IRC log of wpwg on 2022-08-18

Timestamps are in UTC.

14:00:27 [RRSAgent]: RRSAgent has joined #wpwg
14:00:27 [RRSAgent]: logging to https://www.w3.org/2022/08/18-wpwg-irc
14:00:31 [Ian]: Meeting: Web Payments WG
14:00:42 [Ian]: Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20220818
14:01:05 [Ian]: Regrets: NickTR
14:01:07 [Ian]: Chair: Ian
14:01:09 [Ian]: Scribe: Ian
14:01:13 [Ian]: present+
14:01:19 [Anne]: Anne has joined #wpwg
14:01:23 [Ian]: present+ David_Benoit
14:01:29 [Ian]: present+ Erhard_Brand
14:01:34 [Ian]: present+ Gerhard_Oosthuizen
14:01:38 [Ian]: presnet+ Gregoire_Leleux
14:01:40 [JMGirard]: JMGirard has joined #wpwg
14:01:43 [Ian]: present+ Jean-Michel_Girard
14:01:47 [Ian]: present+ Anne_Pouillard
14:01:50 [Gerhard]: Gerhard has joined #wpwg
14:01:56 [Ian]: present+ Steve_Cole
14:02:01 [Ian]: present+ Stephen_McGruer
14:02:26 [Ian]: present+ Jean-Luc_di_Manno
14:02:32 [Ian]: present+ Tomoya_Horiguchi
14:02:44 [Ian]: agenda+ SPC updates
14:02:49 [Ian]: agenda+ TPAC Check-in
14:02:57 [Ian]: agenda+ canMakePayment Use Cases
14:03:10 [Steve_C]: Steve_C has joined #wpwg
14:03:17 [Ian]: present+ Suzie_Annezo-Sébire
14:03:25 [Ian]: present+ Bastien_Latge
14:03:36 [SuzieAS]: SuzieAS has joined #wpwg
14:04:53 [Ian]: zakim, take up item 1
14:04:53 [Zakim]: agendum 1 -- SPC updates -- taken up [from Ian]
14:05:06 [Ian]: Start with https://github.com/w3c/secure-payment-confirmation/pull/198
14:05:11 [JeanLuc]: JeanLuc has joined #WPWG
14:05:38 [Ian]: smcgruer_[EST]: This is an alignment with Web Authentication. We used "rp" instead of "rpid" and want to fix that to align with WebAuthn
14:05:44 [Ian]: ...this is reasonable but also a breaking change. :(
14:05:52 [Ian]: ...the resulting assertion is affected
14:06:07 [Ian]: ...the field name changes
14:06:16 [Bastien]: Bastien has joined #WPWG
14:06:20 [Bastien]: present+
14:06:24 [Ian]: ...my proposal is for implementations to continue to produce "rp" but also add "rpid"
14:06:38 [Ian]: ...and we would deprecate "rp" over time.
14:06:47 [Gerhard]: +1 for the change, before larger adoption...
14:06:49 [Ian]: ...an alternative is to not make the change.
14:07:04 [Ian]: smcgruer_[EST]: I think it's reasonable to make the change while small-ish number of users.
14:07:18 [Ian]: present+ Manish
14:07:34 [benoit]: benoit has joined #wpwg
14:07:39 [Ian]: Ian: Thoughts on 3DS integration cost?
14:07:43 [Ian]: Bastien: I can check.
14:08:00 [Ian]: ...a priori I don't see an issue.
14:08:13 [Ian]: smcgruer_[EST]: Verifying the assertion is out of scope of 3DS strictly speaking
14:09:00 [Ian]: ACTION: Bastien to check with the EMV 3DS WG
14:09:44 [benoit]: +q
14:09:44 [Ian]: PROPOSED: Change "rp" to "rpid" in the SPC specification.
14:09:52 [Ian]: ack benoit
14:10:06 [Ian]: benoit: What would the deprecation plan be?
14:10:46 [Ian]: smcgruer_[EST]: Usually we measure usage of features as part of deprecation. But we don't measure things in this case.
