14:50:56 RRSAgent has joined #wpwg 14:51:00 logging to https://www.w3.org/2025/12/04-wpwg-irc 14:51:03 Meeting: Web Payments Working Group 14:51:05 Chair: Ian 14:51:08 Scribe: Ian 14:51:26 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20251204 14:51:31 agenda+ TPAC follow-up 14:51:39 agenda+ SPC 14:51:49 agenda+ PR API and digital payment credentials 14:51:54 agenda+ Facilitated payment links 14:52:11 agenda+ Regulatory requirements related to authentication means 14:52:17 agenda+ Next meeting 14:52:27 I have made the request to generate https://www.w3.org/2025/12/04-wpwg-minutes.html Ian 14:59:21 JL has joined #WPWG 14:59:45 benoit has joined #wpwg 15:01:17 present+ 15:02:01 present+ Darwin 15:02:04 present+ Slobodan 15:02:06 present+ Ian 15:02:10 present+ Rogerio 15:02:15 present+ Kenneth_Diaz 15:02:19 present+ Takashi 15:02:21 present+ Henna 15:02:24 vasilii has joined #wpwg 15:02:27 present+ Dan_Pelegero 15:02:30 present+ Max_Crone 15:02:32 present+ Bjorn 15:02:36 present+ Dsigan 15:02:40 present+ Shunsuke 15:02:43 present+ Gustavo 15:02:44 Roger has joined #wpwg 15:02:45 present+ Vivian 15:02:51 present+ Vasilii 15:02:56 Takashi has joined #wpwg 15:02:56 present+ Sharanya 15:03:04 present+ 15:03:04 regrets+ Gerhard 15:03:15 present+ Vivian 15:03:17 present+ 15:04:01 present+ Stephen_McGruer 15:04:06 zakim, take up item 1 15:04:06 agendum 1 -- TPAC follow-up -- taken up [from Ian] 15:04:15 present+ Praveena 15:04:38 -> https://docs.google.com/document/d/1wWprUB_hJDCiw2ByiId79vO0E0ukRudSstjC1PROLWg/edit?tab=t.0#heading=h.sa1gwsosbnz Ian's recap 15:04:55 present+ Sue_Koomen 15:05:17 merci 15:05:33 Ian This is the payment solution that handles QR Payment you asked me during TPAC https://www.sbpayment.jp/en/support/how_to_pay/paypay_online/ 15:05:59 DP has joined #wpwg 15:06:26 present+ Albert 15:06:49 present+ Jean-Luc 15:07:11 present+ Tommaso 15:08:02 Ian: Any other big takeaways from TPAC? 15:08:52 stephen_mcgruer: From Chrome payments perspective, this was the best TPAC we've been to...very collaborative and felt like lots of momentum and good ideas. I am excited by the momentum. Glad to see new people as well! 15:08:57 present+ Arman 15:09:20 Gustavo: +1 15:09:38 Gustavo: I was an EMVCo meeting the following week, and TPAC helped us ramp up for that as well 15:10:18 zakim, take up item 2 15:10:18 agendum 2 -- SPC -- taken up [from Ian] 15:11:05 Reducing risk of double step-ups 15:11:47 https://github.com/w3c/secure-payment-confirmation/issues/287#issuecomment-3246173874 15:12:03 Tom has joined #wpwg 15:12:11 https://github.com/w3c/secure-payment-confirmation/issues/287#issuecomment-3521109967 15:12:51 Ian: What is - which approach to take? 15:13:14 stephen_mcgruer: The userVerification is likely easier to implement and reason about, but the main question is to understand the impact on users. 15:15:05 stephen_mcgruer: I think someone needs to take the action to identify the delta for users. 15:15:08 ...or developers 15:15:38 present+ Isaiah 15:15:58 Henna: We are leaning userVerification approach. But we likely need to look more closely at implications 15:16:06 ...we think that approach is much cleaner 15:16:34 ACTION: Ian to reach out to Tomasz to try to work on the user journey / developer impact of one proposal v the other. 15:17:01 [BBK Feature detection] 15:17:20 stephen_mcgruer: This one is "just likely to happen"; I'm not hearing concerns so I think we will just figure out some API shape for this. 15:17:35 ...we'll still need to do formal security/privacy review, but so far looks ok. 15:17:49 Ian: Any input you need? 15:17:54 stephen_mcgruer: Not today. 15:18:09 Henna: That was on my list 15:18:23 ACTION: stephen_mcgruer to look at API changes to support BBK feature detection. 15:18:49 Ian: Is everyone's expectation that this is a boolean? 