IRC log of wpwg-spc on 2021-11-08
Timestamps are in UTC.
- 16:52:12 [RRSAgent]
- RRSAgent has joined #wpwg-spc
- 16:52:12 [RRSAgent]
- logging to https://www.w3.org/2021/11/08-wpwg-spc-irc
- 16:52:27 [Ian]
- Meeting: SPC Task Force
- 16:52:29 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Nov/0001.html
- 16:52:30 [Ian]
- Chair: Ian
- 16:52:33 [Ian]
- Scribe: Ian
- 16:52:42 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/11/08-wpwg-spc-minutes.html Ian
- 17:02:27 [Ian]
- present+ Anne
- 17:02:29 [Ian]
- present+ Clinton
- 17:02:32 [John_Bradley]
- John_Bradley has joined #wpwg-spc
- 17:02:34 [Ian]
- present+ John_Bradley
- 17:02:40 [Ian]
- present+ Praveena
- 17:02:42 [Ian]
- present+ Sameer
- 17:02:56 [Ian]
- present+ Stephen
- 17:03:13 [Ian]
- present+ Doug_Fisher
- 17:03:26 [Anne]
- Anne has joined #wpwg-spc
- 17:03:32 [Ian]
- present+ JeffH
- 17:03:36 [Ian]
- Topic: What are requirements when more than one SPC credential matches?
- 17:03:55 [Ian]
- present+ Michel Weksler
- 17:04:08 [Ian]
- Stephen: Today in the implementation we accept the first credential that matches.
- 17:04:16 [SameerT]
- SameerT has joined #wpwg-spc
- 17:04:18 [clinton]
- clinton has joined #wpwg-spc
- 17:04:20 [Ian]
- ...WebAuthn as a model also views as a decreasing order of pref
- 17:04:31 [Ian]
- ...but they expect prompting of the user to pick the first one they like
- 17:04:49 [Ian]
- John_Bradley: authenticators in CTAP will choose the "most recently created credential" of the allow list.
- 17:05:37 [Ian]
- Ian: Is the goal "get one back however that is determined"?
- 17:05:51 [Ian]
- John_Bradley: Nothing in allow list causes a list to be showing in CTAP
- 17:06:10 [Ian]
- ...nothing about credential IDs says "This is your blue authenticator"
- 17:06:13 [Ian]
- ack Doug
- 17:06:22 [SameerT]
- q+ : Ian, can you please run through the problem statement/scenario again
- 17:06:32 [Ian]
- ack Sam
- 17:06:32 [Zakim]
- SameerT, you wanted to say Ian, can you please run through the problem statement/scenario again
- 17:06:54 [Ian]
- Doug: From a 3DS perspective it would be great if credentials were shown and nothing else.
- 17:07:41 [Ian]
- ...let's say SPC use case
- 17:08:01 [smcgruer_[EST]]
- q+ to ask John to clarify behavior in CTAP vs "WebAuthn Authenticator Model" section of WebAuthn
- 17:09:25 [Ian]
- Stephen: There are two levels: "Multiple authenticators are available" ...may want to ask the user to pick one.
- 17:09:45 [Ian]
- ...when credentials are from the same authenticator...the authenticator picks the most recent one.
- 17:09:49 [Ian]
- ack sm
- 17:09:49 [Zakim]
- smcgruer_[EST], you wanted to ask John to clarify behavior in CTAP vs "WebAuthn Authenticator Model" section of WebAuthn
- 17:10:03 [Ian]
- John_Bradley: WebAuthn pretty much always shows you a dialog.
- 17:10:08 [Ian]
- present+ Ryan_Watkins
- 17:10:14 [Ian]
- present+ Christian_Aabye
- 17:10:41 [SameerT]
- q+
- 17:10:41 [Ian]
- John_Bradley: The platform authenticator will give you a list of credentials it has and an option to use a roaming authenticator.
- 17:10:46 [Ian]
- ...lots of innovation in this space
- 17:10:48 [Ian]
- ack SameerT
- 17:13:46 [Ian]
- IJ: Summary:
- 17:13:52 [SameerT_]
- SameerT_ has joined #wpwg-spc
- 17:14:02 [Ian]
- - When multiple authenticators, should user pick one?
- 17:14:19 [Ian]
- - When multiple credential IDs for the same authenticator, implementation detail how one is chosen.
- 17:14:33 [Ian]
- John_Bradley: Authenticator might show a pick list
- 17:15:06 [Ian]
- ...platform authenticators typically do a user verification before they present a pick list
- 17:15:50 [Ian]
- smcgruer_[EST]: In case where user has one matching platform, the only issue I see is how the browser/OS presents option to plug in a security key
- 17:15:58 [Ian]
- s/security key/roaming authenticator
- 17:18:07 [Ian]
- IJ: should we have requirements?
