14:53:14 RRSAgent has joined #wpwg 14:53:18 logging to https://www.w3.org/2026/01/29-wpwg-irc 14:56:59 Meeting: Web Payments Working Group 14:57:01 Chair: Ian 14:57:06 regrets+ Nick_Telford-Reed 14:57:08 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20260129 14:57:12 Scribe: Ian 14:58:52 present+ 14:58:59 present+ David_Benoit 14:59:11 benoit has joined #wpwg 15:01:55 present+ Stephen_McGruer 15:02:02 present+ Shunsuke_Oka 15:02:06 present+ Kenneth_Diaz 15:02:51 present+ Jean-Luc_di_Manno 15:03:21 present+ Henna_Kapur 15:03:57 present+ Bjorn_Hjelm 15:04:04 present+ Takashi_Minamii 15:04:09 present+ Gerhard_Oosthuizen 15:04:13 present+ Albert_Schibani 15:04:17 present+ Darwin_Yang 15:04:21 present+ Dees_Chinniah 15:04:35 present+ Sharanya 15:05:01 Takashi has joined #wpwg 15:05:10 present+ Sami 15:05:14 present+ 15:06:16 present+ 15:06:39 present+ John_Bradley 15:06:46 Topic: BBK features 15:06:51 https://docs.google.com/document/d/1fw_gFS4tAwHevHW73IrM1F3tVFgZki36nDVYY64VKkU/edit 15:06:59 JL has joined #wpwg 15:07:54 present+ Ryan_Watkins 15:08:36 stephen_mcgruer: This is an overview of BBK features we've discussed as part of MVP 15:19:19 stephen_mcgruer: One question I have - there might be a "double confirm" situation even if "discouraged" is honored. The authenticator may require user presence via a confirm button. We might be able to avoid that in some cases. 15:20:15 Henna: A big reason this came up is confidence that GPM will honor this; so we need to hear more from them before committing to these features. 15:20:29 ...this is an easy fix to a big part if GPM can honor this. 15:20:55 JohnBradley: uv=discouraged will more or less be honored, but it will depend on the authenticator 15:21:38 ...the double confirm will be harder to get rid of 15:22:01 ... some people may be nervous that will allow attacks 15:22:50 ...not having any user dialog could be difficult to work around 15:23:26 Henna: Double confirm is new information. Let's find out if GPM can be smart to not do a second confirm 15:23:36 q+ 15:23:46 present+ Steve_Cole 15:23:53 ack tom 15:24:11 ack stephen_mcgruer 15:25:03 stephen_mcgruer: It's more likely we can make this work on Android (in part due to limitations on what can be considered a browser) 15:25:52 q+ 15:25:57 ack me 15:26:12 Ian: Any way to provide input to the authenticator confirm dialog? 15:27:32 Henna: At TPAC I thought we also talked about using GPM on Windows 15:27:57 present+ Rene_Leveille 15:28:08 Rene has joined #wpwg 15:28:35 q? 15:28:38 stephen_mcgruer: We could switch to GPM with Chrome on all platforms but it would have downsides (and be sad) 15:28:56 s/sad/sad from an open web ecosystem perspective 15:29:03 Henna: Is there a way on windows through GPM or another means to get similar behavior 15:29:17 John: Yes, but only using GPM. 15:29:57 ...or better integrate SPC into WebAuthn 15:30:45 ...using the credential manager on android, if that passed through transaction information as part of what gets into user data 15:31:31 Ian: Would there be appetite for that? 15:31:48 John: Might be interesting to discuss with platforms. 15:31:58 stephen_mcgruer: This should already be possible via our extension 15:32:14 ...the authentication time extension includes all the payment data. 15:33:07 John: WebAuthn WG rechartering discussion has started (yesterday) 15:33:25 ...a better architecture would be to push this into credential manager and authenticator. I don't think people would be against this. 15:33:34 ...the credential manager APIs are proprietary 15:37:23 (Tradeoffs include os- or authenticator-dependent display of transaction data) 15:39:42 Ian: Recall EMVCo emphasis on importance of consistent UX 15:40:59 Action: Stephen to talk to GPM folks about uv=discouraged and double-confirm situation 15:41:59 Ian: Does it make sense for browser to pick first credential ID that has a matching BBK? 15:42:45 stephen_mcgruer: That makes sense. But in practice we pass single credential at a time (to avoid selector). So we will have to do a different prioritization. 15:43:13 ...we should probably spec this out: pick the first one that matches some criteria 15:45:16 Topic: BBK Feature discussion proposal 15:45:23 https://github.com/w3c/secure-payment-confirmation/issues/290#issuecomment-3806454419 15:46:18 Darwin: The proposal is to have a new method on Payment Request that returns a map of capabilities. 15:46:38 ...so you'd make a static request first, and track the results. If BBKs are available in the map you make your decision 15:47:27 ...we picked map in case we introduce new features like BBK-through-software 15:47:40 ..this lets us add to the enum 15:48:23 ...see other ideas for approaches but those are less appealing. 15:49:20 See also privacy considerations discussion in the proposal 15:49:59 Ian: This is backwards compatible? 15:50:01 Darwin: Yes 15:51:09 Ian: Could we use this to hear more about discouraged support? 15:51:23 stephen_mcgruer: You probably can know this from OS 15:51:32 John: Maybe, but you might have multiple authenticators 15:52:21 ...question is the more esoteric: "Do I believe that the authenticator would honor discouraged?" 15:53:20 ...unlikely the browser would know the answer 15:53:58 Topic: Payment Handler 15:54:30 Stephen: Absent any immediate comments, we are planning to rename the payment handler specification to be Web-based Payment Handler API 15:55:06 (No comments) 15:55:26 Topic: Questions from Bjorn re roaming authenticators 15:55:52 Bjorn: We are looking at roaming authenticators with SPC. Where would you like input to be captured? 15:56:11 https://github.com/w3c/secure-payment-confirmation/issues/12 15:56:42 present+ Jinho_Bang 15:57:00 Ian: Let's at least attach to that issue. 15:57:50 John: I agree that a pull request on the spec only covers a portion of the broader topic. 15:58:46 Ian: Maybe put requirements into issue 12 15:59:58 Topic: Next meeting 16:00:06 TallTed has joined #wpwg 16:00:14 26 February 16:00:19 I have made the request to generate https://www.w3.org/2026/01/29-wpwg-minutes.html Ian 16:00:21 RRSAGENT, set logs public 17:20:21 benoit has joined #wpwg