Meeting minutes
SPC Prioritization
Spreadsheet where Ian is tracking feedback
(Anne presents the Worldline feedback)
Anne: The main requests relate to 3DS.
… Issuer and network iconography are required in the ACS UI
Anne: Recurring payments are important to us
… non-payment use cases are also important.
… but the most important request relates to receiving an attestation (relates to PSD2); we have to differentiate devices and understand their capabilities.
… it's also very important that we see interoperability (e.g., Webkit implementation)
Anne: Also, the authenticator dialog should stop saying "Sign-in"
… this conveys the wrong message to the user; but this is slightly less critical than others
[We walk through FIME prioritization reply from Jean-Luc]
smcgruer_[EST]: I wonder whether "roaming" in FIME feedback also implies "hybrid"
smcgruer_[EST]: Summary - other payments use cases, show RP origin, roaming, android native, some UX changes (bigger icon, fallback UX, issuer/network)
Sameer: We are close to finalizing our list from the 3DS WG
… we are trying to put more structure into our feedback to include "blockers" from our perspective
Rolf: Main feedback is to get additional browser support.
… get the attestation stuff done (for PSD2)
… support roaming authenticators
… vanilla webauthn credentials for use by RP.
IJ: Stephen what's your vision related to this last point? I imagine usage in both top-level and cross-origin iframe.
Rolf: you can name Nok Nok in the spreadsheet
Anne: When we tried to classify the requests, it was not clear what userVerification=discouraged
smcgruer_[EST]: WebAuthn allows the caller to specify whether to verify the user (biometric) or only user presence check.
… when userVerification is discouraged, e.g., the user might just click a button. This is sufficient for "user presence". The cryptogram result is of less value of course. But there's some interest in this for use cases that don't require as strong security.
… but note that the authenticator can always choose to do userVerification anyway, and we know that Windows Hello always does userVerification.
SameerT: If the userVerification=discouraged and user verification IS performed, is the verification data in the assertion?
Rolf: The method won't be known, but the authenticator will indicate whether the user was verified in the response.
[We run a Zoom poll and look at the poll results: poll 1, poll 2, poll 3]
Jean-Luc: I would distinguish roaming and hybrid
Ian: I will add the data to the spreadsheet
smcgruer_[EST]: Thanks for all the feedback, this is great. We are looking at this and our investment of SPC.
… all feedback (whether same or different than others) valued.
Updates
Ian:
- Making progress on contributing SPC documentation to MDN Web Docs; see discussion related to MDN pull request 28705
Ian:
- Any suggestions for conference presentations?
Rolf: +1 to these types of presentations; lots of value. I don't have a list. But Money 20/20 a candidate
… we could do something in Europe where multiple companies cooperate to spread the word.
… I think this was a key to passkey success
… good to have different kinds of stakeholders talking about this from various perspectives.
Steve: ETA Transact
Arman: US Payments Forum
Doug: Merchant Risk Conf
Ian:
- We had an idea to create a "How to SPC" document inspired by How to FIDO.
IJ: What is status of How to FIDO?
Rolf: Really targeting engineers. I think the case of SPC, there will be a smaller number of implementers. Most of the people will be using 3rd party tools. For them we need a document on a different level.
… mainly about educating merchants and issuers on the value of SPC.
… but they typically don't implement it themselves. They get it through their 3DS SDKs
Sami: +1
Sameer: +1
Upcoming meetings
23 Nov: Canceled
7 Dec: Scheduled
21 Dec: Canceled
4 January 2024: Canceled
Any other business?
Jean-Luc: There is a lot of discussion on quantum computing.
… is there any impact on SPC (or WebAuthn) regarding crypto agility?
smcgruer_[EST]: All the impact on SPC would also impact WebAuthn
<Rolf> +1
smcgruer_[EST]: with WebAuthn you specify which crypto algorithms when you create the credential
IJ: Has this been discussed in WebAuthn?
Rolf: The algorithms are registered in IANA
… we rely on other groups to give us algorithm identifiers.
[Adjourned until 7 Dec]