15:56:57 <RRSAgent> RRSAgent has joined #wpwg-spc
15:56:57 <RRSAgent> logging to https://www.w3.org/2021/04/19-wpwg-spc-irc
15:57:07 <Ian> Meeting: SPC Task Force
15:57:19 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Apr/0004.html
15:57:21 <Ian> Chair: Ian
15:57:24 <Ian> Scribe: Ian
15:57:38 <Ian> agenda+ Welcome
15:57:40 <Ian> agenda+ Scope
15:57:45 <Ian> agenda+ Deliverables
15:57:50 <Ian> agenda+ Meeting cadence / next meeting
16:01:08 <Ian> present+
16:01:12 <Ian> present+ Fawad_Nisar
16:01:22 <Ian> present+ Benjamin_Tidor
16:01:24 <Ian> present+ Chris_Wood
16:01:28 <Ian> present+ Jonathan_Grossar
16:01:33 <Ian> present+ Gerhard_Oosthuizen
16:01:47 <Ian> present+ Praveena_Subrahmany
16:01:54 <Ian> present+ Gustavo_Kok
16:02:03 <Ian> zakim, who's here?
16:02:03 <Zakim> Present: Ian, Fawad_Nisar, Benjamin_Tidor, Chris_Wood, Jonathan_Grossar, Gerhard_Oosthuizen, Praveena_Subrahmany, Gustavo_Kok
16:02:05 <Zakim> On IRC I see RRSAgent, Zakim, smcgruer_[EST], Ian
16:02:11 <Ian> present+ Shyam_Sheth
16:02:20 <Ian> present+ Stephen_McGruer
16:02:55 <btidor> btidor has joined #wpwg-spc
16:03:10 <Ian> present+ Rolf_Lindemann
16:03:12 <Chris_Wood> Chris_Wood has joined #wpwg-spc
16:03:13 <Gerhard> Gerhard has joined #wpwg-spc
16:03:17 <Ian> present+ Adrian_Hope-Bailie
16:03:44 <jonathan_> jonathan_ has joined #wpwg-spc
16:04:07 <praveena> praveena has joined #wpwg-spc
16:04:11 <AdrianHB> AdrianHB has joined #wpwg-spc
16:04:13 <Ian> zakim, take up item item
16:04:13 <Zakim> 'item' does not match any agenda item, Ian
16:04:17 <Ian> zakim, take up item 1
16:04:17 <Zakim> agendum 1 -- Welcome -- taken up [from Ian]
16:04:20 <Ian> zakim, close item 1
16:04:20 <Zakim> agendum 1, Welcome, closed
16:04:21 <Zakim> I see 3 items remaining on the agenda; the next one is
16:04:21 <Zakim> 2. Scope [from Ian]
16:04:21 <Ian> zakim, take up item 2
16:04:22 <Zakim> agendum 2 -- Scope -- taken up [from Ian]
16:04:51 <Ian> present+ Sameer_Tare
16:05:01 <Gerhard> present+
16:06:37 <gkok> gkok has joined #wpwg-spc
16:07:48 <Ian> Q. Should frictionless (data-based risk assessment) be part of SPC?
16:08:11 <Ian> AdrianHB: We want an authentication API
16:08:23 <Ian> ...the back end can be "anything"; what authentication means is context-specific.
16:08:29 <Ian> ...eg., I found a cookie and I'm satisfied
16:08:47 <Gerhard> q+
16:08:47 <Ian> ...or "I have a FIDO authenticator and get a signed credential for transaction confirmation"
16:09:02 <Ian> ack Gerhard
16:09:05 <Ian> present+ Michel
16:09:25 <Ian> Gerhard: I think we need to be careful about scope
16:09:30 <Ian> ....2 factor
16:09:33 <Ian> ...1 factor
16:09:35 <Ian> ...risk based
16:09:45 <Ian> ...the moment you say "how is the risk based " done
16:09:48 <Ian> ...or how is 2-factor achieved?
