13:58:16 <RRSAgent> RRSAgent has joined #wpwg
13:58:20 <RRSAgent> logging to https://www.w3.org/2023/05/25-wpwg-irc
13:58:22 <Ian> Meeting: Web Payments Working Group
13:58:38 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20230525
13:58:49 <clinton> clinton has joined #wpwg
13:59:19 <Ian> Scribe: Ian
13:59:22 <Ian> present+
14:00:51 <clinton> apologies, I cannot find the dial in details..
14:00:53 <Ian> https://lists.w3.org/Archives/Public/public-payments-wg/2023May/0013.html
14:01:06 <Ian> https://www.w3.org/events/meetings/2a908b2a-b638-4432-87be-6e212be36684/20230525T100000
14:01:29 <clinton> TY
14:02:13 <benoit> benoit has joined #wpwg
14:02:21 <Ian> present+ Rouslan
14:02:24 <Ian> present+ Stephen
14:02:29 <Ian> present+ Frank_Delache
14:02:41 <Ian> present+ Anne_Pouillard
14:02:44 <Ian> present+ Clinton_Allen
14:03:53 <fdelache> fdelache has joined #wpwg
14:03:54 <Ian> present+ David_Benoit
14:04:11 <Gerhard> Gerhard has joined #wpwg
14:04:17 <Ian> present+ Nick_Telford-Reed
14:04:21 <Ian> chair: Nick
14:04:40 <Anne> Anne has joined #wpwg
14:04:55 <Ian> present+ Jean-Luc_di_Manno
14:04:59 <Ian> present+ Rolf_Lindemann
14:05:03 <Ian> present+ Nick_Burris
14:05:16 <Ian> present+ Fahad_Saleem
14:05:44 <Ian> agenda+ WPWG charter revision update
14:06:07 <Rolf> Rolf has joined #wpwg
14:06:24 <Ian> https://www.w3.org/groups/wg/payments/calendar
14:07:10 <Ian> zakim, take up item 1
14:07:10 <Zakim> agendum 1 -- WPWG charter revision update -- taken up [from Ian]
14:07:19 <Ian> present+ Bastien
14:07:40 <Ian> Ian: In progress
14:08:17 <nicktr> q?
14:08:25 <Gerhard> Cannot get into Webex? Can you pls share details?
14:08:30 <Bastien> Bastien has joined #WPWG
14:08:35 <Bastien> present+
14:08:54 <fdelache> Gerhard: https://www.google.com/url?q=https://us02web.zoom.us/j/86873854269?pwd%3DTk10WjBKQ3dUSjdNb0k1TTFEaUx4dz09&sa=D&source=calendar&ust=1685455624975438&usg=AOvVaw0L8hHx5nu15SYHwga8tVdS
14:09:19 <Ian> Topic: SPC to CR update
14:09:19 <JeanLuc> JeanLuc has joined #WPWG
14:10:18 <Ian>  present+ Gerhard
14:11:07 <Gerhard> (Thanks Franck!)
14:12:46 <Ian> Ian: aiming for 8 June; looking for Member testimonials
14:12:57 <Ian> Nick: We get more traction of course with testimonials
14:13:15 <Ian> Topic: Recap of joint discussion with WebAuthn WG
14:13:38 <Ian> https://lists.w3.org/Archives/Public/public-payments-wg/2023May/0008.html
14:15:33 <nicktr> Q+
14:15:43 <Ian> Ian: Iana registration underway
14:15:58 <Ian> NickTR: Google authenticator allows for backup to the cloud...what does this mean for us?
14:16:27 <Ian> ...you appear to be able to back up to google drive
14:17:06 <Ian> Gerhard: I think it was announced at international password day
14:17:06 <Ian> https://github.com/w3c/secure-payment-confirmation/issues/174
14:17:06 <Ian> Next steps on fallback UX and roaming authenticators?
14:17:23 <Gerhard> Article announcing this: https://security.googleblog.com/2023/04/google-authenticator-now-supports.html
14:19:09 <Ian> [Stephen presents]
14:19:37 <Ian> smcgruer_[EST]: I want to step back and look at the big picture
14:19:42 <Ian> ...there are 2 relevant properties:
14:19:49 <Ian> 1) Privacy - no credential probing!
14:20:06 <Ian> 2) Relying Party Security - 'cross-origin' authentication ceremony only with the RP's permission
14:20:34 <Ian> ...that is: the RP has to be cool with SPC cross-origin usage
14:20:45 <Ian> [Regarding credential probing]
14:21:01 <Ian> ...the site requires user consent to know if a user does or does not have a matching credential available.
