IRC log of wpwg-spc on 2021-05-31
Timestamps are in UTC.
- 15:54:36 [RRSAgent]
- RRSAgent has joined #wpwg-spc
- 15:54:36 [RRSAgent]
- logging to https://www.w3.org/2021/05/31-wpwg-spc-irc
- 15:54:56 [Ian]
- Meeting: SPC Task Force
- 15:54:58 [Ian]
- Chair: Ian
- 15:55:08 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0022.html
- 15:55:12 [Ian]
- Scribe: Ian
- 15:55:51 [Ian]
- agenda+ prioritization of use cases
- 15:55:54 [Ian]
- agenda+ next meeting
- 15:57:47 [Ian]
- present+
- 16:00:09 [Ian]
- present+ Anne_Pouillard
- 16:00:40 [Ian]
- present+ Rolf_Lindemann
- 16:01:18 [Ian]
- present+ Jean-Carlo_Emer
- 16:01:26 [Rolf]
- Rolf has joined #wpwg-spc
- 16:02:21 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/31-wpwg-spc-minutes.html Ian
- 16:02:26 [Ian]
- https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md
- 16:03:31 [Ian]
- https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md#user-stories
- 16:05:12 [Ian]
- Enrollment of multiple instruments with one authentication
- 16:05:13 [Rolf]
- Do we already cover the ability to use the underlying credential for traditional authentication?
- 16:05:30 [Ian]
- https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md#fido-considerations
- 16:05:37 [Ian]
- FIDO credentials should be "enhanceable" to SPC Credentials.
- 16:05:37 [Ian]
- SPC credentials should also be usable as ordinary FIDO credentials. See issue 39.
- 16:06:01 [jcemer]
- jcemer has joined #wpwg-spc
- 16:06:34 [Ian]
- In-transaction enrollment, later authentication same merchant
- 16:08:40 [Ian]
- IJ: can you optimize the UX to enroll+authenticate/sign
- 16:10:16 [Ian]
- Rolf: Technically what you expect is after registration of credential. ID&V steps often prone to phishing. So registration time has different security characteristics
- 16:12:22 [Ian]
- ...session binding assurance level not really known at this point
- 16:12:39 [Ian]
- ...how do you know it's the "same session". Cookie? stronger than that?
- 16:13:04 [Ian]
- ...binding assurance level might be relevant for this one
- 16:14:44 [Rolf]
- https://www.digital.govt.nz/standards-and-guidance/identification-management/identification-management-standards/binding-assurance-standard/
- 16:16:04 [Ian]
- Authentication with out-of-band authenticator
- 16:16:21 [Anne_]
- Anne_ has joined #wpwg-spc
- 16:16:23 [Ian]
- Rolf: Best thing would be to be able to send transaction details to the out-of-band authenticator
- 16:16:44 [Ian]
- ...Level 1 extension for transaction confirmation technically is this kind of approach
- 16:16:52 [Ian]
- ...the concept is the same even if not same data as SPC
- 16:17:02 [Ian]
- ...it doesn't matter how you send the data, but would be great if you could do so
- 16:17:09 [Ian]
- ...what we do today is that the browser displays the transaction text
- 16:17:26 [Ian]
- ...the browser has a privileged position (since it can talk to the authenticator), this is the security that we are leveraging
- 16:17:36 [Ian]
- ...if you send the transaction text to the authenticator it would be even higher security level
- 16:18:23 [Ian]
- ...the browser should be able to *understand* whether the text will be displayed by the authenticator
- 16:19:01 [Ian]
- ...the browser needs to be able to say "Check your smartphone" in the dialog...that at least needs to be discussed
- 16:19:41 [Ian]
- ...I can send push notification that launches an app that talks to a server to trigger SPC
- 16:20:11 [Ian]
- ...you can trigger it through out-of-band mechanisms like QR codes
- 16:20:19 [Ian]
- q+
- 16:20:35 [Ian]
- Jean-Carlo: In this case, would we still know user verification was performed?
- 16:20:42 [Ian]
- Rolf: Yes, you get an assertion from the authenticator.
- 16:20:56 [Ian]
- ...suppose I'm on desktop without a registered platform authenticator
- 16:21:03 [Ian]
- ...it might know that I have a smartphone that supports SPC
- 16:21:21 [Ian]
- ...so it could send push notification to app or OS or browser on my smartphone to trigger SPC on my device
- 16:21:38 [Ian]
- ...the browser on my phone would ask for confirmation which would generate the signed assertion
- 16:22:18 [Ian]
- ...we might not need to standardize the out-of-band behavior (since different on each platform)
- 16:24:17 [Ian]
- IJ: What are security requirements for shipping to the phone?
- 16:24:33 [Ian]
- Rolf: Merchant has the data (currency, credential ID)
- 16:24:56 [Ian]
- ...if SPC returns null, the merchant's JS can tell the merchant server.
- 16:26:24 [Ian]
- ...ideally, if my PC browser is synced to my phone, then the BROWSER might know I have an SPC credential on my Android device. In which case the display can be shipped to my phone where I can sign it.
- 16:26:33 [Ian]
- ...that would be a browser vendor decision
- 16:28:04 [Ian]
- ...multiple channels to ship the display info to another authenticator: CABLE, known authenticator since same vendor
- 16:29:18 [Ian]
- ...CABLE-connected is still considered "Roaming"
- 16:29:28 [Rolf]
- caBLE - cloud assisted BLE
- 16:34:15 [Ian]
- zakim, close this item
- 16:34:15 [Zakim]
- I do not know what agendum had been taken up, Ian
- 16:34:22 [Ian]
- zakim, take up item 2
- 16:34:22 [Zakim]
- agendum 2 -- next meeting -- taken up [from Ian]
- 16:34:38 [Ian]
- 7 June
- 16:34:42 [Ian]
- No meeting 14 June
- 16:34:45 [Ian]
- RRSAGENT, make minutes
- 16:34:45 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/05/31-wpwg-spc-minutes.html Ian
- 16:34:51 [Ian]
- RRSAGENT, set logs public
- 22:52:08 [jeffh]
- jeffh has joined #wpwg-spc