IRC log of wpwg on 2021-11-04

Timestamps are in UTC.

13:56:54 [RRSAgent]
RRSAgent has joined #wpwg
13:56:54 [RRSAgent]
logging to https://www.w3.org/2021/11/04-wpwg-irc
13:57:01 [Ian]
Meeting: Web Payments Working Group
13:57:08 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20211004
13:57:13 [Ian]
Chair: AdrianHB
13:57:15 [Ian]
Scribe: Ian
13:57:19 [Ian]
Regrets+ NickTR
13:57:22 [Ian]
agenda+ Privacy Sandbox
13:57:28 [Ian]
agenda+ TPAC Recap
13:57:37 [Ian]
agenda+ Next meeting
13:57:44 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
13:58:31 [Ian]
present+ Ian_Jacobs
13:58:36 [Ian]
present+ Adrian_Hope-Bailie
13:59:23 [Anne]
Anne has joined #wpwg
13:59:45 [Ian]
present+ Anne_Pouillard
14:00:05 [rouslan]
rouslan has joined #wpwg
14:00:11 [rouslan]
present+ Rouslan
14:00:16 [Ian]
present+ Erhard_Brand
14:00:27 [Ian]
present+ Arno_van_der_Merwe
14:00:55 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
14:01:53 [Ian]
present+ Uno_Veski
14:02:01 [Ian]
Present+ Jean-Luc_di_Manno
14:02:11 [rouslan]
Has the webex meeting started? If so, I'm in the wrong one :-D
14:02:36 [AdrianHB_]
present+
14:02:40 [Ian]
present+ Robert_Savage
14:03:35 [Ian]
present+ Stephen_McGruer
14:04:34 [Ian]
present+ Gerhard_Oosthuizen
14:04:37 [Ian]
present+ Brian_Lefler
14:04:44 [Ian]
present+ Tomoya_Horiguchi
14:04:58 [Ian]
zakim, take up item 1
14:04:58 [Zakim]
agendum 1 -- Privacy Sandbox -- taken up [from Ian]
14:05:28 [Ian]
-> http://www.w3.org/2021/Talks/rouslan-sandbox-20211028.pdf Rouslan Slides
14:06:30 [Ian]
zakim, make minutes
14:06:30 [Zakim]
I don't understand 'make minutes', Ian
14:06:48 [Ian]
Rouslan: Privacy sandbox is undertaking a project related to data collection.
14:07:34 [Ian]
...default browser behavior will limit silent tracking
14:08:38 [weiler]
present+
14:08:56 [Gerhard]
Gerhard has joined #wpwg
14:08:57 [Ian]
...general concept is that if 2 sites have independent identities, then intended behavior is that correlation without user consent will not be possible
14:09:06 [Ian]
present+ Sam_Weiler
14:09:21 [Ian]
present+ Shyam_Sheth
14:10:24 [Ian]
rouslan: Chrome will phase out support for 3p cookies over a three-month period finishing in late 2023
14:11:28 [Ian]
...cross-origin iframe will not have access to cookies
14:11:33 [Ian]
...(by default)
14:11:50 [Ian]
...the iframe can communicate with the top-level (who can tell the iframe who they think the user is).
14:12:12 [Ian]
...if the user provides random identifier to top-level site, won't facilitate tracking via 3p
14:12:23 [Ian]
...there are some other behaviors expected as well.
14:12:29 [Ian]
...e.g., CHIPS
14:12:51 [Ian]
...where the iframe can store SOME information, but CHIPS cookies will be scoped to the parent origin.
14:13:04 [Ian]
...(storage partitioning)
14:13:38 [Ian]
...cross-site information needs 1 user authentication in order to be able to store CHIPS cookies
14:13:49 [AdrianHB_]
q?
14:13:56 [Ian]
...another project: "Fenced Frames"
14:14:04 [AdrianHB_]
q+ to ask what "authentication" means on the top-level site
14:14:12 [Ian]
...this one blocks communication between the embedded iframe and the top level Web site
14:14:30 [Ian]
...this proposal is very early in its life
14:14:46 [Ian]
...but the idea is that tracking inhibited by lack of communication between origins
14:14:56 [Ian]
present+ Ryan_Watkins
14:15:20 [Ian]
rouslan: So how does all this affect payments?
