IRC log of wpwg-spc on 2021-06-21
Timestamps are in UTC.
- 15:59:24 [RRSAgent]
- RRSAgent has joined #wpwg-spc
- 15:59:24 [RRSAgent]
- logging to https://www.w3.org/2021/06/21-wpwg-spc-irc
- 15:59:30 [Ian]
- Topic: SPC Task Force
- 16:00:12 [Ian]
- Chair: Ian
- 16:00:13 [Ian]
- present+
- 16:00:16 [Ian]
- Scribe: Ian
- 16:00:30 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Jun/0012.html
- 16:00:53 [Ian]
- present+ Rolf_Lindemann
- 16:00:59 [Ian]
- present+ Anne_Pouillard
- 16:01:03 [Ian]
- present+ Clinton_Allen
- 16:01:04 [Christian]
- Christian has joined #wpwg-spc
- 16:01:08 [Ian]
- present+ Stephen_McGruer
- 16:01:13 [Ian]
- present+ Benjamin_Tidor
- 16:01:17 [Ian]
- present+ Jonathan_Grossar
- 16:01:25 [Ian]
- present+ Michel_Weksler
- 16:01:28 [Ian]
- present+ Chris_Wood
- 16:01:33 [btidor]
- btidor has joined #wpwg-spc
- 16:01:47 [Ian]
- present+ Christian_Aabye
- 16:01:52 [Chris_Wood]
- Chris_Wood has joined #wpwg-spc
- 16:02:10 [Ian]
- present+ Adrian_Hope-Bailie
- 16:02:14 [Ian]
- Topic: Survey results
- 16:02:31 [Ian]
- https://www.w3.org/2002/09/wbs/83744/spc-priority/results
- 16:02:45 [mweksler]
- mweksler has joined #wpwg-spc
- 16:02:56 [Rolf]
- Rolf has joined #wpwg-spc
- 16:03:10 [Ian]
- Top five use cases
- 16:03:13 [Ian]
- - Authentication different merchant
- 16:03:25 [Ian]
- - Frictionless Checkout (no user presence check or payment confirmation dialog)
- 16:03:35 [Ian]
- - In-transaction enrollment, later authentication same merchant
- 16:03:42 [Ian]
- - Authentication with out-of-band authenticator
- 16:03:50 [smcgruer_[EST]]
- q+
- 16:03:50 [Ian]
- - Express Checkout (no user presence check)
- 16:03:55 [Ian]
- - Authentication by bank after redirect
- 16:04:43 [Ian]
- present+ Sameer_Tare
- 16:05:10 [Ian]
- present+ Werner_Bruingings
- 16:05:47 [smcgruer_[EST]]
- Stephen: Note that this ordering doesn't pay attention to number of responses to a given use-case.
- 16:06:05 [smcgruer_[EST]]
- ... so Frictionless Checkout only got two votes, meaning it was outside of the top-5 for 4/6 respondents
- 16:06:12 [smcgruer_[EST]]
- ... we need to analyze this deeper
- 16:06:14 [Ian]
- present+ Doug_Fisher
- 16:06:48 [Ian]
- Topic: What is enrollment?
- 16:06:50 [Anne]
- Anne has joined #wpwg-spc
- 16:07:48 [werner]
- werner has joined #wpwg-spc
- 16:07:49 [smcgruer_[EST]]
- q+
- 16:08:02 [Ian]
- IJ: Question from Gerhard was "What is enrollment?"
- 16:08:04 [Ian]
- ack smcgruer_[EST]
- 16:08:58 [Ian]
- smcgruer_[EST]: Today you need to store the credential in the browser. My view is that the RP has control and maintains the binding. They can say "This is my credential and it can be used for payment."
- 16:09:13 [Ian]
- ...if they get a payment somehow where the credential has not gone through the flow, they can choose not to accept it.
- 16:09:42 [Ian]
- IJ: What does enrollment do?
- 16:09:56 [Ian]
- smcgruer_[EST]: First pilot motivated us to try a standardized enrollment ux.
- 16:10:06 [Ian]
- ...we may find it is useful or not
- 16:10:35 [Ian]
- btidor: I thought one reason for the enrollment UI was to allow it to happen in an iframe
- 16:11:15 [Ian]
- smcgruer_[EST]: permission policy on iframe suggests it would be fine (without UX for enrollment)
- 16:11:32 [Ian]
- ...I have been thinking this could just be something that's part of webauthn
- 16:11:50 [Ian]
- btidor: If we could just do permission policy and remove enrollment screen, that would be amazing.
