14:21:39 RRSAgent has joined #wpwg
14:21:39 logging to https://www.w3.org/2021/03/31-wpwg-irc
14:21:45 Meeting: Web Payments Working Group
14:21:55 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-FTF2021
14:21:58 Chair: NickTR
14:22:01 Scribe: Ian
14:22:09 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
14:22:13 rrsagent, set logs public
14:46:32 zakim, who's here?
14:46:32 Present: (no one)
14:46:34 On IRC I see RRSAgent, Zakim, benoit_, pea13, canton_, dlehn, ChrisD, AdrianHB, mhofman, wseltzer, smcgruer_[EST], danyao, slightlyoff, falken_, jeffh, hadleybeeman, dlongley,
14:46:34 ... manu, mkwst, hober, Travis_, ntelford, tobie, nicktr, joconnor, rowan_m, yoav, Ian
14:52:28 agenda+ SPC design considerations
14:52:31 agenda+ Worldline demo
14:52:37 agenda+ Discussion with Web Authentication WG
14:52:45 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
14:54:07 present+
14:58:30 present+ Marc_Perez_i_Ribas
14:58:43 Manu_ has joined #wpwg
14:58:57 present+ Sebastian_Elfors
14:59:01 present+ Mathieu_Hofman
14:59:06 present+ Chris_Wood
14:59:13 present+ Arno_van_der_Merwe
14:59:17 present+ Lawrence_Cheng
14:59:24 Chris_Wood has joined #wpwg
14:59:28 present+ Anne_Pouillard
14:59:31 stpeter has joined #wpwg
14:59:39 present+ Sameer_Tare
14:59:49 Manoj has joined #wpwg
14:59:55 Anne has joined #wpwg
14:59:57 marcperez has joined #wpwg
14:59:58 SameerT has joined #wpwg
14:59:59 present+ Manoj_Kannembath
15:00:00 present+
15:00:04 present+ Frank_Hoffmann
15:00:06 present+
15:00:07 present+ Rolf_Lindemann
15:00:17 present+ Remo
15:00:25 present+ Sephen_McGruer
15:00:29 present- Sephen_McGruer
15:00:31 present+ Stephen_McGruer
15:00:50 Remo_Fiorentino has joined #wpwg
15:00:50 present+ James_Longstaff
15:00:53 present+
15:00:54 present+ John_Bradley
15:01:01 present+
15:01:04 present+ Jean-Michel_Girard
15:01:08 present+ christina_Hulka
15:01:16 present+ Aleksei_Akimov
15:01:18 Fawad has joined #wpwg
15:01:18 Gerhard has joined #wpwg
15:01:24 JMGirard has joined #wpwg
15:01:24 present+ Adrian_Hope-Bailie
15:01:29 present+
15:01:36 present+ Eric_Alvarez
15:01:40 present+ Gavin_Shenker
15:01:42 takashi has joined #wpwg
15:01:42 present=
15:01:47 present+ Robin_Hjelte
15:01:50 present+ Jean-Luc
15:01:54 present+ Gustavo
15:01:57 present+ Fawad
15:02:03 present+ Antoine_Cathelin
15:02:06 Bastien has joined #WPWG
15:02:09 present+ Vaiishali_Bulusu
15:02:10 present+
15:02:17 Gavin has joined #WPWG
15:02:34 present+ Timo_Gmell
15:02:48 present+ Tomasz
15:02:53 present+ Takashi
15:02:54 James has joined #wpwg
15:03:01 Timo_Gmell has joined #wpwg
15:03:01 present+ Michel_Weksler
15:03:08 present+ James Longstaff
15:03:13 present+
15:03:16 present+ Jonathan_Grossar
15:03:18 gkok has joined #wpwg
15:03:19 jonathan has joined #wpwg
15:03:23 present+ Erhard_Brand
15:03:24 present+
15:03:29 present+
15:03:29 present+ Deepu
15:03:33 present+ David_Benoit
15:03:37 present+ Doug_Fisher
15:03:41 present+ Danyao_Wang
15:03:46 present+
15:03:47 present+ Tom_Bellenger
15:03:54 present+ Bastien
15:03:55 Deepu has joined #wpwg
15:04:06 mikehorne has joined #wpwg
15:04:06 present+ Mike_Horne
15:04:08 frank has joined #wpwg
15:04:18 present+ Deepu
15:04:22 present+
15:04:31 mknowles has joined #wpwg
15:04:34 michelweksler has joined #wpwg
15:04:35 Vaishali_Bulusu has joined #WPWG
15:04:37 present+ Ulf_Leopold
15:04:48 Chair: AdrianHB
15:05:10 present+
15:05:11 present+ Jayaseelan_Shanmugam
15:05:18 present+ Manjush
15:05:27 Jayaseelan has joined #wpwg
15:05:30 present+ Mike_Knowles
