IRC log of wpwg on 2022-05-05

Timestamps are in UTC.

13:48:23 [RRSAgent]
RRSAgent has joined #wpwg
13:48:23 [RRSAgent]
logging to https://www.w3.org/2022/05/05-wpwg-irc
13:48:32 [Ian]
Meeting: Web Payments Working Group
13:48:49 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Remote-Agenda-202205
13:48:55 [Ian]
Scribe: Ian
13:49:07 [Ian]
RRSAGENT, make minutes
13:49:07 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/05/05-wpwg-minutes.html Ian
13:49:10 [Ian]
RRSAGENT, set logs public
13:51:27 [Ian]
present+ Ian_Jacobs
13:59:39 [Ian]
present+ Stephen_McGruer
13:59:43 [Ian]
present+ John_Bradley
14:00:17 [Ian]
present+ Erhard_Brand
14:00:36 [Ian]
present+ Carey_Ferro
14:00:40 [Ian]
present+ Steve_Cole
14:00:52 [Carey]
Carey has joined #wpwg
14:01:24 [Ian]
present+ Nick_Burris
14:01:27 [Ian]
present+ Haribalu_V
14:01:37 [Ian]
present+ Praveena_Subrahmanyam
14:01:42 [Ian]
present+ Anne_Pouillard
14:01:52 [Ian]
present+ Bart_de_Water
14:01:57 [Ian]
present+ Richard_le_Dain
14:02:12 [praveenas]
praveenas has joined #wpwg
14:02:19 [Anne]
Anne has joined #wpwg
14:02:58 [Ian]
present+ Adam_Kelly
14:03:05 [Ian]
present+ Jayadevi
14:03:08 [Ian]
present+ Michael_Horne
14:03:18 [Ian]
present+ Doug_Fisher
14:03:22 [Ian]
present+ Uno_Veski
14:03:25 [Ian]
present+ Ryan_Watkins
14:03:31 [Ian]
present+ Hemnath
14:03:42 [bdewater]
bdewater has joined #wpwg
14:04:10 [Ian]
present+ Christiaan_Brand
14:04:17 [dougf]
dougf has joined #wpwg
14:04:24 [Uno]
Uno has joined #wpwg
14:04:56 [Ian]
present+ Sameer_Tare
14:05:02 [Ian]
present+ Gerhard_Oosthuizen
14:05:15 [Gerhard]
Gerhard has joined #wpwg
14:05:17 [Gerhard]
present+
14:05:50 [Hemnath]
Hemnath has joined #wpwg
14:06:35 [Ian]
present+ John_Fontana
14:07:45 [Ian]
Topic: Web Authentication WG
14:08:16 [Ian]
present+ Sami_Tikkala
14:08:20 [Ian]
present+ Tomoya_Horiguchi
14:08:37 [Ian]
present+ Anwar_Moco
14:08:37 [bryanluo]
bryanluo has joined #wpwg
14:08:42 [Ian]
present+ Bryan_Luo
14:09:29 [Ian]
present+ Manish_Garg
14:11:31 [Ian]
present+ Tim_Cappalli
14:16:29 [Ian]
http://www.w3.org/2022/Talks/wpwg-authn-202205/wpwga-202205.pptx
14:17:09 [Ian]
IJ: What is status of request to FIDO2TWG?
14:17:32 [Ian]
smcgruer_[EST]: Proposal has been made; we had an initial discussion on Tuesday (this week); they have assigned some reviewers.
14:17:54 [Ian]
present+ Krithi
14:18:09 [Ian]
John_Bradley: Will be a topic of conversation at FIDO plenary in 2 weeks
14:18:23 [Ian]
...after a first read of the proposal extension makes sense.
14:18:30 [Ian]
...will probably have to have discussions about what the response means.
14:18:59 [Ian]
...if a FIDO authenticator does not understand the bit you won't get it back in the response; that could be a useful signal
14:19:25 [Ian]
...what goes into the extension and how is it treated by the RP?
