13:29:02 RRSAgent has joined #wpwg 13:29:02 logging to https://www.w3.org/2022/07/07-wpwg-irc 13:29:05 Ian has left #wpwg 13:29:17 Ian has joined #wpwg 13:29:25 Meeting: Web Payments Working Group 13:29:37 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20220707 13:29:40 Scribe: Ian 13:50:17 clinton has joined #wpwg 13:58:08 present+ Ian_Jacobs 13:58:37 present+ Carey_Ferro 13:59:22 present+ Jean-Luc_Di_Manno 14:00:07 present+ Nick_Telford-Reed 14:00:22 Chair: Ian 14:01:10 JeanLuc has joined #WPWG 14:01:17 present+ Anne_Pouillard 14:01:20 present+ Steve_Cole 14:01:26 Gregoire has joined #wpwg 14:01:30 Anne has joined #wpwg 14:01:45 present+ Erhard_Brand 14:01:51 present+ Gregoire_Leleux 14:02:01 present+ Praveena_Subrahmanyam 14:02:06 present+ Bart_de_Water 14:02:11 present+ Ryan_Watkins 14:02:19 present+ Jonathan_Grossar 14:02:55 present+ Suzie_Annezo-Sebire 14:02:58 JMGirard has joined #wpwg 14:03:02 present+ Stephen_McGruer 14:03:12 bdewater-shopify has joined #wpwg 14:03:19 bdewater-shopify has left #wpwg 14:03:23 Topic: SPC: From browser cache to FIDO/WebAuthn integration 14:03:30 -> https://docs.google.com/document/d/1h6xgrp0Rwe9b3xs3RYgJ-3SJEwqjLP7jRtAc6DmBFbk/edit Chrome doc 14:04:03 [Slide presentatino] 14:04:14 cferro has joined #wpwg 14:04:28 smcgruer_[EST]: This is about how we are going to get from today's Chrome implementation of SPC to a future where SPC is properly part of the underlying (FIDO-related) APIs 14:04:34 present+ David_Benoit 14:04:50 [SPC today] 14:04:55 bdewater-shopify has joined #wpwg 14:05:14 SuzieAS has joined #wpwg 14:05:17 smcgruer_[EST]: Some limitations today - we cache info in the browser, which means first of all that credentials are not shared between browsers running on the same device. 14:05:22 present+ Matt_Crothers 14:05:29 present+ Tomoya_Horiguchi 14:06:16 smcgruer_[EST]: Also means we limit use of credentials to a subset of what we want to be used for SPC (e.g., ordinary FIDO credentials in a 1p context) 14:06:24 smcgruer_[EST]: Another limitation today is no support for remote authenticators 14:06:29 Bastien has joined #WPWG 14:06:36 smcgruer_[EST]: And finally, we don't want to override some WebAuthn behaviors 14:06:57 present+ Clinton_Allen 14:07:11 [Stephen walks through SPC flow reminder] 14:07:27 present+ Jean-Michel_Girard 14:08:19 Ian: Please include the flow slide in the explainer!~ 14:08:58 [Ideal end state] 14:10:00 smcgruer_[EST]: (1) no overrides of underlying APIs (2) reliance on authenticators (CTAP) to answer questions (a) does credential exist? (b) is it available cross-origin if this is a cross-origin request? (3) any [discoverable] FIDO credential should work (4) only cross-origin credentials should work in cross-origin scenarios (5) should work with platform and roaming authenticators. 14:10:22 [What needs to change to get there] 14:10:30 smcgruer_[EST]: Lots to read there 14:10:37 [Very aggressive timeline!] 14:10:53 smcgruer_[EST]: We're already behind. At a high level, we need a few things: 14:11:10 ...authenticators need to have the spc extension 14:11:19 ...SPC needs to be cleaned up to align with that 14:11:36 ...the "payment" extension needs to become an alias for the above 14:11:53 ...it will take some time to get authenticator support (e.g., a year) 14:12:26 ...in the meantime I would like to hear from you -- should we support a second extension that can be used to allow requests for cross-origin 14:12:41 ...if you are a user of SPC ONLY in a 1p context, should we support that before the authenticators make it easier for us? 14:13:23 +q 14:13:26 ack jean 14:14:01 present+ Susan_Koomen 14:14:15 JeanLuc: What is impact on reliance on discoverable credentials? 14:15:01 smcgruer_[EST]: Discoverable credentials allow us to look up credentials. Today, to my knowledge, right now authenticators don't let you do that look-up without a user interaction with the device. 14:15:26 ...they are more used in WebAuthn right now where the platform authenticator says "which of these identities do you want to use?" 14:15:48 ...that said, discoverable credentials are likely to be the basis for the BROWSER to query authenticators silently. 