13:51:51 <RRSAgent> RRSAgent has joined #wpwg
13:51:55 <RRSAgent> logging to https://www.w3.org/2025/06/05-wpwg-irc
13:51:56 <Ian> Meeting: Web Payments Working Group
13:52:08 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250605
13:52:09 <Ian> Chair: Ian
13:52:11 <Ian> Scribe: Ian
13:52:15 <Ian> agenda+ SPC updates
13:52:21 <Ian> agenda+ Chartering update
13:52:32 <Ian> agenda+ next meeting
13:55:04 <Tomasz> Tomasz has joined #wpwg
13:57:01 <Ian> present+
13:57:01 <Ian> present+ Sami_Tikkala
13:57:12 <Tomasz> present+
14:00:43 <Ian> present+ Jorge_Vargas
14:00:51 <Ian> present+ Steve_Cole
14:01:04 <Ian> present+ Ben_Kelly
14:01:09 <Ian> present+ Bjorn_Hjelm
14:01:13 <Ian> present+ Ehsan_Toreini
14:01:17 <Ian> present+ Kenneth_Diaz
14:01:23 <Ian> present+ Takashi_Minamii
14:01:41 <Ian> present+ Ryan_Watkins
14:01:57 <Ian> present+ Gerhard_Oosthuizen
14:02:52 <Ian> present+ David_Benoit
14:03:05 <Ian> present+ Tomasz_Blachowicz
14:04:07 <Ian> present+ Doug_Fisher
14:04:08 <Ian> present+ Albert_Schibani
14:04:12 <Ian> present+ Henna_Kapur
14:04:22 <Ian> zakim, take up item 2
14:04:22 <Zakim> agendum 2 -- Chartering update -- taken up [from Ian]
14:04:25 <Ian> present+ Roger
14:04:58 <Ian> Ian: Today we started AC review of the proposed WPWG charter (for four weeks)
14:05:18 <Ian> ...please reply to the CFR
14:05:55 <Ian> zakim, take up item 1
14:05:55 <Zakim> agendum 1 -- SPC updates -- taken up [from Ian]
14:06:05 <Ian> present+ Nick_Telford-Reed
14:06:35 <Ian> present+ Arman
14:07:00 <Ian> present+ Sharanya
14:07:13 <Ian> present+ Rouslan
14:07:53 <Ian> Ian: Any updates on whether passkeys can be upgraded?
14:07:57 <Ian> Rouslan: No updates yet
14:08:07 <Ian> Other topics:
14:08:08 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/300
14:08:51 <Ian> present+ Rogerio_Matsui
14:09:18 <Ian> (No reactions to 300
14:09:18 <Ian> present+ Slobodan
14:09:33 <Ian> https://github.com/w3c/secure-payment-confirmation/pull/286
14:09:44 <Ian> Ian: How close are we to merging?
14:10:00 <Ian> Slobodan: Close ; still need one internal review
14:10:04 <Ian> ...should be by around next week
14:10:15 <Ian> https://github.com/w3c/secure-payment-confirmation/pull/296
14:10:21 <Ian> ...296 depends on 286
14:10:49 <Ian> Ian: Any implementations changed based on BBK?
14:10:52 <Ian> Slobodan: No
14:10:55 <Ian> present+ John_Bradley
14:11:55 <slobodan> slobodan has joined #wpwg
14:12:35 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/299
14:14:32 <Ian> Ian: John, can we upgrade a passkey to add the payment extension?
14:14:50 <Ian> John: If we were going to do SPK we would have just done them.
14:15:24 <Ian> ...you'd have to do a trust on first use of supplemental credential
14:15:51 <Ian> ...a goal originally was to be able to use an authentication credential that a bank created as a payment credential
14:17:16 <Ian> present+ Fahas
14:17:17 <Ian> present+ Fahad
14:18:27 <Ian> John: You have to trust the device the first time you see it
14:18:47 <Ian> John: WebAuthn does have the CTAP bit which can be set
14:18:57 <Ian> ...it might be possible for some browsers to return that.
14:19:22 <Ian> ...people are going to have to figure out how to do step-up across devices.
14:19:47 <Ian> ...and cross-platform
14:19:59 <Ian> ...people are going to have to figure out what to do for step-up anyway.
14:20:24 <Ian> ...(CTAP 2.2 supports cross-origin bit)
14:20:30 <Ian> ...where are we with roaming authenticator support?
14:21:08 <Ehsan> Ehsan has joined #wpwg
14:22:07 <Ian> John: In CTAP 2.2 we have caching of credentials. I am checking with NinaS on implementation. She could use a signal that that would be useful for SPC. Right now the reason for doing it is for autofill.
