian]

...it does not have implications about what happens in the future.

15:12:01 [smcgruer_[EST]]

q+

15:12:34 [Ian]

rouslan: I would prefer that this opt-out is about "removing current information" rather than saying anything about whether I might use a different credential in the future

15:12:35 [Ian]

ack smcgruer_[EST]

15:13:21 [Ian]

smcgruer_[EST]: Gerhard has it right - regarding the privacy question; we haven't changed our norms here. The opt-out flow is shown on both flows (authentication flow and notification flow that there are no matching credentials); even if that's not a great UX, the option is shown on both.

15:13:29 [nicktr]

q?

15:14:39 [Ian]

Gerhard: Giving more options to cancel might lead to confusion.

15:15:11 [Ian]

Gustavo: Do we expect the opt-out need to be the same for the issuer?

15:15:46 [Ian]

smcgruer_[EST]: My understanding is that the general feeling is that when the issuer is the RP, the user knows where to go to opt out

15:16:19 [Ian]

sameer: From 3DS POV we wanted this feature to be optional

15:16:25 [Ian]

pfresent+ Makjo_Shishkov

15:17:50 [Ian]

present+ Nakjo_Shiskov

15:18:17 [Ian]

smcgruer_[EST]: Note that there is user intent here (browser-owned message); but also message shown on both screens.

15:18:50 [Ian]

Gerhard: Is it worthwhile to have a discussion with privacy folks on this?

15:18:54 [Ian]

present+ Fahad_Saleem

15:20:13 [Ian]

Gerhard: Not a good UX if I "cancel' and am shown other authentication experiences. I may mean "I want to cancel the transaction".

15:20:20 [smcgruer_[EST]]

q?

15:20:22 [smcgruer_[EST]]

q+

15:20:24 [Ian]

q+

15:20:32 [Ian]

ack smcgruer_[EST]

15:20:56 [Ian]

smcgruer_[EST]: What about on the transaction ux there are three options:

15:20:57 [Ian]

1) Verify

15:21:01 [Ian]

2) Use a different auth method

15:21:04 [Ian]

3) Cancel

15:21:09 [Ian]

...then on the no-matching credentials dialog:

15:21:21 [Ian]

1) Use a different auth method

15:21:25 [Ian]

2) Cancel the transaction

15:21:41 [Ian]

...so the 2 different "user a different" and "cancel" look the same.

15:22:25 [Gerhard]

q+

15:22:25 [Ian]

Ian: What if "opt-out" only shows up after "cancel"?

15:22:31 [Ian]

ack me

15:22:33 [Ian]

ack Gerhard

15:23:00 [Ian]

Gustavo: It has to be very clear what "cancel" means (namely: this transaction)

15:23:32 [Ian]

...there may be confusion if user does not understand what they are opting out from.

15:23:57 [Ian]

..in Ian's comment, is "opt-out" shown only when credential is available?

15:24:25 [Ian]

Gerhard: It gets complicated given the number of parties involved (cf. also 3DS UX with multiple logos)

15:25:29 [Ian]

Ian: Next steps?

15:25:52 [Ian]

smcgruer_[EST]: On opt-out, I want to ask whether anyone objects to this being added? I don't think it affects other ideas we've discussed here.

15:26:19 [Ian]

present+ Steve_Cole

15:27:16 [Ian]

Gerhard: Ongoing concerns about various options _during_ a transaction.

15:27:34 [Ian]

...I think we need to ensure customer clarity for non-happy path scenarios.

15:27:37 [Ian]

...would be good to get some bank input.

15:28:03 [Ian]

Propose: Adopt the opt-out feature into SPC v1

15:28:54 [cferro]

+1

15:29:09 [SameerT]

SameerT has joined #wpwg

15:29:26 [benoit]

+1

15:29:51 [nicktr]

+1

15:29:54 [Ian]

Ian: Not a lot of +1....any reasons people want to articulate to not adopt?

15:30:01 [Bastien]

Bastien has joined #WPWG

15:30:32 [Ian]

doug: There's not a rush; it would be good to understand overall requirements before adopting this feature

15:30:56 [Gerhard]

Adoption is key, so would support. But not if it will mean backwards compatibility/issues with not having a set of these options available. A bit unclear of the implications of 'making the API clear'.