15:05:33 present+ Nick_Burris
15:05:54 present +Jayaseelan_Shanmugam
15:05:57 present+ Christian_Aabye
15:06:06 zakim, take up item 1
15:06:06 agendum 1 -- SPC design considerations -- taken up [from Ian]
15:06:19 -> https://docs.google.com/presentation/d/1jr1W66GCBl_caFS-Hf9V6DLumCCxvdlmnE_ghA3wcgc/edit?resourcekey=0-zC-TtFHPRAlvmL55pn-rrw#slide=id.p Slides from Danyao
15:07:04 Christian has joined #wpwg
15:07:39 ian: please join in. We welcome input from WG participants to help us get our standards design right
15:07:48 Danyao: We've heard a lot this week about business benefits of SPC. The goal of today's session is to start to get to work on the scope of SPC "Level 1"
15:07:57 ...we'll look at design choices and options.
15:08:23 btidor has joined #wpwg
15:08:28 present+
15:08:59 Danyao: ...the evolving consensus is that we are looking at Web Payments as three capabilities. We are focused in SPC on 2 of them: authentication and confirmation by the user of payment.
15:09:21 ...the Stripe experiment was a baseline, but should not be thought of as SPC in its final form.
15:09:39 present+ Chris_Dee
15:09:43 present+ btidor
15:09:51 Danyao: What is SPC "REALLY"?
15:10:02 ... payment authentication assertion (credit: Chris Wood)
15:10:16 ...we want to introduce a new object that has some unique properties:
15:10:24 ...proves possession and optionally a 2nd factor
15:10:27 ...binds transaction details
15:10:38 ...interoperable across all merchants and payment rails
15:10:38 +1 to "Payment Authentication Assertion"
15:10:48 Danyao: ...consistent and predictable UX
15:10:55 ...privacy-preserving and strong security
15:11:15 ...if consistent and predictable, will be reassuring to merchants and issuers
15:11:17 q+
15:11:59 Danyao: We want this new object to act as a canonical proof for 3 questions: Is this the same device? same person? has user confirmed the transaction details?
15:12:06 ack G
15:12:31 Gerhard: This is pretty close. I think we've heard one other requirement - to indicate the mechanism of authentication.
15:12:38 q+
15:12:49 ack me
15:12:58 Ian: Maybe it's "Authentication context"
15:13:13 q+ to ask/suggest that confirmation is also included - i.e. consumer consents to their payment instrument being used
15:13:23 ... was there an explicit gesture or not etc
15:13:32 Ian: I also heard "whether it was frictionless"...so there's a set of metadata about the auth experience
15:13:46 Aleksei has joined #wpwg
15:13:54 Gerhard: If we opt that can be done silently, then yes "how it was done" should be captured.
15:14:32 ChrisD: The "C" is quite key here. Yes, it's about secure authentication, but it's also key to capture the user's consent to make the payment.
15:14:46 ...whether the consent is one-time, time bound, etc.
15:15:14 Danyao: Next step is to agree on a canonical user journey
15:15:20 ...useful to have a shared mental model
15:15:29 ...5 steps:
15:15:34 Q: payment credential vs payment instrument? Do we have a preference?
15:15:48 Danyao: 1. user creates a payment credential (during transaction or out of band)
15:16:02 Danyao: 2. At another point in time, user initiates payment
15:16:16 Danyao: 3. User challenged to generate a payment authorization assertion using the payment credential.
15:16:31 Danyao: 4. Payer "bank" verifies the assertion and authorizes payment
15:16:54 Danyao: 5. Some time later on another merchant, new payment authorization assertion using the same payment credential
15:17:09 present+ Sejal
15:17:20 q?
