13:56:54 <RRSAgent> RRSAgent has joined #wpwg
13:56:54 <RRSAgent> logging to https://www.w3.org/2021/11/04-wpwg-irc
13:57:01 <Ian> Meeting: Web Payments Working Group
13:57:08 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20211004
13:57:13 <Ian> Chair: AdrianHB
13:57:15 <Ian> Scribe: Ian
13:57:19 <Ian> Regrets+ NickTR
13:57:22 <Ian> agenda+ Privacy Sandbox
13:57:28 <Ian> agenda+ TPAC Recap
13:57:37 <Ian> agenda+ Next meeting
13:57:44 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
13:58:31 <Ian> present+ Ian_Jacobs
13:58:36 <Ian> present+ Adrian_Hope-Bailie
13:59:23 <Anne> Anne has joined #wpwg
13:59:45 <Ian> present+ Anne_Pouillard
14:00:05 <rouslan> rouslan has joined #wpwg
14:00:11 <rouslan> present+ Rouslan
14:00:16 <Ian> present+ Erhard_Brand
14:00:27 <Ian> present+ Arno_van_der_Merwe
14:00:55 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
14:01:53 <Ian> present+ Uno_Veski
14:02:01 <Ian> Present+ Jean-Luc_di_Manno
14:02:11 <rouslan> Has the webex meeting started? If so, I'm in the wrong one :-D
14:02:36 <AdrianHB_> present+
14:02:40 <Ian> present+ Robert_Savage
14:03:35 <Ian> present+ Stephen_McGruer
14:04:34 <Ian> present+ Gerhard+Oosthuizen
14:04:37 <Ian> present+ Brian_Lefler
14:04:44 <Ian> present+ Tomoya_Horiguchi
14:04:58 <Ian> zakim, take up item 1
14:04:58 <Zakim> agendum 1 -- Privacy Sandbox -- taken up [from Ian]
14:05:28 <Ian> -> http://www.w3.org/2021/Talks/rouslan-sandbox-20211028.pdf Rouslan Slides
14:06:30 <Ian> zakim, make minutes
14:06:30 <Zakim> I don't understand 'make minutes', Ian
14:06:48 <Ian> Rouslan: Privacy sandbox is undertaking project related to data collection.
14:07:34 <Ian> ...default browser behavior will limit silent tracking
14:08:38 <weiler> present+
14:08:56 <Gerhard> Gerhard has joined #wpwg
14:08:57 <Ian> ...general concept is that if 2 sites have independent identities, then intended behavior is that correlation without user consent will not be possible
14:09:06 <Ian> present+ Sam_Weiler
14:09:21 <Ian> present+ Shyam_Sheth
14:10:24 <Ian> rouslan: Chrome will phase out support for 3p cookies over a three-month period finishing in late 2023
14:11:28 <Ian> ...cross-origin iframe will not have access to cookies
14:11:33 <Ian> ...(by default)
14:11:50 <Ian> ...the iframe can communicate with the top-level (who can tell the iframe who they think the user is).
14:12:12 <Ian> ...if the user provides random identifier to top-level site, won't facilitate tracking via 3p
14:12:23 <Ian> ...there are some other behaviors expected as well.
14:12:29 <Ian> ...e.g., CHIPS
14:12:51 <Ian> ...where the iframe can store SOME information, but CHIPS cookies will be scoped to the parent origin.
14:13:04 <Ian> ...(storage partitioning)
14:13:38 <Ian> ...cross-site information needs 1 user authentication in order to be able to store CHIPS cookies
14:13:49 <AdrianHB_> q?
14:13:56 <Ian> ...another project: "Fenced Frames"
14:14:04 <AdrianHB_> q+ to ask what "authentication" means on the top-level site
14:14:12 <Ian> ...this one blocks communication between the embedded iframe and the top level Web site
14:14:30 <Ian> ...this proposal is very early in its life
14:14:46 <Ian> ...but the idea is that tracking inhibited by lack of communication between origins
14:14:56 <Ian> present+ Ryan_Watkins
14:15:20 <Ian> rouslan: So how does all this affect payments?
