15:53:07 RRSAgent has joined #wpwg-spc 15:53:07 logging to https://www.w3.org/2021/05/03-wpwg-spc-irc 15:53:18 Meeting: SPC Task Force 15:53:20 Chair: Ian 15:53:34 Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Apr/0012.html 15:53:36 Scribe: Ian 15:53:57 agenda+ Origin trial end date 15:54:04 agenda+ User stores 15:54:07 agenda- User stores 15:54:09 agenda+ User stories 15:54:14 agenda+ Issue 56 15:54:15 agenda+ Issue 57 15:54:19 agenda+ Regular meeting time 15:54:24 regrets+ Tomasz 15:54:39 regrets+Anne_Pouillard 15:54:46 regrets? 15:54:54 regrets+ Anne_Pouillard 15:55:24 mweksler has joined #wpwg-spc 15:58:21 Clinton has joined #wpwg-spc 15:59:27 present+ 15:59:31 present+ Clinton_Allen 15:59:37 present+ Michel_Weksler 16:00:40 present+ Jean-Carlo_Emer 16:00:50 present+ Stephen_McGruer 16:01:14 present+ Gustavo_Kok 16:01:53 present+ Gerhard_OOsthuizen 16:02:06 present+ Jeff_Hodges 16:02:30 present+ Amy_Slack 16:02:33 present+ Doug_Fisher 16:02:39 present+ Christian_Aabye 16:02:55 present+ Werner_Bruinings 16:03:20 -> https://lists.w3.org/Archives/Public/public-payments-wg/2021Apr/0012.html Agenda 16:03:22 agenda? 16:03:40 zakim, take up item 1 16:03:40 agendum 1 -- Origin trial end date -- taken up [from Ian] 16:04:16 jeffh has joined #wpwg-spc 16:04:17 Mweksler: Airbnb and Adyen are going to do a pilot with SPC. Want to do this as part of the origin trial, and to see if we have any flexibility on the end date. 16:04:54 Stephen: The origin trial is from 91-93. I think this is through mid-September 16:05:03 ...we extend origin trials for 2 reasons 16:05:11 ...if there's a browser bug (invalidating the origin trial) 16:05:20 ...more commonly, when partners need more time! 16:05:29 present+ Sameer_Tare 16:05:40 ...sometimes we can extend 1 or more release cycles 16:05:48 SameerT has joined #wpwg-spc 16:06:02 mweksler: It would be great to chat with you more about the pilot idea 16:06:09 present+ Praveena_Subrahmany 16:06:28 mweksler: When would we need to request the extension and to whom? 16:06:33 Stephen: File the request with me 16:06:41 ...how about by July? 16:06:46 wernerb_ has joined #wpwg-spc 16:06:48 present+ Adrian_Hope-Bailie 16:07:11 michel: Noted! 16:07:17 zakim, close item 1 16:07:17 agendum 1, Origin trial end date, closed 16:07:18 I see 5 items remaining on the agenda; the next one is 16:07:18 2. User stores [from Ian] 16:07:25 zakim, close item 2 16:07:25 agendum 2, User stores, closed 16:07:26 I see 4 items remaining on the agenda; the next one is 16:07:26 3. User stories [from Ian] 16:07:28 zakim, take up item 3 16:07:28 agendum 3 -- User stories -- taken up [from Ian] 16:07:36 https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md 16:07:45 praveena has joined #wpwg-spc 16:07:47 jeffh_ has joined #wpwg-spc 16:07:54 agenda? 16:08:00 https://github.com/w3c/secure-payment-confirmation/pull/60 16:08:18 https://github.com/w3c/secure-payment-confirmation/pull/60/files 16:09:18 1) Out of band enrollment 16:09:35 Stephen: +1 to this use case. Captures the important of "enrolling all your payment instruments" 16:10:01 Jean_Emer_ has joined #wpwg-spc 16:10:50 Gerhard_ has joined #wpwg-spc 16:10:51 2) In-transaction enrollment, authentication same merchant 16:10:54 gkok has joined #wpwg-spc 16:11:19 3) Authentication different merchant 16:11:58 4) Enrollment for both payment authentication and account login 16:12:36 mweksler: The details are for discussion but the general idea is to do one-step login plus payment authentication 16:13:08 ...it would be great if, during a guest checkout, the user pays and the merchant can use the authentication step both for payment and to create an account 16:13:17 q+ 16:13:27 ack Gerhard_ 16:13:49 q+ 16:14:01 Gerhard_: When I look at this use case from a banking perspective, we definitely see the use case. 16:14:38 ...are you thinking about this from banking or merchant perspective? 