00:48:22 RRSAgent has joined #wpwg
00:48:26 logging to https://www.w3.org/2025/11/11-wpwg-irc
00:48:27 Scribe: Ian
00:48:27 takashi has joined #wpwg
00:48:35 RRSagent, this meeting spans midnight
00:50:59 DP has joined #wpwg
00:50:59 jcayzac has joined #wpwg
00:50:59 present+
00:51:00 Rene has joined #wpwg
00:51:02 present+
00:51:03 present+
00:51:05 present+
00:51:07 Jonathan has joined #wpwg
00:51:08 timcappalli has joined #wpwg
00:51:11 nakjo has joined #wpwg
00:51:11 raginpirate has joined #wpwg
00:51:12 sidvishnoi has joined #wpwg
00:51:13 present+
00:51:14 Gerhard has joined #WPWG
00:51:14 willmorgan has joined #wpwg
00:51:15 lychee has joined #wpwg
00:51:15 present+
00:51:16 vasilii has joined #wpwg
00:51:21 present+
00:51:21 martin_alvarez has joined #wpwg
00:51:23 present+
00:51:33 present+
00:51:41 present+
00:51:42 Vanitha has joined #wpwg
00:51:42 present+
00:51:42 shuji has joined #wpwg
00:51:42 present+
00:51:42 Keith has joined #wpwg
00:51:44 Roger has joined #wpwg
00:51:45 Kavya has joined #wpwg
00:51:46 Jason has joined #wpwg
00:52:03 tomasz has joined #wpwg
00:52:36 Present+
00:52:50 SameerT has joined #wpwg
00:52:58 present+
00:53:08 fahadMastercard has joined #wpwg
00:53:17 present+
00:53:46 takashi has joined #wpwg
00:54:02 present+
00:54:14 Topic: Payment Request
00:55:34 Ian: Any Payment Request implementation or adoption updates
00:56:03 Ian: How has it been using PR API to get to ApplePay?
00:56:21 Nick_S: Good! We have soft deprecated ApplePay.js. We are no longer adding new features to it.
00:56:24 takashi9 has joined #wpwg
00:56:25 HeatherF has joined #wpwg
00:56:32 Albert has joined #wpwg
00:56:40 ...one example is that we now support disbursements. We are only adding support to PR API and not the proprietary API
00:56:48 ...I expect over the next year we will start to further deprecate it.
00:56:57 plh has joined #wpwg
00:57:02 ...we support ApplePay on other browsers through a polyfill.
00:57:11 q+
00:57:12 ...we like payment request and think it's good
00:57:24 ack smcgruer_[EST]
00:57:44 benoit has joined #wpwg
00:57:48 present+
00:57:57 smcgruer_[EST]: If I understand, the ApplePay experience on Chrome on MacOS is a QR code. Any desire to use PH API?
00:57:58 steele has joined #wpwg
00:58:01 nick_S: We are interested.
00:58:05 present+
00:58:23 Anna has joined #wpwg
00:58:34 Nick_S: At least some of my colleagues. We may also have an opportunity with digital credentials to take a more generic approach.
00:58:42 taki has joined #wpwg
00:59:11 Nick_S: Apple Pay is also supported on some headless devices; we are interested in exploring handoff options.
00:59:47 smcgruer_[EST]: From our side, we shipped native payment handlers for web views. If a web view host opts in, to enable the user of payment handler API
00:59:50 Padmanabhan has joined #wpwg
01:00:37 ioana has joined #WPwg
01:00:37 Cathy (Meta): In the Facebook browser we can now support PR; experiment was wildly positive. Conversions increased a good amount.
01:01:17 mt_hates_irc has joined #wpwg
01:01:33 ...you click on a link in the Facebook app, and payment request can be used instead of a JS implementation
01:01:47 ...seeing Google Pay without PR API took a minute to log in...it was not a good UX
01:01:55 ...but with PR API, checkout happened within 20 seconds.
01:02:14 smcgruer_[EST]: This is using the open payment handler stack; this would work with any payment handler
01:03:09 alexs has joined #wpwg
01:03:10 Ian: Any PH API news?
01:03:11 q+
01:03:11 present+
01:03:16 agektmr4 has joined #wpwg
01:03:25 smcgruer_[EST]: Shopify sought input PH API in interop 2026
01:03:56 smcgruer_[EST]: Interop 202X is an open submission where anyone can submit what they consider to be an interop issue on the Web
01:04:13 ...this effort has been, IMO, amazingly successful
01:04:28 Jorge has joined #WPWG
01:04:32 ...we've seen interop scores go up across browsers.
01:04:38 ..there is a proposal process.
01:05:14 NickTR: Who hosts this?
01:05:26 Martin_Thompson: This is under "Web Platform Tests" auspices.
01:05:30 https://wpt.fyi/interop-2025
01:05:57 Martin_Thompson: The goal is to get close to 100% agreement across tests.
01:06:15 ...if something like this (PH API) makes it, it will improve interoperability
01:06:43 ack heath
01:06:46 q+
01:07:15 present+
01:07:18 present+
01:07:20 ack lychee
01:07:26 present+
01:07:26 gkok has joined #wpwg
01:07:37 present+
01:07:45 yigu has joined #wpwg
01:07:47 Ehsan has joined #wpwg
01:07:50 s/Thompson/Thomson/
01:07:57 Cathy: The original question was about "payment handlers": what we found for PR API, sometimes when a PH exists, sometimes it's blocked. We had to get on an allow list.
01:08:15 ...if you are a payment handler and you're not on our allow list, talk to me.
01:08:22 smcgruer_[EST]: That's a choice of the app distributor
01:08:27 q?
01:08:42 NickTR: Those are native apps.
01:08:45 ack G
01:09:19 Gerhard: I'm excited to hear about interop (2026). I've heard people say "Come back to me when browser X supports this"; it seems like a way to motivate interoperability.
01:09:26 https://wpt.fyi/interop-2025
01:09:54 https://web.dev/blog/interop-2026-proposals
01:10:02 Gerhard: Do we have timelines?
01:10:02 https://github.com/web-platform-tests/interop/blob/main/2026/selection-process.md
01:10:33 rbyers: This is not a mechanism to get someone to do something they don't want to do. It's a means to get signals; vendors make their own decisions.
01:10:41 smcgruer_[EST]: But it is a good venue to indicate interest.
01:11:16 rbyers: Look for news (blog post) later this year.
01:11:52 PLH: Mike Smith is our link to WPT and interop
01:11:54 tomasz has joined #wpwg
01:12:45 [WPT finds its origin at TPAC 2009: https://www.w3.org/2009/11/TPAC/DevMeeting]
01:13:05 agektmr_ has joined #wpwg
01:13:10 https://github.com/web-platform-tests/interop/issues lists the open proposals
01:13:21 agektmr4 has left #wpwg
01:13:44 -> https://github.com/w3c/payment-request/issues/1040 Improved error codes
01:13:59 smcgruer_[EST]: The request for improved error codes (from PayPal)
01:14:08 steele has joined #wpwg
01:14:17 ...my recollection is that there might be some privacy concerns; I don't think so.
01:14:30 ...but we need to make sure it does not break things in an implementation.
01:15:20 nickTR: There are two proposed directions (1) feature detection (2) specific error code
01:15:29 Sami has joined #wpwg
01:15:44 ...my sense was that Marcos' suggestion had less potential to be a breaking change
01:16:05 armanaygen has joined #WPWG
01:16:21 smcgruer_[EST]: At first glance, I lean towards Marcos' approach.
01:17:33 Ian: Any TAG perspectives here?
01:18:04 Martin: Under normal circumstances, adding error codes is an ok thing to do; people should expect that understanding evolves.
01:18:27 ...but also, software will typically break.
01:18:38 ...respond to the screaming that you will hear
01:18:41 q?
01:19:05 Sami has joined #wpwg
01:19:48 Action: smcgruer_[EST] to sync up with Marcos to try to sync up on 1040.
01:20:13 Takashi has joined #wpwg
01:20:38 Ian: Any opportunity to connect PR API to new digital wallets?
01:20:40 Nick_S: Yes.
01:20:40 q+
01:21:10 ...as I mentioned yesterday, DC API will allow any credential manager to plug into it
01:21:10 fahadMastercard has joined #wpwg
01:21:12 ...those implementations are shipping
01:21:39 ...it seems like there's an opportunity to combine the many years of work we put into PR API to handle complex checkout flows (e.g., price negotiation based on contact info)
01:21:39 q-
01:21:46 ...with this extensible system for credentials.
01:22:07 ...it would be very unfortunate if we ended up in a place where there was use of DC API for payments
01:22:09 jcayzac has joined #wpwg
01:22:23 ...we should schedule some time in the future to see how we can bring these two APIs together in a combined flow.
01:22:23 q+
01:22:25 q?