14:19:53 [Ian]
John_Bradley: Rather than have the platform management flags, I prefer the individual extension flag to allow authenticators to manage the storage.
14:20:10 [Ian]
Ian: Who is participating from WPWG in the FIDO meeting?
14:20:14 [benoit]
benoit has joined #wpwg
14:20:42 [Ian]
Christiaan: I'll be there and will work with Stephen
14:21:32 [Ian]
present+ David_Benoit
14:21:43 [Ian]
Ian: For WebAuthn, what has to happen and how do we get it done?
14:21:54 [Ian]
John_Bradley: WebAuthn just passes through the extension during create().
14:22:09 [Ian]
Ian: Is the extension defined in a W3C specification?
14:22:16 [smcgruer_[EST]]
q+
14:22:17 [Ian]
John_Bradley: It would more likely be CTAP
14:22:50 [Ian]
...since relies on changes to the protocol
14:23:06 [Ian]
ack smcgruer_[EST]
14:23:42 [Ian]
smcgruer_[EST]: Agree that there are no "client processing steps" at creation time.
14:23:48 [Steve_C]
Steve_C has joined #wpwg
14:24:14 [Ian]
...but for WebAuthn folks, given that we want to expose this in a way similar to Conditional UI, is there a WebAuthn spec change for credential listing APIs?
14:24:41 [Ian]
ChristiaanBrand: We are talking about the client querying the story; this is outside of scope of WebAuthn itself IMO
14:24:55 [smcgruer_[EST]]
s/story/credential store
14:24:57 [SameerT]
SameerT has joined #wpwg
14:25:07 [SameerT]
present+
14:25:11 [Ian]
John_Bradley: Because platform authenticators do some proprietary things, there is no defined API between browser and platform authenticator.
14:25:31 [Ian]
...closest we may have is Akshay API that will expose information from Windows platform authenticator to browsers running on Windows.
14:25:37 [Ian]
...but that's not in any specification.
14:26:00 [Ian]
smcgruer_[EST]: So I hear 2 work streams (1) working with platform authenticators (2) for remote authenticators, CTAP changes
14:26:32 [Ian]
John_Bradley: We have to figure out in CTAP a standardized way to say "this bit is exposed this way in credential management output"
14:27:00 [Ian]
...there are two ways the platform could get at the information, doing a get() with or without allow list and iterating through credential list, or using credential management API.
14:27:23 [smcgruer_[EST]]
q+ to comment on SPC's extension today - https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration
14:27:25 [Ian]
q?
14:28:02 [Ian]
John_Bradley: Some of this is CTAP work and will require collaboration.
14:28:03 [Ian]
ack smcgruer_[EST]
14:28:03 [Zakim]
smcgruer_[EST], you wanted to comment on SPC's extension today - https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration
14:28:48 [Ian]
smcgruer_[EST]: We do have an extension in the SPC spec. At registration time, the client extension steps (1) enable cross-origin creation, which we'd like to move out of SPC (2) they do some enforcement on forcing discoverable credentials, etc.
14:28:55 [Ian]
...we might be able to remove client steps at registration
14:29:07 [Ian]
...but at authentication time, we put payment information in client data.
14:29:20 [Ian]
...we'll either need to move this into WebAuthn or keep it in SPC.
14:29:25 [Ian]
...are you ok with an extension defined in SPC
14:29:30 [Ian]
present+ Tony_Nadalin
14:29:50 [Ian]
John_Bradley: Probably most appropriate for WebAuthn
14:30:15 [Ian]
...we should also consider whether the extension information is passed on through to the authenticator so that authenticators with displays can also display it.
14:30:37 [Ian]
...e.g., CABLE scenario, where the display of information can be displayed on different screens.
14:30:51 [Ian]
...there are reasons to prefer mobile device (e.g., less malware)
14:31:04 [Ian]
...so there's probably a good argument for passing data through to authenticators that can display it
14:31:32 [Ian]
q?
