IRC log of wpwg on 2021-03-31

Timestamps are in UTC.

14:21:39 [RRSAgent]
RRSAgent has joined #wpwg
14:21:39 [RRSAgent]
logging to https://www.w3.org/2021/03/31-wpwg-irc
14:21:45 [Ian]
Meeting: Web Payments Working Group
14:21:55 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-FTF2021
14:21:58 [Ian]
Chair: NickTR
14:22:01 [Ian]
Scribe: Ian
14:22:09 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
14:22:13 [Ian]
rrsagent, set logs public
14:46:32 [Ian]
zakim, who's here?
14:46:32 [Zakim]
Present: (no one)
14:46:34 [Zakim]
On IRC I see RRSAgent, Zakim, benoit_, pea13, canton_, dlehn, ChrisD, AdrianHB, mhofman, wseltzer, smcgruer_[EST], danyao, slightlyoff, falken_, jeffh, hadleybeeman, dlongley,
14:46:34 [Zakim]
... manu, mkwst, hober, Travis_, ntelford, tobie, nicktr, joconnor, rowan_m, yoav, Ian
14:52:28 [Ian]
agenda+ SPC design considerations
14:52:31 [Ian]
agenda+ Worldline demo
14:52:37 [Ian]
agenda+ Discussion with Web Authentication WG
14:52:45 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
14:54:07 [Ian]
present+
14:58:30 [Ian]
present+ Marc_Perez_i_Ribas
14:58:43 [Manu_]
Manu_ has joined #wpwg
14:58:57 [Ian]
present+ Sebastian_Elfors
14:59:01 [Ian]
present+ Mathieu_Hofman
14:59:06 [Ian]
present+ Chris_Wood
14:59:13 [Ian]
present+ Arno_van_der_Merwe
14:59:17 [Ian]
present+ Lawrence_Cheng
14:59:24 [Chris_Wood]
Chris_Wood has joined #wpwg
14:59:28 [Ian]
present+ Anne_Pouillard
14:59:31 [stpeter]
stpeter has joined #wpwg
14:59:39 [Ian]
present+ Sameer_Tare
14:59:49 [Manoj]
Manoj has joined #wpwg
14:59:55 [Anne]
Anne has joined #wpwg
14:59:57 [marcperez]
marcperez has joined #wpwg
14:59:58 [SameerT]
SameerT has joined #wpwg
14:59:59 [Ian]
present+ Manoj_Kannembath
15:00:00 [Anne]
present+
15:00:04 [Ian]
present+ Frank_Hoffmann
15:00:06 [SameerT]
present+
15:00:07 [Ian]
present+ Rolf_Lindemann
15:00:17 [Ian]
present+ Remo
15:00:25 [Ian]
present+ Sephen_McGruer
15:00:29 [Ian]
present- Sephen_McGruer
15:00:31 [Ian]
present+ Stephen_McGruer
15:00:50 [Remo_Fiorentino]
Remo_Fiorentino has joined #wpwg
15:00:50 [Ian]
present+ James_Longstaff
15:00:53 [marcperez]
present+
15:00:54 [Ian]
present+ John_Bradley
15:01:01 [Remo_Fiorentino]
present+
15:01:04 [Ian]
present+ Jean-Michel_Girard
15:01:08 [Ian]
present+ christina_Hulka
15:01:16 [Ian]
present+ Aleksei_Akimov
15:01:18 [Fawad]
Fawad has joined #wpwg
15:01:18 [Gerhard]
Gerhard has joined #wpwg
15:01:24 [JMGirard]
JMGirard has joined #wpwg
15:01:24 [Ian]
present+ Adrian_Hope-Bailie
15:01:29 [Gerhard]
present+
15:01:36 [Ian]
present+ Eric_Alvarez
15:01:40 [Ian]
present+ Gavin_Shenker
15:01:42 [takashi]
takashi has joined #wpwg
15:01:42 [Fawad]
present=
15:01:47 [Ian]
present+ Robin_Hjelte
15:01:50 [Ian]
present+ Jean-Luc
15:01:54 [Ian]
present+ Gustavo
15:01:57 [Ian]
present+ Fawad
15:02:03 [Ian]
present+ Antoine_Cathelin
15:02:06 [Bastien]
Bastien has joined #WPWG
15:02:09 [Ian]
present+ Vaiishali_Bulusu
15:02:10 [Bastien]
present+
15:02:17 [Gavin]
Gavin has joined #WPWG
15:02:34 [Ian]
present+ Timo_Gmell
15:02:48 [Ian]
present+ Tomasz
15:02:53 [Ian]
present+ Takashi
15:02:54 [James]
James has joined #wpwg
15:03:01 [Timo_Gmell]
Timo_Gmell has joined #wpwg
15:03:01 [Ian]
present+ Michel_Weksler
15:03:08 [James]
present+ James Longstaff
15:03:13 [Timo_Gmell]
present+
15:03:16 [Ian]
present+ Jonathan_Grossar
15:03:18 [gkok]
gkok has joined #wpwg
15:03:19 [jonathan]
jonathan has joined #wpwg
15:03:23 [Ian]
present+ Erhard_Brand
15:03:24 [danyao]
present+
15:03:29 [jonathan]
present+
15:03:29 [Ian]
present+ Deepu
15:03:33 [Ian]
present+ David_Benoit
15:03:37 [Ian]
present+ Doug_Fisher
15:03:41 [Ian]
present+ Danyao_Wang
15:03:46 [gkok]
present+
15:03:47 [Ian]
present+ Tom_Bellenger
15:03:54 [Ian]
present+ Bastien
15:03:55 [Deepu]
Deepu has joined #wpwg
15:04:06 [mikehorne]
mikehorne has joined #wpwg
15:04:06 [Ian]