01:22:30 ack Gerhar
01:22:38 q+
01:22:39 q+
01:22:50 Gerhard: Are we proposing that a Payment Request do its thing then invoke DC API?
01:23:07 nick_S: That's one option, but I am thinking that DC API might be a standardized payment method that can be used within PR API
01:23:13 q+
01:23:14 ...there may well be other things we want to do
01:23:15 q+
01:23:21 ...e.g., auxiliary claims could fit into that flow
01:23:37 ...a good example might be phone number. PR API allows you to query phone number.
01:23:55 ...so you may want to get a payment credential and a phone credential; you may need an API that allows you to get multiple credentials.
01:24:03 ...this would allow you to fall back gracefully.
01:24:15 ...suppose a wallet supports digital credentials and can return a 3DS cryptogram
01:24:36 ...if you are on an older browser, you could say "I also support these other payment methods" and have graceful fallback
01:24:49 ack tomasz
01:24:52 tomasz: I think this is an interesting idea, especially since PR API has a lot of support for payment use cases.
01:25:07 ...what DC API is lacking these days is to provide a structured context for payments, which we have (more or less) in PR API
01:25:20 q-
01:25:22 willmorgan has joined #wpwg
01:25:24 ...the way we think about digital credentials goes beyond web
01:25:29 ...PR API is just for the web.
01:25:33 q?
01:25:38 ...the platforms have implemented their APIs natively
01:26:17 nick_S: The DC API is also a web standard. I'm not saying you wouldn't have native integrations, it's more that we want web sites to have access.
01:26:19 ack timcappalli
01:26:45 timcappalli: We need to chat sooner rather than later about what this would look like for developers.
01:26:57 ...e.g., simple use case for PR API, more sophisticated UX with DC API
01:27:05 armanayg_ has joined #WPWG
01:27:19 Sean has joined #wpwg
01:27:19 ...the original idea with DC API was to have a type attached to the request; but that's been offloaded to the protocol
01:27:20 ack mt_hates_irc
01:27:28 timcappalli has joined #wpwg
01:27:54 MartinT: One of the things that's interesting here is that there's pushback on use of DC API for privacy reasons. The TAG does not want to see people refusing to do business unless they get access to identity information
01:28:11 ...the considerations that apply on the DC side will apply even more in payments.
01:28:16 q+
01:28:30 ack nick
01:28:34 q+
01:28:46 nickTR: Nick_S made an interesting point about digital credentials as a payment method.
01:29:14 ...but my instinct would be that PR API provides context, and DC API would be an extension point to respond to a payment request.
01:29:59 q?
01:29:59 timcappalli: Think of DC as a format.
01:30:09 q+
01:30:28 q+
01:30:32 timcappalli: DC API is the entry point for the developer. After that there's plumbing that can hold credentials.
01:30:54 lychee has joined #wpwg
01:31:01 q+
01:31:10 nickTR: I share the TAG's concerns generally about barriers that are presented by doing identity
01:31:30 ...but age verification is often required in a regulatory environment.
01:31:39 q?
01:31:49 q+
01:32:07 q-
01:32:18 ack rbyers
01:32:31 rbyers: This is an interesting discussion about PR API and DC API
01:32:44 ...it was core to design of DC API that it be one-shot (not bi-directional)
01:32:56 ...so we'd have to do some work to understand how they relate
01:33:16 ...PR API does not require a user interaction in the same way DC API does
01:33:21 q?
01:33:24 ack fahadMastercard
01:33:50 fahadMastercard: I think connecting these is a good idea. I think we need to solve for the .create use case for payments
01:33:50 q?
01:33:54 zakim, close the queue
01:33:54 ok, Ian, the speaker queue is closed
01:34:05 ack tomasz
01:34:16 Ash has joined #WPWG
01:34:25 tomasz: Regarding digital credential-as-payment method... I would think we'd need the type of credential as a payment method
01:34:29 q?
01:34:43 q+
01:34:51 ack nick_s
01:35:02 vasilii has joined #wpwg
01:35:33 nick_S: I think merchants often want all the buttons visible....
01:35:38 +1
01:35:59 ...NickTR's Finland example is a good example of where we should be using DC API....selective disclosure should be done with DC API
01:36:09 +1
01:36:10 ...I look forward to continuing the conversation
01:36:16 q?
01:36:22 @tomasz that's the point that I was trying (inelegantly) to make - payment methods represent a more granular request for a specific kind of credential
01:36:45 Velvizhi has joined #wpwg
01:37:03 Topic: Facilitated payment links
01:41:31 (smcgruer_[EST] presents slides)
01:41:58 smcgruer_[EST]: Browser can ignore the payment links flow; the merchant still needs a backup flow (e.g., QR code)
01:43:14 Shipping in Chrome since July 2025
01:43:22 ...There are 7 wallets supported by Chrome
01:43:42 ...our page loads are increasing rapidly
01:44:11 ...there's a lot of demand for this for non-EU / North Am markets
01:44:36 (We see demos)
01:46:16 q?
01:46:55 q+
01:47:04 zakim, open the queue
01:47:04 ok, nicktr, the speaker queue is open
01:47:08 q+ gkok
01:49:10 q?
01:50:31 Yasu4 has joined #wpwg
01:50:42 timcappalli has joined #wpwg
01:51:44 taki has joined #wpwg
01:52:50 nick_s has joined #wpwg
01:52:56 Lee: Do we need (yet another) API to go from Web to native app?
01:54:00 nina has joined #wpwg
01:54:24 q+
01:54:40 vasilii has joined #wpwg
01:55:25 timcappalli has joined #wpwg
01:55:41 smcgruer_[EST]: Why a new front end? We are hearing from merchants they won't build a JS integration. They are saying no to PR API. They are willing to drop an HTML link on their page.
01:56:10 ...we cannot solve for generic payment protocols today; nowhere to host manifest so we went with intents for the moment
01:56:46 q-
01:56:49 Marcos: At a high level, the use case is interesting.
01:56:59 ...but I question some of the design decisions.
01:57:31 ...why do you need a link relationship to duplicate data (for the QR use case)
01:57:37 ...why not just label the image?
01:57:41 smcgruer_[EST]: That makes sense.
01:58:40 nakjo has joined #wpwg
01:59:08 Martin: I'm concerned about resolution of these URLs
01:59:13 ...you have data URLs in there potentially loading UI which could be an attack vector
01:59:26 ...in the DC API we wrote up why custom URI schemes is not a good idea
01:59:39 smcgruer_[EST]: Do you have a suggestion for doing this declaratively in a way that would be good?
01:59:47 ...we heard one idea to use data URLs
02:00:07 Martin: The Web site uses a custom scheme that the browser recognizes, and the browser knows how to turn those things into a payment request (to a first approximation)
02:00:11 ...that's a resolution process.
02:00:18 ..you are not specifying a resolution process here.
02:00:33 ...if these were HTTPS URLs, they would be interoperable
02:00:54 smcgruer_[EST]: For the ones that are entity-specific, yes, we should fix custom scheme issue
02:01:11 ...but for a generic protocol that anyone can answer, how do you solve the decentralized use case?
02:01:36 timcappalli has joined #wpwg
02:01:37 The doc Marcos referenced: https://github.com/w3c-fedid/digital-credentials/blob/main/custom-schemes.md
02:02:10 Martin: Don't make the browser know how to handle proprietary schemes.
02:02:31 ...different browsers might have different understandings, and we'd not get interop
02:02:51 ...you'd get an inconsistent user experience
02:03:09 tomasz has joined #wpwg
02:05:19 q?
02:06:09 Idea: Map this to PR API if possible
02:06:26 vasilii has joined #wpwg
02:07:01 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html nicktr
02:08:29 benoit_ has joined #wpwg
02:23:15 armanaygen has joined #WPWG
02:26:59 topic: Payments in Japan
02:27:13 Note: The first presentation from Morimori will remain Member visible upon his request.
02:27:18 vasilii has joined #wpwg
02:33:49 nick_s has joined #wpwg
02:35:07 DP has joined #wpwg
02:36:02 Morimori: I want to cover three topics today - phishing resistant MFA in Japan; selfie-matching only eKYC is being obsoleted
02:36:06 timcappalli has joined #wpwg
02:36:07 ....Digital identity guidelines
02:36:11 taki has joined #wpwg
02:36:37 armanaygen has joined #WPWG
02:38:54 [Scribe will cover discussion but not the slides]
02:38:57 q?
02:39:00 ack gk
02:40:19 ann has joined #wpwg
02:40:21 ioana has joined #wpwg
02:40:29 Shuji has joined #wpwg
02:41:32 gkok has joined #wpwg
02:41:57 benoit__ has joined #wpwg
02:42:13 elkurin has joined #wpwg
02:42:14 q?
02:42:15 q+
02:42:21 ack gkok
02:42:29 ack gkok
02:42:39 Gustavo: You mentioned the focus is on financial services. Is there more strict guidance possible as well to providers?
