14:00:27 <RRSAgent> RRSAgent has joined #wpwg
14:00:27 <RRSAgent> logging to https://www.w3.org/2022/08/18-wpwg-irc
14:00:31 <Ian> Meeting: Web Payments WG
14:00:42 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20220818
14:01:05 <Ian> Regrets: NickTR
14:01:07 <Ian> Chair: Ian
14:01:09 <Ian> Scribe: Ian
14:01:13 <Ian> present+
14:01:19 <Anne> Anne has joined #wpwg
14:01:23 <Ian> present+ David_Benoit
14:01:29 <Ian> present+ Erhard_Brand
14:01:34 <Ian> present+ Gerhard_Oosthuizen
14:01:38 <Ian> presnet+ Gregoire_Leleux
14:01:40 <JMGirard> JMGirard has joined #wpwg
14:01:43 <Ian> present+ Jean-Michel_Girard
14:01:47 <Ian> present+ Anne_Pouillard
14:01:50 <Gerhard> Gerhard has joined #wpwg
14:01:56 <Ian> present+ Steve_Cole
14:02:01 <Ian> present+ Stephen_McGruer
14:02:26 <Ian> present+ Jean-Luc_di_Manno
14:02:32 <Ian> present+ Tomoya_Horiguchi
14:02:44 <Ian> agenda+ SPC updates
14:02:49 <Ian> agenda+ TPAC Check-in
14:02:57 <Ian> agenda+ canMakePayment Use Cases
14:03:10 <Steve_C> Steve_C has joined #wpwg
14:03:17 <Ian> present+ Suzie_Annezo-Sébire
14:03:25 <Ian> present+ Bastien_Latge
14:03:36 <SuzieAS> SuzieAS has joined #wpwg
14:04:53 <Ian> zakim, take up item 1
14:04:53 <Zakim> agendum 1 -- SPC updates -- taken up [from Ian]
14:05:06 <Ian> Start with https://github.com/w3c/secure-payment-confirmation/pull/198
14:05:11 <JeanLuc> JeanLuc has joined #WPWG
14:05:38 <Ian> smcgruer_[EST]: This is an alignment with Web Authentication. We used "rp" instead of "rpid" and want to fix that to align with WebAuthn
14:05:44 <Ian> ...this is reasonable but also a breaking change. :(
14:05:52 <Ian> ...the resulting assertion is affected
14:06:07 <Ian> ...the field name changes
14:06:16 <Bastien> Bastien has joined #WPWG
14:06:20 <Bastien> present+
14:06:24 <Ian> ...my proposal is for implementations to continue to produce "rp" but also add "rpid"
14:06:38 <Ian> ...and we would deprecate "rp" over time.
14:06:47 <Gerhard> +1 for the change, before larger adoption...
14:06:49 <Ian> ...an alternative is to not make the change.
14:07:04 <Ian> smcgruer_[EST]: I think it's reasonable to make the change while small-ish number of users.
14:07:18 <Ian> present+ Manish
14:07:34 <benoit> benoit has joined #wpwg
14:07:39 <Ian> Ian: Thoughts on 3DS integration cost?
14:07:43 <Ian> Bastien: I can check.
14:08:00 <Ian> ...a priori I don't see an issue.
14:08:13 <Ian> smcgruer_[EST]: Verifying the assertion is out of scope of 3DS strictly speaking
14:09:00 <Ian> ACTION: Bastien to check with the EMV 3DS WG
14:09:44 <benoit> +q
14:09:44 <Ian> PROPOSED: Change "rp" to "rpid" in the SPC specification.
14:09:52 <Ian> ack benoit
14:10:06 <Ian> benoit: What would the deprecation plan be?
14:10:46 <Ian> smcgruer_[EST]: Usually we measure usage of features as part of deprecation. But we don't measure things in this case.
