IRC log of wpwg on 2021-06-24

Timestamps are in UTC.

13:53:55 [RRSAgent]
RRSAgent has joined #wpwg
13:53:55 [RRSAgent]
logging to https://www.w3.org/2021/06/24-wpwg-irc
13:54:00 [Ian]
Meeting: Web Payments WG
13:54:14 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20210624
13:54:16 [Ian]
Chair: Nick
13:54:19 [Ian]
Scribe: Ian
13:54:23 [Ian]
agenda+ PR API update
13:54:28 [Ian]
agenda+ SPC discussion
13:54:33 [Ian]
agenda+ Next meeting
13:54:41 [Ian]
regrets+ Adrian_Hope-Bailie
13:55:17 [Ian]
present+
13:58:46 [tm]
tm has joined #wpwg
13:59:10 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/06/24-wpwg-minutes.html Ian
14:00:22 [Ian]
present+ Anne_Pouillard
14:00:29 [Ian]
present+ Stephen_McGruer
14:01:12 [Anne]
Anne has joined #wpwg
14:01:18 [Ian]
present+ Lawrence_Cheng
14:01:33 [Ian]
present+ Jean-Michel_Girard
14:02:17 [Ian]
present+ David_Benoit
14:02:24 [Ian]
present+ Rolf_Lindemann
14:02:35 [Fawad]
Fawad has joined #wpwg
14:02:36 [Ian]
present+ Clinton_Allen
14:02:41 [Ian]
present+ Fawad_Nisar
14:03:13 [Ian]
present+ Nick_Telford-Reed
14:03:14 [clinton]
clinton has joined #wpwg
14:03:17 [Ian]
present+ Werner_Bruinings
14:03:20 [benoit]
benoit has joined #wpwg
14:03:23 [Ian]
present+ Gerhard_Oosthuizen
14:03:34 [Rolf]
Rolf has joined #wpwg
14:03:46 [Ian]
zakim, take up item 1
14:03:46 [Zakim]
agendum 1 -- PR API update -- taken up [from Ian]
14:03:54 [werner]
werner has joined #wpwg
14:04:03 [nicktr]
scribenick: nicktr
14:04:03 [JM_Girard]
JM_Girard has joined #wpwg
14:04:03 [Ian]
present+ Gavin_Shenker
14:04:37 [nicktr]
ian: In the process of getting Payment Request to REC, we got a few expressions of support for our CFC
14:04:55 [Ian]
-> https://github.com/w3c/transitions/issues/346 request to advance to CR
14:05:09 [nicktr]
...the next step is the request to advance to Candidate Recommendation
14:05:19 [nicktr]
...(there is cool new tooling)
14:05:30 [Gavin]
Gavin has joined #WPWG
14:05:40 [nicktr]
...with the Director's Approval, we will publish, then there is a 2 month window
14:06:03 [nicktr]
...Marcos and I met yesterday to clean up the Implementation Report. We are in good shape.
14:06:30 [nicktr]
ian: I expect it to be smooth sailing
14:06:50 [nicktr]
...The bigger discussion is probably what happens next after publication
14:07:01 [Ian]
zakim, close item 1
14:07:01 [Zakim]
agendum 1, PR API update, closed
14:07:03 [Zakim]
I see 2 items remaining on the agenda; the next one is
14:07:03 [Zakim]
2. SPC discussion [from Ian]
14:07:03 [nicktr]
...That will be part of our chartering discussion in the Autumn
14:07:08 [Ian]
zakim, take up next item
14:07:08 [Zakim]
agendum 2 -- SPC discussion -- taken up [from Ian]
14:07:27 [nicktr]
ian: We had a robust discussion at the Task Force on Monday
14:07:43 [nicktr]
...We thought we could continue that discussion today
14:07:59 [nicktr]
scribenick: nicktr
14:08:04 [Ian]
scribenick: Ian
14:08:58 [nicktr]
scribenick: nicktr
14:09:11 [nicktr]
ian: we are moving to store less and less in the browser
14:09:24 [nicktr]
...there may be implications for functionality
14:10:17 [nicktr]
...The question is "Is this a WebAuthn thing or a Payments thing?"