14:32:07 [smcgruer_[EST]]
q+
14:32:31 [Ian]
[Brief side discussion on I18N here]
14:32:54 [Ian]
John_Bradley: Note that the authenticator would not be storing some information (due to space constraints)
14:33:04 [Ian]
ack smcgruer_[EST]
14:33:34 [Ian]
smcgruer_[EST]: How should we resolve question of where information goes?
14:34:13 [Ian]
John_Bradley: We have to figure out what comes back in the extension (e.g., hash of what was displayed) that can be compared to collected client data.
14:34:27 [Ian]
smcgruer_[EST]: I think the payment industry needs it to be signed over.
14:34:38 [Ian]
John_Bradley: In the signed extension you'd get back a hash of what the display information was.
14:35:32 [jonathan_]
jonathan_ has joined #wpwg
14:37:09 [Ian]
John_Bradley: We need to be sure that in the spec, if we are going with extension, that existing roaming authenticators without this extension would still be usable with SPC in a 1p context, assuming they support discoverable credentials.
14:37:27 [Ian]
...we should make sure that, in the short term, the population of existing roaming authenticators work in a 1p context.
14:37:52 [Ian]
John_Bradley: As long as we define the extension in the right way, it should make that easier.
14:39:49 [Ian]
John_Bradley: When WebAuthn client sees extension for special bit, then the client may take multiple paths to enumerate available credentials.
14:39:56 [Ian]
...so there's probably some platform processing things that we'd want to change.
14:40:07 [Ian]
present+ Jonathan_Grossar
14:40:15 [Ian]
present+ Christian_Aabye
14:40:29 [Hemnath_]
Hemnath_ has joined #wpwg
14:40:39 [Ian]
John_Bradley: Some of that extension processing would happen only in the SPC context.
14:42:03 [Ian]
Things that have to be done:
14:42:07 [Ian]
* Define the extension
14:42:13 [Ian]
* Figure out the UI (and where that is specified)
14:42:27 [Ian]
Tony: We have to look at "is this useful for anything else for WebAuthn?"
14:43:17 [Ian]
ChristiaanBrand: We should look at generic transaction signing again in WebAuthn
14:45:02 [Ian]
present+ Wendy_Seltzer
14:45:06 [Ian]
[Issue 154]
14:45:30 [Ian]
John_Bradley: Anybody that implements a user dialog about opting out. I think this should not be in WebAuthn. Could be done at the platform layer.
14:45:52 [smcgruer_[EST]]
+1
14:45:52 [Ian]
...e.g., Chrome could allow someone to allow setting the bit, and the RP would know because they would not get the extension back.
14:46:11 [smcgruer_[EST]]
q?
14:46:26 [Ian]
Tony: If we leave it up to the platform to do the dialog, it will be done differently everywhere, which will also be confusing.
14:46:50 [Ian]
John_Bradley: Saying you need to do a dialog has not created conformity across browsers to date.
14:47:04 [Ian]
John_Bradley: I'm against forcing browsers to have this dialog.
14:47:07 [Ian]
Tony: +1
14:48:10 [Ian]
John_Bradley: Extra dialogs will create drop-off. We may see banks, for example, causing users to create 2 credentials (one for 1p, one for 3p)
14:48:33 [smcgruer_[EST]]
q+
14:49:20 [Ian]
smcgruer_[EST]: I don't think from a user perspective that SPC is different here from WebAuthn in an iframe.
14:49:43 [Ian]
Tim: I agree with that point. This discussion reraises issue of naming RPIDs in dialog
14:50:22 [Ian]
[Issue 128]
14:51:01 [Ian]
smcgruer_[EST]: There is an existing tracking concern around WebAuthn and tracking, where RP somehow registers user in a malicious context, and then later the malicious tracker activates WebAuthn in a 3p context.
14:51:21 [Ian]
...our privacy folks said SPC lowers bar slightly during registration (in a cross-origin iframe).
