13:28:31 RRSAgent has joined #wpwg
13:28:36 logging to https://www.w3.org/2023/10/26-wpwg-irc
13:28:37 Meeting: Web Payments Working Group
13:28:40 Chair: Ian
13:28:55 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20231026
13:29:00 Scribe: Ian
13:59:33 present+
13:59:38 present+ Doug_Fisher
13:59:46 present+ Tomasz_Blachowicz
14:00:17 present+ Stephen_McGruer
14:00:36 regrets+ NickTR
14:00:40 regrets+ Praveena
14:00:45 agenda+ SPC updates
14:00:46 Tomasz has joined #wpwg
14:00:48 agenda+ Berlin Group meeting
14:00:54 agenda+ Hybrid meeting?
14:01:00 agenda+ Next meeting
14:01:11 JeanLuc has joined #WPWG
14:01:17 present+ Jean-Luc_di_Manno
14:01:29 present+ Fahad_Saleem
14:01:29 present+
14:02:08 present+ Bastien_Latge
14:02:08 present+ Rick_Byers
14:02:15 present+ Jean-Michel_Girard
14:02:49 JMGirard has joined #wpwg
14:03:43 present+ Tony_England
14:04:22 zakim, take up item 1
14:04:22 agendum 1 -- SPC updates -- taken up [from Ian]
14:04:22 present+ Steve_Cole
14:04:22 present+ Rick_Byers
14:04:36 smcgruer_[EST]: We'll start today with "what we heard at TPAC"
14:04:49 -> https://docs.google.com/presentation/d/16lnWeu9uKMSug6hhjv7-MxQvc5_ZbsobprEHCD5ABFs/edit#slide=id.p Stephen's slides on SPC requests
14:04:56 smcgruer_[EST]: We'd like to prioritize those things we've heard
14:05:10 present+ Ryan_Watkins
14:05:57 smcgruer_[EST]: We've completed two things recently: (1) SPC can be called without user activation; shipping in M118 (stable)
14:05:57 ...this "no user activation" is limited to once per page load
14:06:19 ...second thing done is (2) SPC support for device-binding extension (M120)
14:06:27 ...SPC allows you to set web authentication extensions.
14:06:49 ...this is distinct from DPK shipping...but the point is SPC allows you to use these extensions
14:07:09 ian: Did allowing extensions involve changes to the spec?
14:07:14 ...there was no change to the spec (which already allowed this)
14:07:21 ...it's just the implementation that caught up
14:07:40 Ian: Were the people who most wanted the no user activation informed of this? Do they know it shipped?
14:07:59 smcgruer: don't know, hope they're in the room?
14:08:02 Doug: We tested the "no user activation"; works well
14:08:39 smcgruer_[EST]: Now let's walk through the other requests we've heard. We'd like to start to understand priorities
14:09:00 ...in the slides I've listed an approximate effort level required to implement
14:09:02 q+
14:09:10 present+ Rolf_Lindemann
14:10:13 smcgruer_[EST]: "Support for userVerification=discouraged"; this would allow for some uses without full biometric.
14:10:22 ack rbyers
14:10:46 rbyers: Re prioritization - we'd like to understand where we get bang for our buck. Are there things here that are adoption blockers?
14:11:11 q+
14:11:15 ...at this point we want to know if there are blockers or whether we should stop investing
14:11:19 ack Jean
14:11:41 Anne has joined #wpwg
14:11:45 JeanLuc: This userVerification=discouraged could help with device recognition; I have been thinking about this for other use cases as well
14:11:51 present+ Anne_Pouillard
14:11:52 present+
14:12:11 JeanLuc: E.g., it might be used to identify the platform, not just the user. I am doing more investigations.
14:12:52 smcgruer_[EST]: (2) Card art icon is too small. This is "moderate" effort because it relates to UX
14:13:08 smcgruer_[EST]: (3) Fallback UX improvements. (No matching credentials UX).
14:13:24 ...previously we have discussed tri-state outcomes.
14:13:50 smcgruer_[EST]: (4) Issuer/network icons (and more generally icons representing entities involved in the transaction)
14:14:01 smcgruer_[EST]: (5) Native SPC for Android
14:14:04 Fahad has joined #wpwg
14:14:43 smcgruer_[EST]: (6) Allow normal WebAuthn credentials for first-party SPC.
14:15:22 ...this is possible on both Windows and MacOS. We could add this support if there are e.g., banks who want to use existing credentials or simply don't want others to use their credentials
14:15:33 smcgruer_[EST]: (7) MacOS same
14:16:04 smcgruer_[EST]: (8) Support roaming authenticators. For this we would need to revisit SPC UX
14:16:04 smcgruer_[EST]: (9) Support hybrid authenticators
14:16:36 smcgruer_[EST]: (10) Minor experimental UX tweaks. This is low effort and we can experiment easily (behind a flag)
14:16:36 ...if people have minor UX tweaks they want to experiment with, ask!