02:43:58 Morimori: Countermeasures from the government is to implement DMARC with reject as well as phishing resistant MFA. It's not mandated, for all parties, but other parties are following suite.
02:44:00 s/suite/suit
02:44:22 q+
02:44:22 Gustavo: Customers may not understand why it's important to use passkeys. What is happening to educate users?
02:44:33 Morimori: Good question; I will need to think more about that.
02:44:43 q-
02:45:04 Cip: For payments authentication, is phishing resistant MFA going to happen?
02:45:04 nakjo has joined #wpwg
02:45:06 Morimori: More on that in a moment
02:47:30 Morimori: Regarding identity proofing, ... there has been traditional eKYC (selfie matching only)
02:47:30 ...but companies are seeing lots of attacks through fake ID cards.
02:47:44 ...so the trend in Japan is to use IC Chip-equipped id cards
02:47:44 ...so the goal is to obsolete selfie-matching only eKYC
02:54:48 (in 2024-2025)
02:54:52 JPKI and its capabilities on a smartphone
02:54:52 ....MyNumber Card on iPhone became available in June 2026
02:54:52 s/2026/2025
02:54:52 "d payment" application allows to do identity proofing
02:54:52 Morimori: Digital Agency recently published the DS-511 digital identity guidelines
02:54:52 ...is a normative requirement as of 30 September 2025
02:54:52 ...there are three authentication levels
02:54:52 ...the user must be able to choose phishing resistant MFA (with passkeys as an option)
02:54:52 q
02:54:52 q+
02:54:52 ack Ger
02:54:52 Gerhard: Thank you for the presentation. In Europe we've seen definitions for SCA that may not align exactly with the implementation of passkeys.
02:54:52 ..e.g., one example we've spoken about is device binding
02:54:52 ...can you say more how Japan has defined MFA, and are there specifics (e.g., key lengths, device binding)
02:54:52 Morimori: DS-511 defines normative guidelines.
02:54:52 ....but there will be supplemental guidelines that explain what phishing resistance means
02:54:58 Gerhard: Will it be device-bound?
02:54:58 willmorgan has joined #wpwg
02:54:58 Morimori: Synched passkeys were a controversial discussion
02:54:58 ...personally I think synched passkeys really help
03:06:26 RRSAgent has joined #wpwg
03:06:28 logging to https://www.w3.org/2025/11/11-wpwg-irc
03:08:14 NickTR -- note that RRSAgent dropped at 21:54:46. (I've invited the bot back.) Some IRC loc and/or minutes patching will be needed. (I don't know who your staff contact is. They can help.)
03:08:22 ...open banking in API
03:08:59 [11:55] Morimori: With my NTTDoCoMo hat on I am driving to implement passkeys with 3DS
03:08:59 [11:55] q?
03:08:59 [11:55] * Zakim sees no one on the speaker queue
03:08:59 [11:55] Cip: As of April 2025 there are also other rules in Japan.
03:09:00 [11:56] [Takashi Minamii from JCB]
03:09:01 [11:56] TM: JCB covers Amex and Discover in Japan
03:09:02 [11:57] ...the Japan payment landscape is complex.
03:09:04 [11:58] ...JCB is trying to implement digital wallet with selective disclosure
03:09:06 [11:59] ...in Japan, Credit card remains the primary payment method
03:09:08 [11:59] ...QR code payments have grown significantly
03:09:12 [11:59] * nina (~nina@6b13c2d6.publics.cloak) has joined #wpwg
03:09:14 [11:59] ...mostly for public transportation payments
03:09:16 [12:00] ...but combined share of e-money and QR code payments is approaching 50% on a transaction count basis
03:09:19 [12:00] ...heavily skewed to small-value payments
03:09:21 [12:01] [Slide on merchant discount rate]
03:09:23 [12:01] TM: There are no caps on MDR or IRF
03:09:25 [12:01] * nick_s has quit ("My Mac has gone to sleep. ZZZzzz…")
03:09:27 [12:02] * nick_s (~textual@6c65f1b9.public.cloak) has joined #wpwg
03:09:29 [12:03] ...in Japan, two companies handle card processing: CAFIS and CARDNET
03:09:31 [12:03] * Albert (~Albert@6b13c2d6.publics.cloak) has joined #wpwg
03:09:33 [12:05] * taki has quit ()
03:09:35 [12:05] ...IPR overlap: "Cotra" exists, but only for P2P remittance
03:09:37 [12:06] ...Confirmation of Payee is so ubiquitous that Japanese people don't even think about it
03:09:39 [12:06] * RRSAgent (rrsagent@16081354.team.cloak) has joined #wpwg
03:09:43 [12:06] logging to https://www.w3.org/2025/11/11-wpwg-irc
03:09:45 [12:08] NickTR -- note that RRSAgent dropped at 21:54:46. (I've invited the bot back.) Some IRC loc and/or minutes patching will be needed. (I don't know who your staff contact is. They can help.)
03:09:48 [12:08] ...open banking in API
03:09:50 TM: Alternatives to write-access APIs - real time direct debiting service
03:13:28 TM: Stable coin and CBDC
03:16:06 q?
03:16:22 TM: Situation similar to other countries; no decisions yet on CBDC's
03:17:15 NickTR: What is driving the proliferation of choice in payment methods in Japan?
03:17:57 TM: I think one initiative came from public transportation industry.
03:18:22 ...Japanese authorities started a push towards cashless payments, using QR codes
03:18:35 ...many service providers used QR codes as a prototype for new payment methods
03:19:05 Rogerio: There are even more options for online commerce
03:19:41 ...companies like to push their products and, after a while, public consensus leads to convergence
03:19:49 ...but there are often competing activities
03:19:50 q?
03:19:53 q?
03:20:26 [Rakuten on Ecommerce in Japan]
03:21:03 takashi has joined #wpwg
03:21:22 [Julien introduces Rakuten]
03:21:52 Julien: We have services on almost every continent.
03:22:13 ... about 1/3 of the Japan population are customers
03:22:29 ... we have internet services
03:22:35 ... but expanded to travel
03:22:40 ... now have a big fintech segment
03:23:23 ...our loyalty program (common in Japan) is very important.
03:23:44 ...rakuten points are important; it's not cash-back. 1 point is worth 1 JPY
03:24:31 ...the more services of ours you use, the more points you get when you do a transaction
03:25:15 ...Japan is moving towards a cashless society
03:25:36 ...Japan has set a goal of 80% of transactions by 2030
03:25:48 s/2030/2035/
03:25:58 ...in 2024, 40% were cashless
03:26:19 ..."cash" here excludes bank transfers.
03:26:53 ...checks never took off in Japan because bank transfers have been common for 50 years
03:27:38 [We see a diagram of what it means to pay with Rakuten Pay]
03:27:56 ...we offer a POS device for in-person payments
03:28:30 q+ Does settlement gateways = Information Processing Center?
03:28:34 ...people can use a variety of payment apps; they show a QR code or NFC; it is scanned by POS device, goes to Rakuten Pay backend then on to processing
03:28:53 q+ dp to ask about settlement gateways
03:29:38 ...for online transactions, for external merchants we have "Rakuten Pay Online" which is based on traditional web flows
03:30:36 (DanP asks a clarifying question about IPCs)
03:30:38 ack DP
03:30:38 dp, you wanted to ask about settlement gateways
03:31:20 Julien: The JPQR standard is a registry of payment providers that can provide QR codes
03:31:35 ..there's no fixed length in the QR code, but prefixes are standardized
03:32:07 ...I've seen similar ideas in other Asian countries.
03:32:29 ...QR code helps indicate where processing should happen
03:33:05 ...POS payment methods at a glance topics include: credit/debit, domestic QR codes, foreign payment apps, e-wallets
03:33:30 ...QR code payments are not cross-border
03:34:09 Cip: Are these payment methods via Google Pay and Apple Pay?
03:34:18 q+
03:34:18 Julien: In my experience they are not really used.
03:34:26 Cip: Is there a more common alternative?
03:34:33 Julien: no, no platform-specific thing
03:34:46 ...but phone manufacturers can provide wallets
03:34:55 Cip: Do you know why this is?
03:35:21 Julien: Maybe low need to provide same thing through new mechanism.
03:36:19 [More discussion about complexity of card support for Apple Pay]
03:36:24 ack Nick_S
03:36:43 nick_S: Apple Pay and Google Pay work differently if you are a resident of Japan.
03:37:24 ...we used to ship phones specifically for Japan.
03:37:28 q?
03:38:26 Nick_S: transit agencies only accept domestic issued cards (similar in other Asian countries)
03:38:34 ...so you may not be able to top up
03:39:19 (We see some slides showing Rakuten pay experience)
03:42:31 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
03:43:15 Julien: We have a mini app ecosystem to extend Rakuten Pay. Right now, just for 1p apps, but we are opening up to 3p apps.
03:44:10 ...we would love for our merchants to be able to use Payment Request, but we cannot be accepted ...
