IRC log of wpwg on 2019-09-04
Timestamps are in UTC.
- 14:57:15 [RRSAgent]
- RRSAgent has joined #wpwg
- 14:57:15 [RRSAgent]
- logging to https://www.w3.org/2019/09/04-wpwg-irc
- 14:57:19 [Ian]
- Meeting: Card Payment Security Task Force
- 14:57:21 [Ian]
- Chair: Ian
- 14:57:37 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2019Sep/0005.html
- 14:57:43 [Ian]
- present+
- 14:57:57 [Ian]
- agenda+ TPAC planning
- 14:58:15 [Ian]
- RRSAGENT, make minutes
- 14:58:15 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/04-wpwg-minutes.html Ian
- 14:58:21 [Ian]
- RRSAGENT, set logs public
- 14:58:25 [Ian]
- regrets+ Jalpesh_Chitalia
- 14:59:29 [Ian]
- present+ Michel
- 15:00:00 [Ian]
- present+ David_Benoit
- 15:00:04 [Ian]
- present+ Dean_Ezra
- 15:00:58 [Ian]
- present+ Jonathan_Grossar
- 15:01:20 [deanezra]
- deanezra has joined #wpwg
- 15:02:09 [mweksler]
- mweksler has joined #wpwg
- 15:03:28 [Ian]
- present+ Tomasz_Blachowitz
- 15:03:47 [Ian]
- present+ Brian_Piel
- 15:03:55 [Ian]
- present+ Adrian_Hope-Bailie
- 15:04:04 [Ian]
- present+ Jonathan_Vokes
- 15:04:05 [tm]
- tm has joined #wpwg
- 15:04:10 [tomasz]
- tomasz has joined #wpwg
- 15:04:16 [AdrianHB]
- AdrianHB has joined #wpwg
- 15:04:42 [Ian]
- Topic: Last Call Recap
- 15:04:54 [Ian]
- Jonathan: We reviewed Jalpesh's flows; he made some minor modifications based on the discussion.
- 15:05:04 [Ian]
- There were many good questions (reflected in the minutes)
- 15:05:20 [Ian]
- ...the idea is at TPAC to show user journey in a demo and to reflect these flows we reviewed
- 15:05:24 [Ian]
- ...first time user adding a card
- 15:05:27 [Ian]
- ...returning user on the same device
- 15:05:50 [Ian]
- ...the demo will go further by illustrating the data exchanged through PR API
- 15:06:21 [Ian]
- ...we did not have time to go through the 3DS flows
- 15:06:24 [Ian]
- ...there were 2 objectives:
- 15:06:33 [Ian]
- a) As part of SRC, if 3DS is invoked what does it look like?
- 15:06:52 [Ian]
- ...Tomasz can speak to that (e.g., invoked by merchant, payment handler, SRC system on behalf of others, etc.)
- 15:06:58 [Ian]
- ...Tomasz can show one view of that
- 15:07:17 [Ian]
- ...also, a month ago there was a request that we find a way to leverage 3DS outside of SRC
- 15:07:19 [jv_]
- jv_ has joined #wpwg
- 15:07:24 [Ian]
- ...we don't have that today but we can also prepare that for TPAC
- 15:07:37 [Ian]
- q+
- 15:08:07 [Ian]
- ...I suggest we go through the flows today with representation of 3DS...we will add the flows in the next few days to represent the other options
- 15:08:42 [Ian]
- IJ: Do you think we should work on 3DS outside of SRC as a priority?
- 15:09:42 [Ian]
- ...should we just start with SRC and then learn from that?
- 15:09:52 [Ian]
- Jonathan: +1 to get the data flow down
- 15:10:07 [Ian]
- ...if browsers can facilitate some 3DS experience, then I think it can be done independent of SRC
- 15:10:24 [AdrianHB]
- q+
- 15:10:35 [Ian]
- Tomasz: This is also related to where exactly the merchant declares that they want 3DS facilitated by the payment handler
- 15:10:46 [Ian]
- ...so we could have this in the PR API request (at top level) and it maps into the SRC payment method
- 15:10:58 [Ian]
- ...or we could include it in the SRC payment method definition
- 15:11:06 [Ian]
- ack AdrianHB
- 15:11:36 [Ian]
- AdrianHB: I had a call today with somebody who mentioned this topic explicitly. They were wondering whether they could write a payment handler that does basic card + 3DS
- 15:11:42 [Ian]
- ...so there may be use cases for this
- 15:12:07 [Ian]
- Jonathan: It might come from the PSD2 regulation
- 15:12:37 [Ian]
- https://w3c.github.io/3ds/index.html
- 15:12:52 [Ian]
- https://w3c.github.io/3ds/index.html#howtouse
- 15:12:58 [jonathan_]
- jonathan_ has joined #wpwg
- 15:13:03 [benoit]
- benoit has joined #wpwg
- 15:14:11 [Ian]
- ack me
- 15:14:27 [Ian]
- https://github.com/w3c/src/wiki
- 15:15:05 [Ian]
- IJ: Could we extract some of the good questions from last week's call into the payment method wiki?