14:10:57 [Ian]: ...we would start by producing both fields in the assertion
14:11:23 [Ian]: ...I expect we would announce a timeline and talk loudly about it
14:11:38 [GregoireLeleux]: "rpId" is part of the webAuthenCredList in 3DS spec
14:12:08 [Ian]: present+ Susan_Koomen
14:12:21 [benoit]: +1 support proposal
14:12:22 [Ian]: present+ Rolf_Lindemann
14:12:24 [GregoireLeleux]: yes, that's the input creds
14:12:30 [smcgruer_[EST]]: +1 support proposal
14:12:59 [Steve_C]: +1
14:13:02 [Anne]: +1
14:13:03 [Ian]: rolf: +1
14:13:04 [JMGirard]: +1
14:13:31 [Sue]: Sue has joined #wpwg
14:13:33 [Ian]: Topic: WebAuthn and cross-origin credential creation
14:13:33 [Ian]: https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit
14:14:01 [Rolf]: Rolf has joined #wpwg
14:14:11 [Ian]: smcgruer_[EST]: we've heard both for SPC and other payments use cases with FIDO is a desire to enroll a user in a cross-origin iframe in a merchant page rather than redirect.
14:14:21 [Ian]: ...so SPC enables this but WebAuthn does not
14:14:26 [Ian]: ...I have heard people say it is useful generally
14:14:54 [Ian]: ...so it would be good to migrate this into Web Authn; there's a standing issue there on that topic
14:14:59 [Ian]: ...I'd like to get the WPWG's support for this
14:15:02 [Rolf]: What is the WebAuthn issue number?
14:15:18 [Ian]: https://github.com/w3c/webauthn/issues/1656
14:16:05 [Ian]: IJ: Any highlights for reasons this did not previously get traction?
14:16:37 [Ian]: smcgruer_[EST]: The three concerns cited previously on this topic:
14:16:41 [Ian]: 1) Tracking
14:17:06 [Ian]: ...our proposal helps on this by requiring "user activation" which is not originally required in Web Authentication.
14:17:23 [Ian]: 2) Regulatory questions
14:18:08 [Ian]: ...I think that usage is relevant here and so not inherently problematic.
14:18:46 [Ian]: smcgruer_[EST]: There was also some confusion in the original WebAuthn conversation; the goal is here for origin A to create a credential for itself; not create a credential for another origin.
14:18:54 [Ian]: ...I think Google's FIDO folks would be ok with this change.
14:19:07 [Ian]: Rolf: This is different from cross-origin invocation with special bit, right?
14:19:10 [Ian]: smcgruer_[EST]: Correct.
14:19:31 [Ian]: Rolf: If I receive and assertion, can I observe that it was created in a cross-origin iframe?
14:19:43 [Ian]: ...the existence of such information could help garner support.
14:19:54 [Ian]: smcgruer_[EST]: I would be open to that.
14:20:16 [Ian]: ...we need to think about whether there are privacy implications.
14:20:48 [Ian]: smcgruer_[EST]: Also note that the caller knows that they are creating an assertion in an iframe.
14:21:02 [smcgruer_[EST]]: s/in an iframe//
14:21:21 [Ian]: Rolf: It's not clear you can disable invocation in an iframe easily.
14:21:37 [Ian]: smcgruer_[EST]: There are headers you can load to stop it. It's the caller's javascript the decides where to call.
14:21:51 [Ian]: Rolf: Be sure to tell people that they can disable something, and how to do so.
14:22:19 [Ian]: smcgruer_[EST]: Good point. I can add to the proposal mention of headers and possibly adding topOrigin
14:22:39 [Ian]: ACTION: smcgruer_[EST] to update the proposal to discussion of how to disable the functionality.
14:22:50 [JeanLuc]: X-Frame-Options: DENY ?
