14:52:13 <RRSAgent> RRSAgent has joined #wpwg
14:52:17 <RRSAgent> logging to https://www.w3.org/2026/01/15-wpwg-irc
14:52:40 <Ian> Meeting: Web Payments Working Group
14:52:42 <Ian> Chair: ian
14:52:44 <Ian> Scribe: Ian
14:52:47 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20260115
14:52:50 <Ian> agenda+ SPC
14:52:55 <Ian> agenda+ Facilitated Payment Links
14:52:58 <Ian> agenda+ Next meeting
14:58:52 <Ian> present+
14:59:10 <Ian> present+ Jeff_Owenson
14:59:57 <Ian> present+ Ashwany_Rayu
15:00:00 <Ian> present+ Tomasz_Bachowicz
15:00:07 <Ian> present+ Tomasz_Blachowicz
15:00:10 <Ian> present- Tomasz_Bachowicz
15:00:53 <Ian> present+ Sameer_Tare
15:00:56 <Ian> present+ Rogerio_Matsui
15:01:04 <Ian> present+ Kenneth_Diaz
15:01:14 <Ian> present+ Arman_Aygen
15:02:03 <Ian> present+ John_Bradley
15:02:23 <Ian> present+ Darwin_Yang
15:02:33 <Ian> present+ Bjorn_Hjelm
15:02:38 <Ian> present+ Sami_Tikkala
15:02:58 <Ian> present+ Ryan_Watkins
15:03:00 <Roger> Roger has joined #wpwg
15:03:04 <Ian> present+ Stephen_McGruer
15:03:23 <Ian> present+Ehsan_Toreini
15:03:27 <Ian> present+ Ehsan_Toreini
15:04:47 <Ian> zakim, take up item 1
15:04:47 <Zakim> agendum 1 -- SPC -- taken up [from Ian]
15:04:58 <Ian> -> https://www.w3.org/wbs/83744/spc-mvp-2025/results/ Survey results
15:05:07 <Ian> present+ Albert
15:06:30 <vasilii> present+
15:06:51 <Albert> Albert has joined #wpwg
15:08:15 <Ian> present+ Isaiah
15:08:20 <Ian> present+ Praveena
15:08:25 <tomasz> tomasz has joined #wpwg
15:08:30 <tomasz> present+
15:08:58 <Ian> Ian: Three capabilities seem clear:
15:09:05 <Ian> * BBK feature detection
15:09:08 <Ian> * Allow list
15:09:47 <Ian> * UV=discouraged
15:14:11 <stephen_mcgruer> q+
15:14:11 <Ian> Ian: These should support a variety of 1FA and 2FA use cases.
15:14:56 <rene> rene has joined #wpwg
15:16:12 <Ian> ack stephen_mcgruer
15:16:20 <Ian> stephen_mcgruer: This would be easier to discuss if we wrote it up
15:16:26 <Ian> present+ Steve_Cole
15:16:33 <Ian> presetn+ Rene_Leveille
15:16:39 <tomasz> q+
15:16:57 <Ian> ack tom
15:17:33 <Ian> tomasz: In SPC there's no way to set UV today...so this why we are talking about a spec change
15:18:52 <Ian> Ian: What is the assessment of the implementation cost for these three features?
15:19:05 <Ian> stephen_mcgruer: Feature detection is underway; should not be too costly.
15:19:32 <Ian> ...adding an allow list for BBKs and uv=discouraged does not appear to be a big amount of work, but the big question is whether uv=discouraged is supported.
15:19:49 <Ian> ...so some work will need to be done to understand the cost of getting support for uv=discouraged.
15:20:27 <Ian> John: Windows Hello uses user verification to unlock storage, so "discouraged" not likely to work there in the short term
15:20:38 <tomasz> q+
15:20:51 <Ian> John: It was also previously baked into Android, but that may have changed at some point.
15:21:15 <Ian> ...for technical reasons it may not be able to unlock the private key without some sort of user verification action by the authenticator
15:21:36 <Ian> Isaiah: I think MacOS also upgrades uv=discouraged
15:21:48 <Ian> Tomasz: Maybe we should go back and talk about why we need this.
15:22:29 <Ian> ...one flow we have in mind is user is authenticated in one flow and then we want to use SPC after that, so we already know the user.
