Meeting minutes
WPWG Charter update
ian: this week we started to form a council to deal with the formal objection
… we hope that it will come to a swift conclusion
… in the meantime, Apple rejoined the working group yesterday
… That's very exciting and we hope that they will be involved at TPAC in September
… We currently have 17 registered in person for TPAC
… WPSIG is a little lower
… My guess is we might hit 30 participants in person for WPWG
SPC Interop Roadmap
Ian's Roadmap for SPC Interoperability
ian: a few weeks ago, @smcgruer gave a great presentation on some of the dependencies upon which SPC relies
… I used that information to create a "roadmap for SPC interoperability"
… the purpose is as a starting point for closing the gaps
… it doesn't go as far as 3DS or SRC, but is concentrated on making SPC work in browser
… it goes left to right - starting with payment request
… which is "red" for Firefox, though we understand it was developed but never shipped
ian: webauthn level 2 is green across the board
ian: then there's SPC - red on iOS and Safari on MACOS
ian: I listed the conditional UI capability as a signal that credential listing API may be coming
… credential listing API has encouraging signs too
… discoverable credentials is mostly green with upcoming API for MACOS that Chrome plans to use
smcgruer_[EST]: for clarification, this is for platform authenticators
Ian: I will add Hybrid to last column header
smcgruer_[EST]: today on android, when you use a platform authentication, there's a bit which is a third-party payment bit
… that's saved with the credential
… you can interrogate whether that third-party payment bit is set via credential list API
ian: the next column is a desired-implementation. If you are the relying party, you should be able to use a vanilla webauthn credential for payment
smcgruer_[EST]: in 1P context
ian: do you have any data to share, @smcgruer_[EST]
smcgruer_[EST]: I don't know if people are doing this. Stripe might have been doing this but also had the payment bit set
ian: finally we have said we would like to use roaming authenticators but this requires us fix a bunch of UX issues
… We asked the Webauthn working group if there were any updates on roaming updates
Rolf: I think the flag we requested is being merged
ian: I meant roaming authenticators
smcgruer_[EST]: I think Christiaan Brand had some ideas about caching
… I don't believe anyone is working on this
Rolf: There will be an API for browsers to query the authenticators available on their platform but it's very early
ian: is anything missing from this chart?
ian: and what shall we do about the red crosses? We will consider this in detail at TPAC
TPAC agenda
ian: we have started the agenda building
ian: we would love to hear from participants - presentations or demos
ian: we believe we will see a presentation from Netcetera
… we have reached out to Stripe and we still hope to hear from them at TPAC
… we would love to hear from the group
ian: we would also love to hear from 3DS colleagues - demos, implementation, deployment information
ian: gerard will be presenting on SPC in a credential issuing perspective
ian: we can review the issues list
… there are a number of UX issues in particular that have been in stasis for some time
ian: with Apple back in the group, it would be good to talk about next steps for payment request
… in particular with regard to addresses
ian: we may also want to talk about passkeys
… and we have reached out to get updates on PSD3
Ian: UK Finance on push payment fraud?
NickTR: APP (authorized push payment) is where you log in to transfer money. Even though smaller than cards in volume (by factor of 100), level of fraud is same (hence collossal)
<Rolf> regarding WebAuthn: not an API for querying available authenticators, but client capabilities (e.g., hybrid transport, client-pin entry, ...)
ian: we also hope to hear some merchant perspectives
ian: Berlin Group are not available for TPAC but we are looking to schedule a meeting with them on 30th October at 3pm UTC (for early diary awareness)
… I will remind the group nearer the time
… and they have indicated that they are getting closer to dynamic linking features
ian: also for info, at our next meeting, the Chrome team will present on autofill in a 3P context via iframes with a guest attendee from PCI
NickTR: We welcome your presentations!
… handful of bullets suffices
… whether new or old topics
Next meeting
3 August