13:53:55 RRSAgent has joined #wpwg 13:53:59 logging to https://www.w3.org/2026/07/02-wpwg-irc 13:54:03 Meeting: Web Payments Working Group 13:54:15 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20260702 13:54:17 Chair: Ian 13:54:19 Scribe: Ian 13:54:24 I have made the request to generate https://www.w3.org/2026/07/02-wpwg-minutes.html Ian 13:54:26 rrsagent, set logs public 14:00:23 present+ David_Benoit 14:00:33 presen+ Sue_Koomen 14:00:35 present+ Ian_Jacobs 14:00:45 present+ Takashi_Minamii 14:01:05 Takashi has joined #wpwg 14:01:09 present+ Slobodan 14:01:12 present+ Darwin 14:01:15 present+ 14:01:16 present+ Steve_Cole 14:01:23 present+ Ravi_Shekhar 14:01:29 present+ Ricky_Graziosi 14:01:43 darwin has joined #wpwg 14:01:45 present+ Jean-Luc_di_Manno 14:02:14 present+ Stephen 14:03:11 present+ John_Earnshaw 14:03:11 slobodan has joined #wpwg 14:03:21 I have made the request to generate https://www.w3.org/2026/07/02-wpwg-minutes.html Ian 14:03:28 agenda+ Ecommerce Workshop 14:03:29 renebl has joined #wpwg 14:03:42 agenda+ SPC BBK topics 14:03:47 agenda+ SPC and third party definition 14:03:55 agenda+ SPC / WebAuthn restrictions 14:04:02 present+ Rene_Leveille 14:04:18 zakim, take up item 1 14:04:18 agendum 1 -- Ecommerce Workshop -- taken up [from Ian] 14:04:34 JL has joined #WPWG 14:04:42 https://www.w3.org/2026/ecommerce-agents/ 14:04:59 Ian: Deadline extended to 10 July 14:05:15 present+ Bjorn 14:05:17 agenda+ Roaming authenticators 14:05:21 zakim, close item 1 14:05:21 agendum 1, Ecommerce Workshop, closed 14:05:23 I see 4 items remaining on the agenda; the next one is 14:05:23 2. SPC BBK topics [from Ian] 14:05:25 zakim, take up item 2 14:05:25 agendum 2 -- SPC BBK topics -- taken up [from Ian] 14:05:37 present+ Ryan_Watkins 14:06:04 https://github.com/w3c/secure-payment-confirmation/pull/334 14:06:48 Ian: Anything left to do on this? 14:06:53 John: I'm happy with it 14:06:57 +1 to merge 14:07:06 Ian: Any objections to merge? 14:07:08 (None) 14:08:16 https://github.com/w3c/secure-payment-confirmation/issues/321 14:08:41 +1 to close as complete 14:08:58 present+ Praveena 14:09:01 present+ Albert 14:09:31 zakim, close item 2 14:09:31 agendum 2, SPC BBK topics, closed 14:09:32 I see 3 items remaining on the agenda; the next one is 14:09:32 3. SPC and third party definition [from Ian] 14:09:36 zakim, take up item 4 14:09:36 agendum 4 -- SPC / WebAuthn restrictions -- taken up [from Ian] 14:09:42 https://github.com/w3c/secure-payment-confirmation/pull/332 14:10:27 stephen_mcgruer: We added the ability for SPC calls to include webauthn extensions two years ago, but that created some privacy issues. 14:10:41 ..some extensions where an RP would not want a third-party to have access to that information. 14:11:09 ...we looked into auth-time extensions that would be useful to be used by a third-party 14:11:45 ...in chrome, we landed a change so that SPC calls fail if you call SPC with a webauthn extension and it's a third-party call. 14:12:01 ...I suggest we land 332 today (to reflect implementation)_ and can update in future if we need to 14:12:41 stephen: We also chatted with WebAuthn folks at Google. 14:12:54 Proposed: Merge 332 to align with chrome implementation. 