16:14:53 mweksler: Merchant perspective. Want to use credentials for future login 16:15:53 ...user perspective is "just authenticate once; allow multiple usage" 16:16:42 stephen: In the use case it talks about using this credential on a "different" merchant. 16:16:42 Just note Michel: This sounds more like Delegated Auth use-cases. 16:17:11 michel: I was not thinking about cross-merchant login 16:18:28 Ian: My understanding was that the issuer is the RP, and gives the merchant the info required to re-use the credential for login 16:18:34 q+ 16:18:55 Ian: But that login use case breaks web auth same origin policy, so would need to handle specially 16:19:06 +1 to what Gerhard mentioned, owner (RP) of the credentials will drive use-cases differently 16:19:07 ack sm 16:19:45 smcgruer_[EST]: Sharing creds is a FIDO problem, not an SPC problem 16:20:17 5) Lower Friction 16:20:50 (Brought to us by Entersekt) 16:20:54 https://github.com/w3c/secure-payment-confirmation/pull/60/files 16:22:08 Gerhard: Low friction to me is "transaction display but just "verify" button" 16:22:16 ..you still get cryptographic signature 16:22:32 ...this is not a frictionless flow (e.g., based on previous consent by the user) 16:23:14 ...if there is a frictionless flow, then the signed data would need to say so 16:24:38 Christian has joined #wpwg-spc 16:25:18 Ian: I think we've been talking about 3 levels: 16:25:26 1) display and user verification 16:25:36 ..there is a multi-factor event 16:25:41 2) display and user presence 16:25:49 3) display and possession, but no user presence check 16:26:06 4) no display and no user presence check 16:26:10 (but previous consent) 16:26:14 q? 16:27:17 JeffH: Silent authentication is not supported in WebAuthn but technically can be done at CTAP layer 16:28:34 ..authenticators might have displays 16:28:54 q+ 16:29:09 ...authenticators that are discrete components that have display in the authenticator boundary are rare. 16:29:14 ack mw 16:29:45 mweksler: I suggest that if we feel like the use case is useful, we can still add it 16:30:14 ...as a merchant, this is very useful (with user consent) to do something with silent authentication 16:30:22 ...but we don't want to create a security hole 16:31:15 ACTION: To split these use cases into the 4 experiences we described here. 16:32:07 zakim, take up item 6 16:32:07 agendum 6 -- Regular meeting time -- taken up [from Ian] 16:32:11 +1 for moving to WPWG group 16:32:19 +1 to move to an hour, -1 to 7 am pacific 16:32:21 PROPOSED: Move this 30 mins to 1 hour every other week on thursday call 16:32:44 Christian: We (EMVCo) have a conflict then 16:33:29 Next meeting: 10 May 16:33:30 Doug has joined #wpwg-spc 16:33:50 RRSAGENT, make minutes 16:33:50 I have made the request to generate https://www.w3.org/2021/05/03-wpwg-spc-minutes.html Ian 16:33:55 rrsagent, set logs public 16:34:15 rrsagent, bye 16:34:15 I see 1 open action item saved in https://www.w3.org/2021/05/03-wpwg-spc-actions.rdf : 16:34:15 ACTION: To split these use cases into the 4 experiences we described here. [1] 16:34:15 recorded in https://www.w3.org/2021/05/03-wpwg-spc-irc#T16-31-15 16:34:17 zakim, bye 16:34:17 leaving. As of this point the attendees have been Ian, Clinton_Allen, Michel_Weksler, Jean-Carlo_Emer, Stephen_McGruer, Gustavo_Kok, Gerhard_OOsthuizen, Jeff_Hodges, Amy_Slack, 16:34:17 Zakim has left #wpwg-spc