13:53:55 <RRSAgent> RRSAgent has joined #wpwg
13:53:55 <RRSAgent> logging to https://www.w3.org/2021/06/24-wpwg-irc
13:54:00 <Ian> Meeting: Web Payments WG
13:54:14 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20210624
13:54:16 <Ian> Chair: Nick
13:54:19 <Ian> Scribe: Ian
13:54:23 <Ian> agenda+ PR API update
13:54:28 <Ian> agenda+ SPC discussion
13:54:33 <Ian> agenda+ Next meeting
13:54:41 <Ian> regrets+ Adrian_Hope-Bailie
13:55:17 <Ian> present+
13:58:46 <tm> tm has joined #wpwg
13:59:10 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/24-wpwg-minutes.html Ian
14:00:22 <Ian> present+ Anne_Pouillard
14:00:29 <Ian> present+ Stephen_McGruer
14:01:12 <Anne> Anne has joined #wpwg
14:01:18 <Ian> present+ Lawrence_Cheng
14:01:33 <Ian> present+ Jean-Michel_Girard
14:02:17 <Ian> present+ David_Benoit
14:02:24 <Ian> present+ Rolf_Lindemann
14:02:35 <Fawad> Fawad has joined #wpwg
14:02:36 <Ian> present+ Clinton_Allen
14:02:41 <Ian> present+ Fawad_Nisar
14:03:13 <Ian> present+ Nick_Telford-Reed
14:03:14 <clinton> clinton has joined #wpwg
14:03:17 <Ian> present+ Werner_Bruinings
14:03:20 <benoit> benoit has joined #wpwg
14:03:23 <Ian> present+ Gerhard_Oosthuizen
14:03:34 <Rolf> Rolf has joined #wpwg
14:03:46 <Ian> zakim, take up item 1
14:03:46 <Zakim> agendum 1 -- PR API update -- taken up [from Ian]
14:03:54 <werner> werner has joined #wpwg
14:04:03 <nicktr> scribenick: nicktr
14:04:03 <JM_Girard> JM_Girard has joined #wpwg
14:04:03 <Ian> present+ Gavin_Shenker
14:04:37 <nicktr> ian: In the process of getting Payment Request to REC, we got a few expressions of support for our CFC
14:04:55 <Ian> -> https://github.com/w3c/transitions/issues/346 request to advance to CR
14:05:09 <nicktr> ...the next step is the request to advance to Candidate Recommendation
14:05:19 <nicktr> ...(there is cool new tooling)
14:05:30 <Gavin> Gavin has joined #WPWG
14:05:40 <nicktr> ...with the Director's Approval, we will publish, then there is a 2 month window
14:06:03 <nicktr> ...Marcos and I met yesterday to clean up the Implementation Report. We are in good shape.
14:06:30 <nicktr> ian: I expect it to be smooth sailing
14:06:50 <nicktr> ...The bigger discussion is probably what happens next after publication
14:07:01 <Ian> zakim, close item 1
14:07:01 <Zakim> agendum 1, PR API update, closed
14:07:03 <Zakim> I see 2 items remaining on the agenda; the next one is
14:07:03 <Zakim> 2. SPC discussion [from Ian]
14:07:03 <nicktr> ...That will be part of our chartering discussion in the Autumn
14:07:08 <Ian> zakim, take up next item
14:07:08 <Zakim> agendum 2 -- SPC discussion -- taken up [from Ian]
14:07:27 <nicktr> ian: We had a robust discussion at the Task Force on Monday
14:07:43 <nicktr> ...We thought we could continue that discussion today
14:07:59 <nicktr> scribenick: nicktr
14:08:04 <Ian> scribenick: Ian
14:08:58 <nicktr> scribenick: nicktr
14:09:11 <nicktr> ian: we are moving to store less and less in the browser
14:09:24 <nicktr> ...there may be implications for functionality
14:10:17 <nicktr> ...The question is "Is this a WebAuthn thing or a Payments thing?"
14:10:30 <nicktr> ...Are there other design considerations
14:10:58 <nicktr> scribenick: ian
14:11:13 <Ian> smcgruer_[EST]: Emerging questions about "how can these credentials be used"
14:11:27 <Ian> ...at this time, the enrollment UX we added did come partially from a privacy discussion
14:11:43 <Ian> ...to be sure user knows enrollment is for payment
14:11:56 <Ian> ...but the conversation is ongoing whether the UX is necessary
14:12:16 <Ian> ...personally I would like to see enrollment be just a WebAuthn thing. On the server the RP maintains information.
