IRC log of wpwg-spc on 2021-05-31

Timestamps are in UTC.

15:54:36 [RRSAgent]
RRSAgent has joined #wpwg-spc
15:54:36 [RRSAgent]
logging to https://www.w3.org/2021/05/31-wpwg-spc-irc
15:54:56 [Ian]
Meeting: SPC Task Force
15:54:58 [Ian]
Chair: Ian
15:55:08 [Ian]
Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0022.html
15:55:12 [Ian]
Scribe: Ian
15:55:51 [Ian]
agenda+ prioritization of use cases
15:55:54 [Ian]
agenda+ next meeting
15:57:47 [Ian]
present+
16:00:09 [Ian]
present+ Anne_Pouillard
16:00:40 [Ian]
present+ Rolf_Lindemann
16:01:18 [Ian]
present+ Jean-Carlo_Emer
16:01:26 [Rolf]
Rolf has joined #wpwg-spc
16:02:21 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/05/31-wpwg-spc-minutes.html Ian
16:02:26 [Ian]
https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md
16:03:31 [Ian]
https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md#user-stories
16:05:12 [Ian]
Enrollment of multiple instruments with one authentication
16:05:13 [Rolf]
Do we already cover the ability to use the underlying credential for traditional authentication?
16:05:30 [Ian]
https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md#fido-considerations
16:05:37 [Ian]
FIDO credentials should be "enhanceable" to SPC Credentials.
16:05:37 [Ian]
SPC credentials should also be usable as ordinary FIDO credentials. See issue 39.
16:06:01 [jcemer]
jcemer has joined #wpwg-spc
16:06:34 [Ian]
In-transaction enrollment, later authentication same merchant
16:08:40 [Ian]
IJ: can you optimize the UX to enroll+authenticate/sign
16:10:16 [Ian]
Rolf: Technically what you expect is after registration of credential. ID&V steps often prone to phishing. So registration time has different security characteristics
16:12:22 [Ian]
...session binding assurance level not really known at this point
16:12:39 [Ian]
...how do you know it's the "same session". Cookie? stronger than that?
16:13:04 [Ian]
...binding assurance level might be relevant for this one
16:14:44 [Rolf]
https://www.digital.govt.nz/standards-and-guidance/identification-management/identification-management-standards/binding-assurance-standard/
16:16:04 [Ian]
Authentication with out-of-band authenticator
16:16:21 [Anne_]
Anne_ has joined #wpwg-spc
16:16:23 [Ian]
Rolf: Best thing would be to be able to send transaction details to the out-of-band authenticator
16:16:44 [Ian]
...Level 1 extension for transaction confirmation technically is this kind of approach
16:16:52 [Ian]
...the concept is the same even if not same data as SPC
16:17:02 [Ian]
...it doesn't matter how you send the data, but would be great if you could do so
16:17:09 [Ian]
...what we do today is that the browser displays the transaction text
16:17:26 [Ian]
...the browser has a privileged position (since it can talk to the authenticator), this is the security that we are leveraging
16:17:36 [Ian]
...if you send the transaction text to the authenticator it would be even higher security level
16:18:23 [Ian]
...the browser should be able to *understand* whether the text will be displayed by the authenticator
16:19:01 [Ian]
...the browser needs to be able to say "Check your smartphone" in the dialog...that at least needs to be discussed
16:19:41 [Ian]
...I can send push notification that launches an app that talks to a server to trigger SPC
16:20:11 [Ian]
...you can trigger it through out-of-band mechanisms like QR codes
16:20:19 [Ian]
q+
16:20:35 [Ian]
Jean-Carlo: In this case, would we still know user verification was performed?
16:20:42 [Ian]
Rolf: Yes, you get an assertion from the authenticator.
16:20:56 [Ian]
...suppose I'm on desktop without a registered platform authenticator
16:21:03 [Ian]
...it might know that I have a smartphone that supports SPC
16:21:21 [Ian]
...so it could send push notification to app or OS or browser on my smartphone to trigger SPC on my device
16:21:38 [Ian]
...the browser on my phone would ask for confirmation which would generate the signed assertion
16:22:18 [Ian]
...we might not need to standardize the out-of-band behavior (since different on each platform)
16:24:17 [Ian]
IJ: What are security requirements for shipping to the phone?
16:24:33 [Ian]
Rolf: Merchant has the data (currency, credential ID)
16:24:56 [Ian]
...if SPC returns null, the merchant's JS can tell the merchant server.
16:26:24 [Ian]
...ideally, if my PC browser is synced to my phone, then the BROWSER might know I have an SPC credential on my Android device. In which case the display can be shipped to my phone where I can sign it.
16:26:33 [Ian]
...that would be a browser vendor decision
16:28:04 [Ian]
...multiple channels to ship the display info to another authenticator: CABLE, known authenticator since same vendor
16:29:18 [Ian]
...CABLE-connected is still considered "Roaming"
16:29:28 [Rolf]
caBLE - cloud assisted BLE
16:34:15 [Ian]
zakim, close this item
16:34:15 [Zakim]
I do not know what agendum had been taken up, Ian
16:34:22 [Ian]
zakim, take up item 2
16:34:22 [Zakim]
agendum 2 -- next meeting -- taken up [from Ian]
16:34:38 [Ian]
7 June
16:34:42 [Ian]
No meeting 14 June
16:34:45 [Ian]
RRSAGENT, make minutes
16:34:45 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/05/31-wpwg-spc-minutes.html Ian
16:34:51 [Ian]
RRSAGENT, set logs public
22:52:08 [jeffh]
jeffh has joined #wpwg-spc