13:59:57 RRSAgent has joined #wpwg
14:00:02 logging to https://www.w3.org/2024/03/14-wpwg-irc
14:00:02 Gregoire has joined #wpwg
14:00:02 Meeting: Web Payments WG
14:00:25 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240314
14:00:35 Chair: Ian
14:00:38 regrets: Praveena
14:00:39 present+
14:00:42 present+
14:00:44 present+ Stephen_McGruer
14:00:47 present+ Doug_Fisher
14:00:51 present+ Jean-Luc_di_Manno
14:01:07 present+ Grégoire_LeLeux
14:01:07 present+ Steve_Cole
14:01:08 present+ Vasilii
14:01:15 present+ Melissa_Sebastian
14:01:19 jpm has joined #wpwg
14:01:28 present+ Juan-Pablo_Marzetti
14:01:33 present+ Haribalu
14:01:43 present+ Rolf_Lindemann
14:01:43 present+ Tomasz_Blachowicz
14:01:48 present+ Anne_Pouillard
14:01:59 Anne has joined #wpwg
14:02:00 present+ Yannick_Seveant
14:02:06 Rolf has joined #wpwg
14:02:06 Tomasz has joined #wpwg
14:02:09 Hari has joined #wpwg
14:02:21 present+ Imran_Ahmed
14:02:27 present+
14:02:32 zakim, who's here?
14:02:32 Present: Ian, Sameer, Stephen_McGruer, Anne_Pouillard, Kenneth_Diaz, Gerhard_Oosthuizen, Fahad_Saleem, Jean-Michel_Girard, Doug_Fisher, Steve_Cole, Gerhard, Grégoire_Leleux,
14:02:37 ... Haribalu, Rolf_Lindemann, benoit, Davoid_Benoit, Tomasz_Blachowizc, Juliana_Cafik, Nick_Telford-Reed, Mike_Horne, benoit_, Jean-Luc_di_Manno, Vasilii, Melissa_Sebastian,
14:02:37 ... Juan-Pablo_Marzetti, Tomasz_Blachowicz, Yannick_Seveant, Imran_Ahmed, Tomasz
14:02:37 On IRC I see Hari, Tomasz, Rolf, Anne, jpm, Gregoire, RRSAgent, Seveant_Yannick, JeanLuc, pea1358, canton_, hober, rbyers, nicktr, tobie_, hadleybeeman, ljharb, rouslan,
14:02:40 ... slightlyoff, bkardell_, smcgruer_[EST], benoit_, dlehn, Zakim, NaelMohammad, npd, imlostlmao, AnthonySpencer, Github, James1, nelsoncwwu, joraboi445, TimCappalli, Ian
14:02:44 vasilii has joined #wpwg
14:02:44 present+ Nick_Shearer
14:02:56 MelissaVS has joined #wpwg
14:03:58 nick_s has joined #wpwg
14:04:18 Topic: Chrome updates
14:04:23 nick_s_ has joined #wpwg
14:04:27 [Stephen presents]
14:05:13 smcgruer_[EST]: Google password manager passwords -> passkeys
14:05:23 ...NickTR asked about this
14:05:55 ...another topic was UVI and UVM
14:06:07 ...UVI no longer a thing
14:06:14 ...UVM is "user verification method"
14:06:33 ...it is implemented in some authenticators but generally discouraged by WebAuthn and implementations may be broken
14:06:40 present+ Jean-Michel_Girard
14:07:11 ...but FIDO is hearing that regulations require reporting of what authentication method was used.
14:07:23 ...so there may be some movement to expose UVM again
14:07:33 present+ NickTR
14:08:14 JMGirard has joined #wpwg
14:08:22 Rolf: If you combine UVI and UVM, it WOULD be different (you could verify it is the same fingerprint as used before)
14:08:58 q+
14:09:13 ack nick
14:09:31 nick_s: I'd have to confirm but I think we'd consider exposing UVM a privacy risk
14:09:46 ...we might be able to expose whether a value had changed (e.g., since signup)
14:10:28 Rolf: I agree it adds a bit of entropy, but if there are three types of authentication around the world, it might not add a lot of entropy
14:12:05 smcgruer_[EST]: The fact that some people may not use fingerprints (temporarily or permanently) was one reason to discourage people from saying "I only use fingerprints"
14:12:12 present+ Fahad_Saleem
14:12:27 smcgruer_[EST]: Now some perspectives (personally) on SPC
14:12:35 ...work is continuing on UX
14:12:47 ...I hope to have eng working on implementing in Q2
14:13:16 ...sooner rather than later: prototype fallback UX (e.g., transaction UX always appears; with clearer outcome results)
14:13:50 ...will make it easier to distinguish three outcomes: success, user does not want to continue, cancel transaction
14:13:55 ...updated UX as well
14:14:14 ...things for the WG to drive:
14:14:18 * Device binding
14:14:26 * signature even if no webauthn credential present
14:14:29 * recurring payments
14:14:33 * hybrid/remote authenticators
14:15:04 smcgruer_[EST]: People are looking for partners who want device binding who want to ship something.
14:15:40 present+ Kenneth_Diaz
14:15:44 imran has joined #wpwg
14:16:52 smcgruer_[EST]: There is a lot the WG could be doing on recurring payments; e.g., working with EMVCo on how they represent that and could we translate to SPC
14:17:05 ...could it be aligned with how other *Pay present information
14:17:14 ...that might be useful for PR API more broadly.
14:17:42 q?
