14:36:40 RRSAgent has joined #wpwg 14:36:40 logging to https://www.w3.org/2021/04/01-wpwg-irc 14:36:46 Meeting: Web Payments Working Group 14:36:58 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-FTF2021 14:37:02 Chair: NickTR 14:48:01 present+ 14:55:07 present+ John_Bradley 14:55:17 present+ Deepu_K_Sasidharan 14:55:51 present+ Lawrence_Cheng 14:56:36 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 14:58:54 present+ Jonathan_Grossar 14:59:38 present+ 14:59:40 present+ Tom_Bellenger 14:59:41 present+ Anne_Pouillard 14:59:46 present+ David_Benoit 14:59:52 jonathan has joined #wpwg 14:59:52 present+ Mathieu_Hofman 14:59:57 present+ Sebastian_Elfors 15:00:00 present+ Takashi_Minimii 15:00:06 present- Takashi_Minimii 15:00:06 present+ 15:00:10 present+ Takashi_Minamii 15:00:16 Anne has joined #wpwg 15:00:17 present+ Arno 15:00:21 present+ Gavin 15:00:24 present+ Erhard 15:00:29 present+ 15:00:31 present+ 15:00:31 marcperez has joined #wpwg 15:00:34 present+ Marc_Perez_i_Ribas 15:00:42 present+ Adrian 15:00:46 present+ Jean-Michel 15:00:48 takashi_ has joined #wpwg 15:00:50 present+ Jean-Luc 15:00:53 Gavin has joined #WPWG 15:00:59 present+ James_Longstaff 15:01:03 Jean-Luc has joined #wpwg 15:01:15 present+ Timo 15:01:27 present+ Bastien_Latge 15:01:29 Timo_Gmell has joined #wpwg 15:01:32 present+ Frank_Hoffmann 15:01:33 Bastien has joined #WPWG 15:01:38 present+ 15:01:41 present+ 15:01:43 present+ Antoine_Cathelin 15:01:45 gkok has joined #wpwg 15:01:49 present+ Vaishali 15:01:50 jmgirard has joined #wpwg 15:01:52 present+ Gustavo 15:02:03 present+ Jayaseelan_Shanmugam 15:02:12 Jayaseelan has joined #wpwg 15:02:15 frank has joined #wpwg 15:02:18 present + 15:02:19 present+ Mike_Knowles 15:02:20 present+ 15:02:25 present+ Ulf_Leopold 15:02:28 present+ 15:02:29 present +Jayaseelan 15:02:34 present+ Rolf 15:02:40 present+ Olivier 15:02:44 present+ NickTR 15:02:47 mknowles has joined #wpwg 15:02:58 present+ Gerhard 15:03:01 present+ Fawad 15:03:06 present+ Danyao 15:03:24 present+ SameerT 15:03:35 Manoj has joined #wpwg 15:03:37 present+ Manoj_Kannembath 15:03:48 present+ Doug_Fisher 15:03:57 Tomasz has joined #Wpwg 15:03:58 SameerT has joined #wpwg 15:04:02 present+ 15:04:18 present+ 15:04:29 Vaishali_Bulusu has joined #WPWG 15:04:33 Gerhard has joined #wpwg 15:04:33 present+ Richard_Ledain 15:04:34 present+ 15:04:42 present+ 15:04:47 present+ Tomasz_Blachowicz 15:04:53 James has joined #wpwg 15:05:19 mikehorne has joined #wpwg 15:05:23 Christian has joined #wpwg 15:05:28 present+ Mike_Horne 15:05:37 present+ Manjush 15:05:40 present+ Max_Gu 15:05:42 present+ James Longstaff 15:05:55 present+ Sejal 15:06:16 present+ Vaishali 15:06:19 present+ btidor 15:06:25 present+ Chris_Dee 15:06:28 present+ Christina 15:06:33 btidor has joined #wpwg 15:06:34 present+ Aleksei 15:06:42 present+ 15:06:50 present+ Eric_Alvarez 15:06:55 agenda+ SRC and SPC 15:07:00 OlivierM has joined #wpwg 15:07:04 agenda+ WebAuthentication WG update 15:07:11 agenda+ Misc and wrap-up 15:07:17 Aleksei has joined #wpwg 15:07:20 present+ Kincaid_ONeil 15:07:27 ChrisD_ has joined #wpwg 15:07:35 present+ Aleksei 15:07:39 zakim, take up item 1 15:07:39 agendum 1 -- SRC and SPC -- taken up [from Ian] 15:07:57 Jonathan: Really great to have this discussion this week and to see Stripe results. 15:08:10 ...and great to see lots of people interested in authentication 15:08:27 ...auth + tokenization will improve approval rates 15:08:37 ...happy to see use of FIDO for this 15:08:47 present+ Shyam_Sheth 15:09:12 present+ Christian_Aabye 15:09:51 Fawad has joined #wpwg 15:10:16 present+ Sameer 15:10:54 Jonathan: FIDO can help in two ways with SRC (1) recognize returning consumer prior to display of card metadata (2) transaction authentication 15:11:40 ...today we'll focus on the transaction authentication part of SRC and the use of SPC 15:12:09 ...use cases and some initial requirement ideas 15:12:14 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 15:13:03 Jonathan: Let's review the use case space for enrollment first, then transaction use cases. 