14:15:31 <weiler> [what's the expansion of CHIPS?]
14:15:43 <weiler> q+ to ask for expansion of the CHIPS acronym
14:15:56 <Gerhard> q+
14:16:21 <Ian> rouslan: Embedded code may have no idea who user is via regular iframe. This might mean, e.g., user retypes credit card each time they visit the same merchant
14:16:22 <Ian> q?
14:16:37 <Ian> rouslan: I think this will be a big change so we need to find alternatives to avoid breaking the web.
14:17:09 <Ian> ...we need to hear from you what flows will break so we can find solutions
14:17:09 <Ian> q?
14:17:37 <jeanLuc> jeanLuc has joined #wpwg
14:17:45 <Ian> rouslan: We invite members of this Working Group to let us know your payments flows and how they would be broken by privacy sandbox changes
14:17:53 <Ian> q+ to ask rouslan where we can document these flows that will break
14:17:55 <Ian> ack AdrianHB
14:17:55 <Zakim> AdrianHB_, you wanted to ask what "authentication" means on the top-level site
14:18:15 <Ian> AdrianHB: What does authentication look like to give an iframe access to CHIPS?
14:18:53 <Ian> rouslan: That's my shorthand for "identifying yourself to the iframe". This might be, for example, providing an identifier for yourself.
14:19:16 <Ian> AdrianHB: So you don't provide ID to the top-level iframe that is shared with cross-origin iframe?
14:19:38 <Ian> Rouslan: You could do that, but if you provide a random identifier to the top-level identifier, you won't support tracking
14:20:21 <Ian> AdrianHB: So I could identify myself as "user X" to cross-origin iframe and they could tell parent origin "This is user X".
14:20:39 <Ian> Rouslan: Yes. But when code is embedded on a different origin, that information ("X") won't be available to them.
14:20:47 <Ian> Weiler: What does CHIPS expand to?
14:21:01 <Ian> Stephen: "Cookies Having Independent Partition State"
14:21:23 <smcgruer_[EST]> s/Partition/Partitioned
14:21:48 <Ian> rouslan: Ideally you don't want to have to retype your card or bank account number on every site.
14:22:05 <Ian> Adrian: If you use payment apps you still need to authenticate to the payment app.
14:22:22 <Ian> rouslan: We don't want users to type username/password in an iframe.
14:22:35 <Ian> q?
14:22:37 <Ian> ack weiler
14:22:37 <Zakim> weiler, you wanted to ask for expansion of the CHIPS acronym
14:23:03 <Ian> Rouslan: I need to find a better word than "authenticate" to mean "user provides identifying information"
14:23:06 <Ian> ack Gerhard
14:24:24 <Ian> Gerhard: Fenced frames sound more appealing to me. If I put a custom URL in a fenced iframe (e.g., in 3DS method URL). That's a channel of communication.
14:24:44 <Ian> Rouslan: The fenced frame explainer discusses this. One thing they might do they call a "three states machine"
14:25:05 <Ian> ...when the fenced frame accesses its URL from JavaScript it then loses storage access (write access) and network connectivity.
14:25:21 <Ian> ...but I think this is an unanswered question in this early stage of the project
14:25:30 <smcgruer_[EST]> q?
14:25:36 <Ian> Gerhard: I heard each iframe would have isolated storage.
14:26:01 <smcgruer_[EST]> q+
14:26:09 <Ian> Rouslan: Again, fenced frame behavior is not entirely known.
14:26:36 <Ian> ...in this group we can help answer questions by describing what would break
14:26:55 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
14:27:23 <Ian> Rouslan: I think we may need more than CHIPS and fenced frames for payments
14:28:14 <Ian> Gerhard: How do these changes change:
14:28:17 <Ian> a) hidden iframe
14:28:21 <Ian> b) Secure storage in iframes
14:28:23 <Ian> c) payment handlers
14:28:44 <Ian> d) Popups
14:28:49 <Ian> ...in an iframe
14:29:13 <smcgruer_[EST]> q?
