16:57:02 <RRSAgent> RRSAgent has joined #wpwg-spc
16:57:02 <RRSAgent> logging to https://www.w3.org/2021/12/13-wpwg-spc-irc
16:57:06 <Ian> Meeting: SPC Task Force
16:57:10 <Ian> Chair: Ian
16:57:21 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Dec/0012.html
16:57:24 <Ian> Scribe: Ian
16:57:34 <Ian> Regrets+ Praveena, Gerhard
16:57:39 <Ian> present+ Ian_Jacobs
16:58:25 <Ian> agenda+ Payments/login use cases
16:58:28 <Ian> agenda+ next meeting
16:59:50 <Ian> present+ Stephen_McGrueur
16:59:53 <Ian> present+ John_Bradley
17:00:42 <Ian> present+ Anne_Pouillard
17:01:28 <Ian> present+ Jeff_Hodges
17:01:33 <Ian> present+ Tim_Cappalli
17:01:37 <Ian> present+ Susan_Pandy
17:01:47 <Ian> zakim, take up item 1
17:01:47 <Zakim> agendum 1 -- Payments/login use cases -- taken up [from Ian]
17:02:26 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/157
17:03:33 <timcappalli> timcappalli has joined #wpwg-spc
17:06:13 <Ian> present+ Doug_Fisher
17:06:17 <Ian> present+ Bastien_Latge
17:06:48 <Ian> John_Bradley: Do we need to differentiate between vanilla webauthn and spa-enabled; any reason to do this in the browser?
17:07:05 <smcgruer_[EST]> q?
17:07:06 <smcgruer_[EST]> q+
17:07:07 <Ian> ..is there a requirement to do something *in the browser*?
17:07:20 <Ian> ack smcgruer_[EST]
17:07:56 <Ian> smcgruer_[EST]: My understanding is that we don't need something in the browser, but we've heard some people say "don't allow this to be used for payments unless RP has explicitly set it."
17:08:05 <Ian> present+ Sameer_Tare
17:09:01 <Anne> Anne has joined #wpwg-spc
17:09:14 <Ian> John_Bradley: RP has total control for 1p use cases.
17:09:25 <Ian> ...they can use two different RPID's
17:09:29 <Ian> ack Doug
17:10:12 <Ian> doug: Would be great if RP is tasked with deciding which RPIDs to provide to merchants
17:10:24 <Ian> ..but because merchant is invoking API, could it not add to the credential list?
17:10:57 <Ian> ...I'm hearing that the RP could not be assured that no other credential IDs are used by the merchant.
17:11:06 <smcgruer_[EST]> q+
17:11:10 <Ian> John_Bradley: We need to separate how to solve 1p context before we start ....
17:11:17 <Ian> ...looking at 3p
17:11:37 <Ian> ...if we can agree that 1p uses are ok, then we can focus on a "3p capable" flag.
17:11:38 <Ian> ack smcgruer_[EST]
17:11:52 <Ian> smcgruer_[EST]: From my view, I don't hear a disagreement. I think the 1p use cases are fine.
17:12:33 <Ian> John_Bradley: Regarding prefix / postfix to RPID...I think akshay leaning to "postfix" such as "#payment"
17:12:40 <Ian> ..if we can agree that it's a different namespace.
17:13:11 <Ian> ...so if RP wants to enable SPC for both get() and create(), then they can set a new RPID
17:14:06 <Ian> Ian: How to use same credential for 1p login authentication?
17:14:44 <smcgruer_[EST]> q?
17:14:50 <Ian> John_Bradley: Could involve a change in the browser to recognize postfix
17:14:53 <smcgruer_[EST]> q+
17:14:55 <Ian> q+
17:15:29 <Ian> John_Bradley: As an RP if you want to use SPC in regular auth, then you will only get the 3p type (not a mix of 3p and 1p credentials)
17:15:48 <Ian> ack smcgruer_[EST]
17:16:00 <Ian> smcgruer_[EST]: that is one of two reasons that I think we should not do a namespace.
17:16:10 <Ian> ...the first reason is the one John just cited
17:16:25 <Ian> ...second reason is the need to query credentials for their existence
17:16:40 <Ian> ..if we introduce a namespace to solve the first problem, we'd still need to keep the cache around
17:16:54 <Ian> ...to fix that, we'd need a platform level API
17:17:13 <Ian> John_Bradley: What does "is valid" to you?
