16:00:27 RRSAgent has joined #wpwg-spc
16:00:27 logging to https://www.w3.org/2021/05/24-wpwg-spc-irc
16:00:29 Zakim has joined #wpwg-spc
16:00:39 Meeting: SPC Task Force
16:00:46 present+ Ian_Jacobs
16:00:51 present+ Clinton_Allen
16:00:58 regrets+ Stephen_McGruer
16:01:06 present+ Rouslan_Solomakhin
16:01:15 present+ Jean-Carlo_Emer
16:01:20 present+ Chris_Wood
16:01:24 present+ Benjamin_TIdor
16:01:44 Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0017.html
16:02:06 present_ Gerhard_Oosthuizen
16:02:10 present+ Christina_Aabye
16:02:56 Gerhard has joined #wpwg-spc
16:02:57 btidor has joined #wpwg-spc
16:03:04 https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0017.html
16:03:09 jcemer has joined #wpwg-spc
16:03:10 Christian has joined #wpwg-spc
16:03:14 clinton has joined #wpwg-spc
16:03:15 Topic: Scope + Requirements
16:03:23 https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md
16:03:23 https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md
16:03:32 present+ Sameer_Tare
16:03:59 present+ Laura
16:04:06 present+ Tomasz
16:04:39 rouslan has joined #wpwg-spc
16:04:45 -> https://github.com/w3c/secure-payment-confirmation/wiki/Plan-2021
16:05:19 Topic: Clearer benefits/features
16:05:25 https://github.com/w3c/secure-payment-confirmation/pull/70
16:06:08 Chris_Wood__ has joined #wpwg-spc
16:06:12 Gerhard: Will review today or tomorrow
16:06:35 Topic: Pull request 73
16:06:35 https://github.com/w3c/secure-payment-confirmation/pull/73
16:07:27 present+ Rolf_Lindemann
16:07:34 https://github.com/w3c/secure-payment-confirmation/pull/73/files
16:08:43 Gerhard: This is the "user gesture" bit, right
16:08:52 SameerT has joined #wpwg-spc
16:10:08 Tomasz: What about capability delegation?
16:10:21 Rolf has joined #wpwg-spc
16:11:02 Tomasz: I think this is a good requirement; capability delegation can help with the UX
16:12:06 Topic: Wrap up discussion raised by Tomasz and Stephen on GitHub:
16:12:22 https://github.com/w3c/secure-payment-confirmation/pull/71
16:14:44 Tomasz: How does API know that auth has taken place already?
16:14:58 rouslan: SPC requires a "key" as input.
16:16:39 Ian: But what impact would this have on the API?
16:16:42 rouslan: None
16:18:33 DF has joined #wpwg-spc
16:19:00 present+ Doug_Fisher
16:19:45 Tomasz: I am ok with requirement for in-transaction enrollment; but we may not need to mention "the user has been authenticated"
16:19:56 ACTION: Ian to revise the requirement to remove the pre-auth mention and to focus on the UX
16:21:01 Christian: In 3DS land, 3DS space would be where we talk about this.
16:21:06 ...not sure it belongs in SPC
16:22:34 -> https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0016.html proposal regarding cardinality
16:25:51 Tomasz: I am hearing from API perspective that I provide an SPC Credential Identifier
16:25:59 q+
16:26:12 Ian: Each instrument is independently addressable
16:26:52 +1 for that unique addressability. Unique id for each instrument + auth combination.
16:27:11 ack Gerhard
16:27:21 Gerhard: I agree with the simple model
16:27:32 q+ to discuss cardinality
16:27:48 ...but it does bring me to a use case comment: how do we handle scenario where multiple credentials are available
16:29:44 Benjamin: Regarding N > 1, the original expectation was "browser picks arbitrary one"
16:30:14 q+ to talk about cardinality and failure experience
16:30:30 ack rouslan
16:30:30 rouslan, you wanted to discuss cardinality and to talk about cardinality and failure experience
16:32:08 rouslan: In case of "no matches", the reqs returns error code without UX. That's the experiment we've been running. But there are some people who think that if there's no user gesture requirement, there might be a way to iterate over a list of credentials ... and bad actors might use that info nefariously.
16:32:19 ...so some people might be interested in an error message in case of no match
16:32:41 ...regarding cardinality, I think that for each web site you'd have one credential
16:32:57 ...some people want to reuse webauthn credential for payments
16:33:00 q+
16:33:40 ...the experience we've tested with SPC trial increases number of credentials
16:35:41 Note that it presents some level of friction to register an additional credential. So the ability to reuse one credential for auth and for payment is preferred from our side.
16:38:00 btidor: If we have a situation where N instruments can have signature from same key, we want to reduce avenues of attack, e.g., locking down cardinality as well as good practice to avoid vulnerability
16:38:45 Thanks everyone. Have to drop. Chat later
16:39:16 It is important to cover the case where the API is invoked with 2 credentialIds that are from 2 different instruments.
16:39:30 Topic: Next call
16:39:32 31 May
16:39:41 RRSAGENT, make minutes
16:39:41 I have made the request to generate https://www.w3.org/2021/05/24-wpwg-spc-minutes.html Ian
16:39:47 RRSAGENT, set logs public
16:43:52 regrets+ Praveena
16:43:55 RRSAGENT, make minutes
16:43:55 I have made the request to generate https://www.w3.org/2021/05/24-wpwg-spc-minutes.html Ian
16:43:57 RRSAGENT, set logs public
19:43:53 zakim, bye
19:43:53 leaving. As of this point the attendees have been Ian_Jacobs, Clinton_Allen, Rouslan_Solomakhin, Jean-Carlo_Emer, Chris_Wood, Benjamin_TIdor, Christina_Aabye, Sameer_Tare, Laura,
19:43:53 Zakim has left #wpwg-spc
19:43:54 rrsagent, bye
19:43:54 I see 1 open action item saved in https://www.w3.org/2021/05/24-wpwg-spc-actions.rdf :
19:43:54 ACTION: Ian to revise the requirement to remove the pre-auth mention and to focus on the UX [1]
19:43:54 recorded in https://www.w3.org/2021/05/24-wpwg-spc-irc#T16-19-56
19:43:56 ... Tomasz, Rolf_Lindemann, Doug_Fisher