IRC log of wpwg on 2021-05-27
Timestamps are in UTC.
- 13:25:23 [RRSAgent]
- RRSAgent has joined #wpwg
- 13:25:23 [RRSAgent]
- logging to https://www.w3.org/2021/05/27-wpwg-irc
- 13:25:37 [Ian]
- Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20210527
- 13:25:41 [Ian]
- Meeting: Web Payments Working Group
- 13:25:47 [Ian]
- Chair: NickTR
- 13:25:49 [Ian]
- Scribe: Ian
- 13:57:47 [Ian]
- present+
- 13:58:10 [Ian]
- present+ Pierre_Walden
- 13:58:59 [Ian]
- present+ Nick_Telford-Reed
- 13:59:28 [Ian]
- regrets+ Jean-Luc_Di-Manno
- 13:59:54 [Ian]
- present+ Anne_Pouillard
- 14:00:17 [Ian]
- present+ Fawad_Nisar
- 14:00:43 [Fawad]
- Fawad has joined #wpwg
- 14:00:47 [nicktr]
- scribenick: nicktr
- 14:01:19 [Ian]
- present+ Chris_Wood
- 14:01:32 [Ian]
- regrets+ Stephen_McGruer
- 14:01:33 [Lauren_]
- Lauren_ has joined #wpwg
- 14:01:37 [Ian]
- regrets- Stephen_McGruer
- 14:01:45 [Ian]
- present+ Stephen_McGruer
- 14:01:48 [benoit]
- present+
- 14:01:55 [nicktr]
- agenda?
- 14:01:56 [Ian]
- present+ Jean-Michel_Girard
- 14:02:00 [Ian]
- present+ Gavin_Shenker
- 14:02:05 [clinton]
- clinton has joined #wpwg
- 14:02:07 [Ian]
- present+ Davor_Davidovikj
- 14:02:10 [Ian]
- present+ Clinton_Allen
- 14:02:13 [nicktr]
- agenda+ Usecases/scope
- 14:02:14 [Anne]
- Anne has joined #wpwg
- 14:02:14 [Ian]
- present+ Lauren_Jones
- 14:02:19 [Ian]
- present+ Vincent_Kuntz
- 14:02:21 [nicktr]
- agenda+ issue 65
- 14:02:27 [Ian]
- present+ Gerhard_Oosthuizen
- 14:02:31 [nicktr]
- agenda+ issue 13
- 14:02:35 [vkuntz]
- vkuntz has joined #wpwg
- 14:02:36 [Gavin]
- Gavin has joined #WPWG
- 14:02:42 [vkuntz]
- present+
- 14:02:46 [Ian]
- present+ David_Benoit
- 14:02:49 [Ian]
- present+ Gustavo_Kok
- 14:02:51 [nicktr]
- agenda+ review different flows
- 14:03:00 [nicktr]
- agenda+ implementing SPC as an issuer
- 14:03:08 [nicktr]
- zakim, take up item 1
- 14:03:08 [Zakim]
- agendum 1 -- Usecases/scope -- taken up [from nicktr]
- 14:03:41 [Ian]
- -> https://github.com/w3c/webpayments/wiki/Agenda-20210527 Agenda
- 14:03:58 [Ian]
- present+ Chris_Dee
- 14:04:11 [Ian]
- scribenick: Nick
- 14:04:13 [Gerhard]
- Gerhard has joined #wpwg
- 14:04:17 [Gerhard]
- present+
- 14:04:22 [nicktr]
- scribenick: nicktr
- 14:04:27 [JMGirard]
- JMGirard has joined #wpwg
- 14:04:40 [nicktr]
- ian: SPC taskforce has been making good progress
- 14:04:43 [nicktr]
- ...we meet on Mondays
- 14:04:57 [nicktr]
- ...we have a timeline which tries to get us to a FPWD by this summer
- 14:05:05 [nicktr]
- ...and shipping code in Autumn
- 14:05:11 [Ian]
- -> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md Scope and use cases
- 14:05:18 [nicktr]
- ian: today we'd like to give you an update on scope
- 14:05:25 [nicktr]
- [Ian presents]
- 14:05:49 [nicktr]
- ian: we have a draft definition
- 14:06:08 [nicktr]
- ...I merged a pull request today on features and benefits
- 14:06:22 [nicktr]
- ..."here's what you get with SPC"
- 14:06:33 [nicktr]
