14:51:59 RRSAgent has joined #wpwg 14:52:03 logging to https://www.w3.org/2024/02/29-wpwg-irc 14:52:07 Meeting: Web Payments Working Group 14:52:12 Chair: NickTR 14:52:17 Scribe: Ian 14:53:04 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240229 14:53:17 agenda+ Ideas for SPC 14:53:23 agenda+ Payment Request updates 14:53:26 agenda+ Next meeting 14:58:27 Gregoire has joined #wpwg 15:01:01 present+ 15:01:03 present+ Sameer 15:01:14 Anne has joined #wpwg 15:01:24 present+ Stephen_McGruer 15:01:35 present+ Anne_Pouillard 15:01:35 present+ Kenneth_Diaz 15:01:38 present+ Gerhard_Oosthuizen 15:01:49 present+ Fahad_Saleem 15:01:55 present+ Jean-Michel_Girard 15:02:01 SameerT has joined #wpwg 15:02:03 present+ Doug_Fisher 15:02:07 present+ Steve_Cole 15:02:09 Gerhard has joined #wpwg 15:02:15 present+ 15:02:20 present+ Grégoire_Leleux 15:02:25 present+ Haribalu 15:02:29 present+ Rolf_Lindemann 15:02:33 present+ 15:02:45 present+ Davoid_Benoit 15:02:56 zakim, who's here? 15:02:56 Present: Ian, Sameer, Stephen_McGruer, Anne_Pouillard, Kenneth_Diaz, Gerhard_Oosthuizen, Fahad_Saleem, Jean-Michel_Girard, Doug_Fisher, Steve_Cole, Gerhard, Grégoire_Leleux, 15:03:00 ... Haribalu, Rolf_Lindemann, benoit, Davoid_Benoit 15:03:00 On IRC I see Gerhard, SameerT, Anne, Gregoire, RRSAgent, Zakim, pea1358, canton_, bkardell_, benoit, ljharb, slightlyoff, dlehn, NaelMohammad, npd, imlostlmao, AnthonySpencer, 15:03:00 ... Github, James1, nelsoncwwu, joraboi445, TimCappalli, hober, rbyers, smcgruer_[EST], rouslan, hadleybeeman, tobie, nicktr, Ian 15:03:39 present+ Tomasz_Blachowizc 15:03:57 present+ Steve_Cole 15:04:04 Rolf has joined #wpwg 15:04:15 Tomasz has joined #wpwg 15:04:39 zakim, take up item 1 15:04:39 agendum 1 -- Ideas for SPC -- taken up [from Ian] 15:04:41 Kenneth_Diaz has joined #wpwg 15:04:56 present+ Juliana_Cafik 15:05:22 agenda+ Chrome updates 15:05:38 JMGirard has joined #wpwg 15:05:38 [Gerhard Oosthuizen presentation] 15:06:27 present+ Nick_Telford-Reed 15:06:32 present+ Mike_Horne 15:06:50 zakim, who is here? 15:06:50 Present: Ian, Sameer, Stephen_McGruer, Anne_Pouillard, Kenneth_Diaz, Gerhard_Oosthuizen, Fahad_Saleem, Jean-Michel_Girard, Doug_Fisher, Steve_Cole, Gerhard, Grégoire_Leleux, 15:06:53 ... Haribalu, Rolf_Lindemann, benoit, Davoid_Benoit, Tomasz_Blachowizc, Juliana_Cafik, Nick_Telford-Reed, Mike_Horne 15:06:53 On IRC I see JMGirard, Kenneth_Diaz, Tomasz, Rolf, Gerhard, SameerT, Anne, Gregoire, RRSAgent, Zakim, pea1358, canton_, bkardell_, benoit, ljharb, slightlyoff, dlehn, NaelMohammad, 15:06:53 ... npd, imlostlmao, AnthonySpencer, Github, James1, nelsoncwwu, joraboi445, TimCappalli, hober, rbyers, smcgruer_[EST], rouslan, hadleybeeman, tobie, nicktr, Ian 15:07:51 [Ian does not minute the presentation but will minute discussion] 15:09:36 outcome expectations apply equally to issuer (issuer also doesnt know if the credential is present on that device/removed etc) 15:10:11 I have made the request to generate https://www.w3.org/2024/02/29-wpwg-minutes.html Ian 15:10:15 RRSAGENT, set logs public 15:10:17 Dfisher has joined #wpwg 15:11:08 Gerhard: We still want the API to be useful, even if a credential is not available. 15:12:14 ...so part of the proposal is that SPC be a confirmation, not necessarily always a challenge. 15:13:28 q? 15:14:16 Hari has joined #wpwg 15:14:29 Gerhard: So there are three main proposals and some sub-proposals: 15:14:38 A. Always show the SPC dialog and make WebAuthn conditional 15:14:45 B. Provide a clear error to what happened on SPC page 15:14:54 C. Generate a browser possession signal 15:14:58 Sub proposals: 15:15:06 D. Require a transaction specific approval to allow signal generation 15:15:15 E. Don't allow JS/HTML to access/edit the signature 15:15:28 F. Allow a PaymentRequest caller to decide if WebAuthn is required 15:15:38 G. Enable users to opt out of sharing a returning browser signal 15:15:43 H. Allow registration to be silent 15:17:35 [Gerhard shows slide about how the 8 proposals address the four main obstacles he cited] 15:21:35 IJ: what is value of having both a browser signal and webauthn signal? 15:21:44 Gerhard: Device info. 15:22:13 Rolf: Where can privacy come from? 15:22:19 Gerhard: Let's dig in. 15:22:50 * Generated keys would be bound to a top-level/3p origin pair 15:23:02 * Signature requires positive user gesture 15:23:08 * Keypair may be cleared 15:23:33 Gerhard: I think there are multiple ways the browserSignature key pair could be issued: 15:23:44 - Dedicated registration/issuing journey. 15:24:12 ...this could be analogous to WebAuthn, but in software or hardware (e.g., using DBSC) 15:24:36 - Generate a key pair managed by the browser 15:24:46 - Generate a key pair as part of an HTTP Response Header by the issuer 15:24:55 - Use the same key provisioned by DBSC 15:26:51 Gerhard: We could gather user consent via the SPC dialog. The text could make clear that the signal can be used to not require a step up challenge. 