13:52:51 RRSAgent has joined #wpwg
13:52:56 logging to https://www.w3.org/2026/03/26-wpwg-irc
13:53:03 Meeting: Web Payments Working Group
13:53:15 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20260326
13:55:30 Chair: Ian
13:55:32 Scribe: Ian
13:58:41 agenda+ SPC capabilities explainer
13:58:52 agenda+ BBK guarantees
13:59:01 agenda+ Various SPC topics
13:59:05 agenda+ Next meeting
14:00:59 present+
14:01:04 present+ Darwin_Yang
14:01:10 Takashi has joined #wpwg
14:01:15 present+ John_Earnshaw
14:01:17 present+ John_Bradley
14:01:23 present+ Takashi_Minamii
14:01:25 darwin has joined #wpwg
14:01:29 present+ Kenneth
14:01:41 present+ Garima_Jaiswal
14:02:02 present+ Sami_Tikkala
14:02:07 present+ David_Benoit
14:02:11 present+ Ian_Jacobs
14:02:16 present+ Ashwany_Rayu
14:02:31 Garima has joined #wpwg
14:02:57 present+ Bjorn_Hjelm
14:04:03 zakim, take up item 1
14:04:03 agendum 1 -- SPC capabilities explainer -- taken up [from Ian]
14:04:22 -> https://github.com/w3c/secure-payment-confirmation/blob/main/explainer-capabilities.md Secure Payment Confirmation Capabilities explained
14:04:49 Darwin: Explains the Secure Payment Confirmation (SPC) Capabilities API
14:04:58 ...explains the API (and design choices)
14:05:35 present+ Gustavo
14:06:02 Ian: What's the status of implementation?
14:06:21 Darwin: Will come out in Chrome 148 (stable release is 5 May)
14:06:27 present+ Sue_Koomen
14:06:51 zakim, take up next item 1
14:06:51 I don't understand 'take up next item 1', Ian
14:07:03 zakim, take up item 2
14:07:03 agendum 2 -- BBK guarantees -- taken up [from Ian]
14:07:11 John: I would like more time.
14:07:45 ...and I will add notes to https://github.com/w3c/secure-payment-confirmation/issues/321
14:08:34 Stephen: We've not yet made changes to the spec based on #321. The main action had to do with wording in the spec about bindings. We think it's currently implicit, but we can make explicit.
14:09:03 renebl has joined #wpwg
14:09:08 present+ Rene_Leveille
14:09:32 zakim, take up next item
14:09:32 agendum 1 -- SPC capabilities explainer -- taken up [from Ian]
14:09:36 zakim, close item 1
14:09:36 agendum 1, SPC capabilities explainer, closed
14:09:37 I see 2 items remaining on the agenda; the next one is
14:09:37 3. Various SPC topics [from Ian]
14:09:39 zakim, take up next item
14:09:39 agendum 3 -- Various SPC topics -- taken up [from Ian]
14:10:19 Ian: Any updates on conversations with the Google password manager team on how we might address double step-up use cases?
14:11:04 John: uv=discouraged is supported in some places (webauthn, roaming authenticators)
14:11:50 ...some passkey providers ignore it even though the capability is enabled for other situations (e.g., laptop lid case)
14:12:18 stephen_mcgruer: Ian's question is about specific authenticators in the SPC context
14:13:02 John: "Of the authenticators that SPC supports" makes sense.
14:13:42 stephen_mcgruer: We had conversations with google password manager folks. Generally on android you need a biometric to get to hardware where keys are stored.
14:13:49 I thought on windows Hello always did UV regardless of the flag as well. Though I should go verify it as well
14:14:02 ...on desktop uv=discouraged could work with google password manager
14:14:47 stephen_mcgruer: I can see a path for making this happen on desktop platforms for *certain* authenticators. It's likely not ever going to be supported on Android.
14:15:00 ...because of the fundamental requirement for biometric to get to key storage
14:15:20 present+ Henna
14:16:07 Ian: Any other ideas circulating?
14:16:27 John: Only option would be to not use the platform authenticator (on Android)
14:17:06 Stephen: We haven't thought much more about this. In terms of uv=discouraged, that's the end of the story re: password manager on Android.
14:17:29 ...we've not yet spent time on the double step-up story through other means
14:18:23 Ian: The other option suggested was to move SPC architecture into WebAuthn
14:18:59 John: If we wanted to do the mental exercise of making this work with hybrid (e.g., credit cards as FIDO authenticators use case),
14:19:44 ...all the client data is collected in the initial browser and cached there. Which means that the authenticator has no place to put payment transaction information.
14:20:14 ...we've heard some pushback from banks about possibility of a MITM attack in hybrid case, where you can't trust a hijacked browser.
14:20:35 ...so there's a desire in WebAuthn from some folks to have a signal from the remote authenticator that the authentication happened over hybrid.
14:20:45 ...if we did something like that, we could generalize to include SPC type functionality.
14:21:15 ...you can imagine a different type of flow where the user says "I want to use my phone to do SPC" and the payment info would be presented on the phone rather than the desktop.
14:21:46 ...that would be a different model where the authenticator or the credential provider was doing the SPC presentation
14:22:03 ...you'd still have a BBK associated with the desktop
14:22:48 Ian: I recall discussing this model (more abstract) years ago.
14:23:30 John: Because data for clientData comes from browser, it makes doing hybrid in a trustable way very difficult
14:24:28 Ian: Does this relate to the "Instagram" topic (apps that are not browsers but how they get webauthn capabilities for hosted content)
14:24:57 John: Today you can't do WebAuthn in a web view for security reasons. But we received a request for other apps to have webauthn capabilities.
14:24:59 q+
14:25:43 John: If people can't use webauthn and a web view and making people fall back to username/password, are we shooting ourselves in the foot?
14:25:50 ack stephen_mcgruer
14:27:34 John: So, an approach would be to have the authenticator or credential provider be the one that presents the transaction dialog and creates the object.
14:29:06 present+ Albert
14:30:13 rrsagent, make minutes
14:30:15 I have made the request to generate https://www.w3.org/2026/03/26-wpwg-minutes.html Ian
14:30:17 rrsagent, set logs public
14:44:52 dlehn has joined #wpwg
15:03:19 TallTed has joined #wpwg