14:29:22 <Ian> rouslan: We don't know yet. What do you mean by secure storage?
14:29:36 <Ian> Gerhard: Local storage / index DB
14:29:48 <Ian> rouslan: I think the expectation is that all storage mechanisms would be partitioned
14:30:10 <Ian> ...regarding payment handlers, they use service worker, and privacy sandbox expectation is partitioning there, too.
14:30:56 <Ian> ack smcgruer_[EST]
14:31:21 <Ian> smcgruer_[EST]: See the Federated Credential Management explainer -> https://github.com/WICG/FedCM/blob/main/explainer/problem.md
14:31:28 <Ian> ...helpful in calling out problem statements
14:32:25 <Ian> ...FedCM is evolving to a model where they are pretty sure their technology is privacy sensitive against all the changes that are envisioned
14:32:31 <Ian> ...so that's a good example to be aware of
14:32:42 <Ian> ack me
14:32:42 <Zakim> Ian, you wanted to ask rouslan where we can document these flows that will break
14:32:54 <Ian> q+
14:33:19 <Ian> Gerhard: We know the 3DS flows; has that use case already been covered in privacy sandbox discussions?
14:33:48 <smcgruer_[EST]> q?
14:33:50 <smcgruer_[EST]> qq+
14:33:59 <Ian> Rouslan: We realize that 3DS will be affected.
14:34:00 <AdrianHB_> +1 to the problem of general purpose features being abused. I still believe we can find a balance with PR API + PH API + SPC that is payment specific enough to prevent tracking exploits but generic enough to be widely useful
14:34:32 <Ian> Gerhard: The EMVCo world view is that when data collection does not suffice, either accept risk or challenge
14:34:58 <Ian> ...if we can get guidance on getting adequate consent that would be helpful.
14:35:11 <Ian> ..are three clicks enough? a daily click? What suffices?
14:35:22 <Ian> ..just tell me what the hoops are :)
14:35:26 <Ian> ack sm
14:35:26 <Zakim> smcgruer_[EST], you wanted to react to Ian
14:37:00 <Ian> ack smcgruer_[EST]
14:37:29 <rouslan> q?
14:37:30 <Ian> smcgruer_[EST]: is this something we should pick up in the WG?
14:37:35 <Ian> ack me
14:38:24 <Ian> Ian: Should be starting a document with "things that will break"?
14:38:26 <Ian> rouslan: Yes, that's one step
14:38:41 <Ian> smcgruer_[EST]: Also people can reach out to us directly.
14:39:13 <smcgruer_[EST]> q?
14:39:13 <Ian> present+ Kaustubha_Govind
14:39:29 <Ian> Ian: Do you have an initial list?
14:39:33 <Ian> smcgruer_[EST]: I have a partial list
14:40:05 <Ian> Ian: Any co-editor volunteers?
14:41:09 <smcgruer_[EST]> q?
14:41:43 <Ian> -> https://github.com/w3c/webpayments/issues General WPWG repo
14:42:24 <Ian> ACTION: Stephen to start to move "things that will break" list to that repo.
14:43:07 <Ian> Stephen: Again, we'd like to hear concrete flows.
14:43:23 <Ian> ...e.g., part of a flow might be for a wallet to give back some data to the merchant to give to their payment processor.
14:43:44 <Ian> ...what mechanisms are we using to take these steps, and what would a world look like where primitives would not be abused.
14:44:00 <Ian> ...we've mostly thought about 3p cookies but we need to start looking beyond those mechanisms.
14:44:21 <Ian> ...as an aside, this is a general browser direction and so we presume the payments industry has ALREADY been affected.
14:44:40 <Ian> ...if the world hasn't yet burned down, why are things still working? What does that tell us?
14:44:48 <Ian> q?