15:13:27 ...we imagine in most cases that the SRC System will be the Relying Party 15:13:57 ...SPC credentials would be associated with a card after some ID&V process to the SRC system 15:15:00 ...in a second use case, the issuing bank is the relying party. After ID & V, and with user consent, the bank can share the relevant credentials with the SRC System. 15:15:49 q+ to ask if the DCF *has* to be the network/SRC system or if it can be a third party? 15:16:05 Jonathan: ...in a third use cases, the merchant is the relying party. After ID&V with the bank, and with user consent, the merchant can share the relevant credentials with the SRC system 15:16:25 ack nick 15:16:25 nicktr, you wanted to ask if the DCF *has* to be the network/SRC system or if it can be a third party? 15:17:01 nicktr: These are all great use cases. Is there a second flavor of the SRC-is-RP use case where some other entity (e.g., a wallet) is the RP on top of the SRC system? 15:17:50 q+ 15:17:59 q- 15:18:01 Jonathan: Maybe there is a fourth use case. [But we don't spend time on it here.] 15:18:29 Jonathan: Let's look at some flow diagrams where the SRC system validates the assertion (distinct from the 3DS flow) 15:19:25 ...we need the browser to store the payment credential (and as we discussed, a FIDO credential could be updated to an SPC credential in the future). 15:19:50 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 15:20:20 q+ 15:20:26 Jonathan: One question to explore; where does merchant identification come from in the transaction confirmation dialog (when there is a PSP, not the merchant, initiating the SPC request) 15:21:33 Vaishali_Bulusu_ has joined #wpwg 15:21:45 [Jonathan describes a flow where the SRC system stores the credential ids with cards, and provides nonce to SPC. And validates the assertion] 15:21:45 ack mhofman 15:22:05 mhofman: When you say SRCi/DCF retrieves the card profile...how does it do that? 15:22:23 Jonathan: This happens via cookies today but that will change. We are not focused on that functionality today. 15:22:43 tomasz: After ID&V the SRCi / DPA can use an SDK to retrieve a profile 15:24:28 [Flow diagram walk through by Tomasz] 15:25:58 Tomasz: ID&V can happen in a variety of ways (out of scope here) 15:26:25 ...the merchant loads the SRC SDK, which is used to get aggregated card data for display to the user. 15:26:54 ...selection of the payment instrument happens within the merchant domain. [May be a future discussion for the WG as AdrianHB described on Monday] 15:26:59 ...user selects a card 15:27:33 ...SRC SDK reaches out to the SRC system to get a list of credential IDs and a FIDO challenge 15:28:00 ...the SRC SDK then initiates SPC 15:29:37 ...the browser looks for a matching payment credential. 15:29:48 ...transaction confirmation dialog is displayed 15:30:18 ...after authentication, the SRC SDK sends the assertion to the SRC system for validation 15:31:17 ...checkout results returned 15:31:59 Remo_fiorentino has joined #wpwg 15:32:06 present+ 15:32:19 q? 15:32:24 q? 15:32:43 [SRC with SPC requirements slide] 15:32:55 Jonathan: Want to know whether the browser supports SPC 15:33:17 ...(2) Non-RP origins can call FIDO and retrieve assertion data 15:33:32 q+ to ask if the browser must support the SRC API or would this be merchant javascript that cycles through the list of potential FIDO credentials? 15:33:38 ...(3) At enrollment, RP creates FIDO credential needs to be able to store card metadata in the browser 15:34:14 ...(4) At enrollment, need transaction confirmation dialog, first matching credential applied, with support for fallback URL if no matching credential id 15:34:24 ...(5) Signed transaction data 15:35:02 Jonathan: Ideally the transaction confirmation dialog and ideally errors are harmonized across browsers. 15:35:45 Jonathan: (6) FIDO challenge is not necessarily generated by the RP. In our use case, the SRC system (validator of the assertion) generates it 15:35:48 q+ 15:35:51 ack Chr 15:35:51 ChrisD_, you wanted to ask if the browser must support the SRC API or would this be merchant javascript that cycles through the list of potential FIDO credentials? 