14:10:30 [nicktr]
...Are there other design considerations
14:10:58 [nicktr]
scribenick: ian
14:11:13 [Ian]
smcgruer_[EST]: Emerging questions about "how can these credentials be used"
14:11:27 [Ian]
...at this time, the enrollment UX we added did come partially from a privacy discussion
14:11:43 [Ian]
...to be sure user knows enrollment is for payment
14:11:56 [Ian]
...but the conversation is ongoing whether the UX is necessary
14:12:16 [Ian]
...personally I would like to see enrollment be just a WebAuthn thing. On the server the RP maintains information.
14:12:24 [Ian]
...but auth flow we are discussing is definitely a payments thing
14:12:36 [Ian]
...the various stakeholders need to know what the browser is presenting to the user
14:12:42 [Ian]
present+ Jean-Luc_di_Manno
14:13:08 [Ian]
Nick: I agree. The authentication piece is definitely a "payment-specific" thing
14:13:10 [Gerhard]
Gerhard has joined #wpwg
14:13:16 [Gerhard]
present_
14:13:19 [Gerhard]
q+
14:13:24 [Ian]
ack G
14:13:46 [Ian]
Gerhard: There's a simplicity if the browser doesn't have to remember any additional information
14:14:11 [Ian]
...but the CONSENT needs to be clear. I can imagine three levels:
14:14:14 [JL]
JL has joined #wpwg
14:14:20 [Ian]
1) The credential can be used for anything
14:14:37 [Ian]
2) The credential is for a specific use case (e.g., log in v. payment)
14:14:49 [Ian]
3) The credential is for a specific instrument
14:15:09 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/06/24-wpwg-minutes.html Ian
14:15:16 [Ian]
q+
14:15:22 [smcgruer_[EST]]
q+
14:16:12 [Ian]
Gerhard: I doubt we will do the first one; but probably likely to do 2 or 3
14:16:23 [nicktr]
ack Ian
14:16:26 [Ian]
ack sm
14:16:31 [nicktr]
q+ Ian
14:18:19 [clinton_]
clinton_ has joined #wpwg
14:18:28 [clinton_]
q+
14:21:12 [Rolf]
q+
14:21:20 [Rolf]
q
14:21:46 [nicktr]
ack clinton_
14:21:50 [Ian]
Ian: I think "enrollment" in upgrade case means "use get() instead of create() with a consent dialog"
14:22:00 [nicktr]
q+ ian later
14:22:07 [nicktr]
q- later
14:22:34 [Ian]
clinton_: If you look at this from issuer perspective, if an issuer looks at this credential in a year, it needs to be known specifically 'this is for payment'
14:22:37 [smcgruer_[EST]]
q+
14:22:45 [Ian]
q-
14:22:45 [Ian]
q+
14:23:59 [Gavin]
q+
14:24:07 [Ian]
Clinton: It doesn't have to be "your card". If an issuer is taking a consumer through an enrollment process, the issuer might want the credential bound to "account" rather than instrument.
14:24:16 [Ian]
...what you use to pay online securely might be secondary
14:24:22 [Ian]
ack rolf
14:24:51 [Ian]
Rolf: For me, the "credential" term is just a tech term; users don't know what they are.
14:25:09 [Ian]
...we don't want users to think of "one password for card one, one password for card 2"
14:25:41 [Gerhard]
q+
14:25:48 [Ian]
...we designed WebAuthn with flexibility, so an RP can bind a single credential to an account or even multiple accounts.
