13:46:00 RRSAgent has joined #wpwg
13:46:04 logging to https://www.w3.org/2025/04/24-wpwg-irc
13:46:05 Meeting: Web Payments Working Group
13:46:20 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250424
13:46:24 Chair: Ian
13:46:26 Scribe: Ian
13:52:35 Sue has joined #wpwg
13:59:29 present+ Heather_Flanagan
13:59:33 present+ Sue_Koomen
13:59:40 present+ David_Benoit
13:59:47 heatherflanagan has joined #wpwg
14:00:06 present+ Sameer_Tare
14:00:17 present+ Vasilii_Trofimchuk
14:00:17 present+ Heather_Flanagan
14:00:39 vasilii has joined #wpwg
14:00:41 present+ Rogerio_Matsui
14:00:45 present+ Fahad_Saleem
14:00:56 present+ Doug_Fisher
14:01:07 jpm-block has joined #wpwg
14:01:07 agenda+ SPC
14:01:11 agenda+ Charter
14:01:17 agenda+ Next meeting
14:01:25 present+ Gustavo_Kok
14:01:29 present+ Stephen_McGruer
14:01:41 present+ Juan-Pablo_Marzetti
14:01:46 present+ Jeff_Owenson
14:01:49 present+ Ben_Kelly
14:02:53 present+ Ryan_Watkins
14:03:02 present+ Henna_Kapur
14:03:11 Roger has joined #wpwg
14:03:25 present+
14:03:34 rwatkinsma has joined #wpwg
14:04:12 zakim, take up item 1
14:04:12 agendum 1 -- SPC -- taken up [from Ian]
14:04:34 present+ Rouslan_Solomakhin
14:04:58 present+ Laszlo_Gombos
14:06:21 smcgruer_[EST]: We added "isSecurePaymentConfirmationAvailable" to the spec as part of preparing to ship the feature
14:06:52 ...the API returns an enum of reasons the API might not be available.
14:06:59 ...we are looking to ship in the coming milestone
14:07:07 chrome://flags/#enable-secure-payment-confirmation-availability-api
14:07:17 smcgruer_[EST]: Currently available behind a flag
14:07:28 ...this should make it easier for developers to detect SPC.
14:07:34 gkok has joined #wpwg
14:08:03 doug: Is it possible, if SPC is available, to know whether BBK is available?
14:08:37 ...meaning here "the BBK feature"
14:08:55 smcgruer_[EST]: I don't know if we have a consensus yet on whether to support software BBKs.
14:09:07 ...if so, there will always be a BBK.
14:09:49 ...I can see a world where, if only hardware BBKs are supported, people want to know if the feature is available. We'd have to see whether answering that question would reveal more info.
14:10:11 JeanLuc has joined #WPWG
14:10:52 ACTION: Ian to add an issue about whether we need an API to detect BBK feature availability
14:11:33 -> https://docs.google.com/presentation/d/1BIWimgfOF8Z-_vJCpbYJk9lwoo-cOszi6_pT4w9rTCE/edit?slide=id.p#slide=id.p Chrome UX updates
14:12:11 smcgruer_[EST]: We are working on implementation of new features (but final decisions still pending and things may change)
14:12:46 present+ Jean-Luc_di_Manno
14:14:27 smcgruer_[EST]: We introduce a "details" line for the payment instrument
14:15:17 ...we have the "verify another way" link, for the user journey wants to continue, but not using passkeys (as opposed to cancel)
14:15:56 gkok: Looks great. Do you expect to show a specific "how to authenticate" instruction like "fingerprint" or "scan"
14:16:15 smcgruer_[EST]: We will change the instruction depending on the device; this is a Chrome-controlled string
14:16:33 ...if it's Windows Hello, for example, we are likely to talk about using your face
14:16:50 present+ Praveena_Subrahmanyam
14:16:59 Sameer: Agree the UX looks much better.
14:17:08 ...is this the final design that the logos are centered?
14:17:43 smcgruer_[EST]: The current design reflects a lot of feedback; if you have a significant change in mind, let us know
14:18:00 sameer: There would be even more alignment with 3DS if the logos were edge-aligned
14:19:02 smcgruer_[EST]: Regarding payment system logos...we've started to prototype this.
14:19:19 ...we need to make changes to names to make them more generally useful
14:19:29 q+ Fahad
14:20:04 smcgruer_[EST]: There are open questions about icon size / quality?
14:20:38 ...what does Chrome do if the logo is more vertical?
14:20:58 ...we are wondering what it's feasible for a specification to say
14:21:23 ...we may get learnings from 3DS, which has more guidelines
14:21:36 ...some other questions: what happens if 0 or 1 icon are provided?
14:21:42 ...what happens if failure to download?
14:21:49 ...light and dark mode support?
14:22:28 ...how much should the browser validate in advance of the display?
14:23:04 ack Fah
14:23:19 q+
14:23:57 ACTION: Sameer will take the questions to the 3DS Working Group to provide feedback.
14:24:02 ack gk
14:24:25 gkok: I think this is pretty standardized (in the land of card payments)
14:24:45 ...there's always an option to fall back to a generic card
14:25:39 smcgruer_[EST]: At the moment we are thinking if one logo is shown we'll center it. If 0 logos are provided, it's an open question still (whether nothing or placeholder)
14:26:46 gkok: I don't recall the issuer logo being provided...where does it come from?
