13:59:48 <RRSAgent> RRSAgent has joined #wpwg
13:59:52 <RRSAgent> logging to https://www.w3.org/2025/07/03-wpwg-irc
13:59:52 <Ian> Meeting: Web Payments WG
13:59:53 <Ian> Chair: Ian
13:59:58 <Ian> Scribe: Ian
14:00:11 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250703
14:00:13 <Ian> present+
14:00:18 <Ian> present+ Slobodan
14:00:21 <Ian> present+ Stephen
14:00:26 <Ian> present+ Rogerio_Matsui
14:00:39 <Ian> present+ Kenneth_Diaz
14:00:39 <Ian> present+ Darwin
14:01:06 <Ian> present+ Darwin_Yang
14:01:14 <Ian> present+ Leigh_Garner
14:01:17 <Ian> present+ Ben_Kelly
14:01:23 <Ian> present+ Fahad_Saleem
14:01:26 <Ian> present+ Doug_Fisher
14:01:56 <takashi> takashi has joined #wpwg
14:02:04 <takashi> present+
14:02:12 <Ian> present+ Sami_Tikkala
14:02:18 <Ian> present+ Gerhard_Oosthuizen
14:02:37 <Ian> present+ David_Benoit
14:03:00 <Rene> Rene has joined #wpwg
14:04:09 <Ian> present+ Nakjo_Shishkov
14:04:11 <Ian> present+ Henna
14:04:16 <Ian> present+ Rene_Leveille
14:04:21 <Ian> present+ Steve_Cole
14:04:32 <Ian> present+ Jean-Luc_di_Manno
14:05:06 <Ian> present+ Ehsan_Toreini
14:05:14 <Ian> topic: Charter update
14:05:22 <JL> JL has joined #WPWG
14:06:05 <Ian> present+ Albert_Schibani
14:06:38 <Ian> present+ Tomasz_Blachowicz
14:07:15 <Ian> present+ John_Bradley
14:07:30 <Ian> Topic: Next meeting
14:07:36 <Ian> 17 July
14:07:39 <Ian> Topic: SPC issues
14:07:46 <Ehsan> Ehsan has joined #wpwg
14:07:52 <Roger> Roger has joined #wpwg
14:07:52 <Ian> https://github.com/w3c/secure-payment-confirmation/issues
14:09:44 <Tomasz> Tomasz has joined #Wpwg
14:10:00 <Tomasz> +present
14:10:07 <Ian> ====
14:10:08 <Ian> * API features (#56, #65, #157, #274, #287, #288, #290, #300)
14:10:08 <Ian> * Dependency on Web Authentication (#12, #98, #124, #174, #187, #253, #260, #273, #278, #299)
14:10:08 <Ian> * New use cases (#34, #185, #186, #276)
14:10:08 <Ian> * Detailed specification issues (#269, #302)
14:10:09 <Ian> * Other (#266)
14:10:10 <Ian> ====
14:12:51 <KennethEntersekt> KennethEntersekt has joined #wpwg
14:13:33 <Ian> IJ: Would something like this be helpful?
14:13:38 <Ian> Bjorn: Good first step
14:13:42 <Ian> Doug: Yes
14:14:15 <LG> LG has joined #wpwg
14:14:45 <Ian> ACTION: Ian to start to label SPC issues in terms of topics
14:15:00 <Albert> Albert has joined #wpwg
14:15:03 <Gerhard> Gerhard has joined #wpwg
14:15:13 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/299
14:17:13 <Ian> IJ: If passkey without extension is used, will they get a BBK at authentication time?
14:17:16 <Ian> Slobodan: Yes
14:17:44 <Ian> Ian: That raises the 2-step-up issue
14:17:51 <Ian> John: But that's up to the RP; they only step up if they care.
14:18:01 <Ian> ..you can do trust on first use with other analytics
14:18:25 <Gerhard> q+
14:18:28 <Ian> present+ Nakjo_Shishkov
14:18:51 <Ian> John: It's up to the bank to decide what they want to do with the credential.
14:18:57 <Ian> ack Ger
14:19:26 <Ian> Gerhard; The BBK might be extra in some places, but might be considered more important from a regulatory perspective in Europe.
14:19:55 <Ian> John: Banks are going to be prepared to do some sort of step-up anyway.