present+ Mike_Horne
15:04:08 [frank]
frank has joined #wpwg
15:04:18 [Deepu]
present+ Deepu
15:04:22 [frank]
present+
15:04:31 [mknowles]
mknowles has joined #wpwg
15:04:34 [michelweksler]
michelweksler has joined #wpwg
15:04:35 [Vaishali_Bulusu]
Vaishali_Bulusu has joined #WPWG
15:04:37 [Ian]
present+ Ulf_Leopold
15:04:48 [Ian]
Chair: AdrianHB
15:05:10 [Chris_Wood]
present+
15:05:11 [Ian]
present+ Jayaseelan_Shanmugam
15:05:18 [Ian]
present+ Manjush
15:05:27 [Jayaseelan]
Jayaseelan has joined #wpwg
15:05:30 [Ian]
present+ Mike_Knowles
15:05:33 [Ian]
present+ Nick_Burris
15:05:54 [Jayaseelan]
present +Jayaseelan_Shanmugam
15:05:57 [Ian]
present+ Christian_Aabye
15:06:06 [Ian]
zakim, take up item 1
15:06:06 [Zakim]
agendum 1 -- SPC design considerations -- taken up [from Ian]
15:06:19 [Ian]
-> https://docs.google.com/presentation/d/1jr1W66GCBl_caFS-Hf9V6DLumCCxvdlmnE_ghA3wcgc/edit?resourcekey=0-zC-TtFHPRAlvmL55pn-rrw#slide=id.p Slides from Danyao
15:07:04 [Christian]
Christian has joined #wpwg
15:07:39 [AdrianHB]
ian: please join in. We welcome input from WG participants to help us get our standards design right
15:07:48 [Ian]
Danyao: We've heard a lot this week about business benefits of SPC. The goal of today's session is to start to get to work on the scope of SPC "Level 1"
15:07:57 [Ian]
...we'll look at design choices and options.
15:08:23 [btidor]
btidor has joined #wpwg
15:08:28 [btidor]
present+
15:08:59 [Ian]
Danyao: ...the evolving consensus is that we are looking at Web Payments as three capabilities. We are focused in SPC on 2 of them: authentication and confirmation by the user of payment.
15:09:21 [Ian]
...the Stripe experiment was a baseline, but should not be thought of as SPC in its final form.
15:09:39 [Ian]
present+ Chris_Dee
15:09:43 [Ian]
present+ btidor
15:09:51 [Ian]
Danyao: What is SPC "REALLY"?
15:10:02 [Ian]
... payment authentication assertion (credit: Chris Wood)
15:10:16 [Ian]
...we want to introduce a new object that has some unique properties:
15:10:24 [Ian]
...proves possession and optionally a 2nd factor
15:10:27 [Ian]
...binds transaction details
15:10:38 [Ian]
...interoperable across all merchants and payment rails
15:10:38 [AdrianHB]
+1 to "Payment Authentication Assertion"
15:10:48 [Ian]
Danyao: ...consistent and predictable UX
15:10:55 [Ian]
...privacy-preserving and strong security
15:11:15 [Ian]
...if consistent and predictable, will be reassuring to merchants and issuers
15:11:17 [Gerhard]
q+
15:11:59 [Ian]
Danyao: We want this new object to act as a canonical proof for 3 questions: Is this the same device? same person? has user confirmed the transaction details?
15:12:06 [Ian]
ack G
15:12:31 [Ian]
Gerhard: This is pretty close. I think we've heard one other requirement - to indicate the mechanism of authentication.
15:12:38 [Ian]
q+
15:12:49 [Ian]
ack me
15:12:58 [Ian]
Ian: Maybe it's "Authentication context"
15:13:13 [ChrisD]
q+ to ask/suggest that confirmation is also included - i.e. consumer consents to their payment instrument being used
15:13:23 [AdrianHB]
... was there an explicit gesture or not etc
15:13:32 [Ian]
Ian: I also heard "whether it was frictionless"...so there's a set of metadata about the auth experience
15:13:46 [Aleksei]
Aleksei has joined #wpwg
15:13:54 [Ian]
Gerhard: If we opt that can be done silently, then yes "how it was done" should be captured.
15:14:32 [Ian]
ChrisD: The "C" is quite key here. Yes, it's about secure authentication, but it's also key to capture the user's consent to make the payment.
15:14:46 [Ian]
...whether the consent is one-time, time bound, etc.
15:15:14 [Ian]
Danyao: Next step is to agree on a canonical user journey
15:15:20 [Ian]
...useful to have a shared mental model
15:15:29 [Ian]
...5 steps:
15:15:34 [Gerhard]
Q: payment credential vs payment instrument? Do we have a preference?
