Meeting minutes
Ecommerce Workshop
The deadline for agenda proposals for the E-commerce for Humans and AI Agents has been extended to 10 July.
SPC BBK topics
w3c/
Ian: Anything left to do on this?
John: I'm happy with it
<stephen_mcgruer> +1 to merge
Ian: Any objections to merge?
(None)
<stephen_mcgruer> w3c/
<stephen_mcgruer> +1 to close as complete
SPC / WebAuthn restrictions
w3c/
stephen_mcgruer: We added the ability for SPC calls to include webauthn extensions two years ago, but that created some privacy issues.
… some extensions where an RP would not want a third-party to have access to that information.
… we looked into auth-time extensions that would be useful to be used by a third-party
… in chrome, we landed a change so that SPC calls fail if you call SPC with a webauthn extension and it's a third-party call.
… I suggest we land 332 today (to reflect implementation)_ and can update in future if we need to
stephen: We also chatted with WebAuthn folks at Google.
Proposed: Merge 332 to align with chrome implementation.
<Ian> +1
RESOLUTION: Merge Pull Request 332
SPC and third party definition
w3c/
stephen: SPC's definition of third party is more restrictive than the world of webauthn≥
… in webauthn subdomain.domain.com is allowed to claim domain.com. SPC does not allow that.
… so identity.bank.com and bank.com SHOULD both be able to claim bank.com (in WebAuthn)(
… so we propose to update the spec (and implementation likely already follows WebAuthn) to align with WebAuthn
benoit: I see real world applications of this.
… but there are cases where third party domains run in domains of banks
… any way to allow for some limitations?
stephen: If this is true, that domain is already susceptible to issues in webauthn land.
… webuathn uses the "public suffix list"
… I think it's reasonable to raise the concern; please add a comment to the issue.
Ian: Let's leave this open to get more feedback.
Stephen: That works.
Ian: We'll try to close this at one of next 2 upcoming calls.
Roaming authenticators
w3c/
https://
(Stephen notes that 3DS folks did not provide information on needed Web Extensions)
Bjorn: Did not get to review 332.
Stephen: Let's put this discussion on the 16 July agenda. By then I'll have a document on the current situation and what would need to change.
(We move roaming auth discussion to 16 July)
TPAC agenda
Draft TPAC schedule => https://
Registration to open 9 July
Ian: Agenda ideas for the WPWG meeting on Thursday
- SPC pilots
- PR API / PH API
- Agentic payments
- SPC and roaming authenticators
- Autofill and checkout
Jean-Luc: We are seeing a lot of emerging protocols. In particular x401
… may have synergies with SPC
… might be interested to understand the use cases, and see how they relate
… could we talk to them about potential SPC intersections?
(No one on call directly involved in those activities)
<stephen_mcgruer> https://
<stephen_mcgruer> (Via https://
ACTION: Ian to work with the Chairs to reach out to see if x401 might be part of joint WebAuthn/WPSIG meeting on Tuesday
Jean-Luc: For agentic, we see growing need for "trust surface" . Perhaps browser could play this role.
… there are synergies with SPC ; how to rely on browser UX
https://
Next meeting
16 July