16:09:51 <Ian> ...it explode
16:10:05 <Ian> ...I think we should pick 1 or 2 or at most 5 flows and try to optimize those
16:10:24 <smcgruer_[EST]> q+
16:10:34 <Ian> ...we can stick to use cases ; and give optionality but within limits
16:10:36 <Ian> ack sm
16:11:02 <Ian> smcgruer_[EST]: +1 to Gerhard. We are interested in SPC-as-it-is...we are worried about the overall user journey
16:11:21 <Ian> ..I think we should remain tightly scoped in v1
16:11:24 <mweksler> mweksler has joined #wpwg-spc
16:11:37 <Gerhard> q+
16:11:40 <Gerhard> +1 to that.
16:11:40 <Ian> AdrianHB: I don't want SPC to assume only fido-based auth
16:12:08 <Ian> AdrianHB: The API should say "I am authenticating the payer" but what happens should not only be hardware-based crypto
16:12:16 <btidor> q+
16:12:23 <Ian> AdrianHB: ...e.g., software crypto should be an option
16:12:36 <shyam> shyam has joined #wpwg-spc
16:12:42 <Ian> ...so there's an API and a user interaction
16:12:44 <Ian> ack G
16:12:44 <SameerT> SameerT has joined #wpwg-spc
16:13:00 <AdrianHB> q?
16:13:40 <Ian> Gerhard: +1 to AHB. Risk-based auth should support some options
16:13:45 <Ian> back bt
16:13:46 <Ian> ack bt
16:14:20 <Ian> AdrianHB: So perhaps in scope is:
16:14:29 <Ian> 1) Authentication API
16:14:58 <Ian> 2) Merchant calls API
16:15:20 <Ian> 3) Transaction confirmation piece (optional?)
16:15:49 <jonathan_> q?
16:15:50 <Ian> btidor: I can imagine zero-interaction flows.
16:15:59 <Ian> ....so maybe the ultimate definition is the "payment assertion" format.
16:16:04 <Gerhard> Proposal: "A Consent Page" with customer ability to 'skip-the-sheet' based on consent. But it needs 'proof' since it crosses domain'
16:16:27 <Ian> btidor: Either a hardware token generates the format, or a software authenticator generates the format
16:16:49 <Ian> Rolf: What is the unique value proposition of SPC? I can do a lot of things with iframes, JS, etc.
16:17:00 <Ian> ...I agree it is what btidor described:
16:17:09 <Ian> 1) Browser display not subject to x-site attacks
16:17:17 <Ian> 2) Assertion format
16:17:28 <Ian> ...how the user was verified plays a secondary role
16:17:31 <Ian> q?
16:17:31 <AdrianHB> q?
16:18:00 <Ian> AdrianHB: I would like us to consider the possibility that the "UI" is not per-transaction.
16:18:05 <Ian> ...user should be able to pre-load consent.
16:18:10 <mweksler> q+
16:18:13 <btidor> +1
16:18:18 <SameerT> q+
16:18:26 <Ian> ack mweksler
16:18:28 <Gerhard> +1
16:18:54 <Ian> mweksler: Regarding priorities, Adrian's comment about pre-load consent is a lower priority.
16:19:01 <Ian> ...I'd like to define an MVP
16:19:16 <Ian> ...once we have that, it will be easier to take the next step, and I agree with Adrian's point
16:19:17 <Gerhard> q+
16:19:20 <Ian> ack Sa
16:19:24 <smcgruer_[EST]> +1
16:19:35 <Rolf> Rolf has joined #wpwg-spc
16:19:47 <Fawad> Fawad has joined #wpwg-spc
16:19:58 <AdrianHB> Proposal: Assertion format as priority 1.
16:20:02 <Ian> SameerT: +1 to Michel. Issuers can already do some things today. I would say "look at what you have in SPC today and don't re-invent things people can already do."
16:20:10 <AdrianHB> That will include data on how the assertion was generated
16:20:19 <AdrianHB> With scope to evolve
16:20:40 <Ian> SameerT: So define SPC as a bundle (e.g., data, modal, FIDO) that will help
16:20:42 <Ian> ack Ger
16:20:48 <AdrianHB> (assumption is that assertion is a public key signature over tx data)
16:21:08 <Ian> Gerhard: One way we can perhaps do that is to not define certain flows.
