W3C

SPC Task Force

28 February 2022

Attendees

Present
Clinton Allen (American Express), Doug Fisher (Visa), Ian Jacobs (W3C), John Bradley (Yubico), Nick Burris (Google), Sameer Tare (Mastercard), Stephen McGruer (Google), Steve Cole (MAG)
Regrets
Carey Ferro
Chair
Ian
Scribe
Ian

Meeting minutes

SPC task force scheduling

Proposed: Move SPC task force discussions to the Thursday WPWG call

<smcgruer_[EST]> +1

+1

John: +1

SteveC: +1

(No objections)

ACTION: Ian to announce to WG that SPC discussions will move to main meeting.
… and to end the Monday meeting series.

[Anne said +1 to this]

Issue triage and prioritization

* Experiment feedback

* Issue management

* Horizontal review

* Test suite (later)

* Implementation stability

Stephen: We've already done v1 from our perspective.
… we think it's stable, but we are planning to make a breaking change (RPID)

Ian: Any other breaking changes envisioned?

Stephen: Not that I'm aware of.

Stephen: Here's what we are thinking about:

1) Experimental feedback. We hope to have something from Adyen/Airbnb. We've heard from Stripe that they are depending on the opt-out.

2) For issue management, I think that our biggest concerns from Chrome perspective are (1) opt-out and (2) web authentication integration
… until we have those, I don't think we can consider SPC a v1 API ready to advance

3) Regarding test suite; WPT has pretty good coverage for that which we consider testable.
… we could imagine a manual test suite as well

Ian: what does "web auth integration" mean here?

Stephen: Want to get rid of in-browser cache and get to something that has cross browser and synched support.
… we have two unmet dependencies today on the platform.

<smcgruer_[EST]> https://w3c.github.io/secure-payment-confirmation/#steps-to-determine-if-a-credential-is-spc-enabled

<smcgruer_[EST]> https://w3c.github.io/secure-payment-confirmation/#steps-to-silently-determine-if-a-credential-is-available-for-the-current-device

Ian: Any other pieces that are critical to resolve?

John_Bradley: I agree that the most critical thing to resolve is what we are asking WebAuthn/CTAP to store

Ian: Is there an active thread in CTAP?

John: No. The threads in the WebAuthn WG are mostly going to come down to "we need a clear request from the Web Payments WG."

smcgruer_[EST]: My takeaway was that WebAuthn folks said "not our problem; figure out CTAP and then come back to us."
… we have not yet figured out how to get progress in CTAP

John: Google and CABLE will need CTAP support in addition to others

https://github.com/w3c/secure-payment-confirmation/issues/157#issuecomment-993877775

John: This looks like it's come down to a single bit for "cross-origin" and all WebAuthn credentials can be used for payments.
… in a 1p context

Stephen: An RP can use subdomains to control usage

(Ian notes that is captured in the write-up; whew.)

John: We are working on multi-device passkey stuff, and flags to indicate whether a credential is multi-device.
… this could potentially fit into that work
… the flags are defined in WebAuthn and implemented in CTAP.

Ian: Should we add to issue WebAuthn 1695?

John: We have one extra bit

smcgruer_[EST]: Are you asking for us to post our summary (157) into 1667?

John: +1

ACTION: Stephen to point out our "proposal" on WebAuthn issue 1667

Next meeting

3 March WPWG call
… no further Monday meetings until further notice

ACTION: Ian to work with Stephen on triaging issues list for WPWG consideration

Summary of action items

  1. Ian to announce to WG that SPC discussions will move to main meeting.
    … and to end the Monday meeting series.
  2. Stephen to point out our "proposal" on WebAuthn issue 1667
  3. Ian to work with Stephen on triaging issues list for WPWG consideration

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).