15:17:24 present+ Kincaid_O'Neil
15:17:26 ach ChrisD
15:17:53 Danyao: So if we have an assertion object and canonical user journey, here are some design questions for the "Payment authorization assertion":
15:18:01 1) Who owns the credential?
15:18:07 2) What is the data model?
15:18:14 3) How is it created?
15:18:21 4) How can it be exercised?
15:18:32 5) How is it managed (i.e., lifecycle management)?
15:18:55 q+
15:18:55 present+ Richard_Ledain
15:19:00 ack Chr
15:19:00 ChrisD, you wanted to ask/suggest that confirmation is also included - i.e. consumer consents to their payment instrument being used
15:19:25 q+
15:19:35 Danyao: In my slides I list some specific questions related to these five questions (the framework)
15:19:46 ack Ger
15:20:28 Gerhard: These questions apply to both the payment credential and the payment authorization assertion.
15:21:09 Danyao: Let's use terms "credential" and "assertion" for shorthand here.
15:21:24 q+
15:21:33 q?
15:21:46 q+ to raise question about design that may allow future work on instrument selection (just to register the idea)
15:22:11 present+ John_Fontana
15:22:18 James: +1 to Gerhard's point
15:22:42 ChristianA: The word "authorization" means something specific in the card world; heads up
15:23:07 Gerhard: How about "Payment Consent Assertion"
15:23:11 ChristianA: +1
15:23:16 +1
15:23:21 q?
15:23:25 ack james
15:23:25 ack James
15:23:26 ack chris
15:23:36 +1 to Christian's point (not using "authorization")
15:23:46 +1 to "Payment Consent Assertion"
15:23:47 ack ChristianA
15:23:51 ack ian
15:23:51 Ian, you wanted to raise question about design that may allow future work on instrument selection (just to register the idea)
15:24:23 ian: we are not addressing instrument selection but we may need the credential to have some identifier to support this in future
15:24:51 Tomasz has joined #Wpwg
15:25:11 DougF has joined #wpwg
15:25:14 Here is one more design question: what would be an appropriate TTL for this assertion?
15:25:18 ... one proposal is to avoid identifiers in v1 but having said that the artwork and label do provide a visual identifier so we kind of have an identifier
15:25:19 michelweksler has joined #wpwg
15:25:24 ... we may want more in future
15:25:25 q+ might it be device possession assertion or instrument possession assertion (if it relates to a particular instrument)
15:25:31 q+
15:25:38 ack ChrisD
15:26:09 ChrisD: Maybe the name should be "Device Possession Assertion"? Or maybe it's "Instrument Possession Assertion"
15:26:17 q?
15:26:23 q?
15:26:41 ack Tomasz
15:27:01 Tomasz: Regarding name: +1 to not using "authorization" in the name of the assertion
15:27:13 ...maybe it could just be "Payment Confirmation Assertion"
15:27:19 Jean-Luc_ has joined #wpwg
15:27:20 q?
15:27:50 Jayaseelan (JC): Should there be a time-to-live in the assertion?
15:28:01 [Ian hears that as part of "lifecycle management"]
15:28:32 Ian: What is the subscription use case for these?
15:28:49 AdrianHB: I think we need to consider TTL for both the credential and the assertion. +1 to those design considerations
15:28:51 q+
15:29:02 q?
15:29:11 Tomasz: Revocation is another important topic.
15:29:16 ack Gerhard
15:29:35 Gerhard: On the TTL, we can reach out to the open banking standards for thoughts on the lifetime of consent.
15:29:46 +1 to assertion expiry (maybe be configurable by issuer?) and revocation
15:30:00 Gerhard: ...in the oauth2 pattern I think there is a "1 minute" pattern; let's check that out
15:30:11 mweksler has joined #wpwg
15:30:16 AdrianHB: Agree we need to accommodate policy options; but let's not dive into those today
15:30:16 q?
15:30:31 Danyao: I want to briefly talk about how the design discussions map into API land
15:32:04 Danyao: Key system objects from browser implementation perspectives:
15:32:09 1) Assertion data model
15:32:15 No need to discuss now, but seconding Ian's point above: Can you set up a subscription with an SPC? Then how would you amend, update, cancel.