14:21:24 <Ian> ...SPC dialog + Webauthn dialog are both used to get consent when credential available.
14:21:42 <Ian> ...but when credential not available...ability of user to consent that they do not have a credential does not exist today.
14:21:54 <Ian> ..the reason is that users don't know what it means to say "I don't have a credential"
14:22:15 <Ian> ...so SPC and WebAuthn combine two output states to make it impossible for the site to know "no credential available"
14:22:27 <Ian> ...those two flows leading to the same state are "user declines" and "user has no credential"
14:22:38 <Ian> ...but this opens up a timing attack
14:22:51 <Ian> ...to avoid that, both WebAuthn and SPC show *some sort of UI* when there are no matching credentials
14:23:14 <Ian> ...in the WebAuthn case, there is a choice of other authentication mechanisms.
14:23:26 <Ian> ...why is the probing topic relevant to authenticators?
14:23:41 <Ian> ...to show the right UX, the browser has to know what credentials are available.
14:23:51 <Ian> ...this is achieved through  credential listing API of some sort
14:24:05 <Ian> ...credential listing APIs exist on Android and Windows
14:24:18 <Ian> ...but change is afoot in Android...see credMan
14:24:32 <Ian> ..this will change how Chrome works
14:24:46 <Ian> ...on Windows 11 there is a credential  listing API
14:24:54 <Ian> ..there is no API for this yet on MacOS.
14:25:38 <Ian> ...on MacOS, by the way, Chrome uses its own credential store
14:25:38 <Ian> ..on iOS there is no credential listing API
14:26:19 <Ian> Rolf: ConditionalUI relates to this (and does exist)
14:26:34 <Ian> smcgruer_[EST]: The credential listing API underlies both ConditionalUI and SPC's choice of which UX to show
14:27:39 <Ian> smcgruer_[EST]: It is technically impossible to have a credential listing API for arbitrary roaming authenticators because you don't know if they exist.
14:27:54 <Ian> ...if roaming authenticators are plugged in, there are APIs via FIDO
14:28:30 <Ian> ...so what do we do with SPC when the credential listing API is not available? Today we cache the existence of the credential in the browser.
14:28:40 <Ian> ...this is problematic, because we lose cross-browser support
14:29:02 <Ian> ...also we are only caching SPC credentials, and not general WebAuthn credentials
14:29:20 <Ian> ...also cache can go bad if underlying state changes
14:29:40 <Ian> [Moving to the second requirement for cross-origin opt-in]
14:30:05 <Ian> smcgruer_[EST]: the third-party payment bit is not specified in FIDO.
14:30:28 <Ian> ..the browser needs to check two things (1) is a credential available? (2) is the cross-origin bit set?
14:30:43 <Ian> ...today only Android supports the third-party bit
14:31:03 <Ian> ...so on other platforms Chrome is caching information, which has the same problems.
14:31:13 <Ian> [The path forward]
14:31:26 <Ian> * Need to work with platform authenticators to support a listing credentials API.
14:31:38 <Ian> smcgruer_[EST]: I think we will see positive movement over the next 6 months
14:31:49 <Ian> ...that's how the winds are blowing
14:32:04 <Ian> * Need to work with platform authenticators to support the thirdPartyPayment bit
14:33:12 <Ian> * Need Android folks to address potential upcoming regressions for both of the above
14:34:00 <Ian> * Figure out a story for remote authenticators, for users to say "hey, I have a remote authenticator but it's not plugged in yet"
14:34:32 <Ian> * Fallback UX
14:34:34 <Ian> ...examples => http://www.w3.org/2023/03/spc-fallback.pdf
14:34:57 <Ian> q?
14:35:01 <nicktr> q-
14:35:25 <Ian> Fahad: The whole reason for credential listing, was that to replicate ConditionalUI but with a button?
14:35:38 <Ian> smcgruer_[EST]: I think that's why WebAuthn added the ability
14:36:40 <Ian> Rolf: Why wouldn't you add the credential selection part to the transaction dialog?