14:10:57 <Ian> ...we would start by producing both fields in the assertion
14:11:23 <Ian> ...I expect we would announce a timeline and talk loudly about it
14:11:38 <GregoireLeleux> "rpId" is part of the webAuthenCredList in 3DS spec
14:12:08 <Ian> present+ Susan_Koomen
14:12:21 <benoit> +1 support proposal
14:12:22 <Ian> present+ Rolf_Lindemann
14:12:24 <GregoireLeleux> yes, that's the input creds
14:12:30 <smcgruer_[EST]> +1 support proposal
14:12:59 <Steve_C> +1
14:13:02 <Anne> +1
14:13:03 <Ian> rolf: +1
14:13:04 <JMGirard> +1
14:13:31 <Sue> Sue has joined #wpwg
14:13:33 <Ian> Topic: WebAuthn and cross-origin credential creation
14:13:33 <Ian> https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit
14:14:01 <Rolf> Rolf has joined #wpwg
14:14:11 <Ian> smcgruer_[EST]: we've heard both for SPC and other payments use cases with FIDO is a desire to enroll a user in a cross-origin iframe in a merchant page rather than redirect.
14:14:21 <Ian> ...so SPC enables this but WebAuthn does not
14:14:26 <Ian> ...I have heard people say it is useful generally
14:14:54 <Ian> ...so it would be good to migrate this into Web Authn; there's a standing issue there on that topic
14:14:59 <Ian> ...I'd like to get the WPWG's support for this
14:15:02 <Rolf> What is the WebAuthn issue number?
14:15:18 <Ian> https://github.com/w3c/webauthn/issues/1656
14:16:05 <Ian> IJ: Any highlights for reasons this did not previously get traction?
14:16:37 <Ian> smcgruer_[EST]: The three concerns cited previously on this topic:
14:16:41 <Ian> 1) Tracking
14:17:06 <Ian> ...our proposal helps on this by requiring "user activation" which is not originally required in Web Authentication.
14:17:23 <Ian> 2) Regulatory questions
14:18:08 <Ian> ...I think that usage is relevant here and so not inherently problematic.
14:18:46 <Ian> smcgruer_[EST]: There was also some confusion in the original WebAuthn conversation; the goal is here for origin A to create a credential for itself; not create a credential for another origin.
14:18:54 <Ian> ...I think Google's FIDO folks would be ok with this change.
14:19:07 <Ian> Rolf: This is different from cross-origin invocation with special bit, right?
14:19:10 <Ian> smcgruer_[EST]: Correct.
14:19:31 <Ian> Rolf: If I receive and assertion, can I observe that it was created in a cross-origin iframe?
14:19:43 <Ian> ...the existence of such information could help garner support.
14:19:54 <Ian> smcgruer_[EST]: I would be open to that.
14:20:16 <Ian> ...we need to think about whether there are privacy implications.
14:20:48 <Ian> smcgruer_[EST]: Also note that the caller knows that they are creating an assertion in an iframe.
14:21:02 <smcgruer_[EST]> s/in an iframe//
14:21:21 <Ian> Rolf: It's not clear you can disable invocation in an iframe easily.
14:21:37 <Ian> smcgruer_[EST]: There are headers you can load to stop it. It's the caller's javascript the decides where to call.
14:21:51 <Ian> Rolf: Be sure to tell people that they can disable something, and how to do so.
14:22:19 <Ian> smcgruer_[EST]: Good point. I can add to the proposal mention of headers and possibly adding topOrigin
14:22:39 <Ian> ACTION: smcgruer_[EST] to update the proposal to discussion of how to disable the functionality.
14:22:50 <JeanLuc> X-Frame-Options: DENY ?