03:44:16 q+
03:44:34 ... when we embed merchants in our pay, we do so in WebView
03:44:53 ...we are also doing some plumbing with fetch request to skip some screens when we are embedded in our own super app, but it's not ideal
03:44:59 ...facilitated payment links might help us out
03:45:25 ...what we really want to offer merchants is a unified experience between usage from a web, and the experience when they are embedded in our super app
03:45:37 ...we have some user onboarding challenges
03:45:57 ...eKYC has historically not been a good experience.
03:46:05 ...some consolidation is happening via MyNumber card
03:46:11 Rene has joined #wpwg
03:46:17 ...but what about visitors traveling from another country?
03:46:42 ...related to eKYC is "risk rating"
03:46:49 ...we collect lots of signals
03:47:07 ....we are also evaluating verifiable credentials
03:48:54 martin_alvarez has joined #wpwg
03:50:09 q+
03:50:17 Morimori: Agree that visitors without My Number should have payment security.
03:50:42 ack Gerhard
03:50:49 q+ Gerhard
03:50:51 ack nicktr
03:51:09 NickTR: I get that payment handler not supported through WebKit. You could use it with Chrome, however.
03:51:24 Julien: But merchants will have to do things 2 ways
03:51:37 NickTR: You can do feature detection to fail gracefully
03:51:54 Julien: Yes, we can implement fallbacks
03:52:09 q?
03:52:13 ack Gerhard
03:52:14 q+
03:52:37 Gerhard: Is your main hurdle the API or lack of interoperability?
03:52:43 Julien: Lack of interoperability
03:52:55 smcgruer_[EST]: Should Payment Request just have a fallback concept?
03:53:08 Julien: Our fallback is Web Navigation
03:53:39 smcgruer_[EST]: Google has a bundle...these bundles take care of a million things and run JS in your domain. You do this because merchants won't do the updates themselves.
03:53:45 ...is there something we could be doing here?
03:54:08 Gerhard: We could build a polyfill for a Payment Handler
03:54:26 smcgruer_[EST]: Maybe there's a "standardized" polyfill with a predictable fallback.
03:54:37 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
03:54:43 +1 to the idea of polyfill
03:57:22 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
04:00:19 armanaygen has joined #WPWG
04:18:13 armanaygen has joined #WPWG
04:37:30 benoit__ has joined #wpwg
04:42:00 armanaygen has joined #WPWG
04:50:20 benoit__ has joined #wpwg
05:00:27 armanaygen has joined #WPWG
05:00:41 taki has joined #wpwg
05:02:22 benoit_ has joined #wpwg
05:05:21 q?
05:05:25 q- smcgruer_[EST]
05:12:45 timcappalli has joined #wpwg
05:13:04 Takashi has joined #wpwg
05:13:44 nick_s has joined #wpwg
05:13:58 Topic: Follow up on SPC from yesterday
05:16:13 DP has joined #wpwg
05:17:03 taki has joined #wpwg
05:17:14 RRSAGENT, make minutes
05:17:15 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
05:17:24 RRSAGENT, set logs public
05:17:26 nakjo has joined #wpwg
05:18:57 armanaygen has joined #WPWG
05:20:06 Jason has joined #wpwg
05:21:18 Roger has joined #wpwg
05:27:20 Topic: DBSC Update
05:27:31 DanRubery: I work on Chrome on DBSC
05:27:40 q?
05:28:03 DanRubery: We originally designed this to mitigate cookie-theft
05:28:18 alexs has joined #wpwg
05:29:06 (DanR walks through DBSC overview)
05:29:39 Shuji has joined #wpwg
05:29:41 DanR: We designed this around a "log in" session but it doesn't have to be for login
05:29:58 ...the configuration includes a set of bound cookies that must be included for in-scope requests.
05:30:24 ...if the request misses one of the bound cookies ..... if the cookie is expired we do a refresh and sign a challenge from a server
05:30:31 ...and the server replies with a fresh cookie.
05:30:48 ....deferral ensures that most of the app doesn't have to think about what happens when proofs have expired.
05:31:35 steele has joined #wpwg
05:31:43 Gerhard: An example would be a registration journey. You ask the customer to re-authenticate themselves
05:31:45 JL has joined #WPWG
05:32:00 ...can you retire a cookie before a registration session?
05:32:54 DanR: If 3p cookie is blocked, we don't do a refresh
05:33:09 ...also, no support for partitioned cookies (yet?)
05:33:27 ...we've received requests for DBSC-specific permissions prompts, for example.
05:33:39 Sean has joined #wpwg
05:33:47 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
05:33:53 q?
05:34:06 DanR: Partitioned cookies would let you set a different value of the cookie for each top-level site.
05:34:26 ...if your 3p content is within different top-level sites, you'd see different values in those contexts.
05:34:31 Kavya has joined #wpwg
05:34:38 ...good for privacy, but DBSC also needs to partition to not create privacy issues.
05:34:42 Padmanabhan has joined #wpwg
05:34:53 DanR: Chrome does not plan to provide TPM attestation.
05:35:01 ...non-revocable identifiers are bad
05:35:27 sidvishnoi has joined #wpwg
05:35:46 DanR: We have some other discussions on extensions related to cross-site single sign on
05:35:55 timcappalli has joined #wpwg
05:36:00 taki has joined #wpwg
05:36:06 ...it's hard to transfer these security properties cross-site
05:36:21 Vanitha has joined #wpwg
05:36:26 ...we have one solution right now which is sharing the key directly.
05:36:39 ...webauthn has a related feature called "related origin requests"
05:36:45 ...but this does not scale well.
05:36:54 ...we have some proposals based on attestation keys
05:37:03 ...those proposals are focused on enterprise use cases.
05:37:24 ...Chrome is running an origin trial today on this
05:37:32 ...we expect to ship in February 2026
05:37:36 q?
05:37:46 q?
05:37:52 Gerhard: Any way in which you can figure out when you might do partitions?
05:38:05 DanR: It's not planned today but if you file a bug on the spec, we can discuss
05:38:50 @@: What is the platform support for this?
05:38:56 DanR: Our current implementation is Windows only
05:39:03 ...Mac implementation is in-progress
05:39:23 ...mobile is a pending topic...mobile OS have fewer issues that this would address.
05:39:46 DanR: The origin trial -- any 3p can register to try it out, but only .5% of page loads can use it
05:39:57 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
05:40:38 Albert has joined #wpwg
05:41:12 Gerhard has joined #wpwg
05:41:22 NickTR: Is there a way to provide access both to the merchant top-level origin and the iframe?
05:41:24 jcayzac has joined #wpwg
05:41:29 DanR: What does the merchant need to know?
05:41:40 NickTR: They don't need the key, just that the issuer has authenticated the user
05:42:07 q+
05:42:20 DanR: Assuming the user has not blocked 3p cookies, the iframe can access its 1p state. And so the issuer could message to the top origin
05:42:49 q- SameerT
05:43:31 Topic: SPC next steps
05:43:53 lychee has joined #wpwg
05:43:58 timcappalli: I have three quick slides on immediate mediation
05:44:45 timcappalli: This is not yet in WebAuthn (but hopefully close)
05:45:27 timcappalli: There are mobile flows (blocking dialog), conditional UI (autofill UI).
05:45:34 ...this is a third mediation mode.
05:45:41 Takashi has joined #wpwg 05:45:47 ...the goal is to enable a seamless fallback when a passkey is not immediately available 05:45:54 ...."immediately available" means "available on the device" 05:46:27 ...the feedback we've received is that RPs prefer the user logging in quickly 05:46:49 ...if no immediately available credentials, API fails with an error code and you can redirect the user to a fallback login 05:46:58 ...it does require a user interaction (click a button) 05:47:23 ....you cannot pass in a list of credential IDs. It's important to not be able to probe the device to see which credentials are available. 05:47:36 [We see a video of an immediate mediation flow] 05:48:19 [We see code for how to set the mediation mode] 05:48:26 q+ 05:48:59 gkok has joined #wpwg 05:49:13 timcappalli: We imagine a cascade of options (e.g., password, fedcm) before fallback 05:49:24 ioana has joined #wpwg 05:49:28 Lee: This is by far the most deployed mode. 05:49:36 ack G 05:49:38 q+ 05:49:46 Gerhard: If there were two passkeys, would I first see both? 05:50:15 timcappalli: If you have two accounts, there's a selector. If there are two passkeys for the same account, probably frecency 05:50:48 Gerhard: The question for SPC ... by the time SPC arrives, either the card on file or the person typing in a PAN has chosen their card and there's a passkey linked to it. 05:50:57 ...how can we work around the idea of not allowing credentials. 05:51:07 q+ 05:51:27 q- 05:51:39 timcappalli: SPC could be an exception; but a problem would be if there's no dialog 05:52:02 q+ 05:53:25 ack gkok 05:53:35 q+ 05:53:53 Ash has joined #WPWG 05:54:20 Gustavo: Suppose I am asking the issuer: "do you have credentials". Is there some way to have a time-bound way to probe those credentials for a domain. 05:54:31 ...so that I can try to get a slightly better experience. 05:54:33 Gerhard has joined #wpwg 05:54:42 ...would something like that be possible?