- 1. Authentication streamlined for payments
- 14:06:40 [nicktr]
- 2. Scalabale and Ubiquitous
- 14:06:53 [nicktr]
- s/Scalabale/Scalable/
- 14:07:07 [nicktr]
- 3. Designed to meet regulatory req'ts
- 14:07:17 [nicktr]
- 4. Simpler and more secure front-end development
- 14:07:39 [nicktr]
- ian: unique features
- 14:07:49 [nicktr]
- 1. Browser-native UX for payment confirmation
- 14:07:56 [nicktr]
- 2. Cryptographic evidence
- 14:08:03 [nicktr]
- 3. Cross-origin authentication
- 14:08:21 [nicktr]
- ian: We have also been documenting user stories
- 14:08:30 [nicktr]
- ...which we have not yet prioritised
- 14:08:59 [nicktr]
- ian: I invite everyone to read the user stories and to let us know if you have questions or to document missing use cases
- 14:09:10 [nicktr]
- RRSAgent, make minutes
- 14:09:10 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/27-wpwg-minutes.html nicktr
- 14:09:15 [nicktr]
- q?
- 14:09:44 [Ian]
- Nick: I urge you to have a look and send comments.
- 14:10:20 [Ian]
- -> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md Requirements
- 14:10:22 [nicktr]
- zakim, next item
- 14:10:22 [Zakim]
- agendum 2 -- issue 65 -- taken up [from nicktr]
- 14:10:38 [gkok]
- gkok has joined #wpwg
- 14:10:52 [nicktr]
- Issue on Github -> https://github.com/w3c/secure-payment-confirmation/issues/65
- 14:11:51 [Ian]
- present+ Eric_Alvarez
- 14:12:08 [Ian]
- zakim, take up item 2
- 14:12:08 [Zakim]
- agendum 2 -- issue 65 -- taken up [from nicktr]
- 14:12:13 [Ian]
- https://github.com/w3c/secure-payment-confirmation/issues/65
- 14:12:43 [nicktr]
- ian: do you need payment request for SPC, or are they separate?
- 14:13:14 [nicktr]
- smcgruer_[EST]: It's really important that we don't get tripped up by terminology
- 14:13:42 [nicktr]
- ...inside a payment handler == inside payment request for me
- 14:13:51 [ChrisD]
- ChrisD has joined #wpwg
- 14:14:45 [nicktr]
- ian: I had imagined you could use paymentrequest constructor and then call SPC
- 14:14:59 [nicktr]
- ...or while a payment handler is running
- 14:15:13 [nicktr]
- ...or (outside) you just call SPC
- 14:15:20 [nicktr]
- ...there's no payment request
- 14:15:58 [nicktr]
- ...in this third situation, there's no payment method - it's just calling for authentication
- 14:16:56 [Ian]
- Three scenarios:
- 14:17:00 [Ian]
- 1) In PR API on merchant site
- 14:17:03 [nicktr]
- smcgruer_[EST]: I think we have concrete users of scenario 3
- 14:17:08 [Ian]
- 2) In PR API in payment handler
- 14:17:22 [Ian]
- 3) Unrelated to PR API at all (e.g., Stripe experiment)
- 14:17:24 [nicktr]
- ...we don't know of payment handlers that want to use it
- 14:17:39 [nicktr]
- ...and I don't understand scenario 1
- 14:18:55 [nicktr]
- ian: it could be a method within payment request _OR_
- 14:19:08 [nicktr]
- ...it could be a new API (called SPC)
- 14:20:03 [nicktr]
- ...I feel like it's foundational
- 14:20:05 [nicktr]
- q?
- 14:20:31 [nicktr]
- smcgruer_[EST]: Do you want to get into the JS shape?
