13:57:45 RRSAgent has joined #wpwg
13:57:49 logging to https://www.w3.org/2025/06/19-wpwg-irc
13:58:03 Tomasz has joined #wpwg
13:58:09 Meeting: Web Payments Working Group
13:58:23 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250619
13:58:23 Chair: Ian
13:58:29 regrets+ Praveena
13:58:34 Scribe: Ian
13:59:12 agenda+ SPC Updates
13:59:16 present+ Ian
13:59:19 present+ Tomasz
13:59:36 present+ Rouslan
13:59:58 present+ David_Benoit
14:00:09 present+ Rogerio_Matsui
14:00:14 present+ Bjorn_Hjelm
14:00:17 present+ Sue_Koomen
14:00:36 present+ Gustavo_Kok
14:00:56 regrets+ Fahad
14:01:16 present+ John_Bradley
14:01:26 present+ Stephen
14:01:30 present+ Slobodan
14:01:41 present+ Albert_Schibani
14:01:46 present+ Kenneth_Diaz
14:03:02 ----
14:03:02 https://www.w3.org/2025/06/05-wpwg-minutes.html#ActionSummary
14:03:16 present+ sgothoskar
14:03:31 Sue has joined #wpwg
14:04:26 present_ Nick_Telford-Reed
14:04:27 Ehsan has joined #wpwg
14:04:33 present+ Nick_Telford-Reed
14:04:34 Ian: I reached out to Nina; currently not hearing support for cached credentials
14:04:42 present+ Ehsan_Toreini
14:05:36 smcgruer_[EST]: A question is to support roaming authenticator support in SPC without cached credentials; it becomes a UX topic in the fallback UX.
14:05:48 ..."we didn't find any credentials want to plug in a roaming authenticator"?
14:06:00 John_Bradley: There's also the case where the roaming authenticator is plugged in.
14:06:07 smcgruer_[EST]: Agreed.
14:06:47 Ian: What would implementation impact be to support present roaming authenticators?
14:07:09 smcgruer_[EST]: There'd be some work to check if they are connected.
14:07:19 John: That will likely be different on each platform.
14:07:27 present+ Henna_Kapur
14:09:09 John_Bradley: Roaming authenticators also includes "hybrid"
14:09:25 ...there's not a clear differentiation from hardware keys
14:09:31 present+ Jean-Luc_di_Manno
14:10:13 (Regarding "passkey providers" on Android)
14:10:23 Rouslan: Not yet; let's see SPC adoption trends
14:11:45 John_Bradley: We need to understand the roadmap to get more interest from WebAuthn WG
14:11:57 ...the special authenticator built into Chrome; is that currently synching?
14:12:21 q+
14:12:23 rouslan: Every OS is different from Chrome's perspective, so may need a more specific question.
14:12:44 slobodan: An Android...GPM will sync SPC between 2 Android devices
14:13:04 John: On Android, where are passkeys stored? GPM or Chrome?
14:13:12 smcgruer_[EST]: In a secure enclave
14:13:29 ...the only place we store passkeys in Chrome is macOS
14:13:53 John: So you are using GPM for other ones, it's just that things that use the passkey provider API get to GPM?
14:14:33 smcgruer_[EST]: SPC on Android talks directly to GPM. On Windows we use Windows Hello (which is soon to become a many passkey provider situation). On MacOS we use the Chrome profile authenticator (one of 3 options on MacOS)
14:14:45 ...every platform now has many platform authenticators.
14:15:01 JL has joined #WPWG
14:15:12 NickTR: Can you describe Chrome password manager v. Google password manager? Are they the same thing?
14:15:38 smcgruer_[EST]: They should be the same thing, except on MacOS ... Chrome has a legacy passkey storage as well as a GPM
14:15:45 present+ Gerhard
14:16:14 q+
14:16:19 Ian: What documentation do we need for all this?
14:16:31 John: Maybe a matrix so that people who are deploying this understand where credentials will sync?
14:16:37 ack Tom
14:16:53 Tomasz: It would be good to document this.
14:17:29 ...can you say more about iOS
14:17:37 rouslan: The secure enclave would be used for the BBK.
14:17:49 ...what exactly will be used for the passkey portion is still a bit up in the air.
14:18:21 Ian: Would Chrome team be able to put this together?
14:18:33 smcgruer_[EST]: Yes, we can. What should be an RP's expected model from SPC?
14:19:00 John: There should be "caveats" regarding credential exchange (at least for those marked cross-origin)
14:20:06 Action: smcgruer_[EST] to put together a matrix of currently supported platform authenticators per platform.
14:20:47 Ian: Would be good to know for BBKs as well.
14:21:00 John: For BBK it probably needs to be what the platform is and where it would be on that platform.
14:21:29 ...whereas for passkeys it's who the passkey provider is and if cross-origin flag is synched across platforms.
14:21:48 Topic: Implementation update from Chrome
14:23:24 slobodan has joined #wpwg
14:23:34 smcgruer_[EST]: Lots of great work from Chrome Team on this. SPC for Chrome on Android is ready
14:23:58 ...if you turn on a set of flags you get BBKs, support for UX, payment entity logos, payment instrument details, etc.
14:24:06 ...Canary 139
14:25:36 (We see a demo)
14:28:24 q?
14:28:26 ack nicktr
14:28:55 (We see a new "no matching credential" screen)
14:30:09 (We see demo showing one payment entity logo)
14:31:01 (We see a demo showing no payment entity logos)
14:31:44 smcgruer_[EST]: Goal is to ship everything in M139. Stable would be released around 5 August.