15:32:25 Danyao: 2) User experience
15:32:59 Danyao: 3) Web APIs (e.g., for "creation" of credential by RP) and "exercise" by the merchant (or their PSP)
15:33:41 q+
15:33:47 Danyao: 4) Authenticator back-end. Could be client-side but could also be extended to payment apps. All of these backends might be able to cause assertion to happen.
15:33:49 ack Sam
15:34:04 q+
15:34:09 Danyao: 5) Network protocol - transit to systems like 3DS
15:34:45 q+
15:34:47 SameerT: For assertion data model, look at what FIDO alliance has defined (e.g., as input to 3DS). Let's continue to look at how those data models connect
15:35:03 q?
15:35:08 ach gerhard
15:35:12 ack gerhard
15:35:22 s/ach gerhard//
15:35:25 Gerhard: A payer bank will also want to exercise these credentials. A bank will want to get consent before doing a push payment.
15:35:53 q?
15:35:58 ack Chris
15:36:33 ChristianA: We probably want both options: exercise on the merchant side (and in the background pre-AReq activities happen in 3DS). Or, "on the left side" there's a "CReq" model where there is direct interaction with the user's bank
15:37:13 Danyao: Design space in light of the above subsystems:
15:37:20 (1) Assertion data model
15:37:41 (2) UX: one click? zero click (no presence check)?
15:38:11 (3) Authenticator backend: FIDO, Payment Apps, "Possession Credential"
15:38:54 (4) Network protocol
15:38:58 (5) Web APIs
15:39:45 Danyao: Three different work streams moving forward:
15:39:48 1) Assertion data model
15:39:50 michelweksler has joined #wpwg
15:39:57 2) Use cases deep dives (lots of flows and UX and backend options)
15:40:05 Tomasz has joined #Wpwg
15:40:07 q?
15:40:11 Q+
15:40:12 Danyao: ...we are also likely to need to prioritize here and sequence them.
15:40:25 Danyao: After those discussions, we can start work on the API specification
15:40:56 Danyao: I'd like to hear who is interested in which flow (to help us prioritize)
15:41:05 ack Tom
15:41:36 Tomasz: Regarding the "Design Space"...I think of SPC as "network neutral"
15:42:18 ...SPC should work with "all the networks"
15:42:19 q+
15:42:52 ack me
15:43:01 q+
15:43:08 Tomasz: I like the fact that this is based on FIDO, but SPC should be usable in a variety of authentication flows
15:43:25 [Ian thinks there is still an open question from Entersekt on fallback to Web Crypto]
15:43:28 ack mweksler
15:43:38 mweksler: Great presentation; I love the clarity on focus.
15:43:40 Will there be minutes generated of today?
15:43:48 RRSAGENT, make minutes
15:43:48 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
15:44:08 mweksler: From Airbnb perspective, very interested in exploring this further. We are very interested in the UX
15:44:18 q+ to suggest an extra dimension on UX
15:44:24 mweksler: ...I want to focus on something that respects user preference AND has a really good UX.
15:44:41 ...so an experience where the user consents is really interesting
15:44:47 Tomasz_ has joined #Wpwg
15:44:58 mweksler: very interested in the checkbox "in the future on this merchant ok to not prompt me again"
15:45:00 present- Deepu
15:45:11 q+
15:45:17 present+ Deepu_K_Sasidharan
15:45:18 Thank you! And the slides, will they be publicly available? Currently seem to be restricted: https://docs.google.com/presentation/d/1jr1W66GCBl_caFS-Hf9V6DLumCCxvdlmnE_ghA3wcgc/edit?resourcekey=0-zC-TtFHPRAlvmL55pn-rrw#slide=id.p
15:45:41 mweksler: Would be interested in Airbnb being part of a pilot
15:45:51 ack adrian
15:45:51 AdrianHB, you wanted to suggest an extra dimension on UX
15:45:52 ack AdrianHB
15:46:13 AdrianHB: Based on what Gerhard presented, I think there's possibly a third UX dimension: authenticator assertion UX
15:46:35 q+ to clarify UX options
15:46:52 Danyao: It's hard to fit all these cases into the boxes
15:47:16 ...let's distinguish "button clicks" from "user gestures in the authenticator"
15:47:26 q+
15:48:09 q+
15:48:25 q?