- 14:21:02 [nicktr]
- ian: I do want to know if you have to trigger payment request or not
- 14:21:32 [nicktr]
- smcgruer_[EST]: I am ambivalent to this issue
- 14:21:49 [nicktr]
- ...I do think it should be callable by both merchants and within a payment handler
- 14:21:53 [Gerhard]
- q+
- 14:22:27 [nicktr]
- Gerhard: I think it should be about paying a merchant
- 14:22:32 [nicktr]
- ack Gerhard
- 14:23:01 [Ian]
- Gerhard: I need to be able to trigger SPC from an issuer domain. See usefulness of being able to trigger from merchant domain
- 14:23:07 [nicktr]
- ...I want to be able to kick it off from a merchant domain, an issuer domain _or_ a scheme domain
- 14:23:54 [nicktr]
- ...I think Tomasz asked if you could just do "credential.create" rather than "paymentrequest.authenticate"
- 14:24:00 [smcgruer_[EST]]
- q+
- 14:24:12 [nicktr]
- ...I do think it should be bound to a payment
- 14:24:24 [nicktr]
- ack smcgruer_[EST]
- 14:25:04 [nicktr]
- smcgruer_[EST]: you mentioned that the credential should only be used for payments
- 14:25:24 [nicktr]
- ...we have heard that others would like to be able to use for other uses
- 14:25:39 [nicktr]
- Gerhard: I think we devalue the transaction if we don't bind to payments
- 14:26:06 [nicktr]
- ian: could we re-use a credential for other things? Yes
- 14:26:14 [nicktr]
- ...but SPC should be payments
- 14:26:20 [Ian]
- present+ Erhard_Brand
- 14:26:35 [smcgruer_[EST]]
- +1, I misunderstood :D
- 14:26:51 [nicktr]
- gerhard: I think the credential + payment instrument is critical
- 14:27:14 [nicktr]
- ...I think secure display is critical
- 14:27:55 [nicktr]
- ...I think frictionless is a different construct
- 14:28:06 [nicktr]
- ian: would you write up the non-fido use case?
- 14:28:24 [nicktr]
- Gerhard: I think we have done that
- 14:28:38 [nicktr]
- ...including the explainer
- 14:28:44 [nicktr]
- ian: I will open an issue
- 14:28:46 [Ian]
- q?
- 14:29:57 [nicktr]
- ian: I am not hearing strong views on SPC invokable independent of payment request
- 14:30:10 [nicktr]
- ChrisD: I agree with Gerard that SPC should not ‘embed’ FIDO. Other authentication mechanisms are available.
- 14:30:35 [nicktr]
- ian: in the requirements doc, we say you should be able to call SPC from a payment handler or a website
- 14:31:00 [Gerhard]
- Non-fido challenge defined at https://github.com/entersekt/possession-credential with presentation at http://www.w3.org/2021/Talks/entersekt-20210330.pdf
- 14:31:08 [Ian]
- zakim, close this item
- 14:31:08 [Zakim]
- agendum 2 closed
- 14:31:09 [Zakim]
- I see 3 items remaining on the agenda; the next one is
- 14:31:09 [Zakim]
- 3. issue 13 [from nicktr]
- 14:31:14 [Ian]
- zakim, take up item 3
- 14:31:14 [Zakim]
- agendum 3 -- issue 13 -- taken up [from nicktr]
- 14:31:19 [Ian]
- https://github.com/w3c/secure-payment-confirmation/issues/13
- 14:32:28 [davor_]
- davor_ has joined #wpwg
- 14:33:37 [nicktr]
- ian: one credential per payment instrument? Or one credential for many payment instruments (e.g. while logged into your online banking)? Or many credentials for one instrument (different browsers)?