14:17:13 smcgruer_[EST]: (11) Remove/change primary iconography on SPC dialog (e.g., vaguely fingerprint thing on MacOS). Moderate effort due to UX effort
14:17:29 smcgruer_[EST]: (12) Showing RP origin in SPC transaction dialog. This is low effort.
14:17:38 present+ Sameer_Tare
14:17:50 I have made the request to generate https://www.w3.org/2023/10/26-wpwg-minutes.html Ian
14:18:01 smcgruer_[EST]: (13) Recurring payments
14:18:05 SameerT has joined #wpwg
14:18:06 smcgruer_[EST]: (14) Non-payment use cases
14:18:11 present+
14:18:21 smcgruer_[EST]: We also have heard a number of requests related to capabilities not in browser control
14:18:40 smcgruer_[EST]: (1) Authenticator support for thirdPartyPayment bit in Windows, macOS
14:18:46 smcgruer_[EST]: (2) Safari support
14:18:59 smcgruer_[EST]: (3) Require biometrics for an authentication
14:19:06 q+
14:19:09 ...this would require work across FIDO or the platform authenticators
14:19:24 ack Tom
14:19:47 Tomasz: Regarding these last 2-3 items. I think these are blockers to adoption of SPC.
14:20:26 ...until there is more browser support (of SPC and thirdPartyPayment bits and UI improvements) we may not see more adoption
14:20:50 ...perhaps as a WG we can exercise more influence on the other parts of the ecosystem.
14:21:04 q+
14:21:08 ack rbyers
14:21:48 rbyers: We generally have to build usage in a constrained way first in order to get broader browser adoption.
14:22:19 q?
14:25:22 smcgruer_[EST]: Other things on the list - attestation, know which authenticator method was used, combine SPC with FIDO biometric, get platform auth dialogs to stop saying "sign in"
14:25:38 smcgruer_[EST]: There might be some work in WebAuthn on nature of biometric.
14:26:32 Ian: Anyone at Authenticate conference have things to share?
14:26:48 Rolf: Regarding adoption, EMVCo has added SPC to 3DS, but to see adoption might take some time
14:27:05 ...need to get this into ACSs, then we can get more pilots out
14:27:15 ...I am getting positive feedback on pilots.
14:27:43 Rolf: Regarding attestation; this is progressing (esp. for passkeys)
14:27:54 ...we are seeing convergence to security-style attestation
14:28:09 ...I think there's a new proposal for the device binding extension
14:28:22 ...from a FIDO we should have done enough to allow the use of security keys for SPC
14:29:10 Ian: Talked with someone that device public key has some concerns, but perhaps less in SPC scenarios?
14:29:38 Rolf: There are regulatory environments where strong device binding is required.
14:29:38 q+
14:29:39 ack ray
14:29:48 rbyers: We do have DPK working behind a flag.
14:30:01 ...I like the idea that the bar is different for SPC than WebAuthn generally
14:30:24 ...if people would like to get SPC + DPK working, I could discuss internally a version of DPK with SPC before WebAuthn generally
14:30:52 Rolf: I don't think that the only need is SPC. There are two use cases - another one was implemented early on (MFA).
14:31:06 ...those people need a solution quickly.
14:31:26 rbyers: Email Stephen if you want to test it out behind a flag.
14:32:08 smcgruer_[EST]: Any prioritization people want to discuss today?
14:32:17 ...are there any suggestions that I've missed?
14:33:17 Ian: The ones Tomasz and Rolf mentioned were getting 2nd browser support and authenticator support for 3p payment bit. Why is that a high priority?
14:34:01 Tomasz: didn't mean to suggest 3p payment bit was necessarily high priority, not prepared to prioritize the list now.
14:34:04 q+
14:34:16 ack SameerT
14:34:22 Ian: maybe if folks could come back with their top 5 list? Maybe in 3DS working group?
14:34:25 SameerT: from a 3DS WG POV we can classify these
14:34:29 ...and flag blockers
14:34:54 ACTION: SameerT to work with the 3DS WG to come with a priority list and identify blockers.
14:35:08 https://docs.google.com/presentation/d/16lnWeu9uKMSug6hhjv7-MxQvc5_ZbsobprEHCD5ABFs/edit#slide=id.p
14:35:09 ack rbyers
14:36:02 ACTION: Ian to send list to WG to ask for prioritization + some non-WG partners
14:36:11 zakim, close item 1
14:36:11 agendum 1, SPC updates, closed
14:36:12 I see 3 items remaining on the agenda; the next one is
14:36:12 2. Berlin Group meeting [from Ian]
14:36:23 zakim, take up item 2
14:36:23 agendum 2 -- Berlin Group meeting -- taken up [from Ian]
14:37:52 q+
14:37:59 https://lists.w3.org/Archives/Public/public-payments-wg/2023Oct/0002.html
14:38:25 Rolf has joined #wpwg
14:39:01 ack Jean
14:39:41 JeanLuc: I read the doc. The proposal involves signing the payload. Maybe we should do the same with SPC.
