17:00:57 <RRSAgent> RRSAgent has joined #wpwg-spc
17:00:57 <RRSAgent> logging to https://www.w3.org/2021/11/29-wpwg-spc-irc
17:01:01 <Ian> Meeting: SPC task force
17:01:03 <Ian> Chair: Ian
17:01:09 <Ian> present+
17:01:12 <Ian> present+ Susan_Pandy
17:01:16 <Ian> present+ Anne_Pouillard
17:01:31 <Ian> present+ Jeff_Hodges
17:01:34 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Nov/0016.html
17:01:36 <Ian> Scribe: Ian
17:01:59 <Ian> present+ Stephen_McGruer
17:02:03 <Ian> present+ John_Bradley
17:02:20 <Ian> regrets+ Adrian_Hope-Bailie
17:02:38 <Ian> present+ Werner_Bruinings
17:02:55 <Ian> Topic: Cross-origin Web Authen
17:02:58 <Ian> https://github.com/w3c/webauthn/issues/1667#issuecomment-975770111
17:03:05 <Ian> present+ Gerhard_Oosthuizen
17:03:11 <werner> werner has joined #wpwg-spc
17:03:15 <Ian> present+ Doug_Fisher
17:03:31 <Gerhard> Gerhard has joined #wpwg-spc
17:03:44 <Ian> https://github.com/w3c/webauthn/issues/1667#issuecomment-975770111
17:04:12 <Ian> present+ Christian_Aabye
17:04:21 <Ian> John_Bradley: I've not yet expanded on the WebAuthn thread.
17:04:36 <Ian> ...not yet everyone on board about using userid.
17:04:45 <Ian> ...the other approach is two namespaces for rpid
17:05:01 <smcgruer_[EST]> q+
17:05:07 <Ian> ack stm
17:05:10 <Ian> ack sm
17:05:22 <Ian> smcgruer_[EST]: Interesting question - how would we resolve this one way or another.
17:06:09 <Ian> John_Bradley: Implementer buy-in affects implementation
17:06:59 <Ian> Gerhard: One of the most prolific publishers of data on SCA is from a browser vendor
17:07:09 <Ian> ...maybe we could arrange for a discussion
17:08:49 <Ian> q+ Doug
17:09:07 <Ian> Ian: What data do we have?
17:09:07 <Ian> Gerhard: EU said you have to do 2 factor for payments and for login
17:09:18 <Ian> ...it's valuable to have fewer registrations from a ux experience
17:09:43 <Ian> ...we've seen in the banking app and GSM environment value of using same token for both use cases
17:11:00 <Ian> Doug: Regarding resolving this. Although I can't speak for EMVCo, might be a channel for gathering information about bank requirements. I could raise this in 3DS WG so that members can raise it internally
17:11:23 <Ian> ...I think registration of credentials is a difficult area for us to solve, and I think banks would want to leverage existing investments.
17:11:44 <Ian> ...I think they would definitely prefer an environment where credentials could be used in both use cases.
17:12:09 <Ian> John_Bradley: The question is: there is nothing that stops an authentication from also being an SPC credential, but the SPC credential only works with the issuer's origin
17:12:26 <Ian> ...but what we are discussing is what happens when you want to use these credential from 3p origins
17:13:12 <Ian> Doug: I think that RPs will want to use SPC credentials for login
17:13:16 <Ian> ...in a 1p context
17:14:51 <Ian> Gerhard: I expect that the flow will be: (1) register for login (2) register for payments from 1p (3) Register for 3p SPC
17:15:15 <Ian> ...in FAPI flow, there will be full redirect to bank domain.
17:15:25 <Ian> ...even there again, it's a 1p context
17:15:38 <Ian> ...3DS is really the only environment that involves 3p auth
17:16:01 <smcgruer_[EST]> q?
17:16:11 <smcgruer_[EST]> q+
17:16:31 <Ian> regrets+ Praveena
17:16:33 <Ian> ack Doug
17:17:09 <Ian> q+
17:17:33 <Ian> John_Bradley: The two proposals are the same as to whether the bank can use it.
17:17:42 <Ian> ...we also to consider the "no allow" use case
17:17:43 <Ian> ack smcgruer_[EST]
17:18:12 <Ian> smcgruer_[EST]: I would like to hear from our partners who are experimenting to see whether "register for login" is the first use case we'll see.
17:18:57 <Ian> ...I would speculate that if you are looking at a case, for example, where a PSP is doing delegated authentication, the PSP might do SPC as the RP.
17:20:09 <Ian> Gerhard: Merchants ALSO want to use FIDO for both login and payment
17:20:25 <Ian> ack me
17:21:10 <Gerhard> question: Could we look at the Microsoft counter proposal, and it's implications?
17:21:30 <Ian> q+ Doug
17:22:09 <Ian> IJ: another approach is making N registrations easier.
17:22:20 <Ian> John_Bradley: There is a concept of user verification caching; but not implemented.
17:22:32 <Ian> ...there is practically a requirement for some user action for registration
17:22:48 <Ian> ...that could change but would be a large change to the infrastructure
17:25:12 <Ian> Jeff_Hodges: I am hearing the concern is "How many use gestures are required to acquire enough credentials to satisfy the use cases."
17:25:47 <Ian> John_Bradley: Yes, I hear that is what Ian is trying to say.
17:26:12 <Ian> ...that's called user verification caching but there are no instances of that that I know of
17:27:19 <Ian> Gerhard: If MS is proposing an alternative, have we reviewed that?
17:27:43 <Ian> John_Bradley: I am not sure there's an alternative (to "other namespace" approach)
17:29:36 <Ian> ack Doug
17:29:59 <Ian> Doug: I think there is a use case where SPC credentials would be created first and extended after to login id.
17:30:19 <Ian> ...we don't want user to have to select from a list of valid credentials.
17:30:42 <Ian> ...don't want to move friction from credential creation to payment transaction.
17:30:47 <Ian> q?
17:32:57 <Ian> John_Bradley: Question is "Why should WebAuthn allow dual use of a cross-origin credential?"
17:39:08 <Ian> Topic: Next meeting
17:39:13 <Ian> 6 Dec
17:39:16 <Ian> RRSAGENT, make minutes
17:39:16 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wpwg-spc-minutes.html Ian
17:39:19 <Ian> RRSAGENT, set logs public