14:57:40 RRSAgent has joined #wpwg 14:57:41 logging to https://www.w3.org/2021/11/18-wpwg-irc 14:58:22 Meeting: Web Payments Working Group 14:58:24 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20211118 14:58:26 Chair: NickTR 14:58:30 Scribe: Ian 14:59:28 present+ Ian_Jacobs 14:59:33 agenda+ SPC issue review 14:59:37 zakim, clear the agenda 14:59:37 agenda cleared 14:59:38 agenda+ SPC issue review 14:59:50 agenda+ Upcoming priorities for discussion 15:00:02 agenda+ Meeting schedule 15:02:08 present+ Anne_Pouillard 15:02:17 present+ Jean-Luc_di_Manno 15:02:22 present+ Tomoya_Horiguchi 15:02:28 present+ Nick_Telford-Reed 15:02:40 Anne has joined #wpwg 15:04:32 JeanLuc has joined #wpwg 15:07:41 present+ Chris_Wood 15:07:45 present+ Susan_Pandy 15:07:50 zakim, take up item 1 15:07:50 agendum 1 -- SPC issue review -- taken up [from Ian] 15:08:30 https://github.com/w3c/secure-payment-confirmation/issues 15:08:37 present+ Stephen_McGruer 15:09:20 -> https://github.com/w3c/webauthn/issues/1667#issuecomment-957887836 WebAuthn 15:10:07 Stephen: This question is how can we make SPC even more of a real WebAuth thing. 15:10:17 ...first thing is to indicate using WebAuthn that "This is an SPC credential" 15:10:33 ...there are two functionalities associated with that: (1) cross-origin ceremony and (2) transaction dialog 15:10:42 ...there's another functionality associated: cross-origin creation 15:11:02 ...the folks at Yubico have proposed a solution that works for all types of authenticators: 15:11:13 15:11:29 ...for example: spc:bank.com 15:11:49 ..this works with remote authenticators - creates a new namespace for the RPID. The authenticator doesn't care what the RPID is 15:11:54 ..the main consequences of this proposal: 15:12:04 1) SPC credentials cannot be used for login and vice versa. 15:12:25 ..that's because the prefix is established at creation [and cannot be changed] 15:13:00 2) This solution binds "cross-origin" and "transaction UX" capability, so that would prevent the separation of those powers as requested by Entersekt 15:13:02 present+ Doug_Fisher 15:13:04 q+ 15:13:08 q? 15:13:23 q- 15:13:28 NickTR: I like the proposal in the sense that I like the specialization of the credential. 15:13:50 ...I think that risks (e.g., privacy leaks) go up as credential usage is more flexible 15:14:06 q+ 15:14:31 smcgruer_[EST]: The reason this proposal precludes the separation of powers, is that the browser only has one bit "SPC-or-NOT" 15:14:40 ..the browser doesn't have a second bit that says 'ONLY-ALLOW-ON-MY-DOMAIN" 15:15:23 smcgruer_[EST]: Part of me wonders if what we should be namespacing is the cross-origin part. 15:15:30 ..the payment transaction screen should always be available. 15:15:46 ..the namespace could refer only to the cross-origin usage. 15:15:55 ...all credentials could be used for payments. 15:16:30 ...it might also suggest "cross-origin login" but Rps could manage that. 15:16:38 s/Rps/user agents 15:16:39 ...I think the cross-origin bit is not likely to be loved by the WebAuthn folks. 15:17:28 Jean-Luc: Would it be possible for have two registrations in this scenario (where there's a ns prefix)? 15:17:44 smcgruer_[EST]: Yes, you could have two registrations. And they are considered two distinct relying parties 15:18:20 q+ 15:18:28 q- 15:18:32 ack me 15:19:08 ian: To summarise the proposal: Here's how to a bit that doesn't break things 15:19:38 ...in practice, could you have a list of enumerated things (e.g. public key, payment, log in...) 15:20:11 ...and can you ever change those things once it's been minted? 15:22:46 smcgruer_[EST]: We need to decide in this WG whether the proposal works. 15:23:07 ...so we need to hear from people who are planning to use SPC (and, e.g., Entersekt who raised the point on separation of powers) 15:24:57 ACTION: Nick to work with Ian to draw more WG attention to the concrete proposal. 15:25:04 I have made the request to generate https://www.w3.org/2021/11/18-wpwg-minutes.html Ian 15:25:21 smcgruer_[EST]: One question - if we do this, does it preclude us from trying something else in the future? 