17:01:24 <RRSAgent> RRSAgent has joined #wpwg-spc
17:01:24 <RRSAgent> logging to https://www.w3.org/2021/11/22-wpwg-spc-irc
17:02:23 <Ian> Meeting: SPC Task Foce
17:02:28 <Ian> Chair: Ian
17:02:30 <Ian> Scribe: Ian
17:02:47 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Nov/0012.html
17:02:47 <Ian> present+
17:02:51 <Ian> present+ Anne_Pouillard
17:02:53 <Ian> present+ Doug_Fisher
17:02:58 <jcemer> jcemer has joined #wpwg-spc
17:02:58 <Ian> present+ Jean_Carlo_Emer
17:03:04 <Ian> present+ Jeff_Hodges
17:03:12 <Ian> present+ Praveena_Subrahmanyan
17:03:17 <Ian> present+ Gerhard_Oosthuizen
17:03:46 <Ian> Topic: Web Authentication proposal for using namespaces
17:04:00 <Ian> present+ John_Bradley
17:04:21 <Ian> -> https://github.com/w3c/webauthn/issues/1667#issuecomment-957887836 WebAuthn issue
17:04:35 <Doug> Doug has joined #wpwg-spc
17:04:52 <Ian> Gerhard: There are two topics really:
17:04:59 <Ian> a) Protecting keys
17:05:09 <Ian> b) Splitting cross-origin / for payments
17:05:32 <Ian> Gerhard: Regarding "spc:" prefix. See my comment:
17:05:38 <Ian> https://github.com/w3c/webauthn/issues/1667#issuecomment-975171376
17:06:09 <Ian> ....there are multiple use cases, but for banks the primary use case is authentication in their own domain
17:08:15 <Ian> present+ Susan_Pandy
17:09:22 <Ian> smcgruer_[EST]: SPC namespace would be allowed to be used with (1) cross-origin behavior and (2) transaction UX
17:09:50 <Ian> ..namespace will prevent login use cases
17:10:21 <Ian> John_Bradley: There's no reason SPC couldn't use login credentials for payments for BOUND origins
17:10:39 <Ian> ...and a special cross-origin type for other use cases
17:10:51 <Ian> smcgruer_[EST]: So we could create a "cross-origin:" prefix
17:11:09 <Ian> ...that would mean that if you are a smart merchant, you could not use cross-origin for login
17:11:46 <Ian> gerhard: The thing I'm worried about with the ns is that it excludes other use cases.
17:12:18 <Ian> ==========
17:12:34 <Ian> 1) If you want to limit to same origin, just allow SPC with WebAuthn vanilla
17:13:07 <Ian> 2) Logging on same origin
17:13:15 <Ian> 3) Login from different origin
17:13:19 <Ian> 4) Payment from different origin
17:13:34 <Ian> Gerhard: Seems like we want to allow all but #3 (login from non-rp)
17:14:19 <Ian> ...in the case of 3DS and open banking, the other three use cases are interesting
17:14:32 <smcgruer_[EST]> q?
17:14:55 <Ian> John_Bradley: Login from not-pr.com is problematic.
17:15:07 <Ian> ...other than payments context there is no backchannel protocol.
17:15:33 <Ian> ...if we agreed that all banking credentials could be used as non-rp.com for payments we would not need to differentiate.
17:16:19 <smcgruer_[EST]> q+
17:16:20 <Ian> Gerhard: Feedback we've heard from issuers is that they are not that keen in using a credential from the merchant.
17:17:14 <Ian> ...what I don't want is banks to not adopt SPC due to theory that credentials could be misused.
17:18:23 <Ian> ack sm
17:18:45 <Ian> smcgruer_[EST]: There's another reason to have the separation - some WebAuthn folks never want their credential to be used by another domain.
17:19:01 <Ian> ...so I think there's good reason to separate the 3p use case if we can.
17:19:24 <Ian> ...if we have a 3p enabled ns, you could have payment and login on rp.com with a single credential (since all 1p)
17:19:50 <Ian> ...once you add the "3p:" namespace, non-rp.com could use the credential ONLY for payments (not login)
17:19:55 <Ian> ...so there is no upgrade path.
