15:54:36 <RRSAgent> RRSAgent has joined #wpwg-spc
15:54:36 <RRSAgent> logging to https://www.w3.org/2021/05/31-wpwg-spc-irc
15:54:56 <Ian> Meeting: SPC Task Force
15:54:58 <Ian> Chair: Ian
15:55:08 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0022.html
15:55:12 <Ian> Scribe: Ian
15:55:51 <Ian> agenda+ prioritization of use cases
15:55:54 <Ian> agenda+ next meeting
15:57:47 <Ian> present+
16:00:09 <Ian> present+ Anne_Pouillard
16:00:40 <Ian> present+ Rolf_Lindemann
16:01:18 <Ian> present+ Jean-Carlo_Emer
16:01:26 <Rolf> Rolf has joined #wpwg-spc
16:02:21 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/31-wpwg-spc-minutes.html Ian
16:02:26 <Ian> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md
16:03:31 <Ian> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/scope.md#user-stories
16:05:12 <Ian> Enrollment of multiple instruments with one authentication
16:05:13 <Rolf> Do we already cover the ability to use the underlying credential for traditional authentication?
16:05:30 <Ian> https://github.com/w3c/secure-payment-confirmation/blob/gh-pages/requirements.md#fido-considerations
16:05:37 <Ian> FIDO credentials should be "enhanceable" to SPC Credentials.
16:05:37 <Ian> SPC credentials should also usable as ordinary FIDO credentials. See issue 39.
16:06:01 <jcemer> jcemer has joined #wpwg-spc
16:06:34 <Ian> In-transaction enrollment, later authentication same merchant
16:08:40 <Ian> IJ: can you optimize the UX to enroll+authenticate/sign
16:10:16 <Ian> Rolf: Technically what you expect is after registration of credential. ID&V steps often prone to fishing. So registration time has a different security characteristics
16:12:22 <Ian> ...session binding assurance level not really known at this point
16:12:39 <Ian> ...how do you know it's the "same session". Cookie? stronger than that?
16:13:04 <Ian> ...binding assurance level might be relevant for this one
16:14:44 <Rolf> https://www.digital.govt.nz/standards-and-guidance/identification-management/identification-management-standards/binding-assurance-standard/
16:16:04 <Ian> Authentication with out-of-band authenticator
16:16:21 <Anne_> Anne_ has joined #wpwg-spc
16:16:23 <Ian> Rolf: Best thing would be to be able to send transaction details to the out-of-band authenticator
16:16:44 <Ian> ...Level 1 extension for transaction confirmation technically is this kind of approach
16:16:52 <Ian> ...the concept is the same even if not same data as SPC
16:17:02 <Ian> ...it doesn't matter how you send the data, but would be great if you could do so
16:17:09 <Ian> ...what we do today is that the browser displays the transaction text
16:17:26 <Ian> ...the browser has a privileged position (since it can talk to the authenticator), this is the security that we are leveraging
16:17:36 <Ian> ..if you send the transaction text to the authenticator it would be even higher security level
16:18:23 <Ian> ...the browser should be able to *understand* whether the text will be displayed by the authenticator
16:19:01 <Ian> ...the browser needs to be able to say "Check your smartphone" in the dialog...that at least needs to be discussed
16:19:41 <Ian> ...I can send push notification that launches an app that talks to a server to trigger SPC
16:20:11 <Ian> ...you can trigger it through out-of-band mechanisms like QR codes
16:20:19 <Ian> q+
16:20:35 <Ian> Jean-Carlo: In this case, would be still know user verification was formed?
16:20:42 <Ian> Rolf: Yes, you get an assertion from the authenticator.
16:20:56 <Ian> ...suppose I'm on desktop without a registered platform authenticator
16:21:03 <Ian> ..it might know that I have a smartphone that supports SPC
16:21:21 <Ian> ...so it could send push notification to app or OS or browser on my smartphone to trigger spc on my device
16:21:38 <Ian> ...the browser on my phone would ask for confirmation which would generate the signed assertion
16:22:18 <Ian> ...we might not need to standardize the out-of-band behavior (since different on each platform)
16:24:17 <Ian> IJ: What are security requirements for shipping to the phone?
16:24:33 <Ian> Rolf: Merchant has the data (currency, credential ID)
16:24:56 <Ian> ..if SPC returns null, the merchant's JS can tell the merchant server.
16:26:24 <Ian> ...ideally, if my PC browser is synced to my phone, then the BROWSER might know I have an SPC credential on my Android device. In which case the display can be shipped to my phone where I can sign it.
16:26:33 <Ian> ...that would be a browser vendor decision
16:28:04 <Ian> ...multiple channels to ship the display info to another authenticator: CABLE, known authenticator since same vendor
16:29:18 <Ian> ...CABLE-connected is still considered "Roaming"
16:29:28 <Rolf> caBLE - cloud assisted BLE
16:34:15 <Ian> zakim, close this item
16:34:15 <Zakim> I do not know what agendum had been taken up, Ian
16:34:22 <Ian> zakim, take up item 2
16:34:22 <Zakim> agendum 2 -- next meeting -- taken up [from Ian]
16:34:38 <Ian> 7 June
16:34:42 <Ian> No meeting 14 June
16:34:45 <Ian> RRSAGENT, make minutes
16:34:45 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/31-wpwg-spc-minutes.html Ian
16:34:51 <Ian> RRSAGENT, set logs public
22:52:08 <jeffh> jeffh has joined #wpwg-spc