13:52:09 RRSAgent has joined #wpwg 13:52:13 logging to https://www.w3.org/2025/08/14-wpwg-irc 13:52:15 Meeting: Web Payments Working Group 13:52:38 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20250814 13:52:43 Chair: Ian 13:52:45 Scribe: Ian 13:52:49 agenda+ SPC updates 13:52:52 agenda + TPAC 2025 13:53:01 agenda+ Next meeting 28 August 13:58:39 present+ David_Benoit 13:58:51 present+ Rogerio_Matsui 14:00:11 present+ Ben_Kelly 14:00:26 present+ Bjorn_Hjelm 14:00:33 Takashi has joined #wpwg 14:00:34 present+ Daniel_Wyckoff 14:00:52 present+ Fahad_Saleem 14:00:59 present+ Takashi_Minamii 14:01:31 present+ Stephen_McGruer 14:01:47 present+ Steve_Cole 14:02:04 present+ Darwin_Yang 14:02:05 daniel-wyckoff has joined #wpwg 14:02:57 present+ Kenneth_Diaz 14:02:57 Roger has joined #wpwg 14:03:08 present+ Tomasz_Blachowicz 14:03:19 present+ Vasilii_Trofimchuk 14:03:24 present+ Henna_Kapur 14:03:36 present+ Arman_Aygen 14:04:09 present+ Ryan_Watkins 14:04:34 present+ Michael_Horne 14:04:38 present+ Sameer_Tare 14:04:47 Arman has joined #WPWG 14:04:50 present+ Jean-Luc_di_Manno 14:04:56 Steve_C has joined #wpwg 14:05:05 zakim, take up item 1 14:05:05 agendum 1 -- SPC updates -- taken up [from Ian] 14:05:24 Ian: any updates on timing for desktop support of BBKs and UX? 14:05:28 smcgruer_[EST]: Late 2025 or early 2026 14:05:34 present+ Gustavo 14:05:43 present+ Gerhard_Oosthuizen 14:05:53 present+ Nakjo_Shishkov 14:06:02 smcgruer_[EST]: hope to show at least one desktop to show off at TPAC 14:06:20 ...we also want to talk about iOS 14:06:36 ...we think there's a path for supporting chrome on iOS but plan to say more concretely at TPAC. 14:07:38 present+ Ehsan_Toreini 14:07:59 Henna: When you are doing the feasibility study on iOS, what are the options under consideration? 14:08:04 present+ Rene_Leveille 14:08:17 Rene has joined #wpwg 14:08:20 smcgruer_[EST]: We looked first at landing patches directly to Webkit but have not received responses. 14:08:41 ...we then started looking at creating a shim in Chrome on top of WebKit 14:08:50 ...and I think the latter path has more likelihood of success. 14:08:58 Ehsan has joined #wpwg 14:09:25 -> https://github.com/w3c/secure-payment-confirmation/blob/main/authenticators-and-spc.md Authenticators and SPC 14:09:35 JL has joined #WPWG 14:10:50 present+ Sue_Koomen 14:12:11 Bjorn: How would you like to get feedback? 14:13:07 ACTION: Ian to open an issue regarding prioritization (and mention pull requests for the doc) 14:14:39 -> https://github.com/w3c/secure-payment-confirmation/pull/311 UX guidelines documentation pull request 14:15:01 smcgruer_[EST]: We ported information from the issue into a standalone document. 14:15:41 vasilii has joined #wpwg 14:17:05 ACTION: Daniel to review the UX documentation for SPC 14:17:24 ACTION: Bjorn to have someone from the Yubico UX team review it. 14:18:00 smcgruer_[EST]: There are mockups in the repo that don't use company names 14:19:56 (Checking on progress to revise presentation to focus on high assurance login) 14:20:06 Jean-Luc: Might refocus on requirements 14:21:15 -> https://github.com/w3c/secure-payment-confirmation/issues/287 Ameliorate the need for re-authentication upon re-creating BBKs 14:22:35 Ian: Any updates on the conversation about reducing double step-up? 14:23:49 smcgruer_[EST]: We are still thinking about the issue that was raised (slowdown due to holidays) 14:24:37 fahad: No updates from my side either, but this appears more to be a "DOS" type attack. Still haven't figure out how to resolve it yet. 14:25:31 -> https://github.com/w3c/secure-payment-confirmation/issues/310 Support for multiple RPs in the Payment Request API for SPC 14:26:08 fahad: When you call PR API today to call SPC, you can pass multiple credential ids, but they are all linked to the same RP. 14:26:26 ...the question is whether credentials from multiple RPs could be provided as input 14:27:27 Ryan: We're also looking at the "allow BBK" solution 14:27:39 ...this might provide an interface opportunity here as well 14:28:53 Ian: Could this be addressed by serializing the request (and just having one UX either fallback or authentication)? 14:29:07 smcgruer_[EST]: The problem is not at the SPC (browser implementation) layer. 14:29:46 ...in the world where we have the ability to list credentials we can pick the first match. 14:32:29 Ian: Why would it be "worse" to iterate over RPs? 14:32:48 smcgruer_[EST]: Imagine the user has deleted some passkeys and we don't know that because of browser caching. 14:33:19 ...so we call for RP1. In theory, the browser could go to RP, but the user would see a *second WebAuthn* credential. 14:34:20 present+ Sharanya 14:35:48 Henna: I think you are right; we need to think about how to structure the ask to WebAuthn 14:36:14 ...the browser figuring out what credentials are available is a better path 14:36:39 ..also, we have a "related origins" concept. Could that help? 14:37:15 Ryan: It is probably not related origins. This is likely a use case where entities are very different. 14:37:23 https://github.com/w3c/webauthn/wiki/Explainer:-Related-origin-requests 14:40:26 Ian: Is there value in presenting the payments use case to drive feature evolution? 14:41:07 ...e.g., payments use case to drive listing (also used for immediate mediation) 14:41:37 zakim, take up item 2 14:41:37 agendum 2 -- TPAC 2025 -- taken up [from Ian] 14:47:08 (We skim the candidate agenda items0 14:47:24 zakim, take up item 3 14:47:24 agendum 3 -- Next meeting 28 August -- taken up [from Ian] 14:47:54 28 August 14:47:59 RRSAGENT, make minutes 14:48:00 I have made the request to generate https://www.w3.org/2025/08/14-wpwg-minutes.html Ian 14:48:02 RRSAGENT, set logs public 14:57:16 TallTed has joined #wpwg