14:12:59 +1 14:13:12 Resolved: merge 332 14:13:27 zakim, close this item 14:13:27 agendum 4 closed 14:13:29 I see 2 items remaining on the agenda; the next one is 14:13:29 3. SPC and third party definition [from Ian] 14:13:31 zakim, take up item 3 14:13:31 agendum 3 -- SPC and third party definition -- taken up [from Ian] 14:13:38 https://github.com/w3c/secure-payment-confirmation/issues/328 14:14:47 stephen: SPC's definition of third party is more restrictive than the world of webauthn≄ 14:15:07 ...in webauthn subdomain.domain.com is allowed to claim domain.com. SPC does not allow that. 14:15:24 ...so identity.bank.com and bank.com SHOULD both be able to claim bank.com (in WebAuthn)( 14:15:42 ...so we propose to update the spec (and implementation likely already follows WebAuthn) to align with WebAuthn 14:16:12 q+ 14:16:15 ack ben 14:16:32 benoit: I see real world applications of this. 14:16:55 ...but there are cases where third party domains run in domains of banks 14:17:06 ...any way to allow for some limitations? 14:17:24 stephen: If this is true, that domain is already susceptible to issues in webauthn land. 14:17:33 ...webuathn uses the "public suffix list" 14:18:11 ...I think it's reasonable to raise the concern; please add a comment to the issue. 14:19:32 Ian: Let's leave this open to get more feedback. 14:19:35 Stephen: That works. 14:19:56 Ian: We'll try to close this at one of next 2 upcoming calls. 14:19:59 zakim, close this item 14:19:59 agendum 3 closed 14:20:00 I see 1 item remaining on the agenda: 14:20:00 5. Roaming authenticators [from Ian] 14:20:12 agenda+ TPAC agenda 14:20:17 zakim, take up item 5 14:20:17 agendum 5 -- Roaming authenticators -- taken up [from Ian] 14:20:42 https://github.com/w3c/secure-payment-confirmation/issues/12#issuecomment-4509002452 14:21:01 https://www.w3.org/2026/06/04-wpwg-minutes.html#ActionSummary 14:21:39 (Stephen notes that 3DS folks did not provide information on needed Web Extensions) 14:22:19 Bjorn: Did not get to review 332. 14:23:59 Stephen: Let's put this discussion on the 16 July agenda. By then I'll have a document on the current situation and what would need to change. 14:24:34 (We move roaming auth discussion to 16 July) 14:24:37 zakim, close this item 14:24:37 agendum 5 closed 14:24:38 I see 1 item remaining on the agenda: 14:24:38 6. TPAC agenda [from Ian] 14:24:41 zakim, take up item 1 14:24:41 agendum 1 -- Ecommerce Workshop -- taken up [from Ian] 14:24:46 zakim, take up item 6 14:24:46 agendum 6 -- TPAC agenda -- taken up [from Ian] 14:25:21 Draft TPAC schedule => https://www.w3.org/calendar/tpac2026/ 14:25:30 Registration to open 9 July 14:26:18 Ian: Agenda ideas 14:26:22 - SPC pilots 14:26:46 - PR API / PH API 14:27:36 - Agentic payments 14:28:19 - SPC and roaming authenticators 14:28:40 - Autofill and checkout 14:30:07 Jean-Luc: We are seeing a lot of emerging protocols. In particular X41 14:30:26 ...may have synergies with SPC 14:30:48 ...might be interested to understand the use cases, and see how they relate 14:30:55 s/X41/x401/ 14:31:05 ...could we talk to them about potential SPC intersections? 14:31:32 (No one on call directly involved in those activities) 14:31:35 https://x401.id/ <--- I assume? 14:31:43 (Via https://www.proof.com/blog/introducing-x401 ) 14:32:41 Action: Ian to work with the Chairs to reach out to see if this might be part of joint WebAuthn/WPSIG meeting on Tuesday 14:33:49 Jean-Luc: For agentic, we see growing need for "trust surface" . Perhaps browser could play this role. 14:34:03 ...there are synergies with SPC ; how to rely on browser UX 14:34:51 https://github.com/w3c/ecommerce-for-humans-and-AI-Agents-workshop/issues 14:36:42 Topic: Next meeting 14:36:46 16 July 14:36:55 RRSAGENT, make minutes 14:36:56 I have made the request to generate https://www.w3.org/2026/07/02-wpwg-minutes.html Ian 14:37:02 RRSAGENT, set logs public