14:51:29 [Ian]
...there are protections against this (e.g., permissions policy)
14:51:36 [Ian]
...so our privacy folks asked for user activation
14:51:44 [Ian]
...so our plan is to fold this in.
14:52:48 [Ian]
Tony: This would affect WebAuthn (user activation)
14:53:18 [Ian]
smcgruer_[EST]: It only affects you if you are creating a payment-labeled credential. Longer term could be better in WebAuthn.
14:55:23 [SameerT]
+1 to Stephen's point
14:55:25 [Ian]
smcgruer_[EST]: we would like to have the conversation about cross-origin registration in WebAuthn; payment industry partners would like that in order to use more WebAuthn
14:55:42 [Ian]
John_Bradley: Is this "user activation" for iframe only or all credentials?
14:55:51 [Ian]
smcgruer_[EST]: Currently it's only for cross-origin create
14:56:11 [Ian]
John_Bradley: Cross-origin creation not allowed in WebAuthn; if we add it, then user activation is probably a good idea.
14:56:43 [smcgruer_[EST]]
s/Currently//
14:57:22 [Manish]
Manish has joined #wpwg
14:58:12 [Ian]
[Issue 12 roaming authenticators]
14:58:30 [Ian]
John_Bradley: We heard from BPCE yesterday that they would want roaming authenticators.
14:58:59 [Gerhard]
q+
14:59:03 [Ian]
ack smcgruer_[EST]
14:59:06 [smcgruer_[EST]]
q-
14:59:08 [Ian]
ack Gerhard
14:59:32 [Ian]
Gerhard: Yes, we would love roaming authenticators. But for it to roam, we would need "no caching"
15:00:12 [smcgruer_[EST]]
q+
15:00:18 [Ian]
John_Bradley: Browser only needs to store information for credentials to be used in a 3p context.
15:00:26 [Ian]
...would work now without that bit in a 1p context.
15:00:49 [Ian]
ack smcgruer_[EST]
15:01:18 [Ian]
smcgruer_[EST]: The important part of SPC is we only show the transaction dialog when there is a chance the user can succeed (a form of conditional UI, as it were).
15:01:43 [Ian]
...it means there's a matching credential nearby. This is trickier for roaming authenticators. Today we do it for platform authenticators via cached data.
15:01:57 [Ian]
...if we want to do it without the spc bit, we'd need to cache ALL FIDO credentials.
15:02:45 [Ian]
John_Bradley: The SPC bit is about "this credential can be used in a 3p context for SPC".
15:03:18 [Ian]
...I think banks will want to be able to use FIDO credentials with SPC in a 1p context.
15:03:44 [Ian]
Christiaan: I think this roaming authenticators for bank use cases is a great use case.
15:04:11 [Ian]
John_Bradley: The question is the SPC dialog ... to cause SPC to go look for another authenticator.
15:04:36 [Ian]
Ian: How is this managed today?
15:04:57 [Ian]
John_Bradley: Non-modal UI is not there yet but coming. I believe there will be an additional option for roaming authenticators.
15:05:21 [Ian]
...we did start a conversation on pairing a roaming authenticator with platform so that credentials could be pre-populated and cached.
15:05:39 [Ian]
...it's not really a problem if all discoverable credentials are displayed.
15:05:52 [Ian]
...if it's not appropriate for SPC, then the verifier should not be sending the credential ID
15:06:23 [Ian]
q?
15:06:46 [smcgruer_[EST]]
q+
15:06:55 [Ian]
John_Bradley: We'd have to understand conditions under which this optional UX could be displayed.
15:07:18 [Ian]
...would need to indicate that someone wants to use an external authenticator.
15:07:35 [Ian]
...not sure that caching all the credentials from roaming authenticators is that big a problem.
15:07:50 [Ian]
smcgruer_[EST]: The caching idea is interesting, but might be better at platform level rather than browser level.