15:36:30 ChrisD: At the point where the browser requests authentication, is there an assumption that the browser has any "SRC capability"? 15:36:42 ...or is this just vanilla SPC? 15:36:46 Jonathan: Vanilla. 15:38:01 Tomasz: In case SPC cannot be triggered and there is no URL provided, we want silent failure. 15:38:08 ...to allow for graceful fallback 15:39:22 q+ 15:39:31 ack Sam 15:40:03 SameerT: In one of the flows we've talked about for 3DS is for the ACS to store a credential, and for the browser also to store them for matching. 15:40:30 Jonathan: Agree there are two authentication schemes possible: 3DS or SRC system 15:40:41 q? 15:41:11 Tomasz: The list of credential ids could enable the browser to display stored instruments. But today we are only looking at flows that follow instrument selection. 15:41:34 ...it's important to us to be able to pass a list of credential ids to SPC 15:42:17 q+ to ask about payment handlers 15:42:31 Tomasz:...regarding steps 6 and 7 on the flow diagram...they are more or less equivalent to an AReq being used to get credential ids in the 3DS flows. 15:42:37 q+ 15:42:41 Tomasz:...and steps 12-13 are similar to the verification step of 3DS 15:43:01 ...I think SPC should be network protocol agnostic, and this flow diagram shows we are able to do so 15:43:17 q+ 15:43:40 ack me 15:44:18 Ian: Do you need something besides an out-of-band agreement to share challenge? 15:44:33 Jonathan: The goal is not for the browser to generate the challenge. 15:45:28 ...rather the SRC system would generate it and share as part of the data sent back to the party that calls SPC (along with credential ids) 15:45:46 Tomasz: we do not anticipate that SRC will forward assertions to issuers. 15:46:13 ...SRC will validate the assertions. They may generate their own bespoke cryptogram. But does not mean that assertions will be forwarded to issuers. 15:46:28 q? 15:46:38 Tomasz:...the party that validates the credential should generate the challenge, even if they do not "own" the credential. 15:46:56 Danyao: What is your though on payment handlers used for solutions? 15:47:19 q+ 15:47:22 Jonathan: The focus here is on authentication. We wanted to make sure we go into the details of the authentication use case by leveraging existing SRC implementations. We've not spent a lot of time on payment handler considerations. 15:47:40 q- 15:47:51 Danyao: I ask because if you want to use SPC in a payment handler, that is likely to generate different requirements for the design/implementaiton 15:47:52 +1 for SPC being able to be used within Payment Handler 15:48:12 Jonathan: We can leave open for now the question of SPC-in-payment-handlers 15:48:21 ack dan 15:48:21 danyao, you wanted to ask about payment handlers 15:48:24 ack Christian 15:48:26 q? 15:48:55 ChristianA: I think you mentioned that there are potentially 3 RPs. How does the relationship work if the SRC system is not the RP? How is data transported? 15:49:20 Jonathan: I think that will be out of scope for the Web API 15:49:27 q+ to clarify "ownership" vs. "verification" 15:50:37 ChristianA: I'm mostly curious about the merchant relationship. We can carry FIDO data in an AReq, but we don't have a mechanism to share the public key 15:50:51 ...at the end of the day, it's the responsibility of the bank to ensure that SCA happens 15:51:29 Jonathan: The merchant is not required to be trusted; it's the SRC system that does so. I agree with you that more investigation is needed to ensure that merchant enrollment data is shared securely with the SRC system. 15:51:52 ...but this model does not rely on the merchant to do the validation. 15:51:59 q? 15:52:30 ack James 15:53:06 James: A card may be registered on multiple devices. Does that open a new tracking mechanism? 15:53:20 ...that you can tell what devices the user has? 15:53:38 Tomasz: I don't think so because it is not done silently. 