14:40:05 <RRSAgent> RRSAgent has joined #wpwg
14:40:05 <RRSAgent> logging to https://www.w3.org/2022/02/16-wpwg-irc
14:40:09 <Ian> Meeting: Web Payments Working Group
14:40:23 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20220216
14:40:31 <Ian> regrets+ Nick_Telford-Reed
14:47:27 <Ian> agenda+ Changes to browsers and impact on Open Banking
14:48:08 <Ian> agenda+ Changes to browsers and impact on Open Banking
14:48:12 <Ian> zakim, drop agenda 2
14:48:12 <Zakim> agendum 2, Changes to browsers and impact on Open Banking, dropped
14:48:18 <Ian> agenda+ Open Banking and SPC
14:48:29 <Ian> agenda+ TPAC 2022 Survey
14:48:31 <Ian> agenda?
14:48:38 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/16-wpwg-minutes.html Ian
14:53:51 <Ian> present+ Ian_Jacobs
14:58:20 <Ian> present+ Herve_Robache
14:58:44 <Ian> present+ Detlef_Hillen
15:00:01 <Ian> present+ Ortwin_Scheja
15:00:39 <Ian> present+ Kris_Ketels
15:01:54 <Ian> present+ Stephen_McGruer
15:01:59 <Ian> present+ Sameer_Tare
15:02:28 <Ian> present+ 	Wijnand_Machielse
15:02:37 <Ian> present+ Chris_Wood
15:03:44 <Ian> present+ Manish_Garg
15:03:47 <SameerT> SameerT has joined #wpwg
15:03:57 <Ian> Chair: Ian
15:04:00 <Ian> Scribe: Ian
15:04:25 <Ian> present+ Vincent_Kuntz
15:04:29 <Ian> zakim, take up item 1
15:04:29 <Zakim> agendum 1 -- Changes to browsers and impact on Open Banking -- taken up [from Ian]
15:04:39 <Ian> present+ Ryan_Watkins
15:04:42 <Ian> present+ Susan_Pandy
15:04:52 <Hro> Hro has joined #wpwg
15:04:56 <Ian> Stephen: Browsers are changing for privacy reasons, restricting 3p cookies.
15:05:23 <Ian> ...already restricted in Safari, Firefox; Chrome removing them in 2023 time frame.
15:05:33 <Ian> ...cookie changes are just one of the changes in this space
15:05:42 <Ian> ...so we are having discussions about use cases that will be impacted
15:05:45 <Ian> present+ Leigh_Garner
15:06:21 <Ian> Stephen: We are asking people to think about how flows will break (or are breaking)
15:06:26 <Ian> present+ Gerhard_Oosthuizen
15:07:30 <Ian> Ian: Example of impact: choosing bank; remembering preferred bank
15:07:55 <Ian> Herve: Regarding cookie removal; is this just removal when the browser is closed or even in-session
15:08:42 <Ian> Stephen: Browsers are restricting access in a 3p context. If you are on merchant.com and there is a PISP in an iframe; the PISP will no longer have access to cookies
15:08:52 <Ian> ...there won't be access via HTTP headers or JS
15:09:13 <Ian> ...embedded iframe is a frequent scenario in ad use cases
15:09:20 <Ian> ...but it also has an impact in other use cases.
15:09:41 <Ian> ...for example, request to get pixel images used to carry cookies
15:09:46 <Ian> ...but will no longer do so.
15:10:25 <Ian> ...Ian referred to the open banking flow where the user has to choose their bank.
15:10:41 <Ian> ...and after the first time that choice is memorized, but that functionality (as it is currently implemented) will go away
15:11:26 <Gerhard> Gerhard has joined #wpwg
15:11:49 <Ian> Ian: Another use case - risk assessment
15:12:20 <Ian> Gerhard: I want to clarify - iframes will work; cookies will not
15:12:44 <Ian> Stephen: I think few things will outright break, but rather won't work as well
15:14:09 <Gerhard> q+
15:14:43 <Ian> ack Gerhard
15:15:20 <Ian> Gerhard: Another pattern that is changing - storage access is double-keyed (e.g,. indexDB)
15:15:49 <Ian> ...where in your protocols are you aware of iframe use cases or storage use cases
15:17:36 <Ian> Herve: I don't know about specific uses of cookies in our protocols as they are intended to be RESTful.
15:17:52 <Ian> ..in France the application of open banking is most likely through the use of mobile apps
15:18:15 <Ian> ...thus the payment app embeds the session information.