14:15:31 [weiler]
[what's the expansion of CHIPS?]
14:15:43 [weiler]
q+ to ask for expansion of the CHIPS acronym
14:15:56 [Gerhard]
q+
14:16:21 [Ian]
rouslan: Embedded code may have no idea who user is via regular iframe. This might mean, e.g., user retypes credit card each time they visit the same merchant
14:16:22 [Ian]
q?
14:16:37 [Ian]
rouslan: I think this will be a big change so we need to find alternatives to avoid breaking the web.
14:17:09 [Ian]
...we need to hear from you what flows will break so we can find solutions
14:17:09 [Ian]
q?
14:17:37 [jeanLuc]
jeanLuc has joined #wpwg
14:17:45 [Ian]
rouslan: We invite members of this Working Group to let us know your payments flows and how they would be broken by privacy sandbox changes
14:17:53 [Ian]
q+ to ask rouslan where we can document these flows that will break
14:17:55 [Ian]
ack AdrianHB
14:17:55 [Zakim]
AdrianHB_, you wanted to ask what "authentication" means on the top-level site
14:18:15 [Ian]
AdrianHB: What does authentication look like to give an iframe access to CHIPS?
14:18:53 [Ian]
rouslan: That's my shorthand for "identifying yourself to the iframe". This might be, for example, providing an identifier for yourself.
14:19:16 [Ian]
AdrianHB: So you don't provide ID to the top-level iframe that is shared with cross-origin iframe?
14:19:38 [Ian]
Rouslan: You could do that, but if you provide a random identifier to the top-level identifier, you won't support tracking
14:20:21 [Ian]
AdrianHB: So I could identify myself as "user X" to cross-origin iframe and they could tell parent origin "This is user X".
14:20:39 [Ian]
Rouslan: Yes. But when code is embedded on a different origin, that information ("X") won't be available to them.
14:20:47 [Ian]
Weiler: What does CHIPS expand to?
14:21:01 [Ian]
Stephen: "Cookies Having Independent Partition State"
14:21:23 [smcgruer_[EST]]
s/Partition/Partitioned
14:21:48 [Ian]
rouslan: Ideally you don't want to have to retype your card or bank account number on every site.
14:22:05 [Ian]
Adrian: If you use payment apps you still need to authenticate to the payment app.
14:22:22 [Ian]
rouslan: We don't want users to type username/password in an iframe.
14:22:35 [Ian]
q?
14:22:37 [Ian]
ack weiler
14:22:37 [Zakim]
weiler, you wanted to ask for expansion of the CHIPS acronym
14:23:03 [Ian]
Rouslan: I need to find a better word than "authenticate" to mean "user provides identifying information"
14:23:06 [Ian]
ack Gerhard
14:24:24 [Ian]
Gerhard: Fenced frames sound more appealing to me. If I put a custom URL in a fenced iframe (e.g., in a 3DS method URL), that's a channel of communication.
14:24:44 [Ian]
Rouslan: The fenced frame explainer discusses this. One thing they might do they call a "three states machine"
14:25:05 [Ian]
...when the fenced frame accesses its URL from JavaScript it then loses storage access (write access) and network connectivity.
14:25:21 [Ian]
...but I think this is an unanswered question in this early stage of the project
14:25:30 [smcgruer_[EST]]
q?
14:25:36 [Ian]
Gerhard: I heard each iframe would have isolated storage.
14:26:01 [smcgruer_[EST]]
q+
14:26:09 [Ian]
Rouslan: Again, fenced frame behavior is not entirely known.
14:26:36 [Ian]
...in this group we can help answer questions by describing what would break
14:26:55 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
14:27:23 [Ian]
Rouslan: I think we may need more than CHIPS and fenced frames for payments
14:28:14 [Ian]
Gerhard: How do these changes change:
14:28:17 [Ian]
a) hidden iframe
14:28:21 [Ian]
b) Secure storage in iframes
14:28:23 [Ian]
c) payment handlers
14:28:44 [Ian]
d) Popups
14:28:49 [Ian]
...in an iframe
14:29:13 [smcgruer_[EST]]
q?
