13:25:23 <RRSAgent> RRSAgent has joined #wpwg
13:25:23 <RRSAgent> logging to https://www.w3.org/2021/05/27-wpwg-irc
13:25:37 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20210527
13:25:41 <Ian> Meeting: Web Payments Working Group
13:25:47 <Ian> Chair: NickTR
13:25:49 <Ian> Scribe: Ian
13:57:47 <Ian> present+
13:58:10 <Ian> present+ Pierre_Walden
13:58:59 <Ian> present+ Nick_Telford-Reed
13:59:28 <Ian> regrets+ Jean-Luc_Di-Manno
13:59:54 <Ian> present+ Anne_Pouillard
14:00:17 <Ian> present+ Fawad_Nisar
14:00:43 <Fawad> Fawad has joined #wpwg
14:00:47 <nicktr> scribenick: nicktr
14:01:19 <Ian> present+ Chris_Wood
14:01:32 <Ian> regrets+ Stephen_McGruer
14:01:33 <Lauren_> Lauren_ has joined #wpwg
14:01:37 <Ian> regrets- Stephen_McGruer
14:01:45 <Ian> present+ Stephen_McGruer
14:01:48 <benoit> present+
14:01:55 <nicktr> agenda?
14:01:56 <Ian> present+ Jean-Michel_Girard
14:02:00 <Ian> present+ Gavin_Shenker
14:02:05 <clinton> clinton has joined #wpwg
14:02:07 <Ian> present+ Davor_Davidovikj
14:02:10 <Ian> present+ Clinton_Allen
14:02:13 <nicktr> agenda+ Usecases/scope
14:02:14 <Anne> Anne has joined #wpwg
14:02:14 <Ian> present+ Lauren_Jones
14:02:19 <Ian> present+ Vincent_Kuntz
14:02:21 <nicktr> agenda+ issue 65
14:02:27 <Ian> present+ Gerhard_Oosthuizen
14:02:31 <nicktr> agenda+ issue 13
14:02:35 <vkuntz> vkuntz has joined #wpwg
14:02:36 <Gavin> Gavin has joined #WPWG
14:02:42 <vkuntz> present+
14:02:46 <Ian> present+ David_Benoit
14:02:49 <Ian> present+ Gustavo_Kok
14:02:51 <nicktr> agenda+ review different flows
14:03:00 <nicktr> agenda+ implementing SPC as an issuer
14:03:08 <nicktr> zakim, take up item 1
14:03:08 <Zakim> agendum 1 -- Usecases/scope -- taken up [from nicktr]
14:03:41 <Ian> -> https://github.com/w3c/webpayments/wiki/Agenda-20210527 Agenda
14:03:58 <Ian> present+ Chris_Dee
14:04:11 <Ian> scribenick: Nick
14:04:13 <Gerhard> Gerhard has joined #wpwg
14:04:17 <Gerhard> present+
14:04:22 <nicktr> scribenick: nicktr
14:04:27 <JMGirard> JMGirard has joined #wpwg
14:04:40 <nicktr> ian: SPC taskforce has been making good progress
14:04:43 <nicktr> ...we meet on Mondays
14:04:57 <nicktr> ...we have a timeline which tries to get us to a FPWD by this summer
14:05:05 <nicktr> ...and shipping code in Autumn
14:05:11 <Ian> -> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md Scope and use cases
14:05:18 <nicktr> ian: today we'd like to give you an update on scope
14:05:25 <nicktr> [Ian presents]
14:05:49 <nicktr> ian: we have a draft definition
14:06:08 <nicktr> ...I merged a pull request today on features and benefits
14:06:22 <nicktr> ..."here's what you get with SPC"
14:06:33 <nicktr> 1. Authentication streamlined for payments
14:06:40 <nicktr> 2. Scalabale and Ubiquitious
14:06:53 <nicktr> s/Scalabale/Scalable/
14:07:07 <nicktr> 3. Designed to meet regulatory req'ts
14:07:17 <nicktr> 4. Simpler and more secure front-end development
14:07:39 <nicktr> ian: unique features
14:07:49 <nicktr> 1. Browser-native UX for payment confirmation
14:07:56 <nicktr> 2. Cryptographic evidence
14:08:03 <nicktr> 3. Cross-origin authentication
14:08:21 <nicktr> ian: We have also been documenting user stories
14:08:30 <nicktr> ...which we have not yet prioritised
14:08:59 <nicktr> ian: I invite everyone to read the user stories and to let us know if you have questions or to document missing use cases
14:09:10 <nicktr> RRSAgent, make minutes
14:09:10 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/27-wpwg-minutes.html nicktr
14:09:15 <nicktr> q?