05:54:52 taki has joined #wpwg 05:55:04 timcappalli: I can't think of a way to do that without opening avenues for abuse. 05:55:06 q? 05:55:35 smcgruer_[EST]: I hear the use case is "you could have brought the issuer into the 3p but didn't" 05:55:44 ...you want to delegate the RP's origin 05:55:48 q? 05:56:05 Gustavo: This would only be with the issuer's permission 05:56:25 q? 05:56:36 Nishant: Across multiple issuers? 05:56:42 Gustavo: No, just one issuer. 05:56:59 ...is there something we could do to limit probing? 05:57:07 timcappalli: We want to prevent probing. 05:57:25 ...you need the user's permission, not the RP's permission 05:57:56 smcgruer_[EST]: The RP is "the enemy" for this particular threat scenario. 05:58:07 tomasz has joined #wpwg 05:58:20 ...imagine the user has created a passkey and you (e.g., as a government) are trying to find this person 05:58:37 ...and you start probing for that user among all users that visit your site. 05:58:42 q? 05:59:01 vasilii has joined #wpwg 05:59:03 ack Jason 05:59:29 q+ 05:59:36 Jason: Can you delegate authentication? 05:59:39 nakjo has joined #wpwg 05:59:40 timcappalli: By default, no. 05:59:49 Jason: Does the error say "no passkey found"? 05:59:51 Sami has joined #wpwg 06:00:08 https://github.com/WICG/capability-delegation for delegating user activation 06:00:09 timcappalli: No, it's a predefined WebAuthn error. It is very clear what the scenario is, however. 06:00:11 q+ 06:00:12 s/authentication/activation 06:00:16 Sami2 has joined #wpwg 06:00:19 ack Ni 06:00:37 Capability delegation (passing a user activation down to an iframe): https://github.com/WICG/capability-delegation 06:00:37 Shuji has joined #wpwg 06:00:43 nick_s: I don't think we can solve this and fix the privacy problem. The problem is that this information is valuable and so abuse is inevitable. 06:00:43 Sami7 has joined #wpwg 06:01:09 nick_s: There are merchants who are malicious; we need to be careful about revealing information about the user.
06:01:15 Sami0 has joined #wpwg 06:01:46 DanP: Are errors aligned with signals API? 06:01:52 timcappalli: they are distinct 06:01:53 ack gkok 06:01:55 ack DP 06:02:13 gkok: I understand that passing credential does not work. Is there a way to achieve cross-domain with no list? 06:02:14 Sami has joined #wpwg 06:03:00 JorgeV has joined #wpwg 06:03:01 JohnB: But that would be a worse privacy issue...I could see if a user has a credential from another origin. 06:03:14 Jason: Could the request be signed by the RP? 06:03:32 Lee: DCP! 06:03:57 q+ 06:04:11 zakim, close the queue 06:04:12 ok, Ian, the speaker queue is closed 06:04:27 ack Gerhard 06:04:45 Gerhard: I guess there are cases where you might want to use SPC in the RPs domain. 06:04:57 ...so an issuer could use this 06:05:32 smcgruer_[EST]: We could do this in a 1P context 06:06:19 ...we will not do immediate mediation with an allow list. 06:07:04 smcgruer_[EST]: This was one of the reasons we moved away from the credential-per-payment-instrument. 06:09:49 Action: Jason to write up an issue for SPC to do immediate mediation in a 1p context without an allowList 06:10:10 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 06:10:46 Action: Jason to write up an issue for SPC to do immediate mediation in a 3p context without an allowList 06:10:56 Vanitha has joined #wpwg 06:11:45 Roger has joined #wpwg 06:12:02 Henna: We identified some themes that SPC could do based on how it works today. Here's a list of ideas: 06:12:15 1) We discussed immediate mediation 06:12:26 2) Some sort of eligibility check -- is BBK supported in this browser? 06:12:39 smcgruer_[EST]: I suspect that should be fine. I need to check privacy position 06:13:10 ACTION: Stephen to look into viability of BBK support check 06:13:25 smcgruer_[EST]: Is user-verifying platform authenticator generally true if there's no strongbox? 
06:13:32 timcappalli: Not related 06:14:09 tomasz has joined #wpwg 06:14:19 3) We want two ways to do SPC -- with passkey authentication, and the confirmation only path (without user verification) 06:14:40 ...a proposal is that if you want passkey it's the default, but if you don't you ask for uv = discouraged. 06:14:48 q+ 06:14:55 ...and then you get two signed payloads, but no UX for the passkey 06:14:58 zakim, open the queue 06:14:58 ok, Ian, the speaker queue is open 06:14:59 zakim, open the queue 06:15:00 ok, nicktr, the speaker queue is open 06:15:03 q+ 06:15:04 q+ nick_s 06:15:18 re: 2) check #315 https://github.com/w3c/secure-payment-confirmation/issues/315 06:15:31 nick_s: User verification discouraged does not guarantee you won't get a UX 06:15:36 q+ 06:15:41 ...the browser can ignore that. 06:15:42 ack nick 06:15:44 ack Gerhard 06:15:45 ack nick_s 06:16:15 Gerhard: there are two paths (1) we include a passkey (2) if the passkey isn't there, we still want the BBK and sign only with that. 06:16:21 +1 06:16:25 q+ 06:16:29 JohnB: That's a whole other kettle of fish. 06:16:39 Lee: that's a different feature request 06:16:51 Gerhard: But that would be attractive (no passkey registration) 06:17:00 Henna: So that's a third option. 06:17:16 Takashi has joined #wpwg 06:17:22 JohnB: That's just DBC 06:17:32 Ian: No, there are other features of SPC beyond DBSC 06:17:52 q? 06:18:11 ack Nick 06:18:25 nick_s: there are many non-payment use cases 06:18:33 Gerhard: But there's always a display in our use case. 06:19:33 smcgruer_[EST]: Are Apple doing DBSC? 06:19:43 nick_s: I defer to my colleagues. 06:20:25 Lee: the question is "can we do uv = discourage"? Yes, we can 06:20:37 ...and that's the one implementation. 06:20:50 ...so I think we can do it on the platform side. 06:21:07 smcgruer_[EST]: We use GPM on Android, but we use other authenticators on other platforms. 
06:21:15 tomasz has joined #wpwg 06:21:45 JohnB: If you support windows hello on windows, it can't release a credential without a user verification 06:22:35 timcappalli has joined #wpwg 06:22:36 Henna: We are going to separate the issue of "no passkey" option 06:22:51 Henna: We should collectively think about "SPC or DPC" 06:23:03 Gerhard has joined #wpwg 06:23:40 q+ 06:23:49 Henna: How do we do recurring transactions? 06:23:52 ack Nick 06:24:06 nick_s: We are not trying to rebuild the whole checkout flow... 06:24:17 s/recurring transactions/recurring transactions, multi-merchant, etc etc/ 06:24:19 ...if you are required to display a payment, it may not be able to solve in SPC or PR API 06:24:21 TallTed has joined #wpwg 06:24:27 q+ 06:24:40 nick_s:...there's value to that, but need to be thinking about not taking on too much 06:24:44 ack smcgruer_[EST] 06:24:54 smcgruer_[EST]: I agree with Nick. Do you feel the same with DPC? 06:24:57 nick_s: Yes. 06:25:14 ...also, rules change. We can't build it into the standard. 06:25:21 ...custom UI has problems 06:25:27 ....I'm not seeking to replace the entire checkout flow 06:25:46 smcgruer_[EST]: I think it's not about replacing the checkout flow, it's about dynamic linking requirements 06:26:00 nickTR: This is not a requirement in PSD2 06:26:18 Henna: I think there's an expectation that the user see information when they are entering into a mandate. 06:26:48 SameerT: It's not letter of the law...regulators just asked that things be fixed. 06:26:58 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 06:27:26 q+ 06:27:29 q+ 06:28:11 Lee: We can consider new features on a case-by-case basis. 06:28:38 Henna: I heard from Nick_S we should not put things in standards 06:28:49 ack gk 06:29:13 gkok: We also need to figure out the experience on the 3DS side 06:29:47 ...it's a fine line... 