14:36:51 <Ian> smcgruer_[EST]: That's something we might need to do
14:40:58 <Ian> present+ Steve_Cole
14:41:06 <Ian> Rolf: Add roaming support for "use another way"
14:41:12 <Ian> ...that's what WebAuthn does today
14:41:40 <Ian> smcgruer_[EST]: That gets messy because people also want to use the phrase "user another way" to mean "don't use a passkey"
14:42:16 <Ian> ...Ian's deck shows moving from SPC 2-state exist (pass/fail) to 3-state exist (pass/cancel/doesnt-or-cant use passkey)
14:42:27 <Ian> ...to have roaming authenticators show up in the third bucket is non-trivial
14:43:41 <Ian> IJ: So how do we make progress?
14:43:59 <Ian> smcgruer_[EST]: See above last slide
14:45:14 <Ian> q?
14:45:17 <nicktr> q+
14:45:59 <Ian> ack nick
14:46:31 <Ian> nicktr: Where is best place to have discussion with platform authenticator providers?
14:46:42 <Ian> Rolf: regarding list credentials, suggest WebAuthn WG
14:46:52 <Ian> ...for the extra bit, likely more a FIDO discussion
14:47:30 <Ian> ...question is whether platform authenticators will implement that CTAP feature
14:49:56 <Ian> Ian: Maybe we write up deployment needs and share broadly, including TPAC
14:50:26 <Ian> Topic: Returning user recognition
14:50:26 <Ian> https://github.com/w3c/webpayments/wiki/Agenda-20230525#returning-user-recognition
14:51:38 <Ian> smcgruer_[EST]: We have publicly stated that in Q1 of 2024 Chrome, 1% of stable users will not have 3p cookies
14:51:55 <Ian> ...we are moving towards no 3p cookies later in 2024
14:52:08 <Ian> ...1% of stable users is a lot of people,
14:52:44 <Ian> ...suggest testing sites with Chrome settings where there are no 3p cookies and see what breaks
14:53:05 <Ian> nicktr: How are 3ds implementations looking with 3p cookie deprecation?
14:54:00 <Ian> Franck: This is something we'll have to test
14:54:13 <Ian> ..how can I easily test?
14:54:26 <smcgruer_[EST]> https://privacysandbox.com/news/the-next-stages-of-privacy-sandbox-general-availability
14:54:57 <smcgruer_[EST]> chrome://settings/cookies
14:55:03 <Ian> smcgruer_[EST]: You can test with your own cookie settings in your browser.
14:55:27 <Ian> ...we will also in Q4 of this year, we will have a mechanism to test on your domain
14:55:44 <Steve_C> Steve_C has joined #wpwg
14:56:03 <Ian> Franck: Any way to roll this out incrementally?
14:56:26 <Ian> smcgruer_[EST]: Normally the way this works is via origin trials. It's up to the domain to decide whether to enable something on a given visit
14:57:03 <Ian> [Regarding storage access]
14:57:19 <smcgruer_[EST]> https://github.com/cfredric/chrome-storage-access-api
14:57:47 <Ian> smcgruer_[EST]: Chrome is planning to ship Request Storage Access
14:58:00 <Ian> ...you can get back 3p cookie access with user consent
14:58:46 <Ian> ...this is an ack that there are no good solutions yet for some use cases and we need this for now
14:58:52 <Ian> ...still want to find better solutions
14:59:26 <smcgruer_[EST]> https://groups.google.com/a/chromium.org/g/blink-dev/c/vyXWn1W1daA/m/tL3f1_WbAwAJ?utm_medium=email&utm_source=footer&pli=1
14:59:34 <Ian> smcgruer_[EST]: Also, bounce tracking update
14:59:50 <Ian> ...we've announced public plans to address this
15:00:03 <Ian> ...if a user has visited a tracker themselves, we are basically saying "that's fine"
15:00:16 <Ian> ..but if you are an entity where the user has not interacted with your site, these changes will create issues
15:01:00 <Ian> Topic: Next meeting
15:01:03 <Ian> 8 June
15:01:07 <RRSAgent> I have made the request to generate https://www.w3.org/2023/05/25-wpwg-minutes.html Ian
15:01:54 <nicktr> next meeting is during Money2020 in Amsterdam, so I should give apologies
15:02:03 <Ian> ok
15:04:18 <bkardell_> bkardell_ has joined #wpwg
17:24:19 <Ian> zakim, bye
17:24:19 <Zakim> leaving.  As of this point the attendees have been Ian, Rouslan, Stephen, Frank_Delache, Anne_Pouillard, Clinton_Allen, David_Benoit, Nick_Telford-Reed, Jean-Luc_di_Manno,
17:24:19 <Zakim> Zakim has left #wpwg
17:24:23 <Ian> rrsagent, bye
17:24:23 <RRSAgent> I see no action items