15:08:17 [Ian]
Tim: There's definitely a benefit of link type function at OS
15:08:32 [Ian]
Christiaan: Are we saying that new roaming authenticators won't work?
15:08:57 [Ian]
John_Bradley: Maybe first time you plug in your key you are asked "do you want to use this for secure payments"
15:09:14 [Ian]
Tim: I think it would be like when you plug phone into computer and there's a pairing experience / dialog
15:09:24 [Ian]
Christiaan: I think it sounds reasonable to cache data
15:09:26 [Gerhard]
q+
15:09:36 [Ian]
John_Bradley: We can do this now with credential management
15:09:38 [Ian]
ack Gerhard:
15:09:39 [Ian]
ack Gerhard:
15:09:55 [Ian]
Gerhard: We don't want to deviate in UX and other processes.
15:10:38 [Ian]
...if 3DS sends back 5 credentials (2 platform, 2 phone, 1 roaming)....I am hearing that Stephen wants to know that there are 2 that work
15:10:45 [Ian]
...Stephen is caching the first two
15:11:40 [Ian]
...until we are clear on WebAuthn way forward, we don't want to implement it in SPC
15:11:58 [Ian]
q?
15:12:00 [Ian]
ack Gerhard
15:12:21 [Ian]
ack smcgruer_[EST]
15:12:48 [Ian]
[Stephen shows a demo]
15:13:49 [Ian]
...you could plug in security key in dialog that tells user no credential found.
15:14:14 [Ian]
...so in this case, WebAuthn ceremony could be triggered first, and then only after the tx dialog would be shown
15:14:51 [Ian]
...if I've never registered, there is a UX issue.
15:15:12 [Ian]
...I like John's pre-caching idea but even without that there are some things we could do.
15:16:36 [Ian]
John_Bradley: If non-modal UI is used to get the list of credentials, that can also be used to expose the credentials from roaming authenticators
15:17:07 [SameerT]
q+
15:17:10 [Ian]
ack SameerT
15:17:32 [Ian]
SameerT: Does the RP know that a credential comes from a roaming authenticator?
15:17:38 [Ian]
John_Bradley: You get back a transport hint.
15:17:51 [Ian]
...so "USB" and "NFC" and "BLE" give you some information
15:18:06 [dom]
dom has joined #wpwg
15:18:58 [Ian]
Tony: Are you sure this is checked at certification?
15:19:10 [Ian]
John_Bradley: It is checked that it is provided; not that it is accurate
15:19:40 [Ian]
SameerT: If the RP knows that the device being used is a roaming authenticator, they may not send it if the UX will break.
15:19:47 [smcgruer_[EST]]
q?
15:22:07 [dom]
RRSAgent, pointer
15:22:07 [RRSAgent]
See https://www.w3.org/2022/05/05-wpwg-irc#T15-22-07
15:23:49 [Ian]
[SPC 174]
15:23:57 [Ian]
John_Bradley: Depends on timing; when extension codified.
15:24:03 [Ian]
...we should probably redefine the extension.
15:24:09 [Ian]
...the extension is "Device Public Key"
15:24:27 [Ian]
...please return me a flag so that I can tell whether the credential is being used on the same device or a new device.
15:24:40 [Ian]
...for security purposes a verifier can tell whether this is a new device.
15:25:03 [Ian]
Tim: The RP does NOT need to request the extension.
15:25:16 [Ian]
...the flag is set at creation time
15:25:58 [Ian]
John_Bradley: We should make sure that SPC causes platform discoverable credentials created on Android to emit the device public key extension
15:26:26 [Ian]
Tim: Suggest not hard coding the extension in SPC
15:27:21 [Ian]
John_Bradley: If we don't require it as "always being required" then we need to tell all merchants that they need to include it. Request is potentially coming from a 3p
15:27:29 [Ian]
...that's why making it mandatory in SPC would simplify some things
15:27:34 [Ian]
Tim: I do agree with that.