17:17:35 <Ian> Stephen_McGruer: We have a conditional UI sort of behavior: if authenticator is available, do X; Otherwise do Y
17:17:46 <smcgruer_[EST]> https://w3c.github.io/secure-payment-confirmation/#steps-to-silently-determine-if-a-credential-is-available-for-the-current-device
17:18:25 <smcgruer_[EST]> s/is authenticator is available/if credential is present for this authenticator/
17:18:51 <Ian> John_Bradley: you can use credential management to find credentials based on their RPs. The biggest problem with credential management is that you need to do some sort of authentication for privacy reasons before you can get at the credentials.
17:19:08 <Ian> ...you can either do credential management or an allow list (with user presence = 0)
17:19:24 <Ian> ..the latter works for both platform and remote authenticators if you have the credential IDs
17:19:30 <Ian> ...more complicated on Windows
17:20:39 <Ian> ..that would work with namespaced credentials
17:21:52 <Ian> Ian: What needs to change on an RP server?
17:22:07 <Ian> JOhn_Bradley: Nothing should change for the 1p other than how to recognize the typed credentials.
17:27:47 <Ian> John_Bradley: If we can flag credentials without touching RPID, then we can not touch WebAuthn at all.
17:31:50 <Ian> ....if we are not using RPID then "3p ok" is only necessary to be known by the SPC API.
17:32:04 <Ian> Ian: How do we get the bit in the credential?
17:32:13 <Ian> John_Bradley: A Webauthn extension.
17:32:40 <smcgruer_[EST]> 'A WebAuthn extension' is just the mechanism for a developer to say 'I want this to happen'. It is not the bit itself.
17:33:11 <Ian> John_Bradley: Platforms would have to know how to set bit / or authenticator would have to do it.
17:35:34 <Ian> John_Bradley: People expect to be using fields for different things. To be backwards compatible we need to step on somebody's usage of something (userid, Cred blob, something else)
17:35:36 <smcgruer_[EST]> But we don't *have* to be backwards compatible!
17:35:52 <Ian> John_Bradley: ...there may be sensitivities about stepping on existing usage.
17:36:00 <Ian> ...if we want to use something other than the RPID to flag this.
17:36:05 <Ian> q+
17:36:55 <Ian> John_Bradley: Having it's own data element ideal. But shy of that, re-using existing fields. If changes have to happen in the platform as opposed to the browser, the deployment lag for some platforms will need to be taken into consideration.
17:37:13 <Ian> ...one advantage of using the RPID is that could be manipulated by the browser and passed through the DLL.
17:38:24 <Ian> Ian: Why would RP need RPID?
17:38:35 <Ian> JohN_Bradley: RP doesn't read the credential.
17:38:57 <Ian> Stephen: RP's can separate credentials if they want (via RPID)
17:39:52 <Ian> John_Bradley: I'm ok with long term approach, as long as you understand the consequences.
17:40:10 <Ian> Tim: +1 to doing this the "right way for the long term"
17:40:25 <Ian> ...John's right that the devil's in the details. But +1 to "doing it the right way."
17:41:32 <Ian> Stephen: Credentials will work in short term in 3p context due to per-browser caching.
17:42:13 <Ian> John_Bradley: You can go cross browser in 1p on the same device
17:42:18 <smcgruer_[EST]> I don't believe that's true due to https://w3c.github.io/secure-payment-confirmation/#steps-to-silently-determine-if-a-credential-is-available-for-the-current-device
17:42:35 <smcgruer_[EST]> (Still need a cache to do conditional showing ==> still per-browser)
17:42:41 <Ian> Tim:  There are other use cases where an extra bit would be valuable (e.g., a "type" field for sync in to the cloud)
17:43:01 <Ian> ACTION: Stephen to work with Ian to write this up
17:43:36 <Ian> Next meeting: 10 Jan
17:45:12 <Ian> RRSAGENT, make minutes
17:45:12 <RRSAgent> I have made the request to generate https://www.w3.org/2021/12/13-wpwg-spc-minutes.html Ian
17:45:17 <Ian> RRSAGENT, set logs public