15:54:18 Jonathan: The credential id does not say what kind of device it is. 15:54:49 q? 15:54:59 ack dany 15:54:59 danyao, you wanted to clarify "ownership" vs. "verification" 15:55:22 Danyao: It seems like a critical question: "ownership" v. "verification". What does ownership mean? 15:55:52 Tomasz: The credentials are bound to the RP domain. That's what I think of as the "owner" of the credential. 15:56:17 ..but then the public key can be shared with the SRC system, which can then use it to trigger SPC and then verify the assertion. 15:56:32 mweksler has joined #wpwg 15:57:04 q? 15:57:09 q+ 15:58:04 ack Ian 15:58:06 Ian: Are there WebAuthn terms we should use her for clarity? 15:58:22 John_Bradley: WebAuthn effectively enforces that "ownership" and "validation" are the same party. 15:58:51 ...the SPC FIDO needs to include the RPID of the RP 15:59:14 ...so we may need to consider how the credential id and RPID are passed to SPC 15:59:25 q+ 15:59:32 Jonathan: Does Chrome use FPID (of RP) during FIDO authentication? 16:00:04 Tomasz: In our flow, we can also pass the RPID information; that's unfortunately missing from our diagram. 16:00:28 John_Bradley: If you are sending a list of credential ids, you need to bind to a single RPID, and the authenticator needs to know the RPID 16:01:08 AdrianHB: For SPC, what I heard Danyao say yesterday is that, because there is some additional metadata, instead of providing the RPID, there is selection of a payment credential, and the BROWSER provides the correct RPID to the authenticator 16:01:32 ..the browser knows "this credential id is associated with this RPID" 16:01:49 Danyao: I think so. Our intent was that the caller does not need to know a lot of detailed parameters. 16:02:04 ack btidor 16:02:51 btidor: I think there's one thing that's different in the pilot. We have the list of credential IDs...in the pilot we used "SPC instrument IDs" and the browser has in persistent storage information about that ... and can look up RPID and other private metadata and credential ids 16:03:29 tomasz: That's what I wanted to say. If we could have some kind of indirection that is not the credential id itself but is more about the "stored metadata" that would be even better. 16:03:52 +1 16:03:56 q+ 16:04:07 ack Ian 16:04:23 We do need that concept validated by WebAuthn folks for possible security or privacy issues 16:04:56 q+ 16:05:00 Ian: We might be able to use an indirection for even more privacy (e.g., origin-bound opaque identifiers all of which are available in a browser-stored lookup table) 16:05:15 John_Bradley: Down side of storing in the browser is per-browser enrollment 16:05:25 btidor: Relates to roaming authenticators.... 16:05:44 John_Bradley: But even with platform authenticators, I have lots of browsers and would have to enroll multiple times 16:06:00 btidor: Could be simplified at OS level perhaps 16:06:10 John_Bradley: There might be some possibility with Large Blob. 16:06:22 ...could store in a browser-portable way to reduce enrollment overhead 16:06:51 q? 16:07:16 ack Manoj 16:07:34 Manoj: During the enrollment flow, can the credential be shared across payment instruments. 16:07:52 Jonathan: I think not. The consumer is authenticated for a specific instrument. 16:08:25 ...if you have several cards with the same bank, and you enroll them all with SRC, the bank might choose to reuse the authenticator with the SRC system. 16:09:08 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 16:09:16 Jonathan: Thanks all! 16:09:21 zakim, close this item 16:09:21 agendum 1 closed 16:09:22 I see 2 items remaining on the agenda; the next one is 16:09:22 2. WebAuthentication WG update [from Ian] 16:09:24 zakim, take up item 2 16:09:24 agendum 2 -- WebAuthentication WG update -- taken up [from Ian] 16:09:56 present+ Srini 16:10:01 If the same Relying Party enrols multiple payment instruments in the same browser it may choose to use a single PublicKeyCredential 16:11:07 IJ: Please tell us what SPC evokes for you, notably around silent auth. 16:11:30 Tony_Nadalin: We are wrapping up Web Authentication Level 2. We are waiting some test coverage that needs to be explained. 