15:28:02 [Ian]
Tim: Are these banking folks ok with the change?
15:29:33 [Ian]
Jonathan_Blocksom: Here at Capital One, we'd send fact of new device to our risk engine; it would probably send a request for MFA at that point.
15:29:37 [Ian]
present+ Joe_Vasterling
15:29:55 [Ian]
Tim: That's exactly how we imagine this being used. So I guess I am in favor of requiring it.
15:30:49 [Ian]
ACTION: Ian to work with all the chairs to schedule continued coordination time with WebAuthn
15:31:01 [Ian]
RRSAGENT, make minutes
15:31:01 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/05/05-wpwg-minutes.html Ian
15:31:26 [Ian]
Topic: Best Buy experience with WebAuthn for Login
15:32:20 [Ian]
Joe: We've been looking at WebAuthn for frictionless login with good security
15:33:06 [Ian]
...there is an option to select WebAuthn to log into your profile
15:33:19 [Ian]
...there are a few hurdles we've seen
15:33:25 [Ian]
...first one is "what do we call this"?
15:33:49 [Ian]
...it's not easy to relay to customer what they will be doing.
15:34:01 [Ian]
q+ Tony
15:34:34 [Ian]
Joe: We are also hearing from our devs that the technical documents can be confusing / incomplete.
15:34:57 [Ian]
ack Tony
15:35:16 [Ian]
Tony: Do you think people understand what WebAuthn is? They understand "sign in with Google" etc.
15:35:29 [Ian]
Joe: I agree. That friction we are feeling is that consumers may not get it
15:35:55 [Ian]
...they are starting to communicate more closely to familiar phrases.
15:36:20 [Ian]
Tim: In the press today we are making an industry push to call this "Use a Passkey"
15:36:30 [Ian]
...we'd like to move away from platform specific branding
15:36:34 [Ian]
...we are pushing strongly for this.
15:36:42 [bdewater]
https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ & https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/ & https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/ :)
15:38:01 [Ian]
Tim: We think this is a good approach moving forward.
15:38:34 [Ian]
Joe: Where are we in our journey? Testing and learning.
15:38:51 [Ian]
...I appreciate the press release today describes things that will be helpful from a UX perspective.
15:39:48 [Ian]
[Joe shows a demo of how this works today on bestbuy.com]
15:39:57 [Ian]
present+ Dominique_Hazael-Massieux
15:40:09 [smcgruer_[EST]]
q+
15:40:38 [Ian]
[Joe lists benefits of using FIDO over passwords]
15:40:50 [Ian]
Joe: We see the value; key is to test and learn
15:40:59 [Ian]
ack smcgruer_[EST]
15:41:12 [Ian]
smcgruer_[EST]: Small question on the demo - right at the start there is a Best Buy mobile UI
15:41:20 [Ian]
...did the user click a button to cause that modal to show up?
15:41:39 [Ian]
Joe: It pops up post registration
15:43:35 [Ian]
Ian: Anybody want to speak to documentation?
15:44:07 [Gerhard]
q+
15:44:10 [dom]
q+
15:44:14 [Ian]
ack Gerhard
15:44:35 [Ian]
Gerhard: Regarding the device spread you've seen with this (between Mac, Windows, Android)...
15:45:02 [Ian]
Joe: Right now primarily on desktop (Chrome, Edge)
15:45:23 [Ian]
...for our in-app experience, I could see what information we are seeing in terms of adoption.
15:46:08 [Ian]
Dom: Thank you for the presentation. You indicate that your team found gaps in documentation. Is that documentation on the API itself, or the overall user journey with WebAuthn? We have a WebAuthn Adoption CG
15:46:22 [Ian]
...we'd be keen to get feedback from your team on challenges they hit
15:46:25 [dom]
-> https://www.w3.org/community/webauthn-adoption/ WebAuthn Adoption Community Group
15:46:41 [Ian]
Joe: The big piece was API documentation.