15:48:55 Ian: I am hearing three UX: both button + user gesture; button without user gesture; no button
15:49:20 ...and the implication is that the transaction confirmation dialog is frequently encountered, but not in the third case (no button or user gesture)
15:49:22 ack me
15:49:22 Ian, you wanted to clarify UX options
15:49:30 q+
15:49:41 michelweksler has joined #wpwg
15:49:42 AdrianHB: I think "Single click for both instrument selection and authentication" is also UX we should keep in mind
15:49:56 ...so we should add a column for "instrument selection" since I think we can optimize there.
15:50:03 q?
15:50:12 AdrianHB: ...so we might have "zero click auth" because instrument selection just happened.
15:50:17 ack tom
15:50:54 q-
15:51:04 Tomasz: I agree the UX is very important. I think there's another dimension whether we can quietly initiate the payment context, to allow the merchant to handle custom UI to get assertions.
15:51:35 +1 on importance of fallback flow
15:51:39 Tomasz: We also want to discuss how to handle fail scenarios....how are fallback experiences provided gracefully?
15:51:55 q+ John_Bradley
15:52:13 ack Gav
15:52:48 Gavin: Regarding the UX...should we take into account "recent user gestures"
15:53:16 ...for optimization?
15:53:41 AdrianHB: I think that one of the challenges we'll have is left to heuristics in the browser to protect user privacy v. specific user agent behavior
15:53:45 q+
15:53:54 ack Gerhard
15:54:04 Gerhard: We are interested in piloting as well depending on where it goes
15:54:12 ...might be useful to try it outside of Europe as well
15:55:11 ...instead of "network protocol" maybe we want to refer to "pull" and "push" mechanisms.
15:55:48 [Ian is not convinced those are the only systems...we should also support proprietary payment mechanisms]
15:56:13 ack John
15:56:25 q+ Sebastien re: authenticators
15:56:42 John_Bradley: FIDO authenticators can do checks with assertions (all the roaming ones at least)
15:56:52 ...regarding scoping of credentials ... we scope them to RPID (origin)
15:57:08 ...if you are issuing a credential across origins, are we scoping the credentials differently?
15:57:24 Danyao: I think we will scope them as FIDO does.
15:57:37 ...but the API may allow other origins to "EXERCISE" the credential
15:58:02 ...so the payment credential can be used as a FIDO credential for login by the RP, but can only be used for payment scenarios by other origins
15:58:15 AdrianHB: That's a feature with SPC as it has been experimented with today.
15:58:32 ...the exercise can happen by another origin, but after 2 UX gestures in a payment context
15:58:48 present+ Max_Gu
15:59:07 John_Bradley: The merchant would need to know the RPID of the issuer
15:59:13 q+
15:59:20 q?
15:59:28 Danyao: For the pilot, the merchant did not need to know the pilot. The merchant does need to know the credential ID (and 3DS rails were used in the pilot)
15:59:47 John_Bradley: But the authenticator needs to know the RPID.
15:59:58 Danyao: The browser is taking care of that (in the pilot)
15:59:59 q+
16:00:13 ack Alek
16:00:27 Aleksei: My compliments on the meeting and level of discussion.
16:00:33 ...it's important to verify with a pilot
16:00:52 ...Adyen would be interested in doing a pilot
16:01:35 Sebastian: Thanks for the presentation, Danyao. While we are talking about authentication...you mentioned platform authenticators for the pilot. Are you also looking at roaming?
16:01:52 q?
16:01:55 Danyao: Yes, we've started to talk about it. As part of the work to make this a real spec we do need to figure out how roaming fits in.
16:01:57 ack Seb
16:01:57 Sebastien, you wanted to discuss authenticators
16:02:05 Sebastian: Will PIN be supported?
16:02:27 Danyao: As long as people have a FIDO-compatible user-verifying authenticator, it will work by design.
16:02:46 Sebastian: Is there any provision that you share with the authenticator or will the authenticator be "self-contained"?
16:03:18 Danyao: The design is that the authenticator is self-contained. The browser will generate a hash that contains the transaction information and the original challenge. The authenticator does a regular signature of the challenge composed by the browser.