06:30:02 q+ 06:30:12 ...regulators want to impose a mandate on something that is not a mandate 06:30:16 q- 06:30:29 q- 06:31:12 Henna: We are going to try to come up with an MVP structure 06:31:20 smcgruer_[EST]: I am hearing a couple of asks 06:31:31 ...DPC takes a JSON schema. Should SPC? Yes. let's just do that 06:31:47 ...what's the chance of a browser or wallet handling all the UX...my guess is not much 06:31:59 Lee: What we want in DPC is a small number of schemas 06:32:20 ..for DPC it may be a JSON schema and the browser can display like it likes 06:32:30 ...in FIDO we want a transaction schema and it should be same 06:32:34 +1 06:32:49 q+ 06:32:57 q+ irene_chang 06:33:18 Action: Tomasz to add to SPC repo the topic of structured (DPC-compatible) way to specify schema 06:33:38 ack nick_s 06:33:41 nick_s: Apple has a proprietary request to PR API for recurring 06:34:09 irene: I am hearing a number of feature requests. What's MVP? 06:34:31 topic: FIDO requirements for payments 06:35:18 An example recurring payment request for Apple Pay that uses PaymentRequest custom modifiers: https://gist.github.com/nickjshearer/bbf9c3f80e76a97ea0cc016b41b0f1c3 06:35:18 We would be happy to discuss upstreaming this into line items if there is enough interest. 06:35:31 Jean-Luc: I'd like to talk about the regulatory context in Europe around payments. 06:35:52 ...as you can see, there's lots of regulation...some is strictly enforced, others less so 06:36:09 ...beyond PSD2 there is, e.g., the accessibility act 06:36:14 ...and others 06:37:32 Ash has joined #WPWG 06:37:55 Jean-Luc: An important topic for us is going to relate to onboarding 06:39:24 ...topics include incident reporting and risk management 06:39:28 ....digital identity wallets 06:40:38 Velvizhi has joined #wpwg 06:40:50 timcappalli has joined #wpwg 06:41:02 ...PSD3...(1) expands and tightens SCA requirements. 
(2) Strengthens anti-fraud controls (3) Creates frameworks for dispute resolution and chargeback management (4) Better monitoring and reporting (5) Strengthen outsourcing rules to improve risk management 06:41:20 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 06:41:44 If you are interested, here's a blog I wrote about PSD3 last year -> https://www.endava.com/insights/articles/what-you-really-need-to-know-about-psd3 06:41:50 q+ 06:43:41 Jean-Luc: I can summarize the requirements...if we require with them, we should be able to comply with (all the) regulation. 06:44:04 ...most of them are implemented (with current proposals) 06:44:11 ...but "proof of liveness" is interesting 06:44:22 ... demonstrate "device environment compliance" 06:44:30 ...accessibility 06:44:52 ...how to provide information to the financial institution during an audit which auth mechanism was used, and whether it complied. 06:45:09 ...I have a slide where I evaluate technologies and how they fulfill the requirements 06:45:19 nick_s has joined #wpwg 06:45:46 Jean-Luc: As you can see, for passkeys there are requirements not addressed (e.g., device binding) 06:46:02 ...whereas for DPC / wallets many requirements are met 06:46:22 q? 06:46:25 ack ir 06:46:28 ack Ger 06:46:39 q+ 06:46:54 Gerhard: Thank you for the useful presentation. There are two that I don't see on the list. One is DORA. The other one is "confirmation of payee" 06:47:08 ...could we add that to the list "who is the other party"? 06:47:45 nakjo has joined #wpwg 06:47:47 Jean-Luc: I had understood DORA to be more server-side. 06:48:43 q? 06:48:47 ack smcgruer_[EST] 06:48:59 smcgruer_[EST]: I am going to ask a controversial question - define "respects privacy"? 06:49:20 ...I think it's a contradiction to say that "things must be traceable" and "must respect privacy" 06:49:28 Jean-Luc: I agree you are right to point this out. 
06:49:58 ...it will require time to figure out a balance between the two 06:51:02 NickTR: "AML 6" is now law. It has bits requiring financial institutions to have information to do forensics. 06:51:18 q+ 06:51:21 q+ 06:51:23 DavidBenoit: They don't even have to find fraud, merely suspect it. 06:52:29 nickTR: So financial institutions will have to not comply with privacy requirements. 06:52:32 ack smcgruer_[EST] 06:52:34 smcgruer_[EST]: how? 06:52:57 smcgruer_[EST]: We already give too much information...but I don't think there are technical solutions that give the implied level of information. 06:53:02 ack nick_s 06:53:14 nick_S: It's orthogonal to the business of standardization. 06:53:23 vasilii has joined #wpwg 06:53:28 ...we don't stop using encryption keys when countries ban them. 06:53:34 q+ 06:53:49 nick_S: Instruments can figure out what they need to do 06:54:11 smcgruer_[EST]: I don't think it's orthogonal, but I agree that we should not as a standards body stop pursuing principle-based designs 06:54:21 q? 06:54:23 ack smcgruer_[EST] 06:54:25 Nishant has joined #Wpwg 06:54:29 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 06:55:36 Jean-Luc: We should not be bound to a particular regulatory context, but we should also do our best to make it possible to fulfill their regulation. Banks are looking for workarounds to meet their regulatory needs. 06:55:49 ...it's better to do a thoughtful design 06:56:27 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 06:58:04 Jean-Luc: how can we provide a financial institution with information about authentication modality to allow them to fulfill their audit trail requirements. 06:58:27 ... I understand that this is not on the table for passkeys 06:58:40 ...is there anything else that we can offer for, eg DPC 06:58:43 q?
06:59:32 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 06:59:56 RRSAGENT, set logs public 07:01:28 benoit__ has joined #wpwg 07:02:05 armanaygen has joined #WPWG 07:04:04 armanaygen has joined #WPWG 07:16:22 benoit_ has joined #wpwg 07:25:35 Sean has joined #wpwg 07:29:34 nick_s has joined #wpwg 07:30:11 taki has joined #wpwg 07:32:44 armanaygen has joined #WPWG 07:33:30 armanaygen has joined #WPWG 07:34:46 Takashi has joined #wpwg 07:35:31 topic: SPC MVP 07:35:46 Henna: We should talk about one more issue that we are thinking about for MVP 07:35:58 jcayzac has joined #wpwg 07:36:02 DP has joined #wpwg 07:36:11 vasilii has joined #wpwg 07:36:26 Jason: The issue arises when a new BBK is created and not to have a double step up 07:36:41 ...one idea was to add a BBK allow list 07:36:56 ..if no BBK matches, then override the user verification parameter to be discouraged 07:36:58 q+ 07:37:05 ack smcgruer_[EST] 07:37:12 lychee has joined #wpwg 07:37:16 smcgruer_[EST]: You'll never get a BBK in that situation. 07:37:28 Jason: You'd still get a new BBK 07:37:31 smcgruer_[EST]: Ok. 07:37:49 ...but you still may get a double authentication. 07:38:02 SameerT has joined #wpwg 07:38:10 hsano has joined #wpwg 07:38:23 smcgruer_[EST]: The question is what are the users of this API comfortable with. Is "less frequent" ok? 07:38:35 Shuji has joined #wpwg 07:38:35 q? 07:38:52 JohnB: That doesn't seem completely unreasonable 07:39:09 ...it can be dealt with entirely by the browser as part of SPC 07:39:24 ...if the browser manages the BBK and if it matches / or not set UV to this or that value 07:39:32 ...the underlying WebAuthn is ambivalte 07:39:37 ambivalent 07:39:45 ....if you want to put in the SPC API, why not? 07:39:57 smcgruer_[EST]: If you set "discouraged" and the user was verified, is that reported? 07:40:18 JohnB: Yes 07:41:17 IJ: Does this moot the issue about poison BBKs? 
07:41:20 smcgruer_[EST]: I think so 07:41:39 Gerhard: If we say discouraged, currently it will always authenticate on Windows Hello 07:41:58 JohnB: But that will change depending on integration with windows hello moving forward. 07:42:37 ...integration changes based on DLL 07:43:48 Ash has joined #WPWG 07:44:28 alexs has joined #wpwg 07:44:59 Henna's list of things: 07:45:04 * Immediate mediation in 1p context 07:45:10 rene has joined #wpwg 07:45:24 ...with no allow list 07:45:34 * Immediate mediation in 3p context with no allow list 07:45:40 * BBK support feature detection 07:45:50 * BBK with passkey + BBK with uv = discouraged option 07:45:56 * BBK without passkey 07:46:20 * Structured data so that it works with either SPC or DPC 07:46:52 * Trusted BBK with uv = discouraged to avoid double step-up 07:48:13 Irene: think about prioritization in the context of real-life pilots 07:48:22 ...other things can be "things we can continue to think about" 07:49:04 Henna: I've not done a 1-by-1 ranking from my perspective. there were just "the top 5 things" 07:49:12 ...I will need more time to rank them individually 07:49:56 Gerhard has joined #wpwg 07:50:12 Jonathan: If you need to look into pilot, removing UV may not be for MVP 07:50:36 ...the first use case would likely be that the BBK is used properly and you don't have issues when you change device. 07:50:49 Padmanabhan has joined #wpwg 07:51:32 Gerhard: I think Trusted BBK with uv = discouraged is high priority 07:51:50 q+ 07:52:05 Ian: Are there user journeys that would help prioritize? 07:52:29 Henna: That's hard to do. I'd like to take an action to rank them (and ask others to do the same) 07:52:44 Tomasz: I want to bring back issue 287 (re-authentication upon creating new BBK) 07:53:05 ....I'd like to consider the solution proposed there in addition to uv = discouraged 07:53:37 ...I'd like us to keep open the idea for a solution in that space.