16:12:03 ...the two platforms that have implemented are Windows and Google. They share the same code base. We want to prove that a common code base constitutes two distinct implementations 16:12:29 present+ Tony_Nadalin 16:12:44 Tony: We hope to get Level 2 to Rec in a couple of weeks. Then we will recharter to work on Level 3 16:12:51 ...some of the things coming in Level 2: 16:12:55 * Enterprise attestations 16:12:59 * Cross-origin iframe get() 16:13:03 * Discoverable credentials 16:13:08 * Large Blob 16:13:13 * App ID exclusion 16:13:27 Tony: In Level 3, we are going to cover some new things in the charter 16:13:56 ...we plan to take on some topics like possibly new crypto agility 16:14:03 ...some metrics generation 16:14:06 ..backup and recovery 16:14:19 ...multiple keys...which might be a solution for backup and recovery 16:15:08 ...not sure what (if anything) is needed for payments 16:15:14 ..but the charter will support that work. 16:15:28 ..our target for level 3 is probably about a year for now 16:15:32 s/for now/from now/ 16:15:57 Ian: What is deployment of Level 2 today? 16:16:29 Tony: I believe Google has implemented Level 2 features. Edge has picked them up from chromium, but they also have to add support onto Windows (Hello). 16:16:56 ...I am not sure about status on WebKit 16:17:06 ...nor about Mozilla status 16:17:28 ...regarding authenticators, others can speak for their support. 16:17:46 John_Bradley: It's useful to think of this as 2 pieces: WebAuthn and CTAP 16:18:05 ...the WebAuthn API L2 is available in Edge and Chrome and is pretty complete. 16:18:31 ...on Windows, WebAuthn.dll is in the process of being updated to support new CTAP that matches Level 2 features 16:19:06 ...there are hardware keys that support CTAP 2.1 16:19:25 ..until CTAP 2.1 is formally approved by FIDO we cannot make them available. 16:19:40 present+ Michel_Weksler 16:19:52 John_Bradley: Look for new keys in June time frame 16:19:55 q? 16:21:07 John_Bradley: For resident credentials ("discoverable credentials") there are two things: Cred Blob and Large Blob. Intented originally for certificate storage for SSL deployments. 16:21:14 ..but they could in principle be used for other deployments. 16:21:31 ...those places might be possible for storing additional metadata for a Payment Credential 16:21:47 Tony: So the RP should push opaque data to the authenticator 16:22:13 ...that would facilitate portability across browsers. 16:22:24 s/SSL/SSH/ 16:22:40 John_Bradley: In SSH use cases there may not be a browser, so needed some more storage 16:23:03 ...in the payments use case we might be able to use this to enable the user not to be forced to recreate every payment credential in every browser. 16:23:22 q+ 16:23:46 IJ: what about in SPC having "no presence check"? 16:23:59 John: That ability is in CTAP 2.0 but WebAuthn does not use it. 16:24:23 ...platform authenticators may have a hard time handing such a request, depending on the platform integration. 16:24:42 ...this is supported by all the roaming authenticators. 16:24:44 ack Sam 16:25:03 SameerT: Can you say more about discoverable credentials? 16:25:17 Gavin has joined #WPWG 16:25:39 John_Bradley: You make a request with no "allow list" and the browser will present a "pick list" to the user to pick one, which is given to the RP 16:26:08 Ian: Is that from credential management API? 16:26:14 John_Bradley: It's from WebAuthn 16:26:31 Ian: Could that be used for instrument selection? 16:27:17 John_Bradley: Chrome and Edge have implemented one. Safari has implemented one. There might be some differences; not sure how closely related they are from a spec POV. But perhaps some of the implementation could be reused. Depends on the implementation of the chooser whether they could extend to instruments. 16:27:38 ...there is a chooser everywhere but Android for discoverable credentials. 