16:03:23 ack Christian
16:04:03 q?
16:05:19 James: Thanks for the great presentation, Danyao. You talked about the "design space". Regarding the UX of "payment consent authentication". There's also design space around management credentials.
16:05:26 ...e.g., the ability to update or cancel credentials.
16:05:47 AdrianHB: There will be an interesting line between "creation API" and "lifecycle management" as a distinguishing browser feature
16:05:57 present+ Olivier_Maas
16:06:11 q?
16:06:13 ack J
16:06:17 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:06:25 We have to define the data moved between the participants depending on who is reliant party - ultimately in PSD2 the payer bank is responsible to assert the authentication, so if they are not reliant party, they need data to prove that the "payment consent assertion" took place
16:06:37 AdrianHB: Can you say more about prioritization of use cases?
16:06:51 Danyao: I think I heard good signals. Great to hear from people that they want to do some pilots
16:07:29 q+
16:07:39 q+
16:08:27 ack me
16:08:49 Ian: Would be great to hear after SRC presentation tomorrow if payment app use case is still an important use case
16:10:49 [Discussion about payment apps initiating SPC]
16:11:22 [Next steps]
16:11:32 Chris_Wood has joined #wpwg
16:11:36 Danyao: We want to form an SPC task force that will meet regularly and come up with proposals for the WG
16:11:54 ...the task force will also coordinate with other network backends (3DS, SRC, Open banking)
16:12:06 ...the task force will then bring forward a draft spec (through the WG)
16:12:19 ...on the slide we have some names of people who have expressed interest.
16:12:27 ...we welcome others; please reach out to Ian
16:13:13 ian: we had a card payment security taskforce in the past that may still do SPC focused work for card payments
16:13:18 Danyao: Thanks everyone!
16:13:21 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:13:45 zakim, close item 1
16:13:45 I see a speaker queue remaining and respectfully decline to close this agendum, Ian
16:13:47 zakim, take up item 2
16:13:48 agendum 2 -- Worldline demo -- taken up [from Ian]
16:15:19 Anne: While on their bank site, user has an opportunity to enroll cards for an SPC-like experience.
16:16:34 ...during transaction, the user is redirected during checkout to the bank app
16:16:45 ...the user selects the instrument, authenticates, and the payment is completed
16:17:20 q?
16:17:40 ack James
16:18:52 Olivier: We see benefits of the payment app model.
16:19:03 ...whether payment with card or bank account
16:19:14 ...our use case is PSD2-compliant card payment.
16:19:40 ...for us the key benefit of using the payment handler is that we can bypass the 3DS protocol while still keeping the 3DS fields that are required for the authorization request.
16:19:48 ...we see the following benefits.
16:19:56 1) For the merchant it's simpler, quicker, more robust checkout.
16:20:18 ...it is more robust because one avoids calls to the DS
16:20:47 q+
16:20:48 2) For the card or wallet issuer, it provides an alternative to Web Authentication. Banks want a migration path.
16:21:01 q+ to ask about migration path comment
16:21:16 3) For user, we think there will be greater trust in UX provided by issuer
16:21:26 4) This approach can be expanded to non-card payment scenarios.
16:21:36 ...in short: Payment App + SPC can enhance the UX
16:22:12 q+ to ask how you know which issuer to authenticate with, if you don't have a Directory Server?
16:22:30 q+
16:22:33 olivier: Payment app provides direct channel to issuer, which has benefits
16:22:34 q-
16:23:04 q+
16:23:14 Jean-Michel: To explain our demo we have an animation of flows
16:23:59 q?
16:24:04 ack kok
16:24:30 gkok: For the onboarding process, what is exactly being stored in your demo? Is it the PAN or a network token?
16:24:48 Anne: What is stored is a payment instrument as defined by Payment Handler API
16:25:14 q?
16:25:16 Anne: ...what is stored is a "link" that the issuer associates with the user's instrument
16:25:24 ack gkok
16:25:38 Anne: ...the credentials are stored in the browser but opaque to the browser; they are known to the issuer
16:25:40 q+
16:25:45 ack me
16:25:45 Ian, you wanted to ask about migration path comment
16:26:11 ian: You mentioned banks wanting a migration path, can you say more?