- 16:12:27 [SameerT_]
- SameerT_ has joined #wpwg-spc
- 16:13:45 [Ian]
- btidor: SPC would allow 1p enrollment of webauthn credential (unlikely vanilla webauthn)
- 16:14:02 [Ian]
- smcgruer_[EST]: Right, gated behind permission policy
- 16:15:12 [Ian]
- btidor: Maybe "upgrade" and "create" permissions are different
- 16:16:12 [btidor]
- q+
- 16:17:14 [Ian]
- Ian: Is enrollment in a 1p context a requirement?
- 16:17:17 [Ian]
- ack btidor
- 16:17:18 [smcgruer_[EST]]
- q+ to note that 'In-transaction enrollment' essentially states that cross-origin iframe requires that
- 16:17:28 [Ian]
- btidor: I hear there's a proposal to integrate SPC into FIDO
- 16:17:39 [Ian]
- ...how do we think about what we can specify here v WebAuthN?
- 16:18:39 [Ian]
- q+
- 16:18:40 [AdrianHB]
- q?
- 16:18:42 [Ian]
- ack smcgruer_[EST]
- 16:18:42 [Zakim]
- smcgruer_[EST], you wanted to note that 'In-transaction enrollment' essentially states that cross-origin iframe requires that
- 16:19:09 [Ian]
- smcgruer_[EST]: On the question of 3p enrollment; it's sort of covered by the use case of "enrollment during transaction"
- 16:19:25 [Ian]
- ...to btidor's point, I think enrollment could wind its way to webauthn
- 16:19:37 [Ian]
- ...on authentication, I think that will solidly stay in WPWG space
- 16:19:49 [AdrianHB]
- q+ to ask about "instruments" in SPC vs WebAuthn?
- 16:19:53 [Ian]
- btidor: That makes sense
- 16:20:03 [Ian]
- ack AdrianHB
- 16:20:03 [Zakim]
- AdrianHB, you wanted to ask about "instruments" in SPC vs WebAuthn?
- 16:20:38 [Ian]
- AdrianHB: Where do payment instruments fit in? When I enroll an authenticator, do I explicitly say which instrument I will use for future auth?
- 16:20:53 [Ian]
- ...or does instrument stuff happen at auth time?
- 16:21:16 [Ian]
- ...what worries me is disconnect between instrument information and losing connection to RP
- 16:21:26 [smcgruer_[EST]]
- q+
- 16:21:29 [Ian]
- ack smcgruer_[EST]
- 16:21:48 [Ian]
- smcgruer_[EST]: We are interested in this direction - instrument is auth-time; and you are correct there is a UX issue
- 16:23:16 [Ian]
- "At enrollment, the Relying Party should be able to provide information about zero, one, or more than one instruments, and the browser should support verbiage in the user experience that communicates what the user is consenting to."
- 16:25:21 [btidor]
- +1 to not precluding software authenticators!
- 16:25:37 [Ian]
- Ian: API should abstract above "credential id" even if v1 is focused on FIDO
- 16:26:27 [smcgruer_[EST]]
- q+ for comment on discoverable credentials
- 16:26:50 [Ian]
- ack smcgruer_[EST]
- 16:26:50 [Zakim]
- smcgruer_[EST], you wanted to discuss comment on discoverable credentials
- 16:30:25 [Ian]
- ack me
- 16:30:35 [Ian]
- Ian: The less we store in the browser, the less instrument selection work we can do (I think)
- 16:31:07 [Ian]
- Topic: Agenda for Thursday?
- 16:31:18 [clinton]
- +1
- 16:31:23 [Ian]
- AdrianHB: Yes, but let's define those topics
- 16:31:44 [Ian]
- btidor: Might be good to talk through what we want to do that may or may not make sense from a FIDO perspective.
- 16:31:52 [mweksler]
- +1
- 16:32:17 [AdrianHB]
- +1
- 16:33:40 [Ian]
- Topic: Next SPC task force call
- 16:33:58 [Ian]
- 28 June
- 16:34:15 [Ian]
- RRSAGENT, make minutes
- 16:34:15 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/06/21-wpwg-spc-minutes.html Ian
- 16:34:24 [Ian]
- RRSAGENT, set logs public