14:32:13 ...this will be an experiment-controlled rollout, but our goal is 100% of stable mid-to-late-August. So Pilots in Sep/Oct would be possible.
14:32:20 ...if you want to test, easiest is to locally set the flags on your device
14:33:00 (No questions)
14:33:09 smcgruer_[EST]: Future plans
14:33:24 q+
14:33:26 ...M140 we hope to confirm the securePaymentConfirmationAvailability API (we have a small issue to fix)
14:33:41 ...also Testdriver APIs for testing BBKs and new fallback flow
14:34:06 ...TBD (but soon): ship same UX changes and BBKs on desktop (Windows, MacOS)
14:34:12 ...we are starting development now
14:34:19 ...still under investigation: SPC on iOS
14:34:23 ...feasibility study to start
14:34:43 John: Regarding iOS you mean Chrome on iOS
14:34:46 smcgruer_[EST]: Yes
14:35:16 jean-luc: Will these changes be available in custom tabs?
14:35:20 smcgruer_[EST]: yes.
14:35:26 ...not Webviews yet.
14:35:55 jean-Luc: So I will be able to trigger SPC from a native app through custom tabs?
14:35:57 smcgruer_[EST]: Yes.
14:36:47 [Rouslan shows PR API support]
14:37:46 rouslan: Update on availability of PR API and handlers on different systems
14:37:51 (Rouslan shows a matrix)
14:38:11 Rouslan: Note support in WebView
14:38:52 Note that Apple Pay is supported in all browsers on iOS through PR API
14:41:48 Note that Google Pay available on Android through Webview since M137
14:45:22 (For other payment apps on Android, they are native apps and connect to PR API through native Android API pay intent)
14:45:59 IJ: is there any interest from these payment app providers on additional adoption through PH API on other platforms?
14:46:34 Rouslan: Besides Google Pay there's a small number of other (Web-based) payment handlers; I don't think we track those
14:46:46 ...but the biggest PH is Google Pay
14:47:23 smcgruer_[EST]: I saw a recent PH demo from a payment service provider; pretty exciting but it was just a demo
14:47:56 Ian: Any roadmap for PR or PH at this time?
14:48:09 q?
14:48:14 ack JL
14:48:22 Topic: Open issue review
14:48:28 https://github.com/w3c/secure-payment-confirmation/issues
14:49:50 https://github.com/w3c/secure-payment-confirmation/issues/98
14:49:57 IJ: What's the latest on immediate mediation?
14:50:01 ...in WebAuthn
14:50:20 John: We are currently evaluating the proposal for immediate mediation.
14:50:31 ...that is intended to allow for better UX in theory
14:50:38 ...if there's no credential immediately available
14:50:44 ...based on an allow list.
14:50:53 ...the RP gets an error and can pop up alternative dialogs
14:51:00 ...there are still privacy discussions.
14:51:12 ...but it seems to be likely to go ahead (that would be my guess)
14:51:33 IJ: What does that suggest to SPC folks at Chrome?
14:51:47 smcgruer_[EST]: One important question is SPC is cross-origin
14:51:51 ...that may have more privacy implications.
14:52:03 ...is immediate mediation supposed to work inside of a cross-origin iframe?
14:52:34 John: I believe it would. The cross-origin iframe would need to be loaded from the other origin with permission
14:52:57 smcgruer_[EST]: I think that if there are cases where an RP is using an iframe with its own SPC credential, we should follow WebAuthn
14:53:39 slobodan: Does immediate mediation imply supplying allows credential IDs?
14:53:56 John: Yes, I believe it requires them but I'd need to check.
14:54:20 smcgruer_[EST]: I thought it was the opposite (no credentials provided) but that can be thwarted easily
14:54:56 smcgruer_[EST]: You could see a future where, if you are doing SPC with your own context, you can do that (with immediate mediation)
14:55:20 https://github.com/w3c/secure-payment-confirmation/issues/184
14:55:54 smcgruer_[EST]: The size has increased slightly with the UX, but may not merit clean closing of the issue. This is also an implementation issue.
14:56:15 https://github.com/w3c/secure-payment-confirmation/issues/254
14:56:50 IJ: Did that make it into the fallback UX discussions?
14:57:05 smcgruer_[EST]: In my mind, it does not make sense to have a timeout now that it's a confirmation dialog.
14:57:21 ...separate question of whether we should support AbortController.
14:57:42 smcgruer_[EST]: I will put a comment in that one and close it
14:58:06 https://github.com/w3c/secure-payment-confirmation/issues/274
14:58:21 smcgruer_[EST]: At this time it's still supported (in the new UX).
14:58:40 ...at this moment we've not made a decision to drop from the spec, but to my knowledge nobody is using this at this time.
14:59:29 Ian: Let's leave in for now as we get more adoption.
15:00:10 topic: Meeting time
15:00:28 Ian: Can we move one hour later to align with WPSIG?
15:00:43 Gerhard: My preference would be to use this time slot instead of the WPSIG slot
15:01:11 +1 for Gerhard's point
15:01:39 John: If we move the slot to an hour later, it will conflict with the FIDO technical WG and you'll lose my contribution
15:02:07 RRSAGENT, make minutes
15:02:08 I have made the request to generate https://www.w3.org/2025/06/19-wpwg-minutes.html Ian
15:02:10 RRSAGENT, set logs public