14:20:46 <Ian> ...you can't assume there will only be one BBK ever
14:21:41 <smcgruer_[EST]> +1
14:21:45 <Ian> (We discuss the function of the "cross origin" flag)
14:22:06 <Ian> John: Reiterating...we conflate payments and cross-origin.
14:22:48 <Ian> Stephen: John is correct; the web authentication extension is called "payment" which has a boolean that says 'for payments". But at the FIDO CTAP level, there's only a "3p usage" bit, but not a boolean for payments.
14:22:53 <Ian> ...today those are conflated.
14:23:03 <Ian> ...on certain platforms, they are also used for "can you do SPC at all"?
14:24:50 <Ian> Stephen: If we introduce a bit that is just about "payments" (not 3p usage) that implies that a credential without that bit should not be allowed with SPC.
14:25:08 <Ian> ...that means there's not path for an RP to use a passkey without the bit with SPC.
14:25:46 <Ian> ...today we are in a split world. But if move to a world that you have to opt-in to SPC when you create your passkey, that will change what can be done.
14:26:01 <Ian> John: And it would mean breaking CTAP.
14:26:06 <Ian> ...so for hybrid, you are out of luck
14:28:37 <Ian> John: We had originally imagined that all credentials would be usable within SPC, and only the ones with the CTAP bit would be usable by 3ps.
14:29:10 <Ian> Gerhard: The bank can still decide whether it accepts the credential.
14:29:43 <smcgruer_[EST]> q?
14:29:57 <smcgruer_[EST]> q+
14:30:24 <Ian> ack smcgruer_[EST]
14:30:55 <Ian> smcgruer_[EST]: To my knowledge, the original motivation for the 3p bit being opt-in was that RPs (not payment RPs) that they didn't want their credentials being used with SPC EVEN IF you can't do anything with them.
14:31:07 <Ian> ...so we made the CTAP bit opt-in
14:31:32 <Ian> ...the hope (long ago) was that the credential listing API make it possible to do this in a 1p context. (Immediate mediation)
14:31:56 <Ian> ...secondly, we assumed platform authenticators would be able to store the CTAP bit.
14:32:07 <Ian> ...but the world we are currently in is complicated:
14:32:17 <Ian> * On Android google password manager offers both, but
14:32:31 <Ian> * The General password provider ecosystem does not.
14:32:46 <Ian> John: That's because they haven't been able to use the 3p bit
14:33:01 <Ian> smcgruer_[EST]: Yes, for the bit, but the other bit is the credential liaising API.
14:33:12 <Ian> Rene: I think it's more the architecture on Android rather than permissions.
14:33:18 <Ian> present+ Max_Crone
14:33:54 <Ian> John: On Windows, there is an API just for doing this. On Android, need to discuss getting the list both for autofill and SPC.
14:34:02 <Ian> ...it sounds like there's a general Android API issue
14:34:10 <Ian> ..and then the payment bit would ride along with that solution.
14:34:37 <Ian> smcgruer_[EST]: Windows Hello today does have credential listing API and 3p bit; it's up to us to use them.
14:35:36 <smcgruer_[EST]> ... but in the near future they're adding third-party payment providers, and we don't know if they will support credential listing and 3p bit
14:36:09 <Ian> John: At the WebAuthn layer, the bit controls whether a credential is available to a 3p
14:36:29 <Gerhard> q+
14:38:15 <Ian> Ian: Question is whether SPC supports 1p usage of credentials without payment extension set.
14:38:21 <Ian> ack Gerhard
14:40:13 <Ian> (We look in detail at merchant-initiated and issuer-initiated SPC with credentials with/without bit set)
14:41:02 <Ian> Gerhard: Bank has a 2x2 matrix:
14:41:06 <Ian> * Can it be used for payments?
14:41:13 <Ian> * Can it be used cross origin?
14:44:03 <Ian> Ian propose:
14:44:16 <Ian> * SPC supports credentials without bit set by RPs
14:44:30 <Ian> * When no bit set, BBK is returned only at authentication time (not registration time)
14:44:37 <Rene> +q
14:45:02 <smcgruer_[EST]> https://w3c.github.io/secure-payment-confirmation/#steps-to-silently-determine-if-a-credential-is-available-for-the-current-device
14:45:06 <Ian> smcgruer_[EST]: We need the credential listing list API for that to work.
14:45:26 <Ian> smcgruer_[EST]: We need to determine whether a credential is immediately available.
