Ian: Not a lot to do by the WG at this point.
... we will make our case to the Director
... and update the implementation report
... See the draft timeline to Rec.
Ian: Please complete the SPC prioritization survey.
AdrianHB: You can provide feedback and suggest new use cases.
... or raise issues on GitHub
Dynamic binding of instrument info
See 7 June SPC task force discussion
Rouslan: Two main reasons for suggesting dynamic binding of authentication credentials with instrument information rather than static enrollment:
1) Updates to card information can be made at authentication time
... if we ONLY store the public key, that opens lots of possibilities
... including reuse of key for login and payment
... so when merchant sends to the browser, browser can verify it.
... that could reduce timing attacks and reduce tracking
... the sticking point is the dynamic challenge.
... I think it should be a goal that the browser generate the challenge.
... the RP could always say "I don't know these credentials"
... or "some other bit is invalid"
<AdrianHB> ian: sounds like a good feature for card on file use cases
<AdrianHB> ... the merchant could be updating this data out of band
Clinton: Not really.
... any delegation would happen by contract.
... if you delegate random generation to someone else, however, then you do.
IJ: Anybody have early insights?
... they will provide the info to the merchant at authentication time
rouslan: We have been in discussion with 3DS about v2.3
IJ: Would Google be creating documentation for developers?
Rouslan: We are not working on that yet.
<AdrianHB> ian: Is anyone at Google currently working on developer docs for SPC?
<benoit> Marqeta
AdrianHB: Yes, ACS folks should be doing experiments.
... or similarly for alternative payment methods
<AdrianHB> ian: the last is not a priority
clinton_: The descriptions make sense.
[Architecture]
- identity
- instrument selection
- authentication
<AdrianHB> ian: we have an SPC related issue wrt identifying the user
clinton_: outside of SRC, wouldn't that identity always be a topic?
Ian: Yes
AdrianHB: I think this relates again to what the browser stores.
<Zakim> AdrianHB, you wanted to discuss the last flow
Next meeting: 24 June