14:58:38 <RRSAgent> RRSAgent has joined #wpwg
14:58:43 <RRSAgent> logging to https://www.w3.org/2024/02/01-wpwg-irc
14:58:43 <Ian> Meeting: Web Payments Working Group
14:58:59 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240201
14:59:17 <Ian> present+
14:59:23 <Ian> present+ Haribalu
15:00:16 <Ian> present+ Fahad
15:00:20 <Ian> present+ Sameer
15:00:31 <JeanLuc> JeanLuc has joined #WPWG
15:00:46 <Ian> present+ Anthony_Lopreiato
15:00:59 <Ian> Chair: Nick_Telford-Reed
15:01:04 <Ian> present+ Stephen
15:01:09 <Ian> present+ Jean-Luc
15:01:15 <Ian> present+ Steve_Cole
15:01:22 <Ian> present+ Tony_England
15:01:27 <Ian> present+ Anne_Pouillard
15:01:45 <Ian> present+ Ravi_Shekhar
15:01:49 <Anne> Anne has joined #wpwg
15:01:55 <RRSAgent> I have made the request to generate https://www.w3.org/2024/02/01-wpwg-minutes.html Ian
15:02:04 <fahad> fahad has joined #wpwg
15:02:05 <Ian> present+ Tomasz_Blachowicz
15:02:