14:23:07 <Ian> Ian: Is caching done at browser level of browser?
14:23:19 <Ian> John: Depends on implementation. Sometimes one sometimes the other.
14:23:57 <Ian> John: It's complicated
14:24:21 <Ian> Ian: Is the bit "widely available"?
14:24:36 <Ian> John: Once 2.2. authenticators ship, yes.
14:24:40 <durkinza> durkinza has joined #wpwg
14:25:18 <Ian> John: Not yet widely publicly available...waiting for authenticator dissemination
14:25:42 <Ian> NickTR: So if the browser has seen a passkey on a roaming authenticator previously, will there be a prompt to insert the authenticator?
14:25:55 <Ian> John: Yes, that's the idea. That UX hasn't been developed yet.
14:26:49 <Ian> ACTION: Ian to ping NinaS at Chrome to mention SPC and roaming authenticators
14:27:58 <Ian> John: On platforms that support this feature...I assume the goal is to support pluggable passkey providers.
14:28:56 <RRSAgent> I have made the request to generate https://www.w3.org/2025/06/05-wpwg-minutes.html Ian
14:29:05 <RRSAgent> I have made the request to generate https://www.w3.org/2025/06/05-wpwg-minutes.html Ian
14:29:13 <Ian> present+ Sue_Koomen
14:30:58 <Ian> (Discussion of passing CTAP bit to browser for pluggable passkey providers)
14:31:57 <Ian> (We discuss some implementation details of information sharing between OS and browser)
14:33:40 <Ian> Topic: Chrome SPC on iOS
14:34:33 <Ian> Rouslan: We are investigating polyfill on Webkit for SPC
14:34:53 <Ian> John: Question is whether the cross-origin bit is passed by iOS so you could use those stored credentials.
14:35:23 <Ian> Rouslan: On iOS would probably use the Chrome WebAuthn passkey implementation and would probably use the secure enclave API for storage.
14:37:08 <Ian> John: The question will be whether the CTAP bit is passed through when a credential is synched between android and iOS
14:37:09 <Ian> Rouslan: Does Chrome Android support passkeys from 3p providers?
14:37:36 <Ian> (Scribe missed the discussion about cross-platform synching)
14:38:00 <Ian> (We have discussion about BBKs bound to stored passkeys from 3p providers)
14:39:28 <Ian> ACTION: Rouslan to find out more about using pluggable passkeys with SPC on Android
14:43:19 <Ian> JohN: If we can get CTAP into 3p passkey providers on one platform, we need to get it out of them on other platforms
14:46:06 <Ian> ACTION: Ian to request time on WebAuthn WG agenda to talk about the (1) CTAP bit synching across platforms and (2) any issues around adding the CTAP 2.2 features / security keys to be used with SPC
14:46:18 <Ian> John: Suggest several weeks advance notice of that agenda
14:47:14 <Ian> Rouslan: Also, we shipped payment request on Android WebView
14:47:20 <Roger> Roger has joined #wpwg
14:47:40 <Ian> ...shipped in web view 156
14:47:48 <Ian> ...we've been in contact with merchants, payment applications
14:48:15 <Ian> John: Does that mean WebAuth generic will work in WebAuthn?
14:48:52 <Ian> Rousan: Merchant chooses with payment application they want via PR API
14:48:57 <Ian> ...but we can't do SPC in WebView
14:49:49 <Ian> (Some discussion about whether WebAuthn works in web views)
14:50:56 <Ian> Ian: What is status of new UX?
14:51:01 <Ian> Slobodan: Still in development
14:51:09 <Ian> zakim, close item 1
14:51:09 <Zakim> agendum 1, SPC updates, closed
14:51:10 <Ian> zakim, close item 2
14:51:11 <Zakim> I see 2 items remaining on the agenda; the next one is
14:51:11 <Zakim> 2. Chartering update [from Ian]
14:51:11 <Zakim> agendum 2, Chartering update, closed
14:51:11 <Zakim> I see 1 item remaining on the agenda:
14:51:11 <Zakim> 3. next meeting [from Ian]
14:51:13 <Ian> actions?
14:51:43 <Ian> zakim, take up item 3
14:51:43 <Zakim> agendum 3 -- next meeting -- taken up [from Ian]
14:51:51 <Ian> 19 June
14:52:05 <Ian> RRSAGENT, make minutes
14:52:07 <RRSAgent> I have made the request to generate https://www.w3.org/2025/06/05-wpwg-minutes.html Ian
14:52:19 <Ian> RRSAGENT, set logs public
16:02:59 <TallTed> TallTed has joined #wpwg