16:26:14 Ian: Can you say more about "migration path" to WebAuthn?
16:26:59 Olivier: There are different security levels associated with WebAuthn. Some banks may want to implement this with a gradual approach ... and may not want WebAuthn depending on the user device
16:27:01 q?
16:27:29 ack jea
16:28:00 Jean-Luc: If I understood, there is no DS and the bank authenticates the user. For 3DS the DS also validates the merchant to a certain extent.
16:28:19 ...in your demo, there is no way for the merchant to prove that there was an authentication.
16:28:27 Anne: There is also no way to get the PAN if the bank is not reachable.
16:28:30 q+ to ask what will happen if the user hasn't enrolled prior to making a payment? Don't you need the Directory Service to support 'in payment' enrollment as an option; otherwise how do you find the right issuer to enroll with?
16:28:48 Anne: If the bank is unreachable, there's no payment.
16:28:54 q?
16:29:15 Olivier: Similarly, if SRC system not available you don't get a token/PAN
16:29:31 Jean-Michel: Our goal in the demo was to remove the DS. But of course if bank is not reachable, there is no payment.
16:29:49 q-
16:29:52 Olivier: The schemes could be the ones who provide the payment handler (or part of it, on behalf of the bank)
16:30:22 zakim, close the queue
16:30:22 ok, Ian, the speaker queue is closed
16:31:07 Anne: The issuer / ACS is the same domain. We assume here that the issuer is able to rely on the ACS to provide fields.
16:31:53 q?
16:32:00 Christian: I am hearing that the issuer emulates an ACS (either by working with an ACS or getting the data otherwise)
16:32:00 ack Christian
16:32:03 stpeter has joined #wpwg
16:32:15 Olivier: This function can be performed by ACS, issuer, or Schemes.
16:32:26 ...in our demo, we don't need the DS to find the card
16:32:39 ...when you enroll via a payment handler, you have a direct link to the issuer
16:32:49 s/DS to find the card/DS to find the card issuer/
16:33:00 Olivier: ...in short, we are simplifying now that there is browser functionality (Payment handler API) that was not available 20 years ago.
16:33:03 ack Same
16:33:05 q?
16:33:28 SameerT: I think part of my question is how 3DS fields are generated without 3DS services being involved.
16:34:26 ack Chris
16:34:26 ChrisD, you wanted to ask what will happen if the user hasn't enrolled prior to making a payment? Don't you need the Directory Service to support 'in payment' enrollment as an
16:34:30 ... option; otherwise how do you find the right issuer to enroll with?
16:35:10 ChrisD: Without the DS you can really support "in-payment enrollment" flows...unless the payment handler has a BIN lookup capability.
16:35:40 [Ian: See SRC assumptions on this topic => https://github.com/w3c/src/wiki/UX-Assumptions-and-Requirements ]
16:36:24 Jean-Michel: Agree with that comment, but the purpose of the demo was to show the role a payment handler can play to simplify.
16:36:36 ...you can still do "3DS things in your payments" without the DS
16:36:48 ChrisD: I can also see advantages in latency and reliability
16:37:01 ...but one cost is that you may need to support two flows: pre-enrolled v. during-transaction
16:37:07 Jean-Michel: Agreed
16:37:40 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:37:45 zakim, close item 1
16:37:45 zakim, close item 2
16:37:45 agendum 1, SPC design considerations, closed
16:37:46 I see 2 items remaining on the agenda; the next one is
16:37:46 2. Worldline demo [from Ian]
16:37:46 agendum 2, Worldline demo, closed
16:37:46 I see 1 item remaining on the agenda:
16:37:47 3. Discussion with Web Authentication WG [from Ian]
16:37:49 zakim, take up item 3
16:37:49 agendum 3 -- Discussion with Web Authentication WG -- taken up [from Ian]
16:39:31 present+ Gargi_Sharma
16:40:02 zakim, close item 3
16:40:02 agendum 3, Discussion with Web Authentication WG, closed
16:40:03 I see nothing remaining on the agenda
16:40:07 Topic: Chrome Origin Trial
16:40:23 Danyao: New origin trial for SPC. The second one:
16:40:46 ...look for v91 of chrome
16:41:06 https://developer.chrome.com/origintrials/#/view_trial/2735936773627576321
16:41:15 Quoting: "Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new PaymentCredential credential type to the Credential Management spec, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the proposed secure-payment-confirmation payment method."