15:15:48 [Ian]
Danyao: 1. user creates a payment credential (during transaction or out of band)
15:16:02 [Ian]
Danyao: 2. At another point in time, user initiates payment
15:16:16 [Ian]
Danyao: 3. User challenged to generate a payment authorization assertion using the payment credential.
15:16:31 [Ian]
Danyao: 4. Payer "bank" verifies the assertion and authorizes payment
15:16:54 [Ian]
Danyao: 5. Some time later on another merchant, new payment authorization assertion using the same payment credential
15:17:09 [Ian]
present+ Sejal
15:17:20 [AdrianHB]
q?
15:17:24 [Ian]
present+ Kincaid_O'Neil
15:17:26 [AdrianHB]
ach ChrisD
15:17:53 [Ian]
Danyao: So if we have an assertion object and canonical user journey, here are some design questions for the "Payment authorization assertion":
15:18:01 [Ian]
1) Who owns the credential?
15:18:07 [Ian]
2) What is the data model?
15:18:14 [Ian]
3) How is it created?
15:18:21 [Ian]
4) How can it be exercised?
15:18:32 [Ian]
5) How is it managed (i.e., lifecycle management)?
15:18:55 [Gerhard]
q+
15:18:55 [Ian]
present+ Richard_Ledain
15:19:00 [Ian]
ack Chr
15:19:00 [Zakim]
ChrisD, you wanted to ask/suggest that confirmation is also included - i.e. consumer consents to their payment instrument being used
15:19:25 [James]
q+
15:19:35 [Ian]
Danyao: In my slides I list some specific questions related to these five questions (the framework)
15:19:46 [Ian]
ack Ger
15:20:28 [Ian]
Gerhard: These questions apply to both the payment credential and the payment authorization assertion.
15:21:09 [Ian]
Danyao: Let's use terms "credential" and "assertion" for shorthand here.
15:21:24 [Christian]
q+
15:21:33 [AdrianHB]
q?
15:21:46 [Ian]
q+ to raise question about design that may allow future work on instrument selection (just to register the idea)
15:22:11 [Ian]
present+ John_Fontana
15:22:18 [Ian]
James: +1 to Gerhard's point
15:22:42 [Ian]
ChristianA: The word "authorization" means something specific in the card world; heads up
15:23:07 [Ian]
Gerhard: How about "Payment Consent Assertion"
15:23:11 [Ian]
ChristianA: +1
15:23:16 [AdrianHB]
+1
15:23:21 [AdrianHB]
q?
15:23:25 [AdrianHB]
ack james
15:23:25 [Ian]
ack James
15:23:26 [Ian]
ack chris
15:23:36 [btidor]
+1 to Christian's point (not using "authorization")
15:23:46 [Ian]
+1 to "Payment Consent Assertion"
15:23:47 [AdrianHB]
ack ChristianA
15:23:51 [AdrianHB]
ack ian
15:23:51 [Zakim]
Ian, you wanted to raise question about design that may allow future work on instrument selection (just to register the idea)
15:24:23 [AdrianHB]
ian: we are not addressing instrument selection but we may need the credential to have some identifier to support this in future
15:24:51 [Tomasz]
Tomasz has joined #Wpwg
15:25:11 [DougF]
DougF has joined #wpwg
15:25:14 [Jayaseelan]
Here is one more design question: what would be an appropriate TTL for this assertion?
15:25:18 [AdrianHB]
... one proposal is to avoid identifiers in v1 but having said that the artwork and label do provide a visual identifier so we kind of have an identifier
15:25:19 [michelweksler]
michelweksler has joined #wpwg
15:25:24 [AdrianHB]
... we may want more in future
15:25:25 [ChrisD]
q+ might it be device possession assertion or instrument possession assertion (if it relates to a particular instrument)
15:25:31 [Tomasz]
q+
15:25:38 [AdrianHB]
ack ChrisD
15:26:09 [Ian]
ChrisD: Maybe the name should be "Device Possession Assertion"? Or maybe it's "Instrument Possession Assertion"
15:26:17 [Ian]
q?
15:26:23 [AdrianHB]
q?
15:26:41 [Ian]
ack Tomasz
15:27:01 [Ian]
Tomasz: Regarding name: +1 to not using "authorization" in the name of the assertion
15:27:13 [Ian]
...maybe it could just be "Payment Confirmation Assertion"
15:27:19 [Jean-Luc_]
Jean-Luc_ has joined #wpwg
15:27:20 [AdrianHB]
q?
15:27:50 [Ian]
Jayaseelan (JC): Should there be a time-to-live in the assertion?
15:28:01 [Ian]
[Ian hears that as part of "lifecycle management"]
15:28:32 [Ian]
Ian: What is the subscription use case for these?
15:28:49 [Ian]
AdrianHB: I think we need to consider TTL for both the credential and the assertion. +1 to those design considerations
15:28:51 [Gerhard]
q+
15:29:02 [AdrianHB]
q?
15:29:11 [Ian]
Tomasz: Revocation is another important topic.
15:29:16 [Ian]
ack Gerhard
15:29:35 [Ian]
Gerhard: On the TTL, we can reach out to the open banking standards for thoughts on the lifetime of consent.