- 14:35:05 [nicktr]
- ian: the key requirement is everything is independently addressable
- 14:35:31 [nicktr]
- ...we don't want to constrain implementations
- 14:35:36 [smcgruer_[EST]]
- q+
- 14:36:00 [nicktr]
- ian: this is what we documented in the requirements
- 14:36:06 [nicktr]
- ack smcgruer_[EST]
- 14:36:23 [nicktr]
- smcgruer_[EST]: I don't understand the constraint
- 14:37:01 [benoit]
- q+
- 14:37:20 [nicktr]
- ian: The intention is for the credential to be at an instrument (like a card number) level
- 14:37:22 [nicktr]
- q+
- 14:37:35 [Ian]
- ack ben
- 14:37:37 [smcgruer_[EST]]
- q+
- 14:37:45 [Chris_Wood]
- Chris_Wood has joined #wpwg
- 14:38:24 [nicktr]
- benoit: the binding of a card has been static traditionally but firms like Curve have made that fluid
- 14:38:48 [nicktr]
- ian: I don't think the text needs to change
- 14:38:51 [Ian]
- ack nick
- 14:39:06 [Ian]
- nicktr: I want to point out that it's turtles all the way down here.
- 14:39:35 [Ian]
- ...you are talking about "instrument" v "account"; funding PAN can be represented by a universe of token PANs
- 14:40:31 [Ian]
- ...not sure definition of "instrument" is adequate
- 14:40:45 [Gerhard]
- q+
- 14:40:59 [Chris_Wood]
- q+
- 14:41:13 [Ian]
- ack sm
- 14:41:45 [nicktr]
- smcgruer_[EST]: I strongly believe that the meaning of credential is up to the relying partner
- 14:41:59 [nicktr]
- ...I don't think that the SPC spec should force that binding
- 14:42:40 [Ian]
- q+ to mention "2 user account" use case
- 14:42:52 [nicktr]
- ...today the only reason we have the binding in the explainer is because we store some things in the browser _in our first implementation_
- 14:42:52 [Ian]
- present+ Jeffh
- 14:42:59 [Ian]
- q?
- 14:43:05 [nicktr]
- ...I think that should be up to the RP
- 14:43:13 [Ian]
- smcgruer_[EST]: You could move binding to auth time (rather than static binding)
- 14:43:14 [nicktr]
- ack Gerhard
- 14:43:36 [Ian]
- Gerhard: SPC should not require a selection to be made
- 14:43:38 [nicktr]
- gerhard: I think that SPC should represent where the money is coming from
- 14:44:04 [nicktr]
- ...in other words, a credential == "where the money is coming from" without further user selection
- 14:44:08 [nicktr]
- q?
- 14:44:51 [nicktr]
- gerhard: I am strongly in favour of 1:1
- 14:44:53 [Ian]
- q+ to ask about regulatory requirement
- 14:44:57 [Ian]
- ack Chr
- 14:45:03 [nicktr]
- ...this creates sureness for consumers
- 14:45:06 [smcgruer_[EST]]
- q+
- 14:45:28 [Ian]
- Chris: For SPC to work with open banking, needs to be account (source of funds)
- 14:45:30 [nicktr]
- Chris_Wood: in an open banking context, instrument == "bank account"
- 14:45:44 [Ian]
- ach mee
- 14:45:46 [nicktr]
- ...it's "where do the funds come from" afaic
- 14:45:46 [Ian]
- ack me
- 14:45:46 [Zakim]
- Ian, you wanted to mention "2 user account" use case and to ask about regulatory requirement
- 14:45:48 [Gerhard]
- +1 to that
- 14:46:14 [nicktr]
- ian: I think the dynamic linking regulatory element is important
- 14:46:32 [nicktr]
- ...do we know what the specific requirement is wrt funding source?
- 14:47:13 [nicktr]
- q?
- 14:47:17 [nicktr]
- ack smcgruer_[EST]
- 14:47:26 [Ian]
- Ian: Question is "dynamic before sig" or "dynamic after sig"
- 14:47:40 [nicktr]
- smcgruer_[EST]: I think the binding is at "auth" time
- 14:47:42 [Ian]
- smcgruer_[EST]: I want strong binding at auth time, not enrollment time.