14:09:44 <Ian> Nick: I urge you to have a look and send comments.
14:10:20 <Ian> -> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md Requirements
14:10:22 <nicktr> zakim, next item
14:10:22 <Zakim> agendum 2 -- issue 65 -- taken up [from nicktr]
14:10:38 <gkok> gkok has joined #wpwg
14:10:52 <nicktr> Issue on Github -> https://github.com/w3c/secure-payment-confirmation/issues/65
14:11:51 <Ian> present+ Eric_Alvarez
14:12:08 <Ian> zakim, take up item 2
14:12:08 <Zakim> agendum 2 -- issue 65 -- taken up [from nicktr]
14:12:13 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/65
14:12:43 <nicktr> ian: do you need payment request for SPC, or are they separate?
14:13:14 <nicktr> smcgruer_[EST]: It's really important that we don't get tripped up by terminology
14:13:42 <nicktr> ...inside a payment handler == inside payment request for me
14:13:51 <ChrisD> ChrisD has joined #wpwg
14:14:45 <nicktr> ian: I had imagined you could use paymentrequest constructor and then call SPC
14:14:59 <nicktr> ...or while a payment handler is running
14:15:13 <nicktr> ...or (outside) you just call SPC
14:15:20 <nicktr> ...there's no payment request
14:15:58 <nicktr> ...in this third situation, there's no payment method - it's just calling for authentication
14:16:56 <Ian> Three scenarios:
14:17:00 <Ian> 1) In PR API on merchant site
14:17:03 <nicktr> smcgruer_[EST]: I think we have concrete users of scenario 3
14:17:08 <Ian> 2) In PR API in payment handler
14:17:22 <Ian> 3) Unrelated to PR API at all (e.g., Stripe experiment)
14:17:24 <nicktr> ...we don't know of of payment handlers that want to use it
14:17:39 <nicktr> ...and I don't understand scenario 1
14:18:55 <nicktr> ian: it could be a method within payment request _OR_
14:19:08 <nicktr> ...it could be a new API (called SPC)
14:20:03 <nicktr> ...I feel like it's foundational
14:20:05 <nicktr> q?
14:20:31 <nicktr> smcgruer_[EST]: Do you want to get into the JS shape?
14:21:02 <nicktr> ian: I do want to know if you have to trigger payment request or not
14:21:32 <nicktr> smcgruer_[EST]: I am ambivalent to this issue
14:21:49 <nicktr> ...I do think it should be callable by both merchants and within a payment handler
14:21:53 <Gerhard> q+
14:22:27 <nicktr> Gerhard: I think I should be about paying a merchant
14:22:32 <nicktr> ack Gerhard
14:23:01 <Ian> Gerhard: I need to be able to trigger SPC from an issuer domain. See usefulness of being able to trigger from merchant domain
14:23:07 <nicktr> ...I want to be able to kick it off from a merchant domain, an issuer domain _or_ a scheme domain
14:23:54 <nicktr> ...I think Tomasz asked if you could just do "credential.create" rather than "paymentrequest.authenticate"
14:24:00 <smcgruer_[EST]> q+
14:24:12 <nicktr> ...I do think should be bound to a payment
14:24:24 <nicktr> ack smcgruer_[EST]
14:25:04 <nicktr> smcgruer_[EST]: you mentioned that the credential should only used for payments
14:25:24 <nicktr> ...we have heard that others would like to be able to use for other uses
14:25:39 <nicktr> Gerhard: I think we devalue the transaction if we don't bind to payments
14:26:06 <nicktr> ian: could we re-use a credential for other things? Yes
14:26:14 <nicktr> ...but SPC should be payments
14:26:20 <Ian> present+ Erhard_Brand
14:26:35 <smcgruer_[EST]> +1, I misunderstood :D
14:26:51 <nicktr> gerhard: I think the credential + payment instrument is critical
14:27:14 <nicktr> ...I think secure display is critical
14:27:55 <nicktr> ...I think frictionless is a different construct
14:28:06 <nicktr> ian: would you write up the non-fido use case?