15:29:46 [btidor]
+1 to assertion expiry (maybe be configurable by issuer?) and revocation
15:30:00 [Ian]
Gerhard: ...in the oauth2 pattern I think there is a "1 minute" pattern; let's check that out
15:30:11 [mweksler]
mweksler has joined #wpwg
15:30:16 [Ian]
AdrianHB: Agree we need to accommodate policy options; but let's not dive into those today
15:30:16 [AdrianHB]
q?
15:30:31 [Ian]
Danyao: I want to briefly talk about how the design discussions map into API land
15:32:04 [Ian]
Danyao: Key system objects from browser implementation perspectives:
15:32:09 [Ian]
1) Assertion data model
15:32:15 [James]
No need to discuss now, but seconding Ian's point above: Can you set up a subscription with an SPC? Then how would you amend, update, cancel.
15:32:25 [Ian]
Danyao: 2) User experience
15:32:59 [Ian]
Danyao: Web APIs (e.g., for "creation" of credential by RP) and "exercise" by the merchant (or their PSP)
15:33:41 [SameerT]
q+
15:33:47 [Ian]
Danyao: 4) Authenticator back-end. Could be client-side but could also be extended to payment apps. All of these backends might be able to cause assertion to happen.
15:33:49 [Ian]
ack Sam
15:34:04 [Gerhard]
q+
15:34:09 [Ian]
Danyao: 5) Network protocol - transit to systems like 3DS
15:34:45 [Christian]
q+
15:34:47 [Ian]
SameerT: For assertion data model, look at what FIDO alliance has defined (e.g., as input to 3DS). Let's continue to look at how those data models connect
15:35:03 [AdrianHB]
q?
15:35:08 [AdrianHB]
ach gerhard
15:35:12 [AdrianHB]
ack gerhard
15:35:22 [AdrianHB]
s/ach gerhard//
15:35:25 [Ian]
Gerhard: A payer bank will also want to exercise these credentials. A bank will want to get consent before doing a push payment.
15:35:53 [AdrianHB]
q?
15:35:58 [AdrianHB]
ack Chris
15:36:33 [Ian]
ChristianA: We probably want both options: exercise on the merchant side (and in the background pre-AReq activities happen in 3DS). Or, "on the left side" there's a "CReq" model where there is direct interaction with the user's bank
15:37:13 [Ian]
Danyao: Design space in light of the above subsystems:
15:37:20 [Ian]
(1) Assertion data model
15:37:41 [Ian]
(2) UX: one click? zero click (no presence check)?
15:38:11 [Ian]
(3) Authenticator backend: FIDO, Payment Apps, "Possession Credential"
15:38:54 [Ian]
(4) Network protocol
15:38:58 [Ian]
(5) Web APIs
15:39:45 [Ian]
Danyao: Three different work streams moving forward:
15:39:48 [Ian]
1) Assertion data model
15:39:50 [michelweksler]
michelweksler has joined #wpwg
15:39:57 [Ian]
2) Use cases deep dives (lots of flows and UX and backend options)
15:40:05 [Tomasz]
Tomasz has joined #Wpwg
15:40:07 [AdrianHB]
q?
15:40:11 [Tomasz]
Q+
15:40:12 [Ian]
Danyao: ...we are also likely to need to prioritize here and sequence them.
15:40:25 [Ian]
Danyao: After those discussions, we can start work on the API specification
15:40:56 [Ian]
Danyao: I'd like to hear who is interested in which flow (to help us prioritize)
15:41:05 [Ian]
ack Tom
15:41:36 [Ian]
Tomasz: Regarding the "Design Space"...I think of SPC as "network neutral"
15:42:18 [Ian]
...SPC should work with "all the networks"
15:42:19 [Ian]
q+
15:42:52 [Ian]
ack me
15:43:01 [mweksler]
q+
15:43:08 [Ian]
Tomasz: I like the fact that this is based on FIDO, but SPC should be usable in a variety of authentication flows
15:43:25 [Ian]
[Ian thinks there is still an open question from Entersekt on fallback to Web Crypto]
15:43:28 [Ian]
ack mweksler
15:43:38 [Ian]
mweksler: Great presentation; I love the clarity on focus.
15:43:40 [Deepu]
Will there be minutes generated of today?
15:43:48 [Ian]
RRSAGENT, make minutes
15:43:48 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
15:44:08 [Ian]
mweksler: From Airbnb perspective, very interested in exploring this further. We are very interested in the UX
15:44:18 [AdrianHB]
q+ to suggest an extra dimension on UX
15:44:24 [Ian]
mweksler: ...I want to focus on something that respects user preference AND has a really good UX.