14:17:46 ...regarding remote authenticators; we could work on how to check whether (remote) credentials are available.
14:17:58 smcgruer_[EST]: Things that we don't expect to do soon: android native SPC; non-payment use cases
14:18:11 ...that's more of a webauthn thing
14:19:30 Ian: What is relationship to this in webauthn:
14:19:31 https://github.com/w3c/webauthn/pull/2020
14:19:48 Rolf: It's explicitly for non-payments use cases (e.g., share health data)
14:19:56 ...there's a need for trusted UI going forward.
14:20:23 ...regulators want protection against issues like MITM or injection attacks
14:20:36 ...there is a push for more "sign what you see" secure UX
14:20:42 ...we heard general interest from Chrome
14:20:54 ...have not heard back from other browser vendors yet
14:21:09 ...this is an ongoing discussion
14:21:09 q+
14:21:27 q+
14:22:00 Steve_C has joined #wpwg
14:22:43 ack Ian
14:22:53 Ian: Why is this different from what SPC is doing?
14:23:05 Rolf: Not intended for use with non-ops
14:23:12 s/non-ops/non-RPs/
14:23:24 ...also this is not currently designed for structured data
14:24:34 ...also SPC as designed today is browser-based. There is a need for a more secure / trusted UI
14:25:00 ...in tx proposal, the display could be done by the authenticator.
14:25:12 ...security keys could display information
14:25:19 q?
14:25:38 ack Tom
14:26:07 Tomasz: Regarding this WebAuthn extension - in the assertion is there a hash of the info that was displayed to the user?
14:26:11 present+ Sue_Koomen
14:26:27 Tomasz: (I have not read the pull request yet)
14:26:46 Rolf: Yes. There are two places that could be signed: collected client data (the authenticator signs "blindly")
14:27:04 ...a second place is the extension which is part of the "to be signed" object.
14:27:09 q+
14:27:15 Rolf: ...SPC only supports the first; the extension supports both
14:27:48 ...if the authenticator has shown the information, it is included in the "to be signed" object; that's a different kind of security guarantee. It is an attested entity in some cases
14:27:51 ack smcgruer_[EST]
14:28:10 smcgruer_[EST]: SPC does not support that today but it could pass the data to the authenticator.
14:28:38 [Discussion of what you get without attestation]
14:28:46 Rolf: You still get attestations in some cases; and that's a higher value
14:28:50 q?
14:29:13 smcgruer_[EST]: Privacy sandbox update
14:29:24 ...regarding 3p cookie desperation
14:29:30 s/desperation/deprecation
14:29:42 ...current timeline is 100% of third-party cookie deprecation during Q3
14:29:49 ...so far we have heard limited impact on payments folks
14:30:01 ...if you are impacted, time is running out; please contact us
14:31:55 smcgruer_[EST]: With passkeys and pluggable passkey providers there is a reality where passkey providers don't do fresh authentication.
14:32:04 ...we need to keep an eye on this for SPC.
14:32:21 ...there's a question on how that would be represented.
14:32:36 ...there is another WebAuthn issue on user verification caching
14:32:56 Doug: Got a timeline on DBSC availability in Chrome?
14:33:00 smcgruer_[EST]: No idea.
14:33:36 ACTION: Ian to dig up info on DBSC timeline from authors
14:33:39 User Verification Caching extension, see https://github.com/w3c/webauthn/pull/2021
14:34:44 Topic: Payment Request Updates
14:35:31 https://lists.w3.org/Archives/Public/public-payments-wg/2024Feb/0004.html
14:37:35 IJ: Next is CfC
14:38:46 Topic: TPAC 2024
14:38:56 23-27 September in Anaheim, California
14:39:32 IJ: any conflicts people are aware of?
14:40:21 IJ: Default will be M/T for WPWG unless we hear of conflicts.
14:40:48 q+
14:40:56 ack Jean
14:41:11 Jean-Luc: Question related to earlier topic of passkeys and SPC
14:41:45 ...CTAP 2.2 will support 3p bit. Does that have an impact on SPC and synchronization in the cloud?
14:41:57 https://passkeys.dev/docs/reference/specs/
14:42:00 smcgruer_[EST]: I'm not familiar with passkeys being tied to specific CTAP versions
14:42:47 ...platform authenticators can already support 3p bit and sync passkeys (that's the case with Android)
14:43:27 ...I don't think the CTAP version really matters; it's really for roaming authenticators
14:44:27 IJ: What does the API need?
14:44:55 smcgruer_[EST]: "Check if credential is available right now" but that doesn't work for roaming authenticators; spec needs a way to deal with "not available right now but might be"
14:45:53 ...somehow we need to say "if you don't know if the key is available right now; we should still show tx dialog"
14:46:08 ...and add a note that the dialog must allow the user to use a security key.
14:46:47 Rolf: I'd be happy to look into that.
14:47:15 ACTION: Ian to reach out to Rolf to discuss spec support for roaming authenticators
14:47:58 topic: Next meeting
14:48:17 28 March
14:48:20 No meeting 11 April
14:48:38 RRSAGENT, make minutes
14:48:39 I have made the request to generate https://www.w3.org/2024/03/14-wpwg-minutes.html Ian
14:48:42 RRSAGENT, set logs public
14:49:14 MelissaVS has left #wpwg
14:54:01 TallTed has joined #wpwg
14:55:47 Seveant_Yannick has left #wpwg
15:08:04 vasilii has joined #wpwg