15:31:24 [Sue]

Sue has joined #wpwg

15:31:31 [Ian]

smcgruer_[EST]: I think it's ok to leave the pull request open for short term. But Chrome still needs to make a decision to ship.

15:31:37 [Ian]

smcgruer_[EST]: This is a niche feature IMO; we could unship it.

15:31:43 [Gerhard]

+1

15:32:01 [Ian]

Gerhard: I am ok to adopt if we can unship the feature.

15:32:45 [rbyers]

With my blink API owner hat on, +1 to likely being able to remove in the future.

15:34:09 [Ian]

Propose: Adopt the opt-out feature into SPC v1 with understanding we might undo this based on future UX improvements

15:34:18 [cferro]

+1

15:34:35 [Anne]

+1

15:34:37 [Sue]

+1

15:34:40 [JeanLuc]

+1

15:35:13 [Ian]

IJ: Defer to chairs

15:35:41 [Ian]

Gerhard: smcgruer_[EST] and Rouslan have done good work; there's a client that needs this feature; if they are open to review this; I suggest we go with this

15:36:33 [Ian]

praveena: +1 to Gerhard; I think including the feature will get us more real-world experience

15:36:53 [Ian]

SO RESOLVED

15:37:53 [Ian]

Gustavo: +1

15:38:17 [Ian]

smcgruer_[EST]: For the UX topic, we'll start internal chats and welcome input.

15:38:40 [Ian]

ACTION: Gerhard to gather some input on UX flow needs

15:39:02 [Ian]

Gerhard: Mockups would help!

15:39:19 [rbyers]

Thank you all. We always much prefer to ship things that have landed in the official spec, and I really appreciate the urgency for supporting real-world adoption.

15:39:34 [Ian]

Topic: User activation

15:39:41 [Ian]

-> https://github.com/w3c/secure-payment-confirmation/issues/216 Proposal to remove user activation requirement

15:40:16 [Ian]

smcgruer_[EST]: We've heard from multiple partners that requiring user activation to trigger SPC is a significant problem. Both Stripe and Adyen are in situations where they don't get a user activation (e.g,. after a redirect)

15:40:31 [Ian]

...the user hasn't clicked anything when they arrive on the PSP to authenticate.

15:40:41 [Ian]

...so we reviewed WHY we had included user activation

15:41:08 [Ian]

..the main reason was that user activation is an important defense when an API can be spammy (e.g., popup windows)

15:41:26 [Ian]

...or if the API can be subversive (e.g., full screen API to quietly fool the user)

15:41:48 [Ian]

...in the case of SPC, we asked where is spamminess and where is subversion?

15:42:02 [Ian]

...after internal discussions we reached conclusion that the one concern was "click-jacking"

15:42:23 [Ian]

...right before the user clicks SPC would be swapped in ... so we propose a simple defense of a short delay.

15:42:34 [Ian]

...our plan would be to introduce an origin trial for this and see if flows improve

15:42:44 [Ian]

...there are security implications and we welcome additional input

15:42:57 [Gerhard]

+1 for this.

15:43:15 [Ian]

Proposal is to remove user activation requirement

15:43:27 [Gerhard]

Less clicks are better, and SPC shows the real transaction and that's followed with WebAuthn as well.

15:43:39 [Gerhard]

So a third forced click seems unneeded.

15:43:45 [Gerhard]

And we have in-field feedback for this.

15:44:10 [Ian]

Ian: Time frame for adopting this one?

15:44:12 [cferro]

+1 to Gerhard's comments

15:44:13 [Arman]

Arman has joined #WPWG

15:44:19 [JeanLuc]

+1

15:44:24 [JeanLuc]

q+

15:44:30 [Ian]

smcgruer_[EST]: Let's say half way through Q1

15:44:44 [Ian]

smcgruer_[EST]: Tell us if important to you

15:45:00 [Ian]

Jean-Luc: I saw the delay to resist click-jacking.