14:29:22 [Ian]
rouslan: We don't know yet. What do you mean by secure storage?
14:29:36 [Ian]
Gerhard: Local storage / index DB
14:29:48 [Ian]
rouslan: I think the expectation is that all storage mechanisms would be partitioned
14:30:10 [Ian]
...regarding payment handlers, they use service worker, and privacy sandbox expectation is partitioning there, too.
14:30:56 [Ian]
ack smcgruer_[EST]
14:31:21 [Ian]
smcgruer_[EST]: See the Federated Credential Management explainer -> https://github.com/WICG/FedCM/blob/main/explainer/problem.md
14:31:28 [Ian]
...helpful in calling out problem statements
14:32:25 [Ian]
...FedCM is evolving to a model where they are pretty sure their technology is privacy sensitive against all the changes that are envisioned
14:32:31 [Ian]
...so that's a good example to be aware of
14:32:42 [Ian]
ack me
14:32:42 [Zakim]
Ian, you wanted to ask rouslan where we can document these flows that will break
14:32:54 [Ian]
q+
14:33:19 [Ian]
Gerhard: We know the 3DS flows; has that use case already been covered in privacy sandbox discussions?
14:33:48 [smcgruer_[EST]]
q?
14:33:50 [smcgruer_[EST]]
qq+
14:33:59 [Ian]
Rouslan: We realize that 3DS will be affected.
14:34:00 [AdrianHB_]
+1 to the problem of general purpose features being abused. I still believe we can find a balance with PR API + PH API + SPC that is payment specific enough to prevent tracking exploits but generic enough to be widely useful
14:34:32 [Ian]
Gerhard: The EMVCo world view is that when data collection does not suffice, either accept risk or challenge
14:34:58 [Ian]
...if we can get guidance on getting adequate consent that would be helpful.
14:35:11 [Ian]
...are three clicks enough? a daily click? What suffices?
14:35:22 [Ian]
...just tell me what the hoops are :)
14:35:26 [Ian]
ack sm
14:35:26 [Zakim]
smcgruer_[EST], you wanted to react to Ian
14:37:00 [Ian]
ack smcgruer_[EST]
14:37:29 [rouslan]
q?
14:37:30 [Ian]
smcgruer_[EST]: is this something we should pick up in the WG?
14:37:35 [Ian]
ack me
14:38:24 [Ian]
Ian: Should we be starting a document with "things that will break"?
14:38:26 [Ian]
rouslan: Yes, that's one step
14:38:41 [Ian]
smcgruer_[EST]: Also people can reach out to us directly.
14:39:13 [smcgruer_[EST]]
q?
14:39:13 [Ian]
present+ Kaustubha_Govind
14:39:29 [Ian]
Ian: Do you have an initial list?
14:39:33 [Ian]
smcgruer_[EST]: I have a partial list
14:40:05 [Ian]
Ian: Any co-editor volunteers?
14:41:09 [smcgruer_[EST]]
q?
14:41:43 [Ian]
-> https://github.com/w3c/webpayments/issues General WPWG repo
14:42:24 [Ian]
ACTION: Stephen to start to move "things that will break" list to that repo.
14:43:07 [Ian]
Stephen: Again, we'd like to hear concrete flows.
14:43:23 [Ian]
...e.g., part of a flow might be for a wallet to give back some data to the merchant to give to their payment processor.
14:43:44 [Ian]
...what mechanisms are we using to take these steps, and what would a world look like where primitives would not be abused.
14:44:00 [Ian]
...we've mostly thought about 3p cookies but we need to start looking beyond those mechanisms.
14:44:21 [Ian]
...as an aside, this is a general browser direction and so we presume the payments industry has ALREADY been affected.
14:44:40 [Ian]
...if the world hasn't yet burned down, why are things still working? What does that tell us?
14:44:48 [Ian]
q?