07:54:21 Action: Tomasz to add use case of SRC using passkey to get card list, then doing SPC without biometric 07:54:30 JorgeV has joined #wpwg 07:55:24 Action: Henna to create a prioritization of these topics 07:55:32 Action: Tomasz to create a prioritization of these topics 07:56:09 q? 07:56:15 ack tomasz 07:56:17 Topic: Passkeys and Agentic AI (from a FIDO perspective) 07:56:24 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 07:57:21 Fahad: As Nick Steele discussed yesterday, it's possible to authenticate users during some agentic flows. 07:57:32 gkok has joined #wpwg 07:57:33 Ehsan has joined #wpwg 07:57:51 ...when it comes to authentication within agentic commerce, we need to authenticate cardholders and also intent mandates 07:58:06 ...we use passkeys for cardholder authentication, but how do we validate the user's intent? 07:58:19 ...how can we get to an assertion that has intent data. 07:58:40 ...what we are working on in the FIDO Payments WG agentic group is how to use VCs to communicate user intent 07:58:53 ...what I mean by intent is: the instructions given by the user to their agent. 07:59:22 ...the intent could range from general to very specific. 07:59:39 ...and some transactions may be faster to carry out depending on specificity 08:00:13 Sami has joined #wpwg 08:00:21 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 08:00:33 Sami3 has joined #wpwg 08:00:34 Albert has joined #wpwg 08:00:40 q+ 08:00:44 Fahad: We need to include intent data in assertions to reduce chargebacks. 08:00:45 ack gkok 08:00:46 q+ 08:00:46 q+ 08:00:54 q+ 08:00:58 gkok: Google did great work trying to break down what this ecosystem could look like. 08:00:59 q= 08:01:03 q- 08:01:28 gkok: The user might have a request, the store might ask for clarification....there's back and forth....would that make the user experience clunky?
08:01:36 ...the user in a sense is signing off multiple times 08:01:39 q+ 08:01:42 q+ 08:01:52 ...how do you get "the final request" and assert only that one? 08:02:08 Fahad: The agent will need to distill 08:02:23 ...if the condition is met immediately and the agent adds something to a cart, that 08:02:33 ...should produce an intent mandate related to the items in the cart. 08:03:17 ...the mandate might also include boundaries (e.g, "no more than $100") 08:03:27 ...we want to understand what the (JSON) data would look like. 08:03:31 q? 08:04:17 gkok: There are good reasons to capture intent mandate even if user is present. 08:04:46 vasilii_ has joined #wpwg 08:04:51 Fahad: In the end, I the user is not clicking a button...I'm asking the agent..and the agent could still mess up when executing the intent. 08:04:54 q+ 08:04:57 Gerhard: I watched the AP2 video. 08:05:14 ...Google has 2 categories (user present, user not present) 08:05:38 ..I think it was also clever to distinguish the intent mandate from the payment mandate 08:05:46 ...perhaps we attest only to the payment mandate (to simplify) 08:06:00 ... we could extend SPC to sign the payment mandate. 08:06:23 Fahad: In AP2, there is a chain of mandates. While the data may not be present, there's a hash of data 08:06:27 q+ 08:06:35 ack Gerhard 08:06:50 ...in the final payment mandate, it might not have all the disclosures disclosed, but in the future, the issuer can go back to the merchant and verify disclosures 08:07:02 ack vasilii 08:07:23 vasilii: The reason why I opened the issue with SPC re: line items is that the SPC experience looks like what we want to confirm intent. 08:07:48 Fahad: We would do it with SPC. 08:07:50 q? 
08:07:52 q+ 08:07:57 q+ 08:08:08 ack Smi 08:08:11 ack Sami 08:08:25 Sami: EMVCo is looking into agentic transactions in the digital identity and payments TF 08:08:35 ...our focus there is on EMV technologies and how could they live with agentic 08:08:43 ...how do interactions and integrations work? 08:08:43 steele has joined #wpwg 08:08:46 q+ 08:08:59 rene has joined #wpwg 08:09:21 Sami: Regarding scoping intent...in your thinking, do you have multiple items in your intent? 08:09:31 ...e.g., "buy me a cowboy outfit" 08:09:41 ...with multiple merchants 08:09:57 ...the cowboy mandate could lead to multiple transactions 08:10:29 ...there's another point on selective disclosure to the merchant. If my ask was "I'm interested in N and M, but not O shoes"; this is probably not to be disclosed 08:10:46 Fahad: JWT allows us to do some selective disclosures 08:11:01 ...we need to define this and are working on that in the payments wg at FIDO 08:11:06 q? 08:12:19 hsano7 has joined #wpwg 08:12:19 Sami: from EMVCO work, we're not writing any specs at this time; just want to make sure our tech can carry info 08:12:31 ...we also ack that the agentic landscape is moving quickly 08:12:53 Fahad: From a principle perspective, 3DS transferring data to the issuer...how to do that? 08:13:24 q+ to remind the audience of the salutary tale of VGIS 08:13:39 Sami: My third point is that we need to scope it down a bit (e.g., consumer present/ not present is one axis, another is agent-to-merchant integration, agent-to-merchant-agent integration) 08:13:47 Haruki has joined #wpwg 08:13:52 ack benoit_ 08:14:12 raginpirate has joined #wpwg 08:14:14 benoit_: When you ask a human "go buy me shows" that's easy if the person knows a lot about you. 08:14:29 ...is there a way to prevent agents acting in parallel to double purchase? 08:15:01 ...for less specific requests (cowboy outfit), will agents always tend to max out budget? 08:15:11 Fahad: Your second question is implementation specific. 
08:16:00 q+ 08:16:47 ack gkok 08:16:49 q+ gkok 08:16:59 ack DP 08:17:35 DanP: How is this going to proceed without a framework for dispute management? Historically, that's a network specific issue. 08:18:27 ...where should a standards body be playing in that space? 08:18:46 ve7jtb has joined #wpwg 08:18:58 ...a framework may not be useful if data is not able to be used in dispute management. 08:19:11 Sami: EMVCo doesn't do dispute management. We just need to make sure that the data doesn't stop somewhere. 08:19:12 q+ 08:20:03 q- 08:20:14 vasilii has joined #wpwg 08:20:17 Vanitha has joined #wpwg 08:20:23 zakim, close the queue 08:20:23 ok, Ian, the speaker queue is closed 08:20:37 +1000 08:20:37 ack nick_s 08:20:38 nick_s: It's useful to draw a distinction between payments for agentic commerce and user intent. 08:20:50 ...there are plenty of use cases that don't involve payments 08:21:35 ...regarding adoption...we'd need to have more players coming to these discussions would be great. 08:21:40 ack steel 08:22:05 steele: On Thursday we'll show a demo 08:22:13 ...for a digital payment credential being used with AP2 08:22:27 ..it sounds like we're putting the cart before the horse 08:22:31 q- 08:22:56 steele: We don't have the architecture in place yet for intent mandates. We can do cart mandates 08:23:15 ...we've received requests for providing additional context going into user authorization / delegation 08:23:39 ...there's room for merchants and payment processors to be provided addl context in some contexts where they can have more context behind the reasoning 08:24:16 ...if you wanted to buy something today (with MCP but not AP2) you'd use URLs... client would say "go to this URL and complete this event" 08:24:44 ...today you are going to want to push the user back into a flow for high assurance use cases. 08:25:09 ...AP2 is early enough that we are still figuring out intent mandate 08:25:11 q? 
08:25:14 vasilii has joined #wpwg 08:25:33 ack nickTR 08:25:33 nicktr, you wanted to remind the audience of the salutary tale of VGIS 08:26:04 NickTR: Visa built a whole spec for line items 08:26:14 ...it's a catastrophe passing line items 08:26:46 ...trying to build a spec for a customer not present transaction in a context without liability framework will be very very difficult 08:27:11 ...let's have an API for doing intent, but let's keep our payment API to the context of payments 08:27:12 q? 08:27:29 ack Johnb: 08:27:39 ve7jtb: I largely agree with NickTR on the difficulty. 08:28:09 ...you can use passkeys to talk to a service to create an intent, sure 08:28:18 ..but you don't need SPC for this; it's most likely a direct relationship 08:28:26 ...these intents are potentially a privacy nightmare 08:28:44 +1 08:28:51 ...on the one hand they are protecting people but on the other you are giving out highly correlatable information that can be used to track you 08:29:05 ...so disclosure issues need to be considered very carefully 08:29:20 ...you don't want multiple merchants being able to correlate 08:29:22 Totally agree on the privacy front. A merchant, issuer, etc. likely should not see what conversation I had with my agent unless its a necessity at dispute time, and assuming a dispute framework even exists to use that information. 08:29:40 JohnB: Hard work, important. Just want to make sure it's on the table. 08:29:49 q? 08:29:52 ack ve7jtb 08:30:34 Topic: What's the latest in WebAuthn? 08:30:40 Takashi has joined #wpwg 08:31:32 Tony: We still haven't published L3 specification as we are awaiting some horizontal reviews. 08:32:11 Ian: What's in L3 that we should be paying attention to? 08:32:39 vasilii_ has joined #wpwg 08:32:59 nick_s has joined #wpwg 08:33:06 timcappalli: 08:33:16 - Related origins 08:33:34 timcappalli has joined #wpwg 08:33:35 hsano has joined #wpwg 08:33:44 NickSteele: You can define up to 5 related origins; they can all use a passkey.