- 15:15:26 [AdrianHB]
- Could we add some abstraction of the 3DS function to PR API? Something like a requestData where 3DS is an implementation of a service that can provide this?
- 15:16:09 [Ian]
- Jonathan: We can add some explanations from last week's call to the wiki
- 15:16:20 [Ian]
- ...idea of a FAQ is probably a good idea as well
- 15:17:16 [Ian]
- ACTION: Jonathan to send Ian some notes for text to integrate into the SRC wiki
- 15:17:17 [trackbot]
- 'Jonathan' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., john203445, versky).
- 15:17:38 [Ian]
- Topic: 3DS flows
- 15:18:22 [Ian]
- [Tomasz shows flows]
- 15:18:51 [Ian]
- Tomasz: First flow shows SRC systems communicating with 3DS sever.
- 15:18:58 [Ian]
- s/sever/server
- 15:19:08 [Ian]
- ...the 3DS system can be asked to facilitate 3DS on behalf of merchant
- 15:19:35 [Ian]
- ...SRC system connects to issuing bank (via the directory service [not shown])
- 15:19:54 [Ian]
- ...if the authentication request is Y or A, then auth is frictionless.
- 15:20:03 [Ian]
- ...more interesting case is when the issuing bank specifies the challenge flow
- 15:20:25 [Ian]
- ...the SRC payment handler would create a challenge window (e.g., in an iframe if a web environment)
- 15:21:04 [Ian]
- ...then there's a challenge request to the issuing bank
- 15:21:35 [Ian]
- ...the challenge is submitted to the ACS, which sends back an auth value
- 15:22:03 [Ian]
- ...then there is a request to close the challenge window in the payment handler
- 15:22:29 [Ian]
- ...because the challenge flow was executed, the payment handler needs to go back to the SRC system to complete checkout and get the auth value and credentials
- 15:22:39 [Ian]
- ...all this is packed in the encrypted payload
- 15:24:12 [Ian]
- ...regarding the shape of the output data
- 15:24:37 [Ian]
- https://github.com/w3c/src/wiki
- 15:25:02 [Ian]
- https://github.com/w3c/src/issues/16
- 15:25:53 [Ian]
- Ian: We don't yet have specifics about the shape of the assurance data.
- 15:26:23 [Ian]
- Tomasz: We can either include the assurance data (output from the 3DS auth) in the response from the SRC payment method, or we can elevate this into the PR API response.
- 15:26:47 [Ian]
- q?
- 15:26:53 [Ian]
- Ian: I am hearing three options:
- 15:27:03 [Ian]
- - 3DS parameters / response data as part of next version of PR API
- 15:27:23 [Ian]
- - 3DS params / response data hardwired into SRC...but could also hardwire other assurance methods into SR
- 15:27:42 [Ian]
- - 3DS params/response data in separate module, and a payment method imports as many similar modules as it wants
- 15:28:56 [Ian]
- Tomasz: We do have other assurance methods but we don't have specs for those yet
- 15:29:23 [Ian]
- Brian: I think the goal should be to define how 3DS works within PR API
- 15:29:42 [Ian]
- ...SRC payment handler may want to use it...there might be some nuances to the SRC case
- 15:29:48 [Ian]
- ...but in general having 3DS work within PR API should be a goal
- 15:29:56 [Ian]
- ...(as we previously discussed)
- 15:30:35 [Ian]
- ...there's also an SDK view of 3DS
- 15:30:38 [Ian]
- q+ to ask about encryption
- 15:31:30 [Ian]
- ack me
- 15:31:30 [Zakim]
- Ian, you wanted to ask about encryption
- 15:34:21 [mweksler]
- q+
- 15:34:25 [Ian]
- ack mweksler
- 15:34:36 [Ian]
- IJ: I think there are complexities to doing it at the PR API level due to encryption (at least)
- 15:34:54 [Ian]
- ...feels more right to make 3DS a module (including, due to encryption)
- 15:35:06 [Ian]
- mweksler: +1 to not overloading PR API
- 15:35:25 [Ian]
- ...also, the "most engineered way" where there's an includable module is a nice long-term approach
- 15:37:05 [Ian]
- IJ: Today basic card is not supported in Firefox or Safari, so in practice we have N=1 use cases (SRC)
- 15:37:13 [Ian]
- Brian: We should factor in "who can initiate the call"
- 15:37:32 [Ian]
- ...could be merchant, or PSP (on the merchant side)
- 15:38:03 [Ian]
- ...could be some call-outs that "when I am initiating through PR API" I would like to use 3DS
- 15:39:32 [Ian]
- IJ: Do we need to figure out what to do in merchant-initiated 3DS flows?