- 14:47:46 [nicktr]
- ...not at registration time
- 14:48:29 [Gerhard]
- q+
- 14:48:39 [Ian]
- ack G
- 14:48:40 [nicktr]
- ack Gerhard
- 14:49:47 [nicktr]
- gerhard: if you have multiple authenticators, how does that work?
- 14:49:56 [nicktr]
- ...can someone take me through that?
- 14:50:19 [nicktr]
- smcgruer_[EST]: you will always have a separate credential per authenticator
- 14:50:36 [nicktr]
- ...but let's imagine you have a visa card and a mastercard from the same issuer
- 14:50:55 [nicktr]
- ...for a particular payment, I select the mastercard
- 14:51:07 [nicktr]
- ...the merchant sends that through
- 14:51:33 [nicktr]
- ...the RP (issuer) sends the authenticator credentials for that instrument
- 14:52:08 [nicktr]
- ...but also (possibly) here are the other instruments
- 14:52:27 [nicktr]
- ...by sending the info at authentication time
- 14:52:27 [Ian]
- q?
- 14:53:04 [nicktr]
- ian: I am hearing a strong push for the binding no later than authentication but not necessarily at enrolment time
- 14:53:18 [nicktr]
- ian: We need to revisit the requirements
- 14:53:44 [nicktr]
- ...I believe that there is consensus that what you sign is what you're paying with
- 14:53:46 [nicktr]
- q+
- 14:53:52 [Ian]
- ack nick
- 14:53:58 [Ian]
- scribenick: Ian
- 14:54:10 [Ian]
- nicktr: You asked about regulatory requirement re: dynamic linking.
- 14:54:27 [Ian]
- ...I don't think it binds the instrument; it binds USER, amount, and beneficiary
- 14:55:02 [nicktr]
- scribenick: nicktr
- 14:55:26 [Ian]
- ACTION: smcgruer_[EST] with rouslan and Ian to work on refining requirements to support authentication-time binding to concrete funding source
- 14:55:28 [nicktr]
- ian: Rouslan and Ian will work on that while smcgruer_[EST] is enjoying a well-earned vacation
- 14:55:34 [nicktr]
- q?
- 14:55:36 [nicktr]
- agenda?
- 14:56:11 [nicktr]
- ian: I suggest we revisit the next two agenda items next time
- 14:56:17 [nicktr]
- q+
- 14:56:25 [Ian]
- Topic: Next meeting
- 14:56:41 [Ian]
- 10 June
- 14:56:45 [Ian]
- ack nicktr
- 14:57:33 [nicktr]
- RRSAgent, make minutes
- 14:57:33 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/27-wpwg-minutes.html nicktr
- 14:57:42 [Ian]
- RRSAGENT, make minutes
- 14:57:42 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/27-wpwg-minutes.html Ian
- 14:57:45 [Ian]
- RRSAGENT, set logs public
- 14:58:32 [Ian]
- zakim, bye
- 14:58:32 [Zakim]
- leaving. As of this point the attendees have been Ian, Pierre_Walden, Nick_Telford-Reed, Anne_Pouillard, Fawad_Nisar, Chris_Wood, Stephen_McGruer, benoit, Jean-Michel_Girard,
- 14:58:32 [Zakim]
- Zakim has left #wpwg
- 14:58:34 [Ian]
- rrsagent, bye
- 14:58:34 [RRSAgent]
- I see 1 open action item saved in https://www.w3.org/2021/05/27-wpwg-actions.rdf :
- 14:58:34 [RRSAgent]
- ACTION: smcgruer_[EST] with rouslan and Ian to work on refining requirements to support authentication-time binding to concrete funding source [1]
- 14:58:34 [RRSAgent]
- recorded in https://www.w3.org/2021/05/27-wpwg-irc#T14-55-26
- 14:58:35 [Zakim]
- ... Gavin_Shenker, Davor_Davidovikj, Clinton_Allen, Lauren_Jones, Vincent_Kuntz, Gerhard_Oosthuizen, vkuntz, David_Benoit, Gustavo_Kok, Chris_Dee, Gerhard, Eric_Alvarez,
- 14:58:35 [Zakim]
- ... Erhard_Brand, Jeffh