14:12:24 <Ian> ...but auth flow we are discussing is definitely a payments thing
14:12:36 <Ian> ...the various stakeholders need to know what the browser is presenting to the user
14:12:42 <Ian> present+ Jean-Luc_di_Manno
14:13:08 <Ian> Nick: I agree. The authentication piece is definitely a "payment-specific" thing
14:13:10 <Gerhard> Gerhard has joined #wpwg
14:13:16 <Gerhard> present_
14:13:19 <Gerhard> q+
14:13:24 <Ian> ack G
14:13:46 <Ian> Gerhard: There's a simplicity if the browser doesn't have to remember any additional information
14:14:11 <Ian> ..but the CONSENT needs to be clear. I can imagine three levels:
14:14:14 <JL> JL has joined #wpwg
14:14:20 <Ian> 1) The credential can be used for anything
14:14:37 <Ian> 2) The credential is for a specific use case (e.g., log in v. payment)
14:14:49 <Ian> 3) The credential is for a specific instrument
14:15:09 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/24-wpwg-minutes.html Ian
14:15:16 <Ian> q+
14:15:22 <smcgruer_[EST]> q+
14:16:12 <Ian> Gerhard: I doubt we will do the first one; but probably likely to do 2 or 3
14:16:23 <nicktr> ack Ian
14:16:26 <Ian> ack sm
14:16:31 <nicktr> q+ Ian
14:18:19 <clinton_> clinton_ has joined #wpwg
14:18:28 <clinton_> q+
14:21:12 <Rolf> q+
14:21:20 <Rolf> q
14:21:46 <nicktr> ack clinton_
14:21:50 <Ian> Ian: I think "enrollment" in upgrade case means "use get() instead of create() with a consent dialog"
14:22:00 <nicktr> q+ ian later
14:22:07 <nicktr> q- later
14:22:34 <Ian> clinton_: If you look at this from issuer perspective, if an issuer looks at this credential in a year, it needs to be known specifically 'this is for payment'
14:22:37 <smcgruer_[EST]> q+
14:22:45 <Ian> q-
14:22:45 <Ian> q+
14:23:59 <Gavin> q+
14:24:07 <Ian> Clinton: It doesn't have to be "your card". If an issuer is taking a consumer through an enrollment process. Issuer might want credential bound to "account" rather instrument.
14:24:16 <Ian> ...what you use to pay online securely might be secondary
14:24:22 <Ian> ack rolf
14:24:51 <Ian> Rolf: For me, the "credential" term is just a tech term; users don't know what they are.
14:25:09 <Ian> ....we don't want users to think of "one password for card one, one password for card 2"
14:25:41 <Gerhard> q+
14:25:48 <Ian> ...we designed WebAuthn with flexibility, so an RP can bind a single credential to an account or even multiple accounts.
14:26:08 <nicktr> q-
14:26:09 <Ian> ...my suggestion here is "assume there is one user to be authenticated" and what the user agrees to may very
14:26:28 <Ian> ...some banks may want the user to enroll a credential with specific instruments, others might want per-account
14:26:29 <smcgruer_[EST]> q- rolf has said everything I want to say - let the relying party (bank) decide, which they can do with 'pure' webauthn
14:26:32 <Gerhard> q-
14:26:36 <smcgruer_[EST]> q-
14:26:47 <Ian> ...so let's not over constrain WebAuthentication credentials
14:26:53 <Ian> ...let the RP decide
14:26:55 <Gerhard> q+
14:27:10 <Ian> ..when the bank looks at the assertion, the bank can observe what the user was trying to do
14:27:22 <Ian> ...the assertion looks different, so no need to differentiate the credential
14:27:27 <Ian> [^^^key observation :) ]
14:27:43 <nicktr> q?
14:27:51 <Ian> ...so the bank can decide whether to accept an assertion based on previous interactions (enrollment time) with the user
14:27:53 <Ian> q+
14:28:00 <Ian> q- later
14:28:21 <smcgruer_[EST]> +1 to rolf's comments
14:28:23 <Ian> queue==Gavin, Gerhard, Ian
14:28:23 <nicktr> ack Gavin
14:28:43 <Ian> Gavin: +1 to what Rolf said; don't need 1:1 mapping of credential to instrument
14:29:01 <Ian> ACTION: Ian to update requirements document regarding the binding discussion
14:29:24 <clinton_> +1
14:29:30 <Ian> Gavin: If Visa is the RP party, I should be able, for example, to have one auth credential for all cards associated with the user
14:29:36 <Rolf> makes sense
14:30:01 <nicktr> ack Gerhard
14:30:18 <Ian> [Emerging consensus that the RP should decide what binding to use]
14:31:01 <Ian> q+ to ask about API implications
14:31:31 <Ian> Gerhard: There are potential risks of more flexibility (broader binding); we need to think through these.
14:31:37 <smcgruer_[EST]> q?
14:31:46 <smcgruer_[EST]> q+ to ask gerhard to clarify the concerns here
14:32:02 <Ian> Gerhard: I think people likely want as few credentials as possible
14:32:10 <Ian> present+ Jeff_Hodges
14:32:45 <Ian> Gerhard: There's a risk of confusion of binding instrument at the last moment
14:32:46 <clinton_> q+
14:33:07 <nicktr> ack Ian
14:33:07 <Zakim> Ian, you wanted to ask about API implications
14:34:15 <clinton> clinton has joined #wpwg
14:35:06 <Ian> present+ Thomas_Bellenger
14:37:16 <Ian> PROPOSED: Any WebAuthn credential can be passed to SPC authentication requests.