15:44:41 [Ian]
...so an experience where the user consents is really interesting
15:44:47 [Tomasz_]
Tomasz_ has joined #Wpwg
15:44:58 [Ian]
mweksler: very interested in the checkbox "in the future on this merchant ok to not prompt me again"
15:45:00 [Deepu]
present- Deepu
15:45:11 [Tomasz_]
q+
15:45:17 [Deepu]
present+ Deepu_K_Sasidharan
15:45:18 [Aleksei]
Thank you! And the slides, will they be publicly available? Currently seem to be restricted: https://docs.google.com/presentation/d/1jr1W66GCBl_caFS-Hf9V6DLumCCxvdlmnE_ghA3wcgc/edit?resourcekey=0-zC-TtFHPRAlvmL55pn-rrw#slide=id.p
15:45:41 [Ian]
mweksler: Would be interested in Airbnb being part of a pilot
15:45:51 [AdrianHB]
ack adrian
15:45:51 [Zakim]
AdrianHB, you wanted to suggest an extra dimension on UX
15:45:52 [Ian]
ack AdrianHB
15:46:13 [Ian]
AdrianHB: Based on what Gerhard presented, I think there's possibly a third UX dimension: authenticator assertion UX
15:46:35 [Ian]
q+ to clarify UX options
15:46:52 [Ian]
Danyao: It's hard to fit all these cases into the boxes
15:47:16 [Ian]
...let's distinguish "button clicks" from "user gestures in the authenticator"
15:47:26 [btidor]
q+
15:48:09 [Gavin]
q+
15:48:25 [AdrianHB]
q?
15:48:55 [Ian]
Ian: I am hearing three UX: both button + user gesture; button without user gesture; no button
15:49:20 [Ian]
...and the implication is that the transaction confirmation dialog is frequently encountered, but not in the third case (no button or user gesture)
15:49:22 [Ian]
ack me
15:49:22 [Zakim]
Ian, you wanted to clarify UX options
15:49:30 [Gerhard]
q+
15:49:41 [michelweksler]
michelweksler has joined #wpwg
15:49:42 [Ian]
AdrianHB: I think "Single click for both instrument selection and authentication" is also UX we should keep in mind
15:49:56 [Ian]
...so we should add a column for "instrument selection" since I think we can optimize there.
15:50:03 [AdrianHB]
q?
15:50:12 [Ian]
AdrianHB: ...so we might have "zero click auth" because instrument selection just happened.
15:50:17 [AdrianHB]
ack tom
15:50:54 [btidor]
q-
15:51:04 [Ian]
Tomasz: I agree the UX is very important. I think there's another dimension whether we can quietly initiate the payment context, to allow the merchant to handle custom UI to get assertions.
15:51:35 [gkok]
+1 on importance of fallback flow
15:51:39 [Ian]
Tomasz: We also want to discuss how to handle failure scenarios... how are fallback experiences provided gracefully?
15:51:55 [Ian]
q+ John_Bradley
15:52:13 [Ian]
ack Gav
15:52:48 [Ian]
Gavin: Regarding the UX...should we take into account "recent user gestures"
15:53:16 [Ian]
...for optimization?
15:53:41 [Ian]
AdrianHB: I think that one of the challenges we'll have is left to heuristics in the browser to protect user privacy v. specific user agent behavior
15:53:45 [Aleksei]
q+
15:53:54 [Ian]
ack Gerhard
15:54:04 [Ian]
Gerhard: We are interested in piloting as well depending on where it goes
15:54:12 [Ian]
...might be useful to try it outside of Europe as well
15:55:11 [Ian]
...instead of "network protocol" maybe we want to refer to "pull" and "push" mechanisms.
15:55:48 [Ian]
[Ian is not convinced those are the only systems... we should also support proprietary payment mechanisms]
15:56:13 [Ian]
ack John
15:56:25 [Ian]
q+ Sebastien re: authenticators
15:56:42 [Ian]
John_Bradley: FIDO authenticators can do checks with assertions (all the roaming ones at least)
15:56:52 [Ian]
...regarding scoping of credentials ... we scope them to RPID (origin)
15:57:08 [Ian]
...if you are issuing a credential across origins, are we scoping the credentials differently?
15:57:24 [Ian]
Danyao: I think we will scope them as FIDO does.
15:57:37 [Ian]
...but the API may allow other origins to "EXERCISE" the credential
15:58:02 [Ian]
...so the payment credential can be used as a FIDO credential for login by the RP, but can only be used for payment scenarios by other origins
15:58:15 [Ian]
AdrianHB: That's a feature with SPC as it has been experimented with today.
15:58:32 [Ian]
...the exercise can happen by another origin, but after 2 UX gestures in a payment context
15:58:48 [Ian]
present+ Max_Gu
15:59:07 [Ian]
John_Bradley: The merchant would need to know the RPID of the issuer
15:59:13 [Christian]
q+
15:59:20 [AdrianHB]
q?
15:59:28 [Ian]
Danyao: For the pilot, the merchant did not need to know the pilot. The merchant does need to know the credential ID (and 3DS rails were used in the pilot)
15:59:47 [Ian]
John_Bradley: But the authenticator needs to know the RPID.
15:59:58 [Ian]
Danyao: The browser is taking care of that (in the pilot)
15:59:59 [James]
q+
16:00:13 [Ian]
ack Alek
16:00:27 [Ian]
Aleksei: My compliments on the meeting and level of discussion.
16:00:33 [Ian]
...it's important to verify with a pilot
16:00:52 [Ian]
...Adyen would be interested in doing a pilot
16:01:35 [Ian]
Sebastian: Thanks for the presentation, Danyao. While we are talking about authentication...you mentioned platform authenticators for the pilot. Are you also looking at roaming?
16:01:52 [AdrianHB]
q?
16:01:55 [Ian]
Danyao: Yes, we've started to talk about it. As part of the work to make this a real spec we do need to figure out how roaming fits in.