14:28:24 <nicktr> Gerhard: I think we have done that
14:28:38 <nicktr> ...including the explainer
14:28:44 <nicktr> ian: I will open an issue
14:28:46 <Ian> q?
14:29:57 <nicktr> ian: I am not hearing strong views on SPC invokable independent of payment request
14:30:10 <nicktr> ChrisD: I agree with Gerard that SPC should not ‘embed’ FIDO. Other authentication mechanisms are available.
14:30:35 <nicktr> ian: in the requirements doc, we say you should be able to call SPC from a payment handler or a website
14:31:00 <Gerhard> Non-fido challenge defined at https://github.com/entersekt/possession-credential with presentation at http://www.w3.org/2021/Talks/entersekt-20210330.pdf
14:31:08 <Ian> zakim, close this item
14:31:08 <Zakim> agendum 2 closed
14:31:09 <Zakim> I see 3 items remaining on the agenda; the next one is
14:31:09 <Zakim> 3. issue 13 [from nicktr]
14:31:14 <Ian> zakim, take up item 3
14:31:14 <Zakim> agendum 3 -- issue 13 -- taken up [from nicktr]
14:31:19 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/13
14:32:28 <davor_> davor_ has joined #wpwg
14:33:37 <nicktr> ian: one credential per payment instrument? Or one credential for many payment instruments (e.g. while logged into you online banking)? Or many credentials for one instrument (different browsers)
14:35:05 <nicktr> ian: the key requirement is everything is independently addressable
14:35:31 <nicktr> ...we don't want to constrain implementations
14:35:36 <smcgruer_[EST]> q+
14:36:00 <nicktr> ian: this is what we documented in the requirements
14:36:06 <nicktr> ack smcgruer_[EST]
14:36:23 <nicktr> smcgruer_[EST]: I don't understand the constraint
14:37:01 <benoit> q+
14:37:20 <nicktr> ian: The intention is for the credential to be at an instrument (like a card number) level
14:37:22 <nicktr> q+
14:37:35 <Ian> ack ben
14:37:37 <smcgruer_[EST]> q+
14:37:45 <Chris_Wood> Chris_Wood has joined #wpwg
14:38:24 <nicktr> benoit: the binding of a card has been static traditionally but firms like Curve have made that fluid
14:38:48 <nicktr> ian: I don't think the text needs to change
14:38:51 <Ian> ack nick
14:39:06 <Ian> nicktr: I want to point out that it's turtles all the way down here.
14:39:35 <Ian> ...you are talking about about "instrument" v "account"; funding PAN can be represented by a universe of token pans
14:40:31 <Ian> ...not sure definition of "instrument" is adequate
14:40:45 <Gerhard> q+
14:40:59 <Chris_Wood> q+
14:41:13 <Ian> ack sm
14:41:45 <nicktr> smcgruer_[EST]: I strongly believe that the meaning of credential is up to the relying partner
14:41:59 <nicktr> ...I don't think that the SPC spec should force that binding
14:42:40 <Ian> q+ to mention "2 user account" use case
14:42:52 <nicktr> ...today the only reason we have the binding in the explainer is because we store somethings in the browser _in our first implementation_
14:42:52 <Ian> present+ Jeffh
14:42:59 <Ian> q?
14:43:05 <nicktr> ...I think that should be up the RP
14:43:13 <Ian> smcgruer_[EST]: You could move binding to auth time (rather than static binding)
14:43:14 <nicktr> ack Gerhard
14:43:36 <Ian> Gerhard: SPC should not require a selection to be made
14:43:38 <nicktr> gerhard: I think that SPC should represent where the money is coming from
14:44:04 <nicktr> ...in other words, a credential == "where the money is coming from" without further user selection
14:44:08 <nicktr> q?
14:44:51 <nicktr> gerhard: I am strongly in favour of 1:1
14:44:53 <Ian> q+ to ask about regulatory requirement
14:44:57 <Ian> ack Chr
14:45:03 <nicktr> ...this creates sureness for consumers
14:45:06 <smcgruer_[EST]> q+
14:45:28 <Ian> Chris: For SPC to work with open banking, needs to be account (source of funds)
14:45:30 <nicktr> Chris_Wood: in an open banking context, instrument == "bank account"
14:45:44 <Ian> ach mee
14:45:46 <nicktr> ...it's "where do the funds come from" afaic
14:45:46 <Ian> ack me
14:45:46 <Zakim> Ian, you wanted to mention "2 user account" use case and to ask about regulatory requirement
14:45:48 <Gerhard> +1 to that
14:46:14 <nicktr> ian: I think the dynamic linking regulatory element is important
14:46:32 <nicktr> ...do we know what the specific requirement is wrt to funding source?