14:26:08 [nicktr]
q-
14:26:09 [Ian]
...my suggestion here is "assume there is one user to be authenticated" and what the user agrees to may vary
14:26:28 [Ian]
...some banks may want the user to enroll a credential with specific instruments, others might want per-account
14:26:29 [smcgruer_[EST]]
q- rolf has said everything I want to say - let the relying party (bank) decide, which they can do with 'pure' webauthn
14:26:32 [Gerhard]
q-
14:26:36 [smcgruer_[EST]]
q-
14:26:47 [Ian]
...so let's not over constrain WebAuthentication credentials
14:26:53 [Ian]
...let the RP decide
14:26:55 [Gerhard]
q+
14:27:10 [Ian]
...when the bank looks at the assertion, the bank can observe what the user was trying to do
14:27:22 [Ian]
...the assertion looks different, so no need to differentiate the credential
14:27:27 [Ian]
[^^^key observation :) ]
14:27:43 [nicktr]
q?
14:27:51 [Ian]
...so the bank can decide whether to accept an assertion based on previous interactions (enrollment time) with the user
14:27:53 [Ian]
q+
14:28:00 [Ian]
q- later
14:28:21 [smcgruer_[EST]]
+1 to rolf's comments
14:28:23 [Ian]
queue==Gavin, Gerhard, Ian
14:28:23 [nicktr]
ack Gavin
14:28:43 [Ian]
Gavin: +1 to what Rolf said; don't need 1:1 mapping of credential to instrument
14:29:01 [Ian]
ACTION: Ian to update requirements document regarding the binding discussion
14:29:24 [clinton_]
+1
14:29:30 [Ian]
Gavin: If Visa is the RP party, I should be able, for example, to have one auth credential for all cards associated with the user
14:29:36 [Rolf]
makes sense
14:30:01 [nicktr]
ack Gerhard
14:30:18 [Ian]
[Emerging consensus that the RP should decide what binding to use]
14:31:01 [Ian]
q+ to ask about API implications
14:31:31 [Ian]
Gerhard: There are potential risks of more flexibility (broader binding); we need to think through these.
14:31:37 [smcgruer_[EST]]
q?
14:31:46 [smcgruer_[EST]]
q+ to ask gerhard to clarify the concerns here
14:32:02 [Ian]
Gerhard: I think people likely want as few credentials as possible
14:32:10 [Ian]
present+ Jeff_Hodges
14:32:45 [Ian]
Gerhard: There's a risk of confusion of binding instrument at the last moment
14:32:46 [clinton_]
q+
14:33:07 [nicktr]
ack Ian
14:33:07 [Zakim]
Ian, you wanted to ask about API implications
14:34:15 [clinton]
clinton has joined #wpwg
14:35:06 [Ian]
present+ Thomas_Bellenger
14:37:16 [Ian]
PROPOSED: Any WebAuthn credential can be passed to SPC authentication requests.
14:37:34 [Ian]
smcgruer_[EST]: The RP gets to decide whether to give the merchant credential and whether it accepts the usage of that credential.
14:37:53 [Gerhard]
q+
14:38:19 [Ian]
ack smcgruer_[EST]
14:38:19 [Zakim]
smcgruer_[EST], you wanted to ask gerhard to clarify the concerns here
14:38:34 [Ian]
smcgruer_[EST]: I'd like to understand more Gerhard's concern about "which payment instrument."
14:38:40 [Ian]
...there are multiple protections:
14:38:45 [Ian]
1) User sees the information
14:38:51 [Ian]
2) Information is signed
14:39:01 [Ian]
3) RP can decide whether to accept it (and maintains definitive binding)
14:40:14 [Ian]
Gerhard: I've heard concerns about "informed consent" including PSD2 rules
14:40:42 [Ian]
...I think there may be risks here. Has the user given enough consent for payment?
14:40:48 [clinton]
q-
14:40:56 [Gerhard]
q-
14:41:06 [Ian]
smcgruer_[EST]: I agree with the concern. The argument being made to me from the WebAuthn side is that it's up to the RP to get the consent
14:41:26 [Ian]
...if the bank is going to accept auth for payment, then I am presuming the bank has gotten user consent
14:42:12 [Ian]
ack clin
14:42:12 [smcgruer_[EST]]
q?