16:01:57 [Ian]
ack Seb
16:01:57 [Zakim]
Sebastien, you wanted to discuss authenticators
16:02:05 [Ian]
Sebastian: Will PIN be supported?
16:02:27 [Ian]
Danyao: As long as people have a FIDO-compatible user-verifying authenticator, it will work by design.
16:02:46 [Ian]
Sebastian: Is there any provision that you share with the authenticator or will the authenticator be "self-contained"?
16:03:18 [Ian]
Danyao: The design is that the authenticator is self-contained. The browser will generate a hash that contains the transaction information and the original challenge. The authenticator does a regular signature of the challenge composed by the browser.
16:03:23 [Ian]
ack Christian
16:04:03 [AdrianHB]
q?
16:05:19 [Ian]
James: Thanks for the great presentation, Danyao. You talked about the "design space". Regarding the UX of "payment consent authentication". There's also design space around management credentials.
16:05:26 [Ian]
...e.g., the ability to update or cancel credentials.
16:05:47 [Ian]
AdrianHB: There will be an interesting line between "creation API" and "lifecycle management" as a distinguishing browser feature
16:05:57 [Ian]
present+ Olivier_Maas
16:06:11 [AdrianHB]
q?
16:06:13 [Ian]
ack J
16:06:17 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:06:25 [Christian]
We have to define the data moved between the participants depending on who is the relying party; ultimately in PSD2 the payer bank is responsible for asserting the authentication, so if they are not the relying party, they need data to prove that the "payment consent assertion" took place
16:06:37 [Ian]
AdrianHB: Can you say more about prioritization of use cases?
16:06:51 [Ian]
Danyao: I think I heard good signals. Great to hear from people that they want to do some pilots
16:07:29 [Ian]
q+
16:07:39 [James]
q+
16:08:27 [Ian]
ack me
16:08:49 [Ian]
Ian: Would be great to hear after SRC presentation tomorrow if payment app use case is still an important use case
16:10:49 [Ian]
[Discussion about payment apps initiating SPC]
16:11:22 [Ian]
[Next steps]
16:11:32 [Chris_Wood]
Chris_Wood has joined #wpwg
16:11:36 [Ian]
Danyao: We want to form an SPC task force that will meet regularly and come up with proposals for the WG
16:11:54 [Ian]
...the task force will also coordinate with other network backends (3DS, SRC, Open banking)
16:12:06 [Ian]
...the task force will then bring forward a draft spec (through the WG)
16:12:19 [Ian]
...on the slide we have some names of people who have expressed interest.
16:12:27 [Ian]
...we welcome others; please reach out to Ian
16:13:13 [AdrianHB]
ian: we had a card payment security taskforce in the past that may still do SPC focused work for card payments
16:13:18 [Ian]
Danyao: Thanks everyone!
16:13:21 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:13:45 [Ian]
zakim, close item 1
16:13:45 [Zakim]
I see a speaker queue remaining and respectfully decline to close this agendum, Ian
16:13:47 [Ian]
zakim, take up item 2
16:13:48 [Zakim]
agendum 2 -- Worldline demo -- taken up [from Ian]
16:15:19 [Ian]
Anne: While on their bank site, user has an opportunity to enroll cards for an SPC-like experience.
16:16:34 [Ian]
...during transaction, the user is redirected during checkout to the bank app
16:16:45 [Ian]
...the user selects the instrument, authenticates, and the payment is completed
16:17:20 [AdrianHB]
q?
16:17:40 [Ian]
ack James
16:18:52 [Ian]
Olivier: We see benefits of the payment app model.
16:19:03 [Ian]
...whether payment with card or bank account
16:19:14 [Ian]
...our use case is PSD2-compliant card payment.
16:19:40 [Ian]
...for us the key benefit of using the payment handler is that we can bypass the 3DS protocol while still keeping the 3DS fields that are required for the authorization request.
16:19:48 [Ian]
...we see the following benefits.
16:19:56 [Ian]
1) For the merchant it's simpler, quicker, more robust checkout.
16:20:18 [Ian]
...it is more robust because one avoids calls to the DS
16:20:47 [gkok]
q+
16:20:48 [Ian]
2) For the card or wallet issuer, it provides an alternative to Web Authentication. Banks want a migration path.
16:21:01 [Ian]
q+ to ask about migration path comment
16:21:16 [Ian]
3) For user, we think there will be greater trust in UX provided by issuer
16:21:26 [Ian]
4) This approach can be expanded to non-card payment scenarios.
16:21:36 [Ian]
...in short: Payment App + SPC can enhance the UX
16:22:12 [ChrisD]
q+ to ask how you know which issuer to authenticate with, if you don't have a Directory Server?
16:22:30 [Jean-Luc_]
q+
16:22:33 [Ian]
olivier: Payment app provides direct channel to issuer, which has benefits
16:22:34 [ChrisD]
q-
16:23:04 [Christian]
q+
16:23:14 [Ian]
Jean-Michel: To explain our demo we have an animation of flows
16:23:59 [AdrianHB]
q?
16:24:04 [Ian]
ack kok
16:24:30 [Ian]
gkok: For the onboarding process, what is exactly being stored in your demo? Is it the PAN or a network token?
16:24:48 [Ian]
Anne: What is stored is a payment instrument as defined by Payment Handler API
16:25:14 [AdrianHB]
q?