15:18:48 <Ian> ..but I do see one case where cookies are useful -- to avoid "session @@ attack"
15:19:37 <Ian> ...the the user is redirected to the bank and then bank. The TPP checks the cookie to be sure there is no swap in users during the interaction.
15:20:17 <Ian> ...the thread is: user makes a purchase, is redirected, and then sent back to another user environment. The TPP's job is to prevent this attack (and uses cookies)
15:20:32 <Ian> ...I think that's the sole case that involves user cookies
15:20:48 <Ian> Ortwin: I agree with that assessment
15:20:59 <Ian> Herve: The TPP can use cookies for their own business.
15:21:45 <Ian> Ortwin: The TPP's job is integration into the merchant site. You need to be talking to Plaid, Klarna, etc.
15:23:09 <Ian> Ortwin: You might want to reach out to the TPP Association to make them aware of this.
15:23:37 <Ian> Manish: TPPN. Also in the UK FData.
15:23:48 <Ian> ....there are TPP use cases in both 3p and 1p contexts.
15:24:02 <Ian> ...e.g., list of banks is constantly changing so sometimes choice happens in 1p context
15:24:22 <Ian> ACTION: Ian to follow up with Manish on UK TPP context
15:24:46 <Ian> ACTION: Ian to follow up with Ortwin re: EU TPP Context
15:25:09 <Ian> present+ Tomoya_Horiguchi
15:25:41 <Ian> Ian: Any other checkout context use cases?
15:25:48 <Ian> Orwin: Go ask the TPPS
15:26:07 <Ian> Manish: Here's how the list of banks works - either the TPP provides an API
15:26:16 <Ian> ...in which case the merchant manages the list in a 1p context
15:26:30 <Ian> ...or the TPP provides a web-hosted page (in a 3p context, for example)
15:27:21 <Ian> Manish: Stephen, you mentioned the timeline (2023). Is that tentative?
15:27:29 <Ian> Stephen: that's the declared Chrome timeline
15:27:32 <Gerhard> q+
15:27:40 <Ian> Stephen: See privacysandbox.com
15:28:06 <Ian> ...second half of 2023. But other browsers have already made changes (e.g., Safari a couple of years ago)
15:28:33 <Ian> ...bear in mind that there are also changes not related to cookies
15:28:44 <Ian> ack G
15:28:44 <smcgruer_[EST]> https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline
15:29:10 <SameerT> q: +1 to exciting and scary times
15:29:20 <Ian> Gerhard: If we are aware of cases where browser fingerprinting happens (e.g, user agent string)
15:29:30 <Ian> ...would be good to know
15:30:01 <Ian> stephen: User agent string changes happening sooner.
15:30:02 <Ian> https://developer.chrome.com/docs/privacy-sandbox/user-agent/
15:30:28 <Ian> -> https://www.w3.org/2022/01/20-wpwg-minutes.html#t04 See recent presentation
15:31:15 <Ian> -> https://docs.google.com/presentation/d/1tec2bCpGHGM4FkX4y4GFlBwCa9dWs1ukGot-xkHRX-A/edit#slide=id.g10c56b38801_0_1933 Presentation
15:31:37 <Ian> ack G
15:31:41 <Ian> zakim, take up item 3
15:31:41 <Zakim> agendum 3 -- Open Banking and SPC -- taken up [from Ian]
15:32:21 <Hro> Hro has joined #wpwg
15:32:39 <Ian> Wijnand: Berlin Group is one of the groups doing APIs related to open banking; we have a roadmap in 2022
15:33:17 <Ian> ...first half of year is handling overflow from 2021
15:34:15 <Ian> ...for new architecture items in the roadmap
15:34:31 <Ian> ...some considerations: OpenID, FAPI
15:34:37 <Ian> ...API access scheme development
15:34:54 <Ian> ...we have a EPC, which was tasked by the ECB to work on a safer access scheme
15:35:05 <Ian> ...Berlin Group and others will be involved in this work soon
15:35:09 <Ian> ...this might still impact our 2022 work plan
15:35:19 <Ian> ...another work item is to provide for direct access and signed transaction data
15:35:30 <Gerhard> q+
15:35:52 <Ian> Wijnand: We are also reviewing EIDAS regulation
15:36:09 <Ian> ...the ECB also started work in the space of digital Euro
15:36:25 <Ian> ack Ger
15:36:40 <Ian> Gerhard: Very interesting. The one that stands out for me (in this context) is digital signing.
15:36:54 <Ian> ...SPC uses crypto signature mechanism as part of a payment display
15:37:00 <Ian> ...signs what is displayed to the user.