14:40:03 ...cf. interesting Yubico proposal involving hash of payload. Should we sign hash of payload?
14:40:04 ...in SPC
14:40:29 ...this would create synergy between our proposal and theirs.
14:40:37 https://developers.yubico.com/WebAuthn/Concepts/Using_WebAuthn_for_Signing.html
14:40:41 Rolf: Whatever you get as client data is outside of control of authenticator
14:41:05 ...maybe it's more like adding a transaction hash value to the collected client data...at the same level that SPC sits today
14:41:06 q?
14:41:24 TallTed has joined #wpwg
14:41:29 Rolf: So basically augment collected client data
14:42:01 Ian: if WebAuthn took as input to the client data a hash value (in addition to whatever else), that would work if just doing WebAuthn, right?
14:42:27 Rolf: What we really want with SPC is an assertion that the user has seen what they signed
14:42:35 ...that's controlled by the client platform in the case of SPC
14:42:45 ...in that case, it makes sense to include structured data, not just hash
14:43:04 ...in WebAuthn Level 1 there's an extension (defined at authenticator level)
14:43:26 ...that TX extension could be reworked to sit on SPC level.
14:44:17 Ian: So don't replace, but allow to augment with a hash? Did you think the Berlin Group needed to modify their proposal so that SPC might be used with theirs?
14:44:25 WebAuthn Level 1 txAuthSimple extension: https://www.w3.org/TR/webauthn-1/#sctn-simple-txauth-extension
14:44:26 JeanLuc: For JWS maybe
14:44:45 JeanLuc: But with XMLSig they are able to do it.
14:44:54 q?
14:44:57 Ian: will you be on the call Monday to carry forward your thinking?
14:45:08 Rolf: How would the client platform verify it was shown to the user?
14:46:27 Ian: can't see SPC adding full content, and hash isn't useful without full content. But maybe worth discussing if we can add a hash to SPC?
14:46:42 JeanLuc: Could the challenge provided to SPC be a hash?
14:47:10 Rolf: Yes, it's up to the RP. But if you want to convey "what the user has seen" that's different.
14:47:39 q+
14:48:39 Ian: I don't see the challenge. Today challenge is used to avoid replay attacks. The fact that it might have meaning separately is nobody's business but RP. But if RP used challenge derived from data displayed (plus random number etc.) then they could make that calculation without affecting anyway
14:48:48 s/anyway/anybody/
14:49:15 Rolf: There might be additional value; we'd need to understand what it is. You might want to factor the hash into the challenge (rather than replace the challenge)
14:49:16 ack rbyers
14:49:44 rbyers: Agree that the key value of SPC here is trusting the browser that the user saw something. I can imagine an argument that the browser should include a hash of what the user saw, along with the signature.
14:50:50 ...I could imagine a simpler version of the BG proposal. You can (kind of) imagine the browser doing a screenshot and making it available to the RP, and a hash of it available as well.
14:51:48 zakim, take up item 3
14:51:48 agendum 3 -- Hybrid meeting? -- taken up [from Ian]
14:53:40 Any conflicts in March?
14:53:56 Steve: No MAG meetings; there is an EMVCo one
14:54:16 don't see any FIDO meetings in March as of now
14:54:53 RRSAGENT, make minutes
14:54:54 I have made the request to generate https://www.w3.org/2023/10/26-wpwg-minutes.html Ian
14:54:55 RRSAGENT, set logs public
15:00:52 Tomasz has left #wpwg
15:16:03 rrsagent, bye
15:16:03 I see 2 open action items saved in https://www.w3.org/2023/10/26-wpwg-actions.rdf :
15:16:03 ACTION: SameerT to work with the 3DS WG to come with a priority list and identify blockers. [1]
15:16:03 recorded in https://www.w3.org/2023/10/26-wpwg-irc#T14-34-54
15:16:03 ACTION: Ian to send list to WG to ask for prioritization + some non-WG partners [2]
15:16:03 recorded in https://www.w3.org/2023/10/26-wpwg-irc#T14-36-02
15:16:07 zakim, bye
15:16:07 leaving. As of this point the attendees have been Ian, Doug_Fisher, Tomasz_Blachowicz, Stephen_McGruer, Jean-Luc_di_Manno, Fahad_Saleem, Tomasz, Bastien_Latge, Rick_Byers,
15:16:07 Zakim has left #wpwg
15:16:10 ... Jean-Michel_Girard, Tony_England, Steve_Cole, Ryan_Watkins, Rolf_Lindemann, Anne_Pouillard, Anne, Sameer_Tare, SameerT