14:23:03 [Ian]: https://docs.google.com/document/d/1h6xgrp0Rwe9b3xs3RYgJ-3SJEwqjLP7jRtAc6DmBFbk/edit?pli=1
14:23:16 [smcgruer_[EST]]: JeanLuc: I think that is correct, or use SAMEORIGIN
14:23:43 [Rolf]: https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-crossorigin
14:23:45 [Ian]: [We observe that there's a flag in WebAuthn that indicates iframe was cross-origin]
14:24:11 [Ian]: smcgruer_[EST]: Jean-Luc, that may be it or another one like "same origin only"
14:24:53 [Ian]: PROPOSAL: Adopt the Proposal to re-raise issue of cross-origin creation with the WebAuthn WG (after stephen's edits)
14:25:02 [Ian]: Ian: +1
14:25:20 [Anne]: +1
14:25:28 [JMGirard]: yep +1
14:25:28 [Rolf]: +1
14:25:35 [Gerhard]: +1
14:25:38 [Steve_C]: +1
14:25:43 [smcgruer_[EST]]: +1 (do I count? ;))
14:25:45 [Ian]: so RESOLVED
14:26:09 [Ian]: Topic: TPAC check-in
14:26:34 [Ian]: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022
14:28:23 [Ian]: present+ Carey_Ferro
14:29:19 [careyf]: careyf has joined #wpwg
14:30:17 [smcgruer_[EST]]: Rolf: https://docs.google.com/document/d/1h6xgrp0Rwe9b3xs3RYgJ-3SJEwqjLP7jRtAc6DmBFbk/edit may be useful reading, it's my proposed plan for this
14:30:48 [smcgruer_[EST]]: Rolf: It does include such an extension in the WebAuthn space which maps to the FIDO CTAP bit
14:31:21 [smcgruer_[EST]]: Sorry, the above is said from Stephen to Rolf, for clarity
14:31:45 [Ian]: Rolf: RP can ask the user in advance if they want to use cross-origin.
14:36:04 [Ian]: -> https://www.w3.org/2022/09/TPAC/#registration Registration
14:36:46 [smcgruer_[EST]]: q+
14:36:51 [Ian]: ack smcgruer_[EST]
14:37:16 [Ian]: https://www.w3.org/wiki/TPAC/2022/SessionIdeas
14:38:53 [Ian]: Ian: Any suggestions for topics?
14:39:23 [Ian]: https://docs.google.com/document/d/1Bxm7_gc-Wi7ZjWlgOMPbq3Kdv0L3lgvkkcVaQIFgPx8/edit#heading=h.dvz4zyoilau4
14:41:06 [careyf]: Fun fact: there's another TPAC also happening at the same time in Vancouver as our W3C TPAC
14:41:33 [smcgruer_[EST]]: And they're first when you google "TPAC Vancouver" ! :D
14:41:44 [smcgruer_[EST]]: 'Third Party Advantage Conference'
14:42:37 [Ian]: Topic: canMakePayments
14:42:41 [careyf]: I saw that Stephen! lol
14:42:55 [Ian]: (This relates to Payment Request)
14:42:58 [Ian]: -> https://github.com/w3c/payment-handler/issues/401 Issue 401
14:43:05 [Ian]: "Request for use cases: "canmakepayment" event"
14:43:40 [Ian]: smcgruer_[EST]: We are looking at privacy topics generally (Sandbox) and this touches on all APIs, including PR API and PH API.
14:43:47 [Ian]: ...we've published a list of issues
14:43:56 [Ian]: -> https://github.com/rsolomakhin/webpayments/blob/gh-pages/privacy/issues/README.md
14:44:04 [Ian]: ...we have some ideas for mitigations of these concerns
14:44:12 [Ian]: ...we'll discuss more at TPAC
14:44:25 [Ian]: ...canMakePayment (and equivalent in Android) carries a lot of information
14:44:46 [Ian]: ...so we'd like to be sure we understand the use cases for this functionality so that we can properly mitigate the risks.
14:46:42 [Ian]: Ian: Would be good at TPAC to hear more about Chrome [And Other] view of PR API future
14:46:48 [Ian]: smcgruer_[EST]: Yes, let's chat
14:47:04 [Ian]: Topic: AOB?
14:47:16 [Ian]: Topic: Next meeting
14:47:16 [Ian]: TPAC
14:47:30 [Ian]: (No meeting 1 or 8 Sep)
14:47:49 [Ian]: RRSAGENT, make minutes
14:47:49 [RRSAgent]: I have made the request to generate https://www.w3.org/2022/08/18-wpwg-minutes.html Ian
14:47:53 [Ian]: RRSAGENT, set logs public
15:00:50 [GregoireLeleux]: GregoireLeleux has left #wpwg
15:01:53 [careyf]: careyf has left #wpwg
15:01:57 [Steve_C]: Steve_C has joined #wpwg
15:02:38 [Bastien]: Bastien has left #wpwg
15:05:39 [Gerhard_]: Gerhard_ has joined #wpwg