14:02:20 RRSAgent has joined #wpwg 14:02:24 logging to https://www.w3.org/2025/10/23-wpwg-irc 14:02:24 Meeting: WPWG 14:02:24 Chair: Ian 14:02:37 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20251023 14:02:48 present+ Rogerio 14:02:50 present+ NickTR 14:02:52 present+ Ehsan 14:02:55 present+ Dustin 14:02:58 present+ DanP 14:03:00 present+ Sami 14:03:08 present+ Steve_Cole 14:03:09 present+ Zandre 14:03:12 present+ Taskashi 14:03:18 present+ Tomasz 14:03:20 Ehsan has joined #wpwg 14:03:23 present+ David_Benoit 14:03:28 present+ Ashwany 14:03:30 present+ Arman 14:03:39 present+ Mike_Horne 14:03:44 present+ Darwin 14:03:47 present+ Slobodan 14:03:51 present+ Ryan_Watkins 14:03:55 present+ esiok 14:04:03 rwatkins_ma has joined #wpwg 14:04:03 q? 14:04:10 regrets+ Stephen 14:04:13 present+ Shunsuke 14:04:15 present+ Gerhard 14:04:33 https://github.com/w3c/webpayments/wiki/Agenda-20251023 14:04:38 sioked has joined #wpwg 14:04:40 agenda+ payment request 14:04:46 present+ Dwilliams17 14:04:52 agenda+ multiple RPs 14:05:01 https://github.com/w3c/payment-request/issues/1040 14:05:03 zakim, take up item 1 14:05:03 agendum 1 -- payment request -- taken up [from nicktr] 14:05:17 agenda+ recurring payments use case 14:05:23 present+ Albert_Schiabani 14:05:34 present+ Nakjo_Shishkov 14:05:34 agenda+ new double stepup scenario 14:05:34 Albert has joined #wpwg 14:05:37 present+ Ravi_Menon 14:05:38 Rene has joined #wpwg 14:05:54 Dustin: show() aborts with an error in many different user journeys 14:05:57 present+ Nitya 14:06:19 Dustin: For our use case we expose events in two failure cases. But the spec does not give us a great way to do this. 14:06:24 present+ Rene_Leveille 14:06:36 present+ Jorge_Vargas 14:07:04 Dustin: Generally what we are proposing is to distinguish two classes of errors; see the GitHub issue for a proposed solution 14:07:10 Tom has joined #wpwg 14:07:31 Dustin: Some concern is expressed since would be breaking. 14:07:39 ...we are flexible about the mechanism used to facilitate this. 14:08:00 present+ Jean-Luc 14:08:14 Gerhard has joined #wpwg 14:08:23 Slobodan: This resembles work we did in SPC. 14:08:53 Darwin: We have two error codes for different kinds of SPC cancellation. 14:09:22 present+ Nate 14:09:29 present+ Rouslan 14:09:30 present+ 14:10:42 IJ: Is there consensus that the privacy issue has been addressed? 14:10:47 q+ 14:10:55 Dustin: I would say yes; you can do this today ; we just want a more durable approach. 14:10:57 ack Ger 14:11:39 present+ Andlittle 14:11:41 present+ Sharanya 14:11:52 Gerhard: We are will want to get privacy support 14:12:01 present+ Greg_Jopa 14:12:18 present+ Ravi_Menon 14:12:52 present+ ereinstein 14:14:24 q+ 14:14:36 Gerhard: If one error code said "I could run the payment handler" and the other "I couldn't" that would reveal info about the user environment 14:14:56 Nick: I think this is just differentiating "cancel" v "something went wrong" 14:16:03 Dustin: The most common error is a timeout. You can pass details to show (today it's an abort error) 14:16:10 ...anything going wrong with fetching of service worker 14:16:22 ...buyer cancels out of payment by closing the modal 14:17:09 q? 14:17:14 ack nicktr 14:18:44 [Rouslan lets the group know that he has left Chrome Team to move into other areas.] 14:19:29 Rouslan: I've needed to move to other works. I will miss you at TPAC! 14:19:44 Rouslan: I will be in the Google research team 14:21:19 NickTR: Is there support from others for the feature? 14:21:32 ...the GitHub thread suggests that entropy is not changing 14:22:43 ...I hear two proposals from implementers. 14:23:01 IJ: Do others think that we should pursue this change in PR API? 14:23:02 I am supportive of this change. +1 14:23:06 +1 14:23:36 Tom has joined #wpwg 14:23:51 present+ Vasilii 14:24:02 DP has joined #wpwg 14:24:13 Roger has joined #wpwg 14:24:36 +1 to add to the F2F agenda 14:26:15 Topic: SPC 14:27:01 Albert0 has joined #wpwg 14:27:16 Topic: Recurring payments and SPC 14:27:24 Tomasz: This is issue 185 14:27:40 https://github.com/w3c/secure-payment-confirmation/issues/185#issuecomment-3372062838 14:27:58 Tomasz: Recurring payments online are growing quickly, we'd like to add our support for this use case (e.g., subscriptions) 14:28:03 ...but also installments. 14:28:11 ...this would allow us to increase the adoption of SPC 14:29:11 ...the second objective is to leverage the cryptographic binding to include recurrence metadata .... this would give us better data to share with issuers. 14:29:18 ...I think this is a relatively small and easy change 14:29:23 ...to PR API 14:29:31 Z has joined #wpwg 14:29:46 ...I think it could be done either as an addition to the PR API or through an addition to SPC 14:29:50 q+ 14:29:54 ...in the issue I provided in data elements of interest. 