16:28:03 ...the anticipated use case is "passwordless flow". You see a list of identities and pick one to log in 16:28:08 q? 16:29:06 q+ to ask what is required to invoke this flow? 16:29:20 ack AdrianHB 16:29:20 AdrianHB, you wanted to ask what is required to invoke this flow? 16:29:21 John_Bradley: The browser formulates a list of credentials for the RP by polling authenticators, prompts the user, and the user picks an identity 16:29:46 AdrianHB: What are the prerequisites for that flow? Is it multiple credentials for the same origin of the RP? 16:29:49 John_Bradley: Yes 16:30:33 ..and works across browsers...so you see registered credentials first time you encounter a new browser. 16:31:08 ...on enrollment user can say whether resident credential is preferred, required, ... 16:31:19 ...we are now calling them "Discoverable Credentials" now 16:32:17 ...in the case of 0 credentials, there is notification to the user (but no action) 16:32:23 ...in the case of 1 credential, there is still a user gesture 16:32:29 ...in the case of > 1, there is a user selection 16:32:32 q? 16:33:29 ian: if we wanted to sub-class PublicKeyCredential this woudl still work? 16:33:59 John_Bradley: The user id could also be used for display that could go back to the RP. This could be used for card instrument data 16:34:43 ian: I think what's missing is an instrument identifier 16:35:05 ... if you return something to the merchant you want it to be different for each merchant 16:35:25 John_Bradley: Username etc. is not returned to the RP...just displayed to the user 16:35:44 ..things that could come back to the RP are: (1) user id (2) cred blob (3) large blob 16:35:59 q+ 16:36:05 ...so there are some arbitrary things that could to back to RP in assertion and some things that are not sent back 16:36:29 Gavin: Does this help us with the identifying problem with cookies going away? 16:37:30 ian: what other storage mechanisms could be used to get a user id in a 3rd party context 16:37:43 John_Bradley: You can get the identifier, but only after a FIDO authentication. 16:38:04 ...given that you have additional information to store with resident credentials, you could decide that for payment credentials there was structured information within that 16:38:42 ...the instrument type could be stored in the user id...and SPC could let you say "Give me all the PSD2 credentials" or whatever structured information you have. In theory you could get the browser to do some filtering based on creation-time info 16:40:29 q+ 16:40:29 Ian: What about a credential picker for SRC identity? 16:40:33 ack Gavin 16:40:37 ack Man 16:40:58 Gavin: We should explore further the credential management API for identity management 16:41:43 q+ 16:41:45 John_Bradley: In Level 2, merchant can open an iframe to the bank and do a get() flow in an iframe. But it would require that the RP does the request and verification. 16:41:56 btidor: We should discuss whether we should bring @@ into SPC 16:42:07 ack SameerT 16:42:12 +1 to exploring use of discoverable credentials for SPC 16:42:29 SameerT: If the issuer could access credential from 3rd party iframe to do verification, we'd like to learn more about that. 16:42:44 John_Bradley: In Level 2 you can do the verification in the iframe. (but not the credential creation) 16:43:04 SameerT: So credential credential happens in a 1p context after redirect? 16:43:16 John_Bradley: Yes, you can redirect for creation and use it in 3p iframe. 16:43:28 Sameer: Today in 3DS flows, the RP or the issuer or ACS collects a lot of data. 16:43:33 rrsagent, make minutes 16:43:33 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html nicktr 16:44:41 John_Bradley: You can use discoverable credentials and user chooses one. Web Authn does not have a way to say "give me all the credentials for all the RPIDs" 16:44:50 ..in SPC we'd have to figure out how to scope that in some way 16:45:02 Sameer: My question is "is there no user action"? 16:45:29 ...is there a discoverable credential mechanism without a user action? 