W3C

SPC Task Force

26 April 2021

Attendees

Present
Clinton Allen (American Express), Fawad Nisar (Discover), Ian Jacobs (W3C), Jonathan Vokes (FIS), Laura Townsend (MAG), Michel Weksler (Airbnb), Praveena Subrahmany (Airbnb), Rolf Lindemann (Nok Nok Labs), Sameer Tare (Mastercard), Stephen McGruer (Google), Tomasz Blachowicz (Mastercard), Werner Bruinings (American Express)
Regrets
Adrian Hope-Bailie
Chair
Ian
Scribe
Ian

Meeting minutes

Scope Document

[Michel walks through the Draft scope document]

Unique features of SPC

Tomasz: regarding "Scalable" could also add "Ubiquitous". Regarding "Transaction confirmation" suggest s/3DS/SCA
… see also pull request for more suggestions
… it's not only to fulfill regulatory requirements

<smcgruer_[EST]> +1 to Ubiquitous, if that helps us get away from 'across all PSP's merchants' to 'across all merchants'. (I think the latter is a long path to get there and we should start smaller such as PSP-bound, but we should keep it as a path in mind)

<Zakim> Ian, you wanted to make a comment after the list

IJ: I propose to add "scalable and ubiquitous" to the definition

<Tomasz> +1

<mweksler> +1

<Rolf> +1

<smcgruer_[EST]> +1

<praveena> +1

<Zakim> SameerT, you wanted to say comment for the front-end dev - Make it generic since in 3DS world, the merchants simply allow the issuer iframe to present content to the user

SameerT: Regarding front-end development built, I think that we should either generalize to apply to both the merchant and RP, or remove it.

Ian: PH also would benefit

Sameer: Note that in 3DS use case, deployment is simple (just an iframe)
… the issuer presents the content through the iframe

Ian: Perhaps we could say: "Because the browser or secure hardware controls the display, whoever would ordinarily open UX for authentication should have a simpler deployment."

Sameer: Yes, something like that.

Definitions

IJ: Please have a look

Tomasz: What is the difference between "Credential" and "Assertion" here?

Rolf: In WebAuthn, the assertion is different from the credential. In username/password, the assertion is the same as the credential.
… all these terms are overloaded and used heavily.
… I think it's ok to refer to the Credential and then you do get() and get back an Assertion

<smcgruer_[EST]> +1 to Rolf

Tomasz: What if we use the Credential Management API? (cf. WebOTP).

Ian: That is a possibility. Anything here preclude that?

Tomasz: Also based on the credential management API

<smcgruer_[EST]> Perhaps: "SPC Credential Identifier : An identifier generated during enrollment and stored by the Relying Party in association with a payment instrument."

<smcgruer_[EST]> (Does not preclude multiple being created)

Stephen: There aren't really use cases yet...
… maybe talk about "payment systems"

Next Meeting

3 May

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).