- 17:18:28 [Ian]
- John_Bradley: If there is an allow list you'll get back one (per CTAP). Windows shows a chooser
- 17:20:18 [Ian]
- Ian: Could we just say "it's up to the implementation to get to 1, and it's an implementation detail?"
- 17:20:31 [Ian]
- John_Bradley: What is the expectation about sequencing of UX?
- 17:20:47 [Ian]
- ...do you silently probe and then go back and do a get() with one credential id?
- 17:20:59 [Ian]
- Stephen: The latter.
- 17:21:09 [Ian]
- 1) Browser receives a list of credential IDs.
- 17:21:24 [Ian]
- 2) Can ask (in the future) whether the platform authenticator knows it (Conditional UI)
- 17:21:41 [Ian]
- 3) our "no match" dialog could be extended to ask user to plug in roaming authenticator
- 17:22:08 [Ian]
- John_Bradley: As long as we say credentials are created with cred protect levels 0 or 2
- 17:22:42 [Ian]
- ...at level 2, you need the credential ID
- 17:22:55 [Ian]
- ...at level 0, there's no privacy as long as the rpid is known
- 17:23:10 [Ian]
- ...Chrome currently uses cred level 2 for discoverable
- 17:24:05 [Ian]
- ...assuming you had, say, a Yubikey, Chrome could iterate over credentials with user presence 0, user verified 0 to determine whether available before user is prompted
- 17:24:33 [Ian]
- ...there's also an NFC use case where user needs to do a tap operation then they might need a dialog
- 17:25:12 [Ian]
- ...may be ok to only present "roaming" option if there's no platform credential available
- 17:25:28 [Ian]
- Stephen: Good question.
- 17:26:16 [Ian]
- John_Bradley: I think in most cases, you'd proceed with the platform authenticator if the issuer has provisioned it
- 17:26:46 [Ian]
- Stephen: I'd be happy to punt to WebAuthn. The WebAuthn implementation could go ahead to resolve it.
- 17:26:57 [Ian]
- Doug: Great discussion. We do have questions on 3DS side re: UX
- 17:27:17 [smcgruer_[EST]]
- q?
- 17:27:19 [smcgruer_[EST]]
- q
- 17:27:20 [Ian]
- ...we should allow the RP to create more than one credential (may be done at PAN level rather than identity level)
- 17:27:59 [smcgruer_[EST]]
- q+
- 17:28:02 [Ian]
- ...could the OS give an option to insert a roaming authenticator, and if they used it, could the assertion fail if there was no credential...would the RP know?
- 17:28:12 [smcgruer_[EST]]
- q-
- 17:28:25 [Ian]
- John_Bradley: That could not happen if you are using an allow list
- 17:28:52 [smcgruer_[EST]]
- q+
- 17:29:26 [Ian]
- John_Bradley: The list of credential ids doesn't tell you about which authenticator (platform or roaming) or if on this machine or not
- 17:29:48 [smcgruer_[EST]]
- q-
- 17:30:08 [Ian]
- JeffH: Doug brings up a key question - the data model.
- 17:30:17 [Ian]
- ...the data model needs to get decided
- 17:30:35 [Ian]
- ...if I understood correctly, it's whether the issuer is mapping the credentials to accounts or instruments.
- 17:30:49 [Ian]
- q+
- 17:32:27 [Ian]
- John_Bradley: If you have one credential per PAN, where does WebAuthn get the info it will present?
- 17:32:50 [Ian]
- Stephen: We don't do instrument selection; the merchant (and account provider) have chosen the instrument before SPC is called
- 17:34:27 [Ian]
- John_Bradley: The answer to the question is "one response". We may want to clarify "what goes in the user id" and we could help avoid a pick list.
- 17:34:41 [Ian]
- Stephen: At registration time, the RP should "be consistent"
- 17:35:02 [Ian]
- John_Bradley: Yes, the RP should be consistent at registration time, otherwise there might be some UX issue.
- 17:36:30 [Ian]
- ACTION: Ian to follow up with Stephen about next steps.
- 17:36:39 [Ian]
- Topic: Next meeting
- 17:36:54 [Ian]
- 15 Nov
- 17:37:03 [Ian]
- RRSAGENT, make minutes
- 17:37:03 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/11/08-wpwg-spc-minutes.html Ian
- 17:37:12 [Ian]
- RRSAGENT, set logs public
- 17:42:43 [Ian]
- zakim, bye
- 17:42:43 [Zakim]
- leaving. As of this point the attendees have been Anne, Clinton, John_Bradley, Praveena, Sameer, Stephen, Doug_Fisher, JeffH, Michel, Weksler, Ryan_Watkins, Christian_Aabye
- 17:42:43 [Zakim]
- Zakim has left #wpwg-spc
- 17:42:45 [Ian]
- reagent, bye