16:25:16 [Ian]
Anne: ...what is stored is a "link" that the issuer associates with the user's instrument
16:25:24 [AdrianHB]
ack gkok
16:25:38 [Ian]
Anne: ...the credentials are stored in the browser but opaque to the browser; they are known to the issuer
16:25:40 [SameerT]
q+
16:25:45 [Ian]
ack me
16:25:45 [Zakim]
Ian, you wanted to ask about migration path comment
16:26:11 [AdrianHB]
ian: You mentioned banks wanting a migration path, can you say more?
16:26:14 [Ian]
Ian: Can you say more about "migration path" to WebAuthn?
16:26:59 [Ian]
Olivier: There are different security levels associated with WebAuthn. Some banks may want to implement this with a gradual approach ... and may not want WebAuthn depending on the user device
16:27:01 [AdrianHB]
q?
16:27:29 [AdrianHB]
ack jea
16:28:00 [Ian]
Jean-Luc: If I understood, there is no DS and the bank authenticates the user. For 3DS the DS also validates the merchant to a certain extent.
16:28:19 [Ian]
...in your demo, there is no way for the merchant to prove that there was an authentication.
16:28:27 [Ian]
Anne: There is also no way to get the PAN if the bank is not reachable.
16:28:30 [ChrisD]
q+ to ask what will happen if the user hasn't enrolled prior to making a payment? Don't you need the Directory Service to support 'in payment' enrollment as an option; otherwise how do you find the right issuer to enroll with?
16:28:48 [Ian]
Anne: If the bank is unreachable, there's no payment.
16:28:54 [AdrianHB]
q?
16:29:15 [Ian]
Olivier: Similarly, if SRC system not available you don't get a token/PAN
16:29:31 [Ian]
Jean-Michel: Our goal in the demo was to remove the DS. But of course if bank is not reachable, there is no payment.
16:29:49 [Jean-Luc_]
q-
16:29:52 [Ian]
Olivier: The schemes could be the ones who provide the payment handler (or part of it, on behalf of the bank)
16:30:22 [Ian]
zakim, close the queue
16:30:22 [Zakim]
ok, Ian, the speaker queue is closed
16:31:07 [Ian]
Anne: The issuer / ACS is the same domain. We assume here that the issuer is able to rely on the ACS to provide fields.
16:31:53 [AdrianHB]
q?
16:32:00 [Ian]
Christian: I am hearing that the issuer emulates an ACS (either by working with an ACS or getting the data otherwise)
16:32:00 [AdrianHB]
ack Christian
16:32:03 [stpeter]
stpeter has joined #wpwg
16:32:15 [Ian]
Olivier: This function can be performed by ACS, issuer, or Schemes.
16:32:26 [Ian]
...in our demo, we don't need the DS to find the card
16:32:39 [Ian]
...when you enroll via a payment handler, you have a direct link to the issuer
16:32:49 [AdrianHB]
s/DS to find the card/DS to find the card issuer/
16:33:00 [Ian]
Olivier: ...in short, we are simplifying now that there is browser functionality (Payment Handler API) that was not available 20 years ago.
16:33:03 [Ian]
ack Same
16:33:05 [AdrianHB]
q?
16:33:28 [Ian]
SameerT: I think part of my question is how 3DS fields are generated without 3DS services being involved.
16:34:26 [Ian]
ack Chris
16:34:26 [Zakim]
ChrisD, you wanted to ask what will happen if the user hasn't enrolled prior to making a payment? Don't you need the Directory Service to support 'in payment' enrollment as an
16:34:30 [Zakim]
... option; otherwise how do you find the right issuer to enroll with?
16:35:10 [Ian]
ChrisD: Without the DS you can't really support "in-payment enrollment" flows... unless the payment handler has a BIN lookup capability.
16:35:40 [Ian]
[Ian: See SRC assumptions on this topic => https://github.com/w3c/src/wiki/UX-Assumptions-and-Requirements ]
16:36:24 [Ian]
Jean-Michel: Agree with that comment, but the purpose of the demo was to show the role a payment handler can play to simplify.
16:36:36 [Ian]
...you can still do "3DS things in your payments" without the DS
16:36:48 [Ian]
ChrisD: I can also see advantages in latency and reliability
16:37:01 [Ian]
...but one cost is that you may need to support two flows: pre-enrolled v. during-transaction
16:37:07 [Ian]
Jean-Michel: Agreed
16:37:40 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:37:45 [Ian]
zakim, close item 1
16:37:45 [Ian]
zakim, close item 2
16:37:45 [Zakim]
agendum 1, SPC design considerations, closed
16:37:46 [Zakim]
I see 2 items remaining on the agenda; the next one is
16:37:46 [Zakim]
2. Worldline demo [from Ian]
16:37:46 [Zakim]
agendum 2, Worldline demo, closed
16:37:46 [Zakim]
I see 1 item remaining on the agenda:
16:37:47 [Zakim]
3. Discussion with Web Authentication WG [from Ian]
16:37:49 [Ian]
zakim, take up item 3
16:37:49 [Zakim]
agendum 3 -- Discussion with Web Authentication WG -- taken up [from Ian]
16:39:31 [Ian]
present+ Gargi_Sharma
16:40:02 [Ian]
zakim, close item 3
16:40:02 [Zakim]
agendum 3, Discussion with Web Authentication WG, closed
16:40:03 [Zakim]
I see nothing remaining on the agenda
16:40:07 [Ian]
Topic: Chrome Origin Trial
16:40:23 [Ian]
Danyao: New origin trial for SPC. The second one:
16:40:46 [Ian]
...look for v91 of chrome
16:41:06 [Ian]
https://developer.chrome.com/origintrials/#/view_trial/2735936773627576321
16:41:15 [Ian]
Quoting: "Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new PaymentCredential credential type to the Credential Management spec, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the proposed secure-payment-confirmation payment method."