14:42:17 [Ian]
q+ Gerhard
14:42:25 [Gerhard]
q-
14:46:03 [smcgruer_[EST]]
q+
14:47:51 [smcgruer_[EST]]
q?
14:48:16 [Ian]
Ian: For the out-of-band auth flow, does the SPC API need a special capability (e.g., interrupted, since auth is now happening out of band)?
14:48:44 [Ian]
rolf: There are two options:
14:49:01 [clinton]
q+
14:49:04 [Ian]
a) RP decides to trigger SPC on mobile device
14:49:16 [Ian]
b) ....
14:49:31 [Ian]
...From a usability perspective, I might prefer that auth happens on one device rather than another.
14:49:45 [Gerhard]
q+
14:50:08 [Gerhard]
q-
14:50:19 [Ian]
ack smcgruer_[EST]
14:50:20 [smcgruer_[EST]]
q?
14:50:56 [Ian]
clinton: You need to know who the person is, and what avenue of payment they want to use before you do SPC
14:50:59 [smcgruer_[EST]]
q+
14:51:02 [Ian]
ack clinton
14:51:05 [Ian]
ack smcgruer_[EST]
14:51:21 [Ian]
smcgruer_[EST]: There might be a related concept that may be lower priority: cross-device authentication
14:51:30 [Ian]
...your browser is doing SPC but your browser has a relationship to a phone
14:52:13 [Ian]
rolf: Special case of smart phone as Roaming authenticator
14:52:34 [Ian]
q+
14:52:53 [Ian]
rolf: Nice thing about this case is phone has a display
14:53:06 [Ian]
...so it would be good for the desktop browser to send the display information to the smart phone
14:53:34 [smcgruer_[EST]]
q?
14:54:32 [Ian]
...need to convey payment details to authenticator
14:55:26 [Ian]
rolf: Let's clarify what we mean by "out-of-band"...server reaches out to me on different device
14:55:46 [Ian]
...system we just spoke about (using smart phone as roaming authenticator) is not this use case
14:58:03 [smcgruer_[EST]]
q+
14:58:11 [Ian]
ack me
14:59:32 [smcgruer_[EST]]
q-
14:59:58 [Gavin]
+q
15:00:07 [Ian]
Ian: Is out of band an important use case?
15:00:11 [Ian]
Gavin: I think so, but not for SPC
15:00:17 [Ian]
...3DS has to deal with it.
15:00:20 [smcgruer_[EST]]
+1, nothing to do with SPC :)
15:00:57 [clinton_]
clinton_ has joined #wpwg
15:01:28 [Ian]
PROPOSAL: It is not an important use case to trigger SPC on a mobile device via a push notification to fulfill out-of-band use cases
15:01:50 [Ian]
Rolf: -1. We don't need SPC for this. They do this already today with other protocols.
15:02:00 [Ian]
s/-1/+1
15:02:06 [nicktr]
+1
15:02:09 [Ian]
(JeffH: +1)
15:02:17 [Ian]
smcgruer_[EST]: +1
15:02:30 [Ian]
Topic: Next meeting
15:02:32 [Ian]
8 July
15:02:36 [Ian]
RRSAGENT, make minutes
15:02:36 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/06/24-wpwg-minutes.html Ian
15:02:39 [Ian]
RRSAGENT, set logs public
15:03:23 [JM_Girard]
JM_Girard has left #wpwg
15:04:32 [Ian]
l/dialog dom
15:04:37 [Ian]
rrsagent, bye
15:04:37 [RRSAgent]
I see 1 open action item saved in https://www.w3.org/2021/06/24-wpwg-actions.rdf :
15:04:37 [RRSAgent]
ACTION: Ian to update requirements document regarding the binding discussion [1]
15:04:37 [RRSAgent]
recorded in https://www.w3.org/2021/06/24-wpwg-irc#T14-29-01