14:45:14 <Ian> zakim, close this item
14:45:14 <Zakim> agendum 1 closed
14:45:15 <Zakim> I see 2 items remaining on the agenda; the next one is
14:45:15 <Zakim> 2. TPAC Recap [from Ian]
14:45:19 <Ian> zakim, take up item 2
14:45:19 <Zakim> agendum 2 -- TPAC Recap -- taken up [from Ian]
14:45:43 <Ian> -> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2021 Minutes linked from the agenda
14:47:47 <Ian> Ian: Rouslan, you asked questions in 3DS WG discussion. Any movement after those?
14:47:51 <Ian> Rouslan: Not yet
14:48:44 <Ian> Ian: We also want to connect to anti-fraud discussions
14:48:59 <Ian> Kaustubha: I'm working on sandbox. One work stream we are involved in is anti-fraud.
14:49:22 <Ian> ...we recognize that anti-fraud solutions rely on 3p cookies, data collection, etc.
14:49:41 <Ian> ...client IP addresses, etc.
14:50:00 <Ian> ...across the industry browsers, OSes and so forth have been working towards making some of these signals harder to use to track users.
14:50:12 <Ian> ...we want to be doing this responsibly.
14:50:31 <Ian> https://www.w3.org/community/blog/2021/11/03/proposed-group-anti-fraud-community-group/
14:50:56 <Ian> Ian: What will happen in the anti-fraud CG?
14:51:22 <Ian> Kaustubha: We'll start by listening. We are working on trust tokens, for example.
14:51:42 <Ian> ...we want to hear about use cases, requirements, and constraints.
14:51:46 <Ian> q+
14:52:54 <Ian> ack Ian
14:53:11 <Ian> Ian: Is risk scoring part of your team's remit? the CG?
14:54:33 <Ian> Kaustubha: something like that could be interesting. On Android and iOS there are native APIs regarding confidence in user.
14:54:48 <Ian> ...I think exposing something like that in a privacy safe way on the web is something to consider
14:54:55 <Ian> ..but we don't want to lock people out if they don't have the token.
14:55:14 <Ian> ...we are experimenting with that, in relation to trust tokens.
14:55:28 <Ian> Ian: Where is that conversation happening?
14:55:37 <Ian> Kaustubha: WICG (via GitHub)
14:55:40 <smcgruer_[EST]> q?
14:55:52 <smcgruer_[EST]> q+ to note the sort of insights payments could bring to anti-Fraud CG
14:55:52 <Ian> ...but we might ask to move it to anti-fraud CG
14:55:55 <Ian> q?
14:55:58 <Ian> ack smcgruer_[EST]
14:55:58 <Zakim> smcgruer_[EST], you wanted to note the sort of insights payments could bring to anti-Fraud CG
14:57:00 <Ian> smcgruer_[EST]: Here's why the anti-fraud CG will be important and why payments folks should go there: there are interesting payments points of view that may not be captured .... like "trustworthy user but inappropriately using stolen card"
14:57:16 <Gerhard> q+
14:57:50 <Ian> Kaustubha: Agreed. There are some post-facto activities and some not; we are hoping to identify what signal fidelity is needed for different use cases.
14:58:10 <Ian> ...e.g., want to discard tokens when users log out
14:58:19 <Ian> zakim, close the queue
14:58:19 <Zakim> ok, Ian, the speaker queue is closed
14:58:34 <Ian> Kaustubha: As we make progress, we can make touch points with this WG.
14:58:54 <Gerhard> q-
14:59:01 <Gerhard> (Found the way to show my support
14:59:08 <Ian> Ian: See also the WPSIG
14:59:44 <Ian> [WE CELEBRATE CG LAUNCH!]
15:00:08 <Ian> zakim, close this item
15:00:08 <Zakim> agendum 2 closed
15:00:09 <Zakim> I see 1 item remaining on the agenda:
15:00:09 <Zakim> 3. Next meeting [from Ian]
15:00:12 <Ian> zakim take up item 3
15:00:34 <Ian> RRSAGENT, make minutes
15:00:36 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
15:00:37 <Ian> RRSAGENT, set logs public
16:49:36 <kirkwood> kirkwood has joined #wpwg
17:15:20 <bkardell_> bkardell_ has joined #wpwg