14:47:13 <nicktr> q?
14:47:17 <nicktr> ack smcgruer_[EST]
14:47:26 <Ian> Ian: Question is "dynamic before sig" or "dynamic after sig"
14:47:40 <nicktr> smcgruer_[EST]: I think the binding is at "auth" time
14:47:42 <Ian> smcgruer_[EST]: I want strong binding at auth time, not enrollment time.
14:47:46 <nicktr> ...not at registration time
14:48:29 <Gerhard> q+
14:48:39 <Ian> ack G
14:48:40 <nicktr> ack Gerhard
14:49:47 <nicktr> gerhard: if have multiple authenticators, how does that work?
14:49:56 <nicktr> ...can someone take me through that?
14:50:19 <nicktr> smcgruer_[EST]: you will always have a separate credential per authenticator
14:50:36 <nicktr> ...but let's imagine you have a visa card and a mastercard from the same issuer
14:50:55 <nicktr> ...for a particular payment, I select the mastercard
14:51:07 <nicktr> ...the merchant sends that through
14:51:33 <nicktr> ...the RP (issuer) sends the authenticator credentials for that instrument
14:52:08 <nicktr> ...but also (possibly) here are the other instruments
14:52:27 <nicktr> ...by sending the info at authentication time
14:52:27 <Ian> q?
14:53:04 <nicktr> ian: I am hearing a strong push for the binding no later than authentication but not necessarily at enrolment time
14:53:18 <nicktr> ian: We need to revisit the requirements
14:53:44 <nicktr> ...I believe that there is consensus that what you sign is what you're paying with
14:53:46 <nicktr> q+
14:53:52 <Ian> ack nick
14:53:58 <Ian> scribenick: Ian
14:54:10 <Ian> nicktr: You asked about regulatory requirement re: dynamic linking.
14:54:27 <Ian> ...I don't think it binds the instrument; it binds USER, amount, and beneficiary
14:55:02 <nicktr> scribenick: nicktr
14:55:26 <Ian> ACTION: smcgruer_[EST] with rouslan and Ian to work on refining requirements to support authentication-time binding to concrete funding source
14:55:28 <nicktr> ian: Rouslan and Ian will work on that while smcgruer_[EST] is enjoying well earned vacation
14:55:34 <nicktr> q?
14:55:36 <nicktr> agenda?
14:56:11 <nicktr> ian: I suggest we revisit the next two agenda items next time
14:56:17 <nicktr> q+
14:56:25 <Ian> Topic: Next meeting
14:56:41 <Ian> 10 June
14:56:45 <Ian> ack nicktr
14:57:33 <nicktr> RRSAgent, make minutes
14:57:33 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/27-wpwg-minutes.html nicktr
14:57:42 <Ian> RRSAGENT, make minutes
14:57:42 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/27-wpwg-minutes.html Ian
14:57:45 <Ian> RRSAGENT, set logs public
14:58:32 <Ian> zakim, bye
14:58:32 <Zakim> leaving.  As of this point the attendees have been Ian, Pierre_Walden, Nick_Telford-Reed, Anne_Pouillard, Fawad_Nisar, Chris_Wood, Stephen_McGruer, benoit, Jean-Michel_Girard,
14:58:32 <Zakim> Zakim has left #wpwg
14:58:34 <Ian> rrsagent, bye
14:58:34 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2021/05/27-wpwg-actions.rdf :
14:58:34 <RRSAgent> ACTION: smcgruer_[EST] with rouslan and Ian to work on refining requirements to support authentication-time binding to concrete funding source [1]
14:58:34 <RRSAgent>   recorded in https://www.w3.org/2021/05/27-wpwg-irc#T14-55-26
14:58:35 <Zakim> ... Gavin_Shenker, Davor_Davidovikj, Clinton_Allen, Lauren_Jones, Vincent_Kuntz, Gerhard_Oosthuizen, vkuntz, David_Benoit, Gustavo_Kok, Chris_Dee, Gerhard, Eric_Alvarez,
14:58:35 <Zakim> ... Erhard_Brand, Jeffh