14:27:08 smcgruer_[EST]: SPC doesn't care itself, but agree we need to make sure the icons are available through the integrations
14:27:46 present+ Arman_Aygen
14:28:28 [We review the new fallback UX]
14:29:13 smcgruer_[EST]: The new fallback sheet looks like the happy path sheet, but with a different button. This supports the goal of multiple output states.
14:30:32 Durkinza has joined #wpwg
14:30:47 q+ What happens if they click on grayed out area? (card form)
14:32:14 ack gkok
14:32:35 gkok: What happens when you click on the grey portion of the screen (under the sheet)?
14:32:52 smcgruer_[EST]: It dismisses (that's standard behavior)
14:33:27 q+
14:33:30 gkok: I suggest for the mock-up using an image that is more authentically 3DS.
14:33:48 ...I'll send one
14:33:54 ack wander view
14:33:59 ack wander
14:34:42 Ben: I've not been here lately; remind me if SPC is tightly coupled with passkeys
14:35:07 smcgruer_[EST]: SPC has, to date, been tightly coupled with passkeys. But things might change.
14:35:39 ...there have been proposals for SPC to not use WebAuthn...some folks have proposed that in lower regulation markets it might suffice to have just a confirmation dialog.
14:35:50 ...or web crypto under the hood
14:36:39 smcgruer_[EST]: Finally re: UX -- we are starting to prototype
14:37:06 present+ Mia_Jamili
14:38:09 smcgruer_[EST]: We expect to have the UX "soon" :)
14:38:14 present+ nicktr
14:38:24 present+ Nick_Telford-Reed
14:38:56 smcgruer_[EST]: We'll be shipping first on mobile and moving to desktop later in 2025 at the earliest
14:39:06 q?
14:39:34 [Browser bound key updates]
14:39:39 https://github.com/w3c/secure-payment-confirmation/pull/286
14:40:44 smcgruer_[EST]: This is close to what we'd like to land as v1. We are just doing refinement to the spec language
14:41:17 ...one of the big outstanding issues is whether we should only be doing hardware bound key
14:41:33 ...initial feedback internally we got about "how it's being stored" we're not going to give that information.
14:41:47 ...are there actual use cases where we absolutely need to know whether it's stored in hardware?
14:42:43 ACTION: Henna to manage a review of the pull request
14:42:59 present+ Sharanya
14:43:37 Ian: Anyone have any input on software-bound keys?
14:43:49 David: What defines "hardware"?
14:44:02 Nick: Remember previous discussions about virtual machines.
14:44:08 Nick: I think it's ok to not provide metadata in v1
14:44:33 q+
14:44:45 ack wan
14:44:59 Ben: How does this relate to the device-bound session credentials proposal?
14:46:06 Ian: DBSC is single-origin and silent; SPC is cross-origin with user interaction
14:46:21 smcgruer_[EST]: We chatted with DBSC about shared infrastructure; they said don't rely on them at this time.
14:48:16 q+
14:50:20 Ian: Any new thoughts on mitigating double step-up?
14:50:48 smcgruer_[EST]: See https://github.com/w3c/secure-payment-confirmation/issues/287
14:52:05 Issue currently just tracks, Chrome needs to add our thoughts on how we could mitigate it
14:53:04 Ian: Any updates on adoption or obstacles to adoption?
14:53:38 q?
14:53:58 Ian: How much does code differ between Android and Windows (for the purposes of 2 implementations)?
14:54:16 smcgruer_[EST]: What changes is UX and how to talk to authenticators. All the plumbing in the middle stays the same.
14:54:40 https://privacysandbox.com/news/privacy-sandbox-next-steps/
14:54:44 smcgruer_[EST]: Also, check this blog post out re: privacy sandbox and 3p cookies
14:55:22 ...we think that current user choice is where we're going to be
14:55:34 ...users can opt out of 3p cookies in privacy settings
14:55:45 ...at this time Chrome does not plan to push more in that direction.
14:55:56 ...there are other activities we do plan to pursue (e.g., masking signals)
14:56:31 zakim, close item 1
14:56:31 I see a speaker queue remaining and respectfully decline to close this agendum, Ian
14:56:34 zakim, take up item 2
14:56:34 agendum 2 -- Charter -- taken up [from Ian]
14:57:22 TallTed has joined #wpwg
14:57:29 Ian: Please send reviews up to 28 April
14:57:57 ...please read the charter and send feedback
14:58:03 NickTR: Yes, please have a look!
14:58:18 zakim, close item 2
14:58:18 I see a speaker queue remaining and respectfully decline to close this agendum, Ian
14:58:21 zakim, take up item 3
14:58:21 agendum 3 -- Next meeting -- taken up [from Ian]
14:58:36 8 May
14:58:49 I have made the request to generate https://www.w3.org/2025/04/24-wpwg-minutes.html Ian
15:00:00 q?
15:00:26 ack me
15:00:30 I have made the request to generate https://www.w3.org/2025/04/24-wpwg-minutes.html Ian