15:37:08 <Ian> ...it would be valuable to know what fields you need to be signed
15:37:23 <Ian> ...then we could SPC sign something that you can leverage on the server
15:37:47 <Ian> ...we'd like to align.
15:38:07 <Ian> Wijnand: Alignment would be extremely needed. As soon as SPC can share data with us, that would be great.
15:38:25 <Ian> ...we've not looked at the SPC draft yet in detail; we don't have details on our side yet
15:38:56 <Ian> Ortwin: We'll use JSON signature to sign the full payment data
15:39:17 <Ian> ...we are turning APIs also into "direct access"; this lets companies use the APIs with their own banks.
15:39:37 <Ian> ...the SCA mechanisms are normally in the enterprise context
15:39:49 <Ian> ..there will be other resources that need to be signed as well (e.g., subscriptions)
15:40:14 <Ian> ...theoretically you might use not only the classical signing mechanisms (certificates) but other methodologies as well.
15:40:35 <Ian> ...we'll be investigating signing mechanisms
15:40:52 <Ian> Ian: How connected are you to FIDO?
15:41:00 <Ian> Ortwin: They are part of our advisory board.
15:43:02 <Ian> Gerhard: If we want to evolve SPC we might want to look at some of the open banking use cases. Currently we support immediate payment consent, but there might also be consent for recurring payments.
15:43:22 <Ian> ...so would be good to hear more use cases to see whether SPC can handle them.
15:43:31 <Ian> Ortwin: Have a look in the roadmap for that
15:43:57 <Ian> ...the EPC is looking into use cases like guarantees, deferred payments (to be executed later), split payments, recurring payments
15:44:20 <Ian> q?
15:44:47 <Ian> Ortwin: You need also to talk to the TPPs regarding integration
15:45:17 <Ian> ...banks are driving this from a 1p access; providers from a 3p point of view
15:45:46 <Ian> -> https://cutt.ly/lPhRSvk Berlin Group roadmap
15:46:31 <Ian> Ian: What options do we have to collaborate more closely?
15:47:05 <Ian> Ortwin: Probably too soon, but when market consultations start, we would like to collaborate
15:47:20 <Ian> Ian: How does that work?
15:47:36 <Ian> Ortwin: We publish publicly. We can ask our advisors if they are interested in a closer relationship.
15:49:18 <Ian> Herve: Re STET, we have standardized functionalities required by regulators; talking about extensions with people.
15:49:29 <Ian> ...on security layer we are still working on a signature mechanism
15:49:44 <Ian> ...we have a client-signed mechanism that was using HTTP signature but there is now a new IETF draft
15:50:01 <Ian> ...we also worked with ETSI to implement a JSON signature mechanism.
15:50:10 <Ian> ...on the client side signature front, we are working with FIDO
15:50:37 <Ian> ...but there are 2 concerns. First, the FIDO mechanisms were not providing all that I needed ... a payment signature. But I think SPC will potentially help.
15:50:55 <Ian> ...my second concern has to do with adoption
15:51:05 <Ian> q+
15:51:18 <Ian> ack me
15:51:31 <Ian> Ian: What are barriers to adoption of FIDO?
15:51:48 <Ian> Herve: In some cases, people already have 2-factor mechanisms and don't want to implement a new architecture
15:52:27 <Ian> ...regarding OpenID connect; banks in France are used to OAuth2. But the move to OpenID connect is not obvious to them.
15:52:43 <Ian> ...we were inspired by FAPI-decoupled approach
15:53:03 <Ian> ...we implemented a version of this approach in the most recent release, but it's not based on OpenID Connect
15:53:37 <Ian> Kris: With my ISO2022 hat on, here's a quick update
15:54:23 <Ian> ...we are revising ISO2022; new work will enable people to register business APIs with ISO 2022
15:55:03 <Ian> Vincent: One thing that might be of interest to this group -- a study group in ISO2022 to look at standardizing digital rights
15:55:31 <Ian> s/rights/wallets
15:55:34 <Ian> ...the scope is not yet defined
15:55:45 <Ian> ...e.g., questions on tokens, fiat currencies, etc.
15:56:49 <Ian> Ian: Let's stay in touch on that!
15:57:12 <Ian> q?
15:57:23 <Ian> zakim, take up item 4
15:57:23 <Zakim> agendum 4 -- TPAC 2022 Survey -- taken up [from Ian]
15:57:51 <Ian> TPAC 2022: 12-16 September
15:58:59 <Ian> RRSAGENT, make minutes
15:58:59 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/16-wpwg-minutes.html Ian
15:59:03 <Ian> RRSAGENT, set logs public