16:21:32 <Ian> ...we could require explicit consent and define the assertion
16:21:42 <Rolf> q+
16:21:44 <Ian> ...and allow the browser to drive the UX further if they deem it of value of users
16:22:00 <Ian> ack R
16:22:08 <Ian> Rolf: Two more extension proposals I'd like to mention
16:22:34 <Ian> 1) Especially where mobile phone is used as an authenticator, it would be helpful if the authenticator itself could be the entity that displays the details, and ties it to the assertion
16:22:41 <Ian> ...from a security perspective this is yet another level
16:22:48 <mweksler> +1
16:23:05 <smcgruer_[EST]> +1 (but does the spec need to say that?)
16:23:09 <Ian> Rolf: 2) This is for me not only about payments. E.g., "Do you want to share this data with a hospital?"
16:23:21 <AdrianHB> q+ to comment on non-payment use cases
16:23:38 <Ian> Rolf: ...the user agrees to a certain "transaction"...this is unsolved in the browser world...x-site scripting is a major attack vector
16:23:51 <Ian> ...we'd need some flexibility to set the "CONTEXT"
16:23:55 <Ian> ..whether payment or other data sharing
16:24:14 <Ian> ...the high-security pieces of these use cases would be very relevant
16:24:21 <Ian> ack AdrianHB
16:24:22 <Zakim> AdrianHB, you wanted to comment on non-payment use cases
16:24:33 <smcgruer_[EST]> q+ to note we have 5 minutes left and I'd like to discuss next steps
16:24:43 <Rolf> q+
16:25:04 <Ian> AdrianHB: I am a big advocate of the other use cases. One piece of this is important is that these are not "open data fields"
16:25:20 <Ian> ...so other use cases may need strong structure around the data
16:25:29 <Ian> ...my guess is that could enable more traction.
16:25:43 <mweksler> q+
16:25:52 <Ian> zakim, close the queue
16:25:52 <Zakim> ok, Ian, the speaker queue is closed
16:25:59 <Ian> ack smcgruer_[EST]
16:25:59 <Zakim> smcgruer_[EST], you wanted to note we have 5 minutes left and I'd like to discuss next steps
16:26:11 <Ian> ack Ro
16:26:19 <Ian> Rolf: Session auth would be out of scope
16:26:26 <Ian> ...logged in use case
16:26:36 <Ian> ...but there are other non-payment transactions and that's all I had in mind
16:26:37 <Ian> ack mweksler
16:26:56 <Ian> mweksler: I like the suggestion re: authenticator display
16:27:11 <Ian> ...however, I think auth display is lower priority
16:27:17 <Ian> ...I think non-payments use cases should be out of scope
16:28:45 <mweksler> I can start the doc
16:29:30 <Ian> Next Meeting: 26 April
16:29:39 <Ian> ACTION: Michel to work with Ian on the beginnings of a scoping / requirements doc
16:29:54 <Ian> Stephen: We want:
16:29:56 <Ian> a) User journeys
16:29:58 <Ian> b) Spec
16:30:00 <Ian> c) FAQ
16:32:30 <Ian> RRSAGENT, make minutes
16:32:30 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/19-wpwg-spc-minutes.html Ian
16:32:33 <Ian> RRSAGENT, set logs public
16:46:48 <mweksler> mweksler has joined #wpwg-spc
17:07:46 <Ian> zakim, bye
17:07:46 <Zakim> leaving.  As of this point the attendees have been Ian, Fawad_Nisar, Benjamin_Tidor, Chris_Wood, Jonathan_Grossar, Gerhard_Oosthuizen, Praveena_Subrahmany, Gustavo_Kok,
17:07:46 <Zakim> Zakim has left #wpwg-spc
17:07:48 <Ian> rrsagent, bye
17:07:48 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2021/04/19-wpwg-spc-actions.rdf :
17:07:48 <RRSAgent> ACTION: Michel to work with Ian on the beginnings of a scoping / requirements doc [1]
17:07:48 <RRSAgent>   recorded in https://www.w3.org/2021/04/19-wpwg-spc-irc#T16-29-39