15:19:02 stephen_mcgruer: We will probably support an enumeration (e.g., hardware, software, none) 15:19:08 ..to allow for expansion. 15:19:35 [MVP list] 15:19:49 [Visa version] 15:20:18 Prioritization: 15:20:29 * BBK feature detection (Priority 1) 15:21:21 * Reduce double step-up (leaning UV=discouraged) (Priority 1) 15:21:41 ...this also helps with 1FA or 2FA choice 15:22:55 * SPC should work with passkey authentication andRP gets back two signatures. The RP should be able to set UV=discouraged to suppress passkey authentication and have only confirmation button (Priority 2) 15:23:15 [As always, I am required to point out that UV=discouraged is just a hint] 15:25:10 Ian: Remind me what kind of factor passkey provides 15:25:25 stephen_mcgruer: Biometric or knowledge. 15:25:42 ..but you need UV required to get one of those 15:28:33 Henna returns 15:29:53 * Allow list for BBKs to reduce double authentication with uv = discouraged 15:30:43 (Priority 3) 15:31:00 * SPC should support immediate mediation in 1p context (Priority 4) 15:32:00 ...I note that preferimmediatelyavailable not yet broadly available; need to see how it plays out in WebAuthn world 15:33:13 Henna: Last one - structured data set to support new payment methods and options such as recurring, agentic 15:33:25 ...we've not had discussion about what this might look like. 15:33:57 ...I've not set a priority on that one yet, but we can discussion in parallel. 15:34:20 present+ Ryan_Watkins 15:35:16 ACTION: Henna to send Ian list of features and priorities; Ian to publish in a way to get group input 15:36:02 Henna: Any initial feedback on this list? 15:37:13 stephen_mcgruer: The main question for me is whether UV=discouraged will result in the expected UX. E.g., on Windows there will always be authentication. We can make this work on MacOS. I need to find out on Android. 15:37:35 ...there's a related (implementation) question -- what authenticator in practice we use? Today we (Chrome) are spread across three authenticators. 15:37:39 present+ Steve_Cole 15:38:35 Henna: We just need to check on how will UV=discouraged be handled. On the Windows side, I thought there was a conversation about why Windows Hello was being used instead of GPM. 15:38:59 stephen_mcgruer: Good open question. 15:39:40 ...three of the requests hinge on UV=discouraged so that's the big question for me. 15:41:34 zakim, close item 1 15:41:34 agendum 1, TPAC follow-up, closed 15:41:34 I see 5 items remaining on the agenda; the next one is 15:41:34 2. SPC [from Ian] 15:41:35 zakim, close item 2 15:41:37 agendum 2, SPC, closed 15:41:37 I see 4 items remaining on the agenda; the next one is 15:41:37 3. PR API and digital payment credentials [from Ian] 15:41:46 zakim, take up item 5 15:41:46 agendum 5 -- Regulatory requirements related to authentication means -- taken up [from Ian] 15:42:00 Jean-Luc: Per https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts12-electronic-payments-SCA-implementation-with-wallet.md#35-presentation-response 15:42:25 ...I spoke with the author of the specification and, for compliance with regulation, the financial institution needs to know about authentication factors 15:42:39 ...this is an EU requirement that's been included in the technical specification 15:42:48 Roger has joined #wpwg 15:43:05 ...if, for example, we want to use passkeys for recurring authentications ... I would no longer have the required information 15:43:41 q+ 15:43:49 (In the link above see "The authentication_factors array MUST contain at least two different objects representing authentication categories. ") 15:43:56 ack stephen_mcgruer 15:44:29 stephen_mcgruer: From the Web perspective, neither WebAuthn or DC API require attestation or give you attestation by default. It's up to the underlying wallet or passkey provider. 