16:45:41 John_Bradley: No, that's not in Level 2 and probably won't be in Level 3 16:45:42 q+ 16:46:18 John_Bradley: Tony mentioned something about the non-modal dialog to get that sort of effect: the RP would trigger the browser "if there are any credentials for this RPID challenge the user, otherwise don't show the dialog" 16:46:30 ...so the RP doesn't find out what credentials are in the browser, but the user can select one to log in. 16:46:49 btidor: I think in 3DS we already have the card number, so the issuer knows which credentials to give to the browser 16:47:54 ack me 16:48:03 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 16:48:15 zakim, close item 3 16:48:15 agendum 3, Misc and wrap-up, closed 16:48:16 I see 1 item remaining on the agenda: 16:48:16 2. WebAuthentication WG update [from Ian] 16:48:19 zakim, close item 2 16:48:19 agendum 2, WebAuthentication WG update, closed 16:48:20 I see nothing remaining on the agenda 16:48:22 zakim, take up item 3 16:48:22 agendum 3 -- Misc and wrap-up -- taken up [from Ian] 16:48:37 NickTR: Next steps involve this kind of work -- what gaps are needed in any of the specifications? 16:48:47 [NickTR summarizes the meeting] 16:49:31 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 16:50:26 NickTR: It's been a successful and engaging 4 days. Thanks to all the presenters! 16:51:01 ...it feels like we have an idea that (through trials) delivers benefits to users. We are looking hard at privacy and security considerations 16:51:34 AdrianHB: I'm excited to kick off the SPC task force 16:51:47 ...I think instrument selection will have a strong impact on the SPC design but we'll figure that out. 16:51:55 q? 16:52:35 ian: next steps - we'll set up a task force - regular meeting, github repo 16:53:07 ...there may be other deliverables like implementation guides, FAQs, explainers as well as a spec 16:53:32 ...the next meeting is 15th April where we will talk about i18n of Payment Request 16:53:42 ian: where are we on Payment Request v1? 16:54:05 ...we had a patent advisory group that closed 16:54:12 ...we have a privacy issue to resolve 16:54:24 ...we need to close out the internationalisation issues 16:54:39 ...then we will be done 16:54:54 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 16:55:10 thanks to all who presented... amazing updates 16:55:18 NickTR: Thanks to all for doing the work, presenting, attending, etc. 16:55:24 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 16:55:34 NickTR: Please go back into your organizations and talk up SPC 16:56:13 ...this is for me a real opportunity to shift the needle for multiple payment methods...but there's lots of work to do. If you think there's something here please rustle up some engineering resources. 16:56:15 +1 16:56:50 I have made the request to generate https://www.w3.org/2021/04/01-wpwg-minutes.html Ian 17:26:09 zakim, who's here? 17:26:09 Present: Ian, John_Bradley, Deepu_K_Sasidharan, Lawrence_Cheng, Jonathan_Grossar, mhofman, Tom_Bellenger, Anne_Pouillard, David_Benoit, Mathieu_Hofman, Sebastian_Elfors, jonathan, 17:26:12 ... Takashi_Minamii, Arno, Gavin, Erhard, Anne, AdrianHB, Marc_Perez_i_Ribas, Jean-Michel, Jean-Luc, James_Longstaff, Timo, Bastien_Latge, Frank_Hoffmann, Bastien, Timo_Gmell, 17:26:12 ... Antoine_Cathelin, Vaishali, Gustavo, Jayaseelan_Shanmugam, Mike_Knowles, frank, Ulf_Leopold, Rolf, Olivier, NickTR, Gerhard, Fawad, Danyao, SameerT, Manoj_Kannembath, 17:26:16 ... Doug_Fisher, Tomasz, Richard_Ledain, mknowles, Tomasz_Blachowicz, Mike_Horne, Manjush, Max_Gu, Longstaff, Sejal, btidor, Chris_Dee, Christina, Aleksei, Eric_Alvarez, 17:26:16 ... Kincaid_ONeil, Shyam_Sheth, Christian_Aabye, Remo_fiorentino, Srini, Tony_Nadalin, Michel_Weksler 17:26:16 On IRC I see Vaishali_Bulusu_, ChrisD_, Christian, James, Manoj, mknowles, Jayaseelan, gkok, Timo_Gmell, jonathan, RRSAgent, Zakim, pea13, canton, benoit_, dlehn, AdrianHB, 17:26:19 ... mhofman, wseltzer, smcgruer_[EST], danyao, slightlyoff, falken_, jeffh, hadleybeeman, dlongley, manu, mkwst, hober, Travis_, ntelford, tobie, nicktr, joconnor, rowan_m, yoav, 17:26:19 ... Ian 17:26:21 zakim, bye 17:26:21 Zakim has left #wpwg 17:26:23 rrsagent, bye 17:26:23 I see no action items