15:23:07 <Ian> ...where we use uv=discouraged or another mechanism is part of the discussion.
15:26:19 <Ian> Ian: What about flow where BBK is in the allow list and the user does not want to go through passkey authentication.
15:27:03 <Ian> ...we might avoid uv=discouraged altogether
15:27:13 <Ian> John: Is the BBK per credential?
15:27:27 <Ian> ...what does a BBK mean without the credential?
15:27:42 <Ian> stephen_mcgruer: We heard at TPAC that people don't want to walk away from passkeys.
15:28:24 <Ian> John: There's a different privacy question if I annotate something to a passkey that is already uniquely identifying for a person...but when I remove the person and it's just about the device....
15:28:41 <Ian> stephen_mcgruer: We heard at TPAC strongly that the passkey does not represent a person
15:28:59 <Ian> John: RP shouldn't be able to correlate between persona A and persona B based on a passkey.
15:29:14 <Ian> stephen_mcgruer: If I create two passkeys for the user (for persona A and B) that's what those keys are for.
15:30:37 <Ian> present+ Gerhard_Oosthuizen
15:31:50 <Ian> John: Let's just be clear about what passkey flow is being eliminated.
15:32:18 <Ian> present+ Sue_Koomen
15:34:09 <Ian> Tomasz: If user is authenticated with passkey for login, the same credential ID is provided to PSC.
15:34:30 <Ian> Ian: If you get a new BBK, do you need to step up the user again?
15:34:36 <Ian> Tomasz: I don't know yet.
15:36:18 <Ian> John: It's the same device in the authenticated session, but it's still a new device.
15:38:04 <Ian> Action: Ian to work with Stephen and Tomasz on write up of how features will support 1FA and 2FA use cases (feature detection, uv=discouraged, and allow list)
15:38:42 <Ian> [Regarding roaming authenticators]
15:40:11 <Ian> Ian: Would it meet your request to support roaming authenticators that are immediately available
15:40:18 <Ian> Bjorn: That is a good starting point, yes.
15:40:36 <Ian> ...Yubico is interested in this and the reqs doc says that it should be supported.
15:40:46 <Ian> ...we can do a write up for how it could be supported.
15:41:21 <Ian> John: I don't know whether "Using an immediately available authenticator" should not involve much change to the spec
15:41:42 <Ian> https://github.com/w3c/secure-payment-confirmation/blob/main/authenticators-and-spc.md
15:42:58 <Ian> John: We did add the 3p flag to CTAP
15:43:02 <Ian> ...(2.3)
15:43:35 <Ian> regrets+ David_Benoit
15:44:03 <Ian> John: I think this is mostly an implementation question, for whoever is doing the credential provider selection.
15:44:20 <Ian> John: On Android there is a credential provider selector that's not currently used by SPC
15:45:46 <Ian> Action: Bjorn to write up the path forward for SPC to support roaming authenticators.
15:46:06 <Ian> Bjorn: I'll work with John and Stephen.
15:46:53 <Ian> zakim, close item 1
15:46:53 <Zakim> I see a speaker queue remaining and respectfully decline to close this agendum, Ian
15:46:57 <Ian> zakim, take up item 2
15:46:57 <Zakim> agendum 2 -- Facilitated Payment Links -- taken up [from Ian]
15:49:38 <Ian> Ian: We talked about comparing different options.
15:49:47 <Ian> Stephen: Yes, we own the next steps on that
15:50:10 <Ian> ACTION: Stephen to work on comparison of different ways to smooth the handoff (on mobile) from web checkout to native payment app
15:50:21 <Ian> zakim, close item 2
15:50:22 <Zakim> I see a speaker queue remaining and respectfully decline to close this agendum, Ian
15:50:28 <Ian> zakim, take up item 3
15:50:28 <Zakim> agendum 3 -- Next meeting -- taken up [from Ian]
15:50:41 <Ian> 29 January
15:50:52 <RRSAgent> I have made the request to generate https://www.w3.org/2026/01/15-wpwg-minutes.html Ian
15:50:59 <Ian> RRSAGENT, set logs public
16:04:21 <TallTed> TallTed has joined #wpwg
16:09:16 <tomasz> tomasz has joined #wpwg
16:09:16 <Albert> Albert has joined #wpwg
16:09:16 <wanderview> wanderview has joined #wpwg