- 15:39:42 [Ian]
- Brian: There is a user experience issue
- 15:42:03 [Ian]
- Brian: In payment handler scenario, the UX is built-in
- 15:43:08 [Ian]
- q?
- 15:47:46 [Ian]
- PROPOSED: Continue to treat 3DS as a part of SRC; later if there is demand we look at factoring out 3DS as a reusable module for payment methods
- 15:47:47 [mweksler]
- +1
- 15:48:00 [AdrianHB]
- +1
- 15:48:01 [benoit]
- +1
- 15:48:15 [jv_]
- +1
- 15:48:16 [tomasz]
- +1
- 15:48:38 [Ian]
- ACTION: Ian to update the wiki to let people know that that is our current strategy
- 15:48:38 [trackbot]
- 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs).
- 15:49:16 [Ian]
- Topic: TPAC
- 15:49:16 [Ian]
- https://github.com/w3c/webpayments/wiki/FTF-Agenda-201909#16-september
- 15:50:18 [Ian]
- IJ: How should we allocate the 2 hours?
- 15:50:36 [Ian]
- Jonathan: Start with demo (and explain the differences since April)
- 15:50:45 [Ian]
- ...walk through identity management
- 15:50:54 [Ian]
- ...suggest 1 hour for that
- 15:52:48 [Ian]
- IJ: Can we have a JSON response sample?
- 15:52:59 [Ian]
- Action: Tomasz to produce a sample JSON response data blob for SRC
- 15:53:00 [trackbot]
- Created ACTION-127 - Produce a sample json response data blob for src [on Tomasz Blachowicz - due 2019-09-11].
- 15:53:44 [Ian]
- -> https://github.com/w3c/src/issues
- 15:59:43 [Ian]
- ACTION: Ian to look for someone to do an SRC v1 intro to the WG
- 15:59:43 [trackbot]
- 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs).
- 16:00:56 [benoit]
- benoit has joined #wpwg
- 16:02:08 [jv]
- jv has joined #wpwg
- 16:06:27 [Ian]
- Topic: Next meeting
- 16:06:28 [Ian]
- In Japan!
- 16:06:34 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/04-wpwg-minutes.html Ian
- 16:07:58 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/04-wpwg-minutes.html Ian
- 16:08:06 [Ian]
- RRSAGENT, set logs public
- 16:38:29 [Ian]
- zakim, bye
- 16:38:29 [Zakim]
- leaving. As of this point the attendees have been Ian, Michel, David_Benoit, Dean_Ezra, Jonathan_Grossar, Tomasz_Blachowitz, Brian_Piel, Adrian_Hope-Bailie, Jonathan_Vokes
- 16:38:29 [Zakim]
- Zakim has left #wpwg
- 16:38:31 [Ian]
- Prrsgaent, bye
- 16:38:35 [Ian]
- RRSAGENT, bye
- 16:38:35 [RRSAgent]
- I see 4 open action items saved in https://www.w3.org/2019/09/04-wpwg-actions.rdf :
- 16:38:35 [RRSAgent]
- ACTION: Jonathan to send Ian some notes for text to integrate into the SRC wiki [1]
- 16:38:35 [RRSAgent]
- recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-17-16
- 16:38:35 [RRSAgent]
- ACTION: Ian to update the wiki to let people know that that is our current strategy [2]
- 16:38:35 [RRSAgent]
- recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-48-38
- 16:38:35 [RRSAgent]
- ACTION: Tomasz to produce a sample JSON response data blob for SRC [3]
- 16:38:35 [RRSAgent]
- recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-52-59
- 16:38:35 [RRSAgent]
- ACTION: Ian to look for someone to do an SRC v1 intro to the WG [4]
- 16:38:35 [RRSAgent]
- recorded in https://www.w3.org/2019/09/04-wpwg-irc#T15-59-43