15:27:43 Gerhard: Regarding how to trust the signal: 15:27:57 - Trust it increasingly over time (as is done with fingerprints today) 15:28:19 - Hardware-bound keys with device attestation 15:28:25 - Only send the signature in an HTTPS header 15:28:37 - Issue the key as a request in an HTTPS response when the issuer has validated the device (DBSC) 15:28:56 - Deliver the signature via back-channel API or .wellknown flows (cf. FedCM) 15:29:47 Gerhard: Suggest preference attribute: required to use webAuthn / preferred / don't use 15:30:14 q? 15:30:22 Gerhard: one idea is an "opt out" box for possible tracking. Not a big fan for this option. 15:30:56 Gerhard: I think that we can increase SPC adoption if there are ways to use it without WebAuthn 15:31:10 ...flows and sequencing are same with lower development costs 15:31:51 I have made the request to generate https://www.w3.org/2024/02/29-wpwg-minutes.html Ian 15:32:31 Gerhard: This would allow us to move faster in a 3-D Secure context (replacing OTPs) 15:34:58 q+ 15:35:01 q- 15:35:41 smcgruer_[EST]: This is great work and well-presented. I think that the two parts about providing callers with a clear response and using consistent UX we should just do. 15:36:01 ...agree with (1) sign what you see. 15:36:11 ...(2) Customer consent is interesting 15:36:23 ..(3) Privacy looks interesting but we also need to discuss. 15:37:02 smcgruer_[EST]: I think this is all interesting and worth looking at as a group and testing in an implementation 15:37:12 ...we should just do the change in the flow overall 15:37:24 ack Ger 15:37:44 Gerhard: All improvements welcome 15:38:06 q+ 15:38:39 Gerhard: It would be valuable to have a good fallback when WebAuthn not available. 15:39:06 ack SameerT 15:40:06 SameerT: Where you say the modal should always be displayed - say more on the options 15:40:18 Gerhard: Multiple options, e.g., issuer could do SPC and avoid OTP 15:40:55 ..if the merchant adopts SPC with 3DS 2.3.1, the merchant could do the UX after the ACS says "ok to do this without webauthn credentials" 15:41:15 ...the ACS could accept the result and still decide to do some other step-up 15:41:41 q+ 15:42:20 SameerT: So in both cases you cited, the issuer was the RP. 15:42:44 ...so the idea is that there is a user gesture 15:42:56 ...and only if there is a strong signature then it qualifies for frictionless 15:44:23 Ian: Is seeing public key again and again à la WebAuthn as input to 3DS? 15:46:01 IJ: I see two scenarios: 15:46:10 a) Registration and strong confidence in key 15:46:17 b) No registration and gradual trust in key 15:47:11 Gerhard: But there's a third option where is late key pair generation (after HTTPS response), where the key pair generation is done by the issuer and sent to the browser. 15:49:40 IJ: What would be needed in 3DS to do a minimal version of this? 15:50:16 Gerhard: 3DS already has a way to handle "no credentials" and also proof. 15:50:31 ...there's no place yet to handle 2 signatures or pref. 15:50:48 q+ 15:51:00 Sameer: Looking at the options on slide 19, I think 1, 3, and 4 could be done today 15:51:24 ...I think delegated key pair version could be handled. 15:52:18 ...we'd need to look at case of empty credentials and tx dialog. 15:52:54 ...if 3DS method can do this in hidden iframe, then that's possible 15:53:28 Gerhard: One thought i had - what if we use a payment handler (service worker) that kicks of SPC without showing a payment page to begin with. 15:53:42 ...so the issuer could use a payment handler without a page, just to kick of SPC 15:53:55 ...that way the merchant would know the secure display was coming from an issuer context 15:54:59 ack rolf 15:55:01 ack me 15:55:25 https://github.com/w3c/webauthn/issues/1568 15:55:53 TallTed has joined #wpwg 15:55:57 rolf: What would happen if there are no credentials? Could you have a flag to SPC to say "If I don't have a webauthn credential, generate one on the fly without necessarily requiring a user gesture." 15:56:37 ...so your key-that-gains-trust over time might be do-able with WebAuthn 15:57:02 Gerhard: Issuer would still need to be able to manage webauthn credentials. 15:58:56 Ian: That's not clear to me. 15:59:07 Gerhard: Can it be done without biometric? 16:00:26 Rolf: You should be able to get a key with user consent. And could be generated automatically. See issue related to get/create operation. I think the predictability is valuable. 16:00:51 ...what the issuer does with the credential is up to the user. E.g., in the future the issuer could ask the user to confirm it's really her. 16:01:44 Gerhard: I don't want people to trust something that is not a MFA signal. 16:03:27 Topic: Next meeting 16:03:29 14 March 16:03:40 Ian: Sorry, Stephen had some chrome info we didn't get to and we'll talk about at next meeting 16:03:56 I have made the request to generate https://www.w3.org/2024/02/29-wpwg-minutes.html Ian