08:33:47 Conditional Create (Passkey Upgrades), Conditional Get (Autofill UI), Related Origin Requests 08:34:08 NickStelle: Conditional get and create....see Eiji's blog posts on those 08:34:45 ....conditional get shows available passkeys in form fields 08:35:14 ..Signals API will be where a lot of the L4 stuff goes 08:35:31 ...a lot of work on allowing the authenticator and the RP to update each other on the state of credentials on the RPI 08:35:38 s/RPI/RP side 08:36:01 ...that will help credential managers show the user's display name in an object in the vault, for example. 08:36:08 ..if user changes name on site, should be updated in vault as well 08:36:17 ..GetClientCapabilities will also be useful 08:36:33 ...allows you to see what the current client is able to do (e.g., elements of the Signals API and other types of calls) 08:36:46 ...quality of life features for e.g., debugging 08:36:47 https://featuredetect.passkeys.dev/ 08:38:00 Ian: What is the status of L4 requirements? Any where the payments folks may want to weigh in? 08:38:16 timC: In L4: 08:38:18 - Immediate mediation 08:38:28 - Error code work (more about developer ergonomics) 08:38:45 ...giving slightly more context in some cases to help e.g., with debugging 08:38:57 - Credential manager trust groups (formerly "RPK") 08:39:49 ...credential manager can generate a key and the key be transmitted ... suppose three related devices in proximity; may be enough to reduce need to step up 08:40:02 - some interesting question of "what an account looks like on the web" 08:40:18 ....maybe "one API" that might resemble some APIs that are available on platforms. 08:40:32 hsano has joined #wpwg 08:40:39 ...you could get privacy benefits 08:40:59 Ehsan has joined #wpwg 08:41:29 TimC: Some other work is happening on work force authenticators ... 08:41:37 Ian: What's that? 08:41:48 TimC: Employer gives you an authenticator. 
08:42:17 ...you can tell a user to download an app and sign in with a "workforce authenticator" 08:42:34 ... this is a workforce oriented provisioning flow 08:42:51 JohnB: There are authenticators already that create credentials in a back channel 08:42:57 ...I think Windows Hello does, and Google does 08:43:16 ...so there's some precedent for authenticators doing this 08:43:25 ..the question is: what are the rules for doing this in a workforce environment. 08:43:33 q+ 08:43:48 zakim, open the queue 08:43:48 ok, Ian, the speaker queue is open 08:43:51 q+ DP 08:45:01 q? 08:45:04 ack DP 08:45:20 timcappalli: What else should we look at? 08:45:23 steele has joined #wpwg 08:45:49 Ian: What's the latest on transaction confirmation? 08:46:23 timcappalli: Issue was closed due to lack of conversation, but it's re-opened again 08:46:45 s/conversation/folks turning up to the WG meetings to discuss it 08:46:49 ...there is still no expectation that unstructured fields will be displayed 08:47:48 timcappalli: Another topic is to provide a hint to show language (enum) in the authentication dialog 08:48:06 ..there are some re-auth scenarios that are not exactly sign-in 08:48:28 timcappalli: Another one coming up - some payment cards may have authenticators in them. 08:48:55 JohnB: It's an NFC authenticator 08:49:41 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian 08:50:27 TimCappalli: There is another L3 use case - "client hints" .. allow you to nudge the user to start with a security key dialog 08:50:35 (e.g., for high transaction values) 08:50:44 timcappalli has joined #wpwg 08:51:00 NickSteele: What's missing? 08:51:52 Gerhard: For clarification for this group: there's been a lot of talk about DPC and digital credentials, and WebAuthn 08:52:01 ...how do those interrelate.
08:53:10 JohnB: There is something that we're working on for digital credential wallets where passkeys and wallets overlap
08:53:14 ..there's a raw signing extension
08:53:31 ..when you talk about "signing other things" you can use a derived key from your passkey to sign arbitrary pieces of information
08:53:39 ...the passkey credentials are pairwise between the two parties
08:54:06 ...you use your passkey to log into your wallet. As part of that, the wallet can create key pairs that are stored securely in the passkey provider
08:54:13 ...these can be used for ZKPs etc
08:54:24 ...Yubico has created an extension and will be available later in the year.
08:54:44 ..it describes how to use an extension to WebAuthn to do personal HSM activities for 3p applications
08:55:04 ...so in theory you could have an app in the browser do webauthn and store keys in the authenticator to sign other things than VCs.
08:55:13 ...people love signing stuff
08:55:25 ...it is an intersection between passkeys and digital payment credentials.
08:55:36 ..you use a derived key from your passkey to sign arbitrary objects
08:55:51 Fahad: Will those derived keys carry attestations?
08:56:00 JohnB: The spec will support it
08:56:07 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
08:57:25 NickTR: Thank you for your energy and passion
08:57:45 ...great to hear all the good ideas and reminder we are working to help users
08:57:49 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
09:00:15 armanaygen has joined #WPWG
09:00:44 I have made the request to generate https://www.w3.org/2025/11/11-wpwg-minutes.html Ian
09:04:02 vasilii has joined #wpwg
09:06:15 armanayg_ has joined #WPWG
09:08:45 armanayg_ has joined #WPWG
09:59:57 benoit_ has joined #wpwg
10:06:48 armanaygen has joined #WPWG
10:09:46 armanayg_ has joined #WPWG
10:11:33 armanaygen has joined #WPWG
10:34:16 nick_s has joined #wpwg
11:56:45 vasilii has joined #wpwg
12:18:10 vasilii has joined #wpwg
13:31:33 vasilii has joined #wpwg
13:55:15 armanaygen has joined #WPWG
14:00:27 armanaygen has joined #WPWG
14:36:08 vasilii has joined #wpwg
15:16:30 armanaygen has joined #WPWG
15:22:24 armanayg_ has joined #WPWG
15:26:22 vasilii has joined #wpwg
15:28:08 armanaygen has joined #WPWG
15:33:55 armanayg_ has joined #WPWG
15:42:09 vasilii has joined #wpwg
16:31:41 vasilii has joined #wpwg
18:08:31 vasilii has joined #wpwg
19:04:56 armanaygen has joined #WPWG
19:05:13 Zakim has left #wpwg
20:06:19 vasilii has joined #wpwg
20:32:24 armanaygen has joined #WPWG
21:35:38 vasilii has joined #wpwg
21:50:32 armanaygen has joined #WPWG
22:07:06 vasilii has joined #wpwg
22:07:39 rrsagent, bye
22:07:39 I see 7 open action items saved in https://www.w3.org/2025/11/11-wpwg-actions.rdf :
22:07:39 ACTION: Jason to write up an issue for SPC to do immediate mediation in a 1p context without an allowList [1]
22:07:39 recorded in https://www.w3.org/2025/11/11-wpwg-irc#T06-09-49
22:07:39 ACTION: Jason to write up an issue for SPC to do immediate mediation in a 3p context without an allowList [2]
22:07:39 recorded in
https://www.w3.org/2025/11/11-wpwg-irc#T06-10-46
22:07:39 ACTION: Stephen to look into viability of BBK support check [3]
22:07:39 recorded in https://www.w3.org/2025/11/11-wpwg-irc#T06-13-10
22:07:39 ACTION: Tomasz to add to SPC repo the topic of structured (DPC-compatible) way to specify schema [4]
22:07:39 recorded in https://www.w3.org/2025/11/11-wpwg-irc#T06-33-18
22:07:39 ACTION: Tomasz to add use case of SRC using passkey to get card list, then doing SPC without biometric [5]
22:07:39 recorded in https://www.w3.org/2025/11/11-wpwg-irc#T07-54-21
22:07:39 ACTION: Henna to create a prioritization of these topics [6]
22:07:39 recorded in https://www.w3.org/2025/11/11-wpwg-irc#T07-55-24
22:07:39 ACTION: Tomasz to create a prioritization of these topics [7]
22:07:39 recorded in https://www.w3.org/2025/11/11-wpwg-irc#T07-55-32