16:42:36 Danyao: We are balancing with the ability to experiment; origin trials let us try out new APIs without saying "this is final"
16:42:55 mweksler has joined #wpwg
16:43:21 Danyao: ...traditionally new features were hidden behind flags. Origin trials let people enable features on the experimenter origin, and the user doesn't have to flip any settings
16:43:23 q?
16:43:39 SPC Origin Trial instructions: https://github.com/rsolomakhin/secure-payment-confirmation/blob/master/developer-guide.md
16:43:48 AdrianHB: If people want to enable their origin, what part of the flow involves origin checks
16:44:28 Danyao: Two extensions are (1) payment credential creation (2) exercise via PR API
16:44:42 ...the origin that hosts the JS needs to opt in to the origin trial
16:45:53 q?
16:45:56 ulf has joined #wpwg
16:47:24 Danyao: Origin trials have expiration dates. SPC2 through Chrome 93. We can extend, but this is meant to prevent reliance. The SPC task force will develop the "real" API for future reliance
16:48:11 PROPOSED: The WPWG should take up SPC as a formal work item.
16:48:28 +1
16:48:29 +1
16:48:30 +1
16:48:32 +1
16:48:34 +1
16:48:35 +1
16:48:36 +1
16:48:41 +1
16:48:46 +1
16:48:49 +1
16:48:57 +1
16:49:14 +1 (non member, but support!)
16:49:53 +1
16:50:02 +1 non member support
16:51:35 [Other stuff]
16:51:40 15 April: I18N issues
16:51:48 29 April: New ideas on hasEnrolledInstrument
16:51:59 AdrianHB: Thanks Danyao! Excited to start this work
16:52:11 ...thanks Anne and Worldline for the demo and discussion
16:52:35 ...the demo speaks a lot to how I have thought of the browser as playing a role in interop.
16:52:48 ...demos are always welcome to spark conversation and visualize what we are doing
16:52:56 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:53:09 Thank you everyone
16:53:22 I have made the request to generate https://www.w3.org/2021/03/31-wpwg-minutes.html Ian
16:53:44 Thank you all!
16:57:30 zakim, who's here?
16:57:30 Present: Robin_Hjelte, Jean-Luc, Gustavo, Fawad, Antoine_Cathelin, Vaiishali_Bulusu, Bastien, Timo_Gmell, Tomasz, Takashi, Michel_Weksler, James, Longstaff, Jonathan_Grossar,
16:57:34 ... Erhard_Brand, danyao, jonathan, David_Benoit, Doug_Fisher, Danyao_Wang, gkok, Tom_Bellenger, Mike_Horne, frank, Ulf_Leopold, Chris_Wood, Jayaseelan_Shanmugam, Manjush,
16:57:34 ... Mike_Knowles, Nick_Burris, Christian_Aabye, btidor, Chris_Dee, Sejal, Kincaid_O'Neil, Richard_Ledain, John_Fontana, Deepu_K_Sasidharan, Max_Gu, Olivier_Maas, Gargi_Sharma
16:57:40 On IRC I see stpeter, DougF, Aleksei, btidor, Jayaseelan, Vaishali_Bulusu, mknowles, frank, Deepu, jonathan, gkok, Timo_Gmell, James, Bastien, Gerhard, Fawad, Remo_Fiorentino,
16:57:40 ... SameerT, Manoj, RRSAgent, Zakim, benoit_, pea13, canton_, dlehn, ChrisD, AdrianHB, mhofman, wseltzer, smcgruer_[EST], danyao, slightlyoff, falken_, jeffh, hadleybeeman,
16:57:40 ... dlongley, manu, mkwst, hober, Travis_, ntelford, tobie, nicktr, joconnor, rowan_m, yoav, Ian
17:13:38 mweksler has joined #wpwg
17:16:33 mweksler has joined #wpwg
19:17:58 Zakim has left #wpwg
19:30:02 rrsagent, bye
19:30:02 I see no action items