14:37:34 <Ian> smcgruer_[EST]: The RP gets to decide whether to give the merchant credential and whether it accepts the usage of that credential.
14:37:53 <Gerhard> q+
14:38:19 <Ian> ack smcgruer_[EST]
14:38:19 <Zakim> smcgruer_[EST], you wanted to ask gerhard to clarify the concerns here
14:38:34 <Ian> smcgruer_[EST]: I'd like to understand more Gerhard's concerned about "which payment instrument."
14:38:40 <Ian> ...there are multiple protections:
14:38:45 <Ian> 1) User sees the information
14:38:51 <Ian> 2) Information is signed
14:39:01 <Ian> 3) RP can decide whether to accept it (and maintains definitive binding)
14:40:14 <Ian> Gerhard: I've heard concerns about "informed consent" including PSD2 rules
14:40:42 <Ian> ...I think there may be risks here. Has the user given enough consent for payment?
14:40:48 <clinton> q-
14:40:56 <Gerhard> q-
14:41:06 <Ian> smcgruer_[EST]: I agree with the concern. The argument being made to me from the WebAuthn side is that it's  up to the RP to get the consent
14:41:26 <Ian> ..if the bank is going to accept auth for payment, then I am presuming the bank has gotten user consent
14:42:12 <Ian> ack clin
14:42:12 <smcgruer_[EST]> q?
14:42:17 <Ian> q+ Gerhard
14:42:25 <Gerhard> q-
14:46:03 <smcgruer_[EST]> q+
14:47:51 <smcgruer_[EST]> q?
14:48:16 <Ian> Ian: For out-of-band auth flow, does SPC api need special capability (e.g., interrupted since auth now happening out of band)
14:48:44 <Ian> rolf: There are two options:
14:49:01 <clinton> q+
14:49:04 <Ian> a) RP decides to trigger SPC on mobile device
14:49:16 <Ian> b) ....
14:49:31 <Ian> ..From a usability perspective, I might prefer that auth happens on one device rather than another.
14:49:45 <Gerhard> q+
14:50:08 <Gerhard> q-
14:50:19 <Ian> ack smcgruer_[EST]
14:50:20 <smcgruer_[EST]> q?
14:50:56 <Ian> clinton: You need to know who the person is, and what avenue of payment they want to use before you do SPC
14:50:59 <smcgruer_[EST]> q+
14:51:02 <Ian> ack clinton
14:51:05 <Ian> ack smcgruer_[EST]
14:51:21 <Ian> smcgruer_[EST]: There might be a related concept that may be lower priority: cross-device authentication
14:51:30 <Ian> ...your browser is doing SPC but your browser has a relationship to a phone
14:52:13 <Ian> rolf: Special case of smart phone as Roaming authenticator
14:52:34 <Ian> q+
14:52:53 <Ian> rolf: Nice thing about this case is phone has a display
14:53:06 <Ian> ...so it would be good for the desktop browser to send the display information to the smart phone
14:53:34 <smcgruer_[EST]> q?
14:54:32 <Ian> ...need to convey payment details to authenticator
14:55:26 <Ian> rolf: Let's clarify what we mean by "out-of-band"...server reaches out to me on different device
14:55:46 <Ian> ...system we just spoke about (using smart phone as roaming authenticator) is not this use case
14:58:03 <smcgruer_[EST]> q+
14:58:11 <Ian> ack me
14:59:32 <smcgruer_[EST]> q-
14:59:58 <Gavin> +q
15:00:07 <Ian> Ian: Is out of band an important use case?
15:00:11 <Ian> Gavin: I think so, but not for SPC
15:00:17 <Ian> ...3DS has to deal with it.
15:00:20 <smcgruer_[EST]> +1, nothing to do with SPC :)
15:00:57 <clinton_> clinton_ has joined #wpwg
15:01:28 <Ian> PROPOSAL: It is not an important use case to trigger SPC on a mobile device via a push notification to fulfill out-of-band use cases
15:01:50 <Ian> Rolf: -1. We don't need SPC for this. They do this already today with other protocols.
15:02:00 <Ian> s/-1/+1
15:02:06 <nicktr> +1
15:02:09 <Ian> (JeffH: +1)
15:02:17 <Ian> smcgruer_[EST]: +1
15:02:30 <Ian> Topic: Next meeting
15:02:32 <Ian> 8 July
15:02:36 <Ian> RRSAGENT, make minutes
15:02:36 <RRSAgent> I have made the request to generate https://www.w3.org/2021/06/24-wpwg-minutes.html Ian
15:02:39 <Ian> RRSAGENT, set logs public
15:03:23 <JM_Girard> JM_Girard has left #wpwg
15:04:32 <Ian> l/dialog dom
15:04:37 <Ian> rrsagent, bye
15:04:37 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2021/06/24-wpwg-actions.rdf :
15:04:37 <RRSAgent> ACTION: Ian to update requirements document regarding the binding discussion [1]
15:04:37 <RRSAgent>   recorded in https://www.w3.org/2021/06/24-wpwg-irc#T14-29-01