14:30:32 ...metadata covers nature of payment, fixed or variable amount, and other metadata 14:31:11 q+ Sharanya 14:31:40 Tomasz: We know that doing UX is challenging 14:32:05 ack Gerh 14:32:12 ack Sh 14:32:55 Sharanya: What data would be given to issuer if customer is not present? 14:33:04 q+ Gerhard 14:33:32 Tomasz: This proposal is not for the whole lifecycle of recurring payments, just to start the first transaction 14:33:53 ...the first transaction is a customer present transaction; when they agree to terms, we will have evidence of consent. 14:33:54 present+ akot 14:33:58 present- akot 14:34:00 present+ akos 14:34:21 Tomasz: This Api will not report to consumer when a recurring payment has happened. 14:34:22 Tom has joined #wpwg 14:34:46 Sharanya: So this is for consent initially 14:35:01 Tomasz: I would not use the phrase "consent"; this is just to capture the information 14:35:18 ...I would use "confirm" 14:35:32 ..how this is handled by the PSP is a different story; this is just a technical facility 14:35:49 ack Ger 14:35:58 Gerhard: +1 for support of recurring payments 14:36:23 ...I'm just looking at one issuer for 3DS. We are getting about 3-4% transactions as recurring. 14:36:40 ...I think ID&V could also be of value as a use case 14:37:01 ...what is the motivation for you of recurring over "add card"? 14:37:43 Tomasz: I don't see use of SPC for add card 14:37:47 q+ 14:38:01 q? 14:38:08 ack me 14:38:34 JL has joined #WPWG 14:39:55 IJ: Who supports experimentation with recurring payments and SPC? 14:40:30 +1 14:40:32 +1 14:40:59 +1 14:41:50 Albert: The motivation for this...are you looking to bolster the merchant's rights in disputes? 14:42:07 Tomasz: Short answer is yes. 14:42:42 ...and improve approval rates. 14:43:36 Topic: Multiple RPs 14:43:37 https://github.com/w3c/secure-payment-confirmation/issues/310 14:44:18 Tomasz: We have a situation where we might have multiple passkeys (e.g, network, issuer, PSP) 14:44:44 ...what we want to do is bind them so that the user can pick one from the available list. 14:45:24 ...we think that chances go up of authentication if multiple passkeys available from multiple RPs can be passed to SPC 14:47:31 Slobodan: Would you want / expect a chooser of credentials? Or is it more desirable fo the browser to just pick one? 14:47:48 Tomasz: We want least friction; so don't ask user. We'd like to provide an ordered list. 14:47:55 ..first match wins. 14:49:02 zakim, take up item 4 14:49:02 agendum 4 -- new double stepup scenario -- taken up [from nicktr] 14:49:15 https://github.com/w3c/secure-payment-confirmation/issues/287#issuecomment-3246173874 14:51:23 Tom has joined #wpwg 14:52:08 IJ: What's the difference between the new scenario and 287? 14:52:18 https://github.com/w3c/secure-payment-confirmation/issues/315 14:53:15 Tomasz: What happens if I create a passkey on one device (e.g., new android device) and I get bbk on that device. then I get a second phone without secure hardware...the passkey is synched to that device, but I don't get ANY bbk on the second device. 14:53:33 ...this is worse because there's no BBK ever, so I am double stepped up every time on that device. 14:54:24 ..so scenarios covered by #315 are (1) unable to store BBK (2) BBK not supported in browser 14:54:52 Darwin: For the first issue (unable to store BBK) we were thinking of providing a signal whether BBKs are available, which would allow you to not have to go through BBKs. 14:55:38 Slobodan: In the "is spc available" API we could add "Is BBK available? 14:56:05 ...another variant is to make BBKs a requirement of the spec 14:56:27 Tomasz: Yes, could add a signal for BBK available 14:56:47 TallTed has joined #wpwg 14:56:51 q+ to ask if passkeys are available on devices without TPMs? 14:57:03 q+ 14:57:41 ack JL 14:58:12 Jean-Luc: Regarding BBK where there is no safe storage...if there is no secure storage, the authenticator won't be able to certify level 14:58:27 ...so there might be step-ups if Level not known 14:58:45 ...or accepted 14:58:50 ...the bank might step up anyway 14:59:10 ack Nick 14:59:10 nicktr, you wanted to ask if passkeys are available on devices without TPMs? 14:59:18 I have made the request to generate https://www.w3.org/2025/10/23-wpwg-minutes.html Ian 14:59:24 https://fidoalliance.org/certification/authenticator-certification-levels/ 14:59:30 I have made the request to generate https://www.w3.org/2025/10/23-wpwg-minutes.html Ian 15:00:01 Ehsan has left #wpwg 15:07:35 Tom has joined #wpwg 15:13:18 Tom has joined #wpwg 15:29:28 Tom has joined #wpwg 15:35:21 Tom has joined #wpwg 15:43:29 Tom has joined #wpwg 15:53:19 Tom has joined #wpwg