14:16:11 ...we are close to having this. These APIs (mostly) exist; what we need is the cross-origin bit 14:16:37 q+ 14:16:53 smcgruer_[EST]: I believe we have resolved that any returned credential can be used for 1p context 14:17:32 ...in the latest Windows insider built they have added APIs for listing discoverable credentials without user interaction. 14:18:39 benoit_ has joined #wpwg 14:18:56 ack me 14:19:05 IJ: Is the silent access API a work item at the CTAP level? 14:19:32 smcgruer_[EST]: In terms of 3p bit, there's a pending pull request at the CTAP level. 14:19:43 ...that will make it possible to query authenticators 14:20:56 Ian: What about standard API for roaming authenticators? 14:21:15 smcgruer_[EST]: I think that's supported via Credential Management API; John Bradley could clarify here. 14:22:08 Ian: Back to Stephen's question -- any views on priority of 1p support without SPC-bit set within the next year? 14:22:53 Erhard: Yes, I would say we would be interested support for the feature. 14:23:44 smcgruer_[EST]: What we would do is to introduce 2 more extensions. One would be mark a credential as "SPC" and one would be to set a credential as cross-origin enabled. 14:23:50 ...both would be cached in the browser 14:23:57 ...one would mean "ok for SPC cross origin" 14:24:04 ...one would mean "ok for SPC, but not cross origin" 14:24:22 ..and the existing extension would mean "ok for SPC and cross origin" (an alias) 14:24:27 Erhard: That makes sense. 14:24:43 Ian: Backwards compatibility issues? 14:25:02 smcgruer_[EST]: Should have no impact on 3DS integration. This happens a credential creation time (which is not covered in 3DS) 14:25:45 Ian: What should we be looking for at TPAC on this? 14:26:02 what is currently missing on SPC to be able to use roaming authenticator? 14:26:21 smcgruer_[EST]: I could imagine talking about the 2 extensions; but not sure what priority of that is yet. 14:26:35 ...separately we'll provide an update on where we are with authenticators. 14:26:43 ...I would like to see the 3p bit merged in FIDO by then 14:27:16 smcgruer_[EST]: Regarding support for roaming authenticators: 14:27:38 a) We could specify a fallback flow in the spec: "If you have a roaming authenticator, insert now." It's a fair amount of implementation. 14:28:06 erhardbrand has joined #wpwg 14:28:23 b) Or, to do this more properly, we'd need to understand what the Credential Management API can do for us; discussion with WebAuthn folks. They have a long-term conversation about whether roaming authenticators should be able to proactively tell the OS (after first inserted) what credentials are available. 14:28:36 ...then you could use this for SPC without having the device already inserted. 14:29:51 Topic: TPAC 2022 14:29:59 -> https://www.w3.org/2022/09/TPAC/ TPAC home 14:30:10 -> https://www.w3.org/2022/09/TPAC/#registration Registration soon! 14:30:25 ..hotel info + special rate 14:30:42 -> https://www.w3.org/calendar/tpac2022/group-meetings/ 14:32:34 -> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022 WPWG meeting page 14:33:14 Sue has joined #wpwg 14:34:32 Ian: Remote participation will be an option 14:34:55 Will you be sending out the agenda soon? 14:35:53 Ian: At the latest mid-August 14:36:34 Monday morning? 14:36:51 Would we start Monday morning? 14:36:55 Monday, 12 September, 9:00-16:00 PT. Note: We will do our best to ensure that critical agenda items are discussed in the morning session. 14:37:08 Thank you 14:37:11 Is DID Working Group part of TPAC? 14:37:21 https://www.w3.org/calendar/tpac2022/group-meetings/ 14:38:29 thanks 14:38:35 Topic: Next meeting of WPWG 14:38:49 -> https://lists.w3.org/Archives/Public/public-payments-wg/2022Jun/0001.html 14:38:57 18 August 14:39:34 ADJOURNED 14:39:38 RRSAGENT, make minutes 14:39:38 I have made the request to generate https://www.w3.org/2022/07/07-wpwg-minutes.html Ian 14:39:41 RRSAGENT, set logs public 14:56:38 rrsagent, bye 14:56:38 I see no action items