15:45:07 [Gerhard]

q+

15:45:34 [Ian]

JeanLuc: In EMVCo 3DS there is a timeout; how would the "cool down" period be defined; don't want to interfere with 3DS timeout

15:45:44 [Ian]

ack JeanLuc

15:46:07 [Ian]

smcgruer_[EST]: The initial recommendation was 2-3 seconds. I think it could be .5 seconds or 1 second.

15:46:18 [Ian]

...do those numbers sound scary?

15:46:51 [Ian]

Ian: What is order of magnitude in 3DS?

15:47:25 [Ian]

JeanLuc: Just want to be sure we don't exceed 3DS timeout

15:47:30 [rbyers]

q+

15:47:52 [Ian]

smcgruer_[EST]: I think the user won't have time to make a decision before the timeout has completed.

15:48:01 [Ian]

ack rby

15:48:40 [Ian]

rbyers: The point of this feature is to reduce friction. If we add a timeout that slows user's down; that's a problem. But if the user is reading the dialog, we should not have any problem at all with this additional delay.

15:48:50 [Ian]

...it's a problem if the user is not reading the dialog anyway.

15:48:53 [Ian]

ack Gerhard

15:49:09 [Ian]

Gerhard: Is there a difference between transaction dialog in 1p or 3p context?

15:49:35 [Ian]

...is there anything that could be factored into this delay consideration?

15:50:05 [Ian]

smcgruer_[EST]: I don't think so. One consideration is a slightly different is cross-origin (and the permissions policy helps)

15:50:32 [smcgruer_[EST]]

s/cross-origin/cross-origin iframe

15:51:04 [Ian]

Gerhard: Another flow we are thinking about is OAuth flow where you are in same domain but redirect to a different site then back

15:53:05 [Ian]

Gerhard: Timing delays are fairly common in banking flows; I'm comfortable with the delay

15:53:58 [fdelache]

fdelache has joined #wpwg

15:54:28 [Ian]

Topic: Pull request to remove user-identifiable information from canMakePayment

15:54:33 [Ian]

https://github.com/w3c/payment-handler/pull/404

15:54:55 [Ian]

smcgruer_[EST]: This is a follow-on from TPAC discussion regarding making payment handlers more consistent with privacy sandbox

15:55:08 [Ian]

...we want to avoid using them to recreate 3p cookies

15:55:21 [Ian]

...the proposal here is to reduce what information is shared through canMakePayment()

15:55:57 [Ian]

q+

15:57:43 [Ian]

Ian: Are you thinking about this a payment handlers being able to access 1p context (like FedCM)

15:58:01 [Ian]

smcgruer_[EST]: Yes. But note that this change really removes value of canMakePayment, but we don't have people using it much.

15:58:50 [Ian]

...this goes back to payment handlers...how do we create a good experience without destroying user privacy.

15:59:15 [Ian]

Topic: 19 January

15:59:27 [Ian]

RRSAGENT, make minutes

15:59:27 [RRSAgent]

I have made the request to generate https://www.w3.org/2022/12/08-wpwg-minutes.html Ian

15:59:34 [Ian]

RRSAGENT, set logs public

15:59:41 [Bastien]

Bastien has left #wpwg

15:59:47 [Arman]

Arman has left #wpwg

15:59:52 [cferro]

cferro has left #wpwg

16:02:01 [fdelache]

fdelache has left #wpwg

16:25:16 [JeanLuc]

https://opotonniee.github.io/fido-mds-explorer/

16:29:29 [JeanLuc]

https://github.com/w3c/webauthn/issues/1816

16:42:33 [Ian]

zakim, bye

16:42:33 [Zakim]

leaving. As of this point the attendees have been Ian_Jacobs, Sue_Koomen, Christian_Aabye, Carey_Ferro, David_Benoit, Arman_Aygen, Nick_Burris, Sameer_Tare, Soumya, Praveena,

16:42:33 [Zakim]

Zakim has left #wpwg

16:42:36 [Ian]

rrsagent, bye

16:42:36 [RRSAgent]

I see 1 open action item saved in https://www.w3.org/2022/12/08-wpwg-actions.rdf :

16:42:36 [RRSAgent]

ACTION: Gerhard to gather some input on UX flow needs [1]

16:42:36 [RRSAgent]

recorded in https://www.w3.org/2022/12/08-wpwg-irc#T15-38-40