15:46:50 [Ian]
...the documentation was perceived as "confusing"
15:47:06 [Ian]
...they felt it was incomplete; they had to figure out how to connect the dots to make the final API call.
15:47:31 [Ian]
...I can ask internally for more specifics.
15:48:04 [Ian]
q?
15:48:07 [Ian]
ack me
15:48:09 [Ian]
ack dom
15:48:25 [Ian]
Ian: Plans?
15:48:30 [Ian]
Joe: It's on and people are monitor ing
15:48:41 [Ian]
...we are also getting feedback through surveys
15:48:49 [Ian]
s/monitor ing/monitoring/
15:49:15 [Ian]
...I think there is interest in using this and expanding where we can
15:49:49 [Ian]
John_Fontana: Are you using this in an enterprise context?
15:49:58 [Ian]
Joe: I don't think they are looking at this today
15:50:16 [Ian]
...I will check with technical teams on other interests.
15:51:08 [Ian]
Topic: User Recognition
15:51:45 [smcgruer_[EST]]
Ian: [Presenting slide deck]
15:52:07 [smcgruer_[EST]]
... talked previously in this WG around changes in privacy in browsers
15:52:13 [smcgruer_[EST]]
... at TPAC people said user recognition important
15:52:22 [smcgruer_[EST]]
... two threads (1) fraud mitigation, (2) returning users for flows like SRC
15:52:41 [smcgruer_[EST]]
... Update: Anti-Fraud CG started meeting this year; so far approved charter and close to approving use-cases
15:52:51 [smcgruer_[EST]]
... some emerging proposals for the use-cases
15:53:03 [smcgruer_[EST]]
... Have invited them to the WPWG to share updates
15:53:51 [smcgruer_[EST]]
... On the returning user flow; some use-cases have come up - SRC (remember SRC identity), Open Banking (remember preferred bank), ...
15:54:34 [smcgruer_[EST]]
... There are some approaches without 3p cookies with UX: pop-up, Storage Access API, WebAuthn+Conditional UI
15:55:01 [smcgruer_[EST]]
... For conditional UI, strongly attached to autofill in Chrome currently, but we may be interested in other experiences that aren't autofill-based. For later discussion with WebAuthn WG
15:55:34 [smcgruer_[EST]]
... Other technologies that don't seem applicable: Trust Tokens, isLoggedIn - they both lack user info
15:56:22 [smcgruer_[EST]]
... The First Party Sets proposal may be useful for use-cases like SRC, where there are multiple networks
15:57:19 [smcgruer_[EST]]
... to wrap-up - want to look at Conditional UI for SRC
15:57:31 [smcgruer_[EST]]
... plus - what are we missing in general?
15:58:30 [Ian]
smcgruer_[EST]: There's a slightly broader scope for user recognition than you speak to: there are also use cases where PSPs have experiences they want to provide across merchants.
15:58:40 [Ian]
...suppose I have "Stephen's Shop" online
15:59:09 [Ian]
...I think there are more use cases than Ian covered.
15:59:25 [Ian]
q?
16:00:42 [Ian]
Topic: Next meeting
16:00:43 [Ian]
26 May
16:01:21 [Ian]
RRSAGENT, make minutes
16:01:21 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/05/05-wpwg-minutes.html Ian
16:01:27 [Ian]
RRSAGENT, set logs public
16:01:42 [Gerhard]
Thanks for all the preparations and material, Ian! Great sessions.
16:45:09 [bryanluo]
bryanluo has joined #wpwg
16:46:15 [Ian]
/dialog koalie
17:16:41 [bryanluo]
bryanluo has joined #wpwg
17:17:11 [bryanluo_]
bryanluo_ has joined #wpwg
17:18:59 [bryanluo]
bryanluo has joined #wpwg
17:35:41 [bryanluo]
bryanluo has joined #wpwg
18:01:33 [bkardell_]
bkardell_ has joined #wpwg
18:17:23 [Zakim]
Zakim has left #wpwg