15:59:24 RRSAgent has joined #wpwg-spc
15:59:24 logging to https://www.w3.org/2021/06/21-wpwg-spc-irc
15:59:30 Topic: SPC Task Force
16:00:12 Chair: Ian
16:00:13 present+
16:00:16 Scribe: Ian
16:00:30 Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Jun/0012.html
16:00:53 present+ Rolf_Lindemann
16:00:59 present+ Anne_Pouillard
16:01:03 present+ Clinton_Allen
16:01:04 Christian has joined #wpwg-spc
16:01:08 present+ Stephen_McGruer
16:01:13 present+ Benjamin_Tidor
16:01:17 present+ Jonathan_Grossar
16:01:25 present+ Michel_Weksler
16:01:28 present+ Chris_Wood
16:01:33 btidor has joined #wpwg-spc
16:01:47 present+ Christian_Aabye
16:01:52 Chris_Wood has joined #wpwg-spc
16:02:10 present+ Adrian_Hope-Bailie
16:02:14 Topic: Survey results
16:02:31 https://www.w3.org/2002/09/wbs/83744/spc-priority/results
16:02:45 mweksler has joined #wpwg-spc
16:02:56 Rolf has joined #wpwg-spc
16:03:10 Top five use cases
16:03:13 - Authentication different merchant
16:03:25 - Frictionless Checkout (no user presence check or payment confirmation dialog)
16:03:35 - In-transaction enrollment, later authentication same merchant
16:03:42 - Authentication with out-of-band authenticator
16:03:50 q+
16:03:50 - Express Checkout (no user presence check)
16:03:55 - Authentication by bank after redirect
16:04:43 present+ Sameer_Tare
16:05:10 present+ Werner_Bruingings
16:05:47 Stephen: Note that this ordering doesn't pay attention to number of responses to a given use-case.
16:06:05 ... so Frictionless Checkout only got two votes, meaning it was outside of the top-5 for 4/6 respondents
16:06:12 ... we need to analyze this deeper
16:06:14 present+ Doug_Fisher
16:06:48 Topic: What is enrollment?
16:06:50 Anne has joined #wpwg-spc
16:07:48 werner has joined #wpwg-spc
16:07:49 q+
16:08:02 IJ: Question from Gerhard was "What is enrollment?"
16:08:04 ack smcgruer_[EST]
16:08:58 smcgruer_[EST]: Today you need to store the credential in the browser. My view is that the RP has control and maintains the binding. They can say "This is my credential and it can be used for payment."
16:09:13 ...if they get a payment somehow where the credential has not gone through the flow, then can choose not to accept it.
16:09:42 IJ: What does enrollment do?
16:09:56 smcgruer_[EST]: First pilot motivated us to try a standardized enrollment ux.
16:10:06 ...we may find it is useful or not
16:10:35 btidor: I thought one reason for the enrollment UI was to allow it to happen in an iframe
16:11:15 smcgruer_[EST]: permission policy on iframe suggests it would be fine (without UX for enrollment)
16:11:32 ...I have been thinking this could just be something that's part of webauthn
16:11:50 btidor: If we could just do permission policy and remove enrollment screen, that would be amazing.
16:12:27 SameerT_ has joined #wpwg-spc
16:13:45 btidor: SPC would allow 1p enrollment of webauthn credential (unlikely vanilla webauthn)
16:14:02 smcgruer_[EST]: Right, gated behind permission policy
16:15:12 btidor: Maybe "upgrade" and "create" permissions are different
16:16:12 q+
16:17:14 Ian: Is enrollment in a 1p context a requirement?
16:17:17 ack btidor
16:17:18 q+ to note that 'In-transaction enrollment' essentially states that cross-origin iframe requires that
16:17:28 btidor: I hear there's a proposal to integrate SPC into FIDO
16:17:39 ...how do we think about what we can specify here v WebAuthN?
16:18:39 q+
16:18:40 q?
16:18:42 ack smcgruer_[EST]
16:18:42 smcgruer_[EST], you wanted to note that 'In-transaction enrollment' essentially states that cross-origin iframe requires that
16:19:09 smcgruer_[EST]: On the question of 3p enrollment; it's sort of covered by the use case of "enrollment during transaction"
16:19:25 ...to btidor's point, I think enrollment could wind its way to webauthn
16:19:37 ...on authentication, I think that will solidly stay in WPWG space
16:19:49 q+ to ask about "instruments" in SPC vs WebAuthn?
16:19:53 btidor: That makes sense
16:20:03 ack AdrianHB
16:20:03 AdrianHB, you wanted to ask about "instruments" in SPC vs WebAuthn?
16:20:38 AdrianHB: Where do payment instruments fit in? When I enroll an authenticator, do I explicitly say which instrument I will use for future auth?
16:20:53 ...or does instrument stuff happen at auth time?
16:21:16 ...what worries me is disconnect between instrument information and losing connection to RP
16:21:26 q+
16:21:29 ack smcgruer_[EST]
16:21:48 smcgruer_[EST]: We are interested in this direction - instrument is auth-time; and you are correct there is a UX issue
16:23:16 "At enrollment, the Relying Party should be able to provide information about zero, one, or more than one instruments, and the browser should support verbiage in the user experience that communicates what the user is consenting to."
16:25:21 +1 to not precluding software authenticators!
16:25:37 Ian: API should abstract above "credential id" even if v1 is focused on FIDO
16:26:27 q+ for comment on discoverable credentials
16:26:50 ack smcgruer_[EST]
16:26:50 smcgruer_[EST], you wanted to discuss comment on discoverable credentials
16:30:25 ack me
16:30:35 Ian: The less we store in the browser, the less instrument selection work we can do (I think)
16:31:07 Topic: Agenda for Thursday?
16:31:18 +1
16:31:23 AdrianHB: Yes, but let's define those topics
16:31:44 btidor: Might be good to talk through what we want to do that may or may not make sense from a FIDO perspective.
16:31:52 +1
16:32:17 +1
16:33:40 Topic: Next SPC task force call
16:33:58 28 June
16:34:15 RRSAGENT, make minutes
16:34:15 I have made the request to generate https://www.w3.org/2021/06/21-wpwg-spc-minutes.html Ian