15:30:28 ..the way it would work today to manage "new" credentials it to prepend "SPC:"..but i expect over time the waters might be muddied. 15:31:55 NickTR: If credentials are immutable, you could either (1) recredential in a new namespace or (2) implementations would change behavior. 15:32:12 ...in short, this proposal seems reasonable to me. 15:32:31 ...I have the feeling reissuing the credential is a likely thing people will be done (for credential hygiene if nothing else) 15:32:41 q? 15:33:11 https://github.com/w3c/secure-payment-confirmation/issues/77 15:35:04 ian: explores use case 15:35:25 ...bank account holder with multiple accounts with the same bank 15:36:05 ...if they share a credential, then conceivably they can be linked by third parties 15:36:15 ...creating a potential privacy issue 15:36:55 ian: observation 1: users should be aware, and manage things separately 15:37:44 q? 15:37:53 q+ 15:38:09 q- 15:39:01 q+ to clarify that this isn't what PING said 15:39:26 ian: we need a solution that lets banks do the right thing (individual credentials per instrument) with the user experience of single registration 15:40:19 smcgruer_[EST]: PING asks for a solution that even a malicious bank could not cause a problem, but Ian points out that we can't prevent this anyway. 15:40:28 https://www.w3.org/2021/10/28-wpwg-minutes.html#t01 15:40:42 ian: I'm trying to describe the problem space. 15:41:06 ...I don't think we can prevent multiple accounts per user 15:41:22 ...malicious banks could always broadcast those links 15:41:52 ...I think we should help banks do the right thing 15:42:30 q? 15:42:32 q- 15:43:20 smcgruer_[EST]: this is exactly section 11.3 15:44:39 ian: so I believe that we want one credential per user on registration, but one credential per instrument on API call 15:44:55 Ian: We want "N-to-1" on the server side but "1-to-1" on the browser side. 15:45:07 smcgruer_[EST]: If you define a public method, the merchant can do it, too 15:50:36 ian: what would be good is a way of passing origin plus hash of credential into the authenticator (but this isn't current functionality) 15:50:51 smcgruer_[EST]: whatever we come up with has to be done in the authenticator in order to preserve "cross-browser' 15:51:33 ian: so I think we've found a use case that is worth WebAuthn investigating. 15:51:45 q+ 15:52:11 ack me 15:52:25 nicktr: A meta-observation (non tm version of meta)... 15:52:38 ...is this for v1? 15:56:49 Ian: Can you register N credentials with 1 registration gesture? 15:56:55 (Stephen nods "no") 15:56:57 https://github.com/w3c/webpayments/wiki/Agenda-20211118#upcoming-priorities-for-discussion 15:57:05 I have made the request to generate https://www.w3.org/2021/11/18-wpwg-minutes.html Ian 15:57:15 zakim, take up item 2 15:57:15 agendum 2 -- Upcoming priorities for discussion -- taken up [from Ian] 15:57:21 NickTR: Please have a look at those 15:57:24 zakim, close item 2 15:57:24 agendum 2, Upcoming priorities for discussion, closed 15:57:25 I see 2 items remaining on the agenda; the next one is 15:57:25 1. SPC issue review [from Ian] 15:57:28 zakim, take up item 3 15:57:28 agendum 3 -- Meeting schedule -- taken up [from Ian] 15:57:41 ian: update on process: 15:58:44 ...1) the AC review of Payment request ended a couple of weeks ago. We are working through two formal objections. We hope to satisfy the reviewers. 15:59:17 ...2) rechartering continues 15:59:53 9 Dec is next call 15:59:58 after that: 6 Jan 2022 16:00:14 RRSAGENT, make minutes 16:00:14 I have made the request to generate https://www.w3.org/2021/11/18-wpwg-minutes.html Ian 16:00:17 RRSAGENT, set logs public 16:40:47 rowan_m has joined #wpwg 16:40:53 ljharb has joined #wpwg 16:40:54 AdrianHB has joined #wpwg 16:40:55 ntelford has joined #wpwg 16:40:59 smcgruer_[EST] has joined #wpwg 16:41:03 hadleybeeman has joined #wpwg 16:41:05 jeffh has joined #wpwg 16:41:08 nicktr has joined #wpwg 16:41:11 tobie has joined #wpwg 16:41:21 slightlyoff has joined #wpwg 16:41:27 Travis has joined #wpwg