14:23:03 <Ian> https://docs.google.com/document/d/1h6xgrp0Rwe9b3xs3RYgJ-3SJEwqjLP7jRtAc6DmBFbk/edit?pli=1
14:23:16 <smcgruer_[EST]> JeanLuc: I think that is correct, or use SAMEORIGIN
14:23:43 <Rolf> https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-crossorigin
14:23:45 <Ian> [We observe that there's a flag in WebAuthn that indicates iframe was cross-origin]
14:24:11 <Ian> smcgruer_[EST]: Jean-Luc, that may be it or another one like "same origin only"
14:24:53 <Ian> PROPOSAL: Adopt the Proposal to re-raise issue of cross-origin creation with the WebAuthn WG (after stephen's edits)
14:25:02 <Ian> Ian: +1
14:25:20 <Anne> +1
14:25:28 <JMGirard> yep +1
14:25:28 <Rolf> +1
14:25:35 <Gerhard> +1
14:25:38 <Steve_C> +1
14:25:43 <smcgruer_[EST]> +1 (do I count? ;))
14:25:45 <Ian> so RESOLVED
14:26:09 <Ian> Topic: TPAC check-in
14:26:34 <Ian> https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022
14:28:23 <Ian> present+ Carey_Ferro
14:29:19 <careyf> careyf has joined #wpwg
14:30:17 <smcgruer_[EST]> Rolf: https://docs.google.com/document/d/1h6xgrp0Rwe9b3xs3RYgJ-3SJEwqjLP7jRtAc6DmBFbk/edit may be useful reading, it's my proposed plan for this
14:30:48 <smcgruer_[EST]> Rolf: It does include such an extension in the WebAuthn space which maps to the FIDO CTAP bit
14:31:21 <smcgruer_[EST]> Sorry, the above is said from Stephen to Rolf, for clarity
14:31:45 <Ian> Rolf: RP can ask the user in advance if they want to use cross-origin.
14:36:04 <Ian> -> https://www.w3.org/2022/09/TPAC/#registration Registration
14:36:46 <smcgruer_[EST]> q+
14:36:51 <Ian> ack smcgruer_[EST]
14:37:16 <Ian> https://www.w3.org/wiki/TPAC/2022/SessionIdeas
14:38:53 <Ian> Ian: Any suggestions for topics?
14:39:23 <Ian> https://docs.google.com/document/d/1Bxm7_gc-Wi7ZjWlgOMPbq3Kdv0L3lgvkkcVaQIFgPx8/edit#heading=h.dvz4zyoilau4
14:41:06 <careyf> Fun fact: there's another TPAC also happening at the same time in Vancouver as our W3C TPAC
14:41:33 <smcgruer_[EST]> And they're first when you google "TPAC Vancouver" ! :D
14:41:44 <smcgruer_[EST]> 'Third Party Advantage Conference'
14:42:37 <Ian> Topic: canMakePayments
14:42:41 <careyf> I saw that Stephen! lol
14:42:55 <Ian> (This relates to Payment Request)
14:42:58 <Ian> -> https://github.com/w3c/payment-handler/issues/401 Issue 401
14:43:05 <Ian> "Request for use cases: "canmakepayment" event"
14:43:40 <Ian> smcgruer_[EST]: We are looking at privacy topics generally (Sandbox) and this touches on all APIs, including PR API and PH API.
14:43:47 <Ian> ...we've published a list of issues
14:43:56 <Ian> -> https://github.com/rsolomakhin/webpayments/blob/gh-pages/privacy/issues/README.md
14:44:04 <Ian> ...we have some ideas for mitigations of these concerns
14:44:12 <Ian> ...we'll discuss more at TPAC
14:44:25 <Ian> ...canMakePayment (and equivalent in Android) carries a lot of information
14:44:46 <Ian> ...so we'd like to be sure we understand the use cases for this functionality so that we can properly mitigate the risks.
14:46:42 <Ian> Ian: Would be good at TPAC to hear more about Chrome [And Other] view of PR API future
14:46:48 <Ian> smcgruer_[EST]: Yes, let's chat
14:47:04 <Ian> Topic: AOB?
14:47:16 <Ian> Topic: Next meeting
14:47:16 <Ian> TPAC
14:47:30 <Ian> (No meeting 1 or 8 Sep)
14:47:49 <Ian> RRSAGENT, make minutes
14:47:49 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/18-wpwg-minutes.html Ian
14:47:53 <Ian> RRSAGENT, set logs public
15:00:50 <GregoireLeleux> GregoireLeleux has left #wpwg
15:01:53 <careyf> careyf has left #wpwg
15:01:57 <Steve_C> Steve_C has joined #wpwg
15:02:38 <Bastien> Bastien has left #wpwg
15:05:39 <Gerhard_> Gerhard_ has joined #wpwg