14:46:03 <Ian> Rene: The current listing Apis at least on Android leave the decision of showing credentials to the authenticator. Today all these use cases work for 1p (even if the payment bit is not passed)
14:46:20 <Ian> ....theoretically we could support SPC today without much work if it's a 1p flow
14:46:26 <smcgruer_[EST]> q+
14:46:30 <Ian> Rene:...the issue for us would be cross origin
14:46:36 <Ian> ack smcgruer_[EST]
14:47:09 <Ian> smcgruer_[EST]: I do not know the cred management ecosystem in detail. But there are two steps in SPC (1) Are any credentials passed in available? (2) Signing
14:47:25 <Ian> ...the first step is where SPC decides to take the user through authentication flow or the fallback flow.
14:48:01 <Ian> ...my understanding is that in today's credential management ecosystem, passkey providers might not respond even if they have the credential.
14:48:40 <Ian> Rene: That's part of the larger discussion. When cred man receives a request, it will fire it off to all the configured passkey providers (including built-in) and each authenticator decides which credentials it has stored that meet the requirements of that authentication request.
14:49:13 <Ian> ...in the case for SPC where you are listing the credentials, it's essentially the same thing. We will see the WebAuthn request (depending on 1p, bit set, etc.).
14:49:22 <Ian> ...and we can return credential id and metadata.
14:49:29 <Ian> ..and the browser would see that list and present it.
14:49:55 <Ian> John: The problem is that SPC kind of developed without a deep understanding of how the API was implemented on iOS and Android
14:50:12 <Ian> ..in theory what should be happening is part of the "do you have credential for my needs?" request that goes to the passkey provider
14:50:41 <Ian> ...the Web Authn client knows whether this is a cross-origin context.
14:51:02 <Ian> ..the way it works on Windows (for autofill UX)...you have webauthn.dll give back a list of credentials for the RPID.
14:51:55 <Ian> ...since SPC is currently bypassing (I think) the Windows API...Chrome is likely skipping the step the other passkey providers are doing (a pre-query)
14:52:16 <Ian> ....we'd have to adjust the impedance mismatch between the way SPC is currently implemented on Android and how the passkey providers are implemented on Android.
14:52:54 <Ian> ..if we were to do that, the passkey providers would need to understand the extension, be able to set the bit, and do the computation
14:53:14 <Ian> ..the current flow is (I think): SPC gets list of all credentials, and the browser does the filtering.
14:54:24 <Ian> ...but the way Android and iOS APIs work, some of the filtering logic is done by the passkey providers.
14:55:00 <Ian> ...from a privacy POV you probably want the authenticator doing the filtering.
14:56:07 <Ian> John: Immediate mediation is also coming up
14:56:19 <Ian> ...assuming it happens, it will have the same problem as SPC
14:57:53 <Ian> smcgruer_[EST]: You can have an SPC payment extension "give me a BBK even if payment bit is not sent"
14:58:10 <Ian> ...this would be "normal passkey but BBK set at registration time" option.
14:58:45 <Ian> Ian: And that key would only be available through SPC and ONLY through 1p use cases.
14:58:58 <smcgruer_[EST]> { payment: { isPayment: true, forThirdPartyPayment: false } }
14:59:53 <Ian> Rene: My understanding is that something like that would only work in a 1p case (issuer-initiated)
15:00:03 <smcgruer_[EST]> this would give you a 'normal' WebAuthn credential, but with a BBK created+associated+passed-back
15:01:24 <RRSAgent> I have made the request to generate https://www.w3.org/2025/07/03-wpwg-minutes.html Ian
15:01:55 <Ian> RRSAGENT, set logs public
15:02:04 <Ian> Rene: I suggest Chrome talk to the Android Team!
15:02:07 <RRSAgent> I have made the request to generate https://www.w3.org/2025/07/03-wpwg-minutes.html Ian
15:02:13 <Ian> RRSAGENT, set logs public
15:12:53 <Ian> RRSAGENT, make minutes
15:12:54 <RRSAgent> I have made the request to generate https://www.w3.org/2025/07/03-wpwg-minutes.html Ian
15:13:00 <Ian> RRSAGENT, set logs public
15:13:09 <Ian> RRSAGENT, bye
15:13:09 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2025/07/03-wpwg-actions.rdf :
15:13:09 <RRSAgent> ACTION: Ian to start to label SPC issues in terms of topics [1]
15:13:09 <RRSAgent>   recorded in https://www.w3.org/2025/07/03-wpwg-irc#T14-14-45