16:42:36 [Ian]
Danyao: We are balancing with the ability to experiment; origin trials let us try out new APIs without saying "this is final"
16:42:55 [mweksler]
mweksler has joined #wpwg
16:43:21 [Ian]
Danyao: ...traditionally new features were hidden behind flags. Origin trials let people enable features on the experimenter origin, and the user doesn't have to flip any settings
16:43:23 [AdrianHB]
q?
16:43:39 [danyao]
SPC Origin Trial instructions: https://github.com/rsolomakhin/secure-payment-confirmation/blob/master/developer-guide.md
16:43:48 [Ian]
AdrianHB: If people want to enable their origin, what part of the flow involves origin checks?
16:44:28 [Ian]
Danyao: Two extensions are (1) payment credential creation (2) exercise via PR API
16:44:42 [Ian]
...the origin that hosts the JS needs to opt in to the origin trial
16:45:53 [AdrianHB]
q?
16:45:56 [ulf]
ulf has joined #wpwg
16:47:24 [Ian]
Danyao: Origin trials have expiration dates. SPC2 through Chrome 93. We can extend, but this is meant to prevent reliance. The SPC task force will develop the "real" API for future reliance
16:48:11 [Ian]
PROPOSED: The WPWG should take up SPC as a formal work item.
16:48:28 [AdrianHB]
+1
16:48:29 [benoit_]
+1
16:48:30 [Gerhard]
+1
16:48:32 [btidor]
+1
16:48:34 [Vaishali_Bulusu]
+1
16:48:35 [frank]
+1
16:48:36 [mknowles]
+1
16:48:41 [Fawad]
+1
16:48:46 [Aleksei]
+1
16:48:49 [Anne]
+1
16:48:57 [danyao]
+1
16:49:14 [James]
+1 (non member, but support!)
16:49:53 [Christian]
+1
16:50:02 [SameerT]
+1 non member support
16:51:35 [Ian]
[Other stuff]
16:51:40 [Ian]
15 April: I18N issues
16:51:48 [Ian]
29 April: New ideas on hasEnrolledInstrument
16:51:59 [Ian]
AdrianHB: Thanks Danyao! Excited to start this work
16:52:11 [Ian]
...thanks Anne and Worldline for the demo and discussion
16:52:35 [Ian]
...the demo speaks a lot to how I have thought of the browser as playing a role in interop.
16:52:48 [Ian]
...demos are always welcome to spark conversation and visualize what we are doing
16:52:56 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:53:09 [Deepu]
Thank you everyone
16:53:22 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:53:44 [Vaishali_Bulusu]
Thank you all !
16:57:30 [Ian]
zakim, who's here?
16:57:30 [Zakim]
Present: Robin_Hjelte, Jean-Luc, Gustavo, Fawad, Antoine_Cathelin, Vaiishali_Bulusu, Bastien, Timo_Gmell, Tomasz, Takashi, Michel_Weksler, James, Longstaff, Jonathan_Grossar,
16:57:34 [Zakim]
... Erhard_Brand, danyao, jonathan, David_Benoit, Doug_Fisher, Danyao_Wang, gkok, Tom_Bellenger, Mike_Horne, frank, Ulf_Leopold, Chris_Wood, Jayaseelan_Shanmugam, Manjush,
16:57:34 [Zakim]
... Mike_Knowles, Nick_Burris, Christian_Aabye, btidor, Chris_Dee, Sejal, Kincaid_O'Neil, Richard_Ledain, John_Fontana, Deepu_K_Sasidharan, Max_Gu, Olivier_Maas, Gargi_Sharma
16:57:40 [Zakim]
On IRC I see stpeter, DougF, Aleksei, btidor, Jayaseelan, Vaishali_Bulusu, mknowles, frank, Deepu, jonathan, gkok, Timo_Gmell, James, Bastien, Gerhard, Fawad, Remo_Fiorentino,
16:57:40 [Zakim]
... SameerT, Manoj, RRSAgent, Zakim, benoit_, pea13, canton_, dlehn, ChrisD, AdrianHB, mhofman, wseltzer, smcgruer_[EST], danyao, slightlyoff, falken_, jeffh, hadleybeeman,
16:57:40 [Zakim]
... dlongley, manu, mkwst, hober, Travis_, ntelford, tobie, nicktr, joconnor, rowan_m, yoav, Ian
17:13:38 [mweksler]
mweksler has joined #wpwg
17:16:33 [mweksler]
mweksler has joined #wpwg
19:17:58 [Zakim]
Zakim has left #wpwg
19:30:02 [Ian]
rrsagent, bye
19:30:02 [RRSAgent]
I see no action items