14:45:14 [Ian]
zakim, close this item
14:45:14 [Zakim]
agendum 1 closed
14:45:15 [Zakim]
I see 2 items remaining on the agenda; the next one is
14:45:15 [Zakim]
2. TPAC Recap [from Ian]
14:45:19 [Ian]
zakim, take up item 2
14:45:19 [Zakim]
agendum 2 -- TPAC Recap -- taken up [from Ian]
14:45:43 [Ian]
-> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2021 Minutes linked from the agenda
14:47:47 [Ian]
Ian: Rouslan, you asked questions in 3DS WG discussion. Any movement after those?
14:47:51 [Ian]
Rouslan: Not yet
14:48:44 [Ian]
Ian: We also want to connect to anti-fraud discussions
14:48:59 [Ian]
Kaustubha: I'm working on sandbox. One work stream we are involved in is anti-fraud.
14:49:22 [Ian]
...we recognize that anti-fraud solutions rely on 3p cookies, data collection, etc.
14:49:41 [Ian]
...client IP addresses, etc.
14:50:00 [Ian]
...across the industry browsers, OSes and so forth have been working towards making some of these signals harder to use to track users.
14:50:12 [Ian]
...we want to be doing this responsibly.
14:50:31 [Ian]
https://www.w3.org/community/blog/2021/11/03/proposed-group-anti-fraud-community-group/
14:50:56 [Ian]
Ian: What will happen in the anti-fraud CG?
14:51:22 [Ian]
Kaustubha: We'll start by listening. We are working on trust tokens, for example.
14:51:42 [Ian]
...we want to hear about use cases, requirements, and constraints.
14:51:46 [Ian]
q+
14:52:54 [Ian]
ack Ian
14:53:11 [Ian]
Ian: Is risk scoring part of your team's remit? the CG?
14:54:33 [Ian]
Kaustubha: something like that could be interesting. On Android and iOS there are native APIs regarding confidence in user.
14:54:48 [Ian]
...I think exposing something like that in a privacy safe way on the web is something to consider
14:54:55 [Ian]
...but we don't want to lock people out if they don't have the token.
14:55:14 [Ian]
...we are experimenting with that, in relation to trust tokens.
14:55:28 [Ian]
Ian: Where is that conversation happening?
14:55:37 [Ian]
Kaustubha: WICG (via GitHub)
14:55:40 [smcgruer_[EST]]
q?
14:55:52 [smcgruer_[EST]]
q+ to note the sort of insights payments could bring to anti-Fraud CG
14:55:52 [Ian]
...but we might ask to move it to anti-fraud CG
14:55:55 [Ian]
q?
14:55:58 [Ian]
ack smcgruer_[EST]
14:55:58 [Zakim]
smcgruer_[EST], you wanted to note the sort of insights payments could bring to anti-Fraud CG
14:57:00 [Ian]
smcgruer_[EST]: Here's why the anti-fraud CG will be important and why payments folks should go there: there are interesting payments points of view that may not be captured .... like "trustworthy user but inappropriately using stolen card"
14:57:16 [Gerhard]
q+
14:57:50 [Ian]
Kaustubha: Agreed. There are some post-facto activities and some not; we are hoping to identify what signal fidelity is needed for different use cases.
14:58:10 [Ian]
...e.g., want to discard tokens when users log out
14:58:19 [Ian]
zakim, close the queue
14:58:19 [Zakim]
ok, Ian, the speaker queue is closed
14:58:34 [Ian]
Kaustubha: As we make progress, we can make touch points with this WG.
14:58:54 [Gerhard]
q-
14:59:01 [Gerhard]
(Found the way to show my support)
14:59:08 [Ian]
Ian: See also the WPSIG
14:59:44 [Ian]
[WE CELEBRATE CG LAUNCH!]
15:00:08 [Ian]
zakim, close this item
15:00:08 [Zakim]
agendum 2 closed
15:00:09 [Zakim]
I see 1 item remaining on the agenda:
15:00:09 [Zakim]
3. Next meeting [from Ian]
15:00:12 [Ian]
zakim take up item 3
15:00:34 [Ian]
RRSAGENT, make minutes
15:00:36 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/11/04-wpwg-minutes.html Ian
15:00:37 [Ian]
RRSAGENT, set logs public
16:49:36 [kirkwood]
kirkwood has joined #wpwg
17:15:20 [bkardell_]
bkardell_ has joined #wpwg