W3C

Web Payments Working Group

09 November 2023

Attendees

Present
Anne Pouillard (Worldline), Arman Aygen (EMVCo), Bastien Latge (EMVCo), Clinton Allen (American Express), Doug Fisher (Visa), Fahad Saleem (Mastercard), Gerhard Oosthuizen (Entersekt), Ian Jacobs (W3C), Jean-Luc di Manno (FIME), Jeff Owenson (Discover), Rolf Lindemann (Nok Nok Labs), Ryan Watkins (Mastercard), Sameer Tare (Mastercard), Sami Tikkala (Visa), Stephen McGruer (Google), Steve Cole (MAG), Tomasz Blachowicz (Mastercard), Yannick Seveant (FIME)
Regrets
NickTR, Praveena Subrahmanyam
Chair
Ian
Scribe
Ian

Meeting minutes

SPC Prioritization

Spreadsheet where Ian is tracking feedback

(Anne presents the Worldline feedback)

Anne: The main requests relate to 3DS.
… Issuer and network iconography are required in the ACS UI

Anne: Recurring payments are important to us
… non-payment use cases are also important.
… but the most important request relates to receiving an attestation (relates to PSD2); we have to differentiate devices and understand their capabilities.
… it's also very important that we see interoperability (e.g., WebKit implementation)

Anne: Also, the authenticator dialog should stop saying "Sign-in"
… this conveys the wrong message to the user; but this is slightly less critical than others

[We walk through FIME prioritization reply from Jean-Luc]

smcgruer_[EST]: I wonder whether "roaming" in FIME feedback also implies "hybrid"

smcgruer_[EST]: Summary - other payments use cases, show RP origin, roaming, android native, some UX changes (bigger icon, fallback UX, issuer/network)

Sameer: We are close to finalizing our list from the 3DS WG
… we are trying to put more structure into our feedback to include "blockers" from our perspective

Rolf: Main feedback is to get additional browser support.
… get the attestation stuff done (for PSD2)
… support roaming authenticators
… vanilla WebAuthn credentials for use by RP.

IJ: Stephen what's your vision related to this last point? I imagine usage in both top-level and cross-origin iframe.

Rolf: you can name Nok Nok in the spreadsheet

Anne: When we tried to classify the requests, it was not clear what userVerification=discouraged

smcgruer_[EST]: WebAuthn allows the caller to specify whether to verify the user (biometric) or only user presence check.
… when userVerification is discouraged, e.g., the user might just click a button. This is sufficient for "user presence". The cryptogram result is of less value of course. But there's some interest in this for use cases that don't require as strong security.
… but note that the authenticator can always choose to do userVerification anyway, and we know that Windows Hello always does userVerification.

SameerT: If the userVerification=discouraged and user verification IS performed, is the verification data in the assertion?

Rolf: The method won't be known, but the authenticator will indicate whether the user was verified in the response.

[We run a Zoom poll and look at the poll results: poll 1, poll 2, poll 3]

Jean-Luc: I would distinguish roaming and hybrid

Ian: I will add the data to the spreadsheet

smcgruer_[EST]: Thanks for all the feedback, this is great. We are looking at this and our investment of SPC.
… all feedback (whether same or different than others) valued.

Updates

Ian:

- Making progress on contributing SPC documentation to MDN Web Docs; see discussion related to MDN pull request 28705

Ian:

- Any suggestions for conference presentations?

Rolf: +1 to these types of presentations; lots of value. I don't have a list. But Money 20/20 a candidate
… we could do something in Europe where multiple companies cooperate to spread the word.
… I think this was a key to passkey success
… good to have different kinds of stakeholders talking about this from various perspectives.

Steve: ETA Transact

Arman: US Payments Forum

Doug: Merchant Risk Conf

Ian:

- We had an idea to create a "How to SPC" document inspired by How to FIDO.

IJ: What is status of How to FIDO?

Rolf: Really targeting engineers. I think the case of SPC, there will be a smaller number of implementers. Most of the people will be using 3rd party tools. For them we need a document on a different level.
… mainly about educating merchants and issuers on the value of SPC.
… but they typically don't implement it themselves. They get it through their 3DS SDKs

Sami: +1

Sameer: +1

Upcoming meetings

23 Nov: Canceled

7 Dec: Scheduled

21 Dec: Canceled

4 January 2024: Canceled

Any other business?

Jean-Luc: There is a lot of discussion on quantum computing.
… is there any impact on SPC (or WebAuthn) regarding crypto agility?

smcgruer_[EST]: All the impact on SPC would also impact WebAuthn

<Rolf> +1

smcgruer_[EST]: with WebAuthn you specify which crypto algorithms when you create the credential

IJ: Has this been discussed in WebAuthn?

Rolf: The algorithms are registered in IANA
… we rely on other groups to give us algorithm identifiers.

[Adjourned until 7 Dec]

Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).