17:20:12 <Ian> ...can you use 3p credentials for login?
17:20:25 <Ian> John_Bradley: Not without changing WebAuthn due to rpid
17:20:57 <Ian> ...if you attempt to say that you are an rpid that the browser can't validate, because there's a colon it's not a valid UI
17:21:08 <Ian> smcgruer_[EST]: But the developer experience would be terrible
17:26:05 <Gerhard_> Gerhard_ has joined #wpwg-spc
17:26:29 <Ian> Ian: I am hearing from Gerhard that "same origin" more important than "reuse for login"
17:26:47 <Ian> John_Bradley: If we limit ourselves to discoverable credentials, we can also leverage the user_id field.
17:27:01 <Ian> ...we could have flag that says "this can be used cross-origin with SPC"
17:27:11 <Ian> ...we have a number of characters we can use in the field for flags
17:27:21 <Ian> ..but we'd need to limit ourselves to discoverable credentials.
17:27:49 <Ian> ...you'd lose non-discoverable credentials, but that might be an ok tradeoff.
17:27:56 <Ian> JeffH: Why discoverable credentials only?
17:28:13 <Ian> John_Bradley: No user_id returned in non-discoverable credentials. (You COULD return it but nobody does.)
17:28:30 <Gerhard_> Question: Who could inform us if the usage of Payment in First party would require a special permission / setting during creation?
17:28:43 <Gerhard_> Then we can focus exclusively on the Cross-domain part of the problem..
17:29:18 <Ian> JeffH: In WebAuthn we say user_id can be used by the RP.
17:29:25 <Ian> ...we state that it's really for an account identifier
17:29:52 <Ian> John_Bradley: Right, you could not use an existing credential cross-origin
17:30:08 <Ian> John_Bradley: We could make a structured field.
17:30:24 <Ian> ...I think we have 64 bytes in that field
17:30:40 <Ian> JeffH: We could do some form of namespace stuff there fore newly created credentials.
17:30:45 <Gerhard_> q+
17:31:02 <Ian> JohN_Bradley: An upside is that you would not need an extension. the RP could just make them.
17:31:24 <Ian> ...the semi-downside is that arbitrary RPs could discover the format, but nothing we are doing would stop them anyway
17:31:42 <Ian> ack Gerhard_
17:31:59 <Ian> Gerhard_: Is this WebAuthn Level 2?
17:32:16 <Ian> John_Bradley: Would work with any authenticators that support discoverable credentials.
17:32:31 <Ian> ...and works in roaming authenticators (that support discoverable credentials)
17:33:02 <Ian> smcgruer_[EST]: My pitch has been that we do discoverable credentials; but in current design you can fall back to non-discoverable credentials.
17:33:35 <Ian> John_Bradley: I prefer also  supporting non-discoverable credentials; but probably going with "what we have in hand" better
17:34:52 <Ian> https://github.com/w3c/webauthn/issues/1667
17:35:34 <Ian> ACTION: John Bradley to write up proposal on that thread
17:35:47 <Ian> JeffH: I suggest we add SPC to the title of that issue.
17:36:08 <Ian> Gerhard: One question is do we need a flag for 1p usage? (or just 3p usage)
17:36:24 <Ian> John_Bradley: I don't think WebAuthn has an opinion on using a WebAuthn credential for payments in a 1p
17:36:48 <Ian> Gerhard: Second point is: what if we want to use it for still other custom displays (related to payment)
17:36:53 <Ian> ...e.g., P2P or recurring
17:37:02 <Ian> ...in other words "even more use cases"
17:38:02 <Ian> John_Bradley: We may wish to consider structured data to avoid stepping on toes
17:38:19 <Ian> ...e.g., "ephemeral" flag so that credentials are not replicated across devices
17:39:08 <Ian> Topic: Next call
17:39:21 <Ian> 29 Nov
17:39:31 <Ian> RRSAGENT, make minutes
17:39:31 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/22-wpwg-spc-minutes.html Ian
17:39:35 <Ian> RRSAGENT, set logs public
20:43:02 <Zakim> Zakim has left #wpwg-spc