15:44:49 ...we know in the EU that wallets will be forced to provide attestation that provides the type of verification method(s) 15:45:11 ...technically WebAuthn supports attestation. Is this a world where passkey providers will start providing attestation? 15:45:35 ..the big difference is that for passkeys it's "bring your own passkey provider" but for EUDI Wallets, only certified wallets will work. 15:46:30 DP has joined #wpwg 15:46:52 Ian: I am hearing "passkey providers" don't typically provide attestation today but (at least some) could and it will be required in some (EU) contexts. 15:47:08 stephen_mcgruer: Some passkey providers don't provide attestation today nor do they expect to. 15:47:36 Isaiah: Google and Apple have said they won't provide attestation. Windows can, in some contexts. All the other credential providers cannot provide attestation. 15:47:55 ...attestation is scoped to enterprise contexts. 15:48:37 Jean-Luc: The wallet provider in EU will provide attestation within the payment credential. But if we don't find an equivalent for passkeys or SPC, we won't be able to provide synergies for use cases like recurring. 15:48:49 ...so in EU people will always go through a wallet. 15:50:58 stephen_mcgruer: I agree with JL that it seems like passkeys in their current direction are not likely to be compliant. 15:51:20 Isaiah: If WebAuthn doesn't support it, it will never be available due to how things work 15:52:43 vivlee has joined #wpwg 15:52:50 Jean-Luc: There's a related challenge... 15:52:57 https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/discussions/439 15:53:45 ...currently there's no way for an RP to know that two private keys are stored in the same device (e.g., for two credential use cases like age verification credential and payment creation). 15:53:54 ...I was wondering whether the BBK might be useful for that. 15:54:12 Tomasso: Or DBSC 15:55:30 Jean-Luc: BBK could be used to sign data from DC API to provide proof that two blobs on the same device 15:56:04 https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/discussions/439#discussioncomment-14803390 15:56:27 zakim, close this item 15:56:27 agendum 5 closed 15:56:28 I see 3 items remaining on the agenda; the next one is 15:56:28 3. PR API and digital payment credentials [from Ian] 15:56:34 zakim, take up item 3 15:56:34 agendum 3 -- PR API and digital payment credentials -- taken up [from Ian] 15:56:59 Ian: More to come! 15:57:22 zakim, take up item 4 15:57:24 agendum 4 -- Facilitated payment links -- taken up [from Ian] 15:57:29 Ian: CfC ended with some support 15:58:17 ..suggest we do analysis of options before taking up formally 15:58:21 stephen_mcgruer: Ack 15:58:25 Topic: Next meeting 15:58:29 18 December 15:58:39 I have made the request to generate https://www.w3.org/2025/12/04-wpwg-minutes.html Ian 15:58:55 RRSAGENT, set logs public 16:01:19 TallTed has joined #wpwg 16:17:21 iinuwa has joined #wpwg 17:21:51 vasilii has joined #wpwg 17:42:07 Tom has joined #wpwg 17:58:21 Tom has joined #wpwg 18:14:49 Tom has joined #wpwg 18:30:35 Tom has joined #wpwg 18:46:30 Tom has joined #wpwg 19:02:14 Tom has joined #wpwg 19:10:35 Tom has joined #wpwg 19:26:22 Tom has joined #wpwg 19:31:18 vasilii has joined #wpwg 19:42:10 Tom has joined #wpwg 19:57:54 Tom has joined #wpwg 20:07:31 Tom has joined #wpwg 20:27:45 Tom has joined #wpwg 20:37:58 Tom has joined #wpwg 20:54:07 Tom has joined #wpwg 21:12:34 Tom has joined #wpwg 21:17:35 Tom has joined #wpwg 21:22:38 Tom has joined #wpwg 21:27:38 Tom has joined #wpwg 21:43:49 Tom has joined #wpwg 21:48:57 vasilii has joined #wpwg 22:00:01 Tom has joined #wpwg 22:08:59 Tom has joined #wpwg 22:13:59 Tom has joined #wpwg 22:23:51 Tom has joined #wpwg 22:43:01 Tom has joined #wpwg 22:49:06 Tom has joined #wpwg 23:07:17 Tom has joined #wpwg 23:23:33 Tom has joined #wpwg 23:39:41 Tom has joined #wpwg 23:48:17 vasilii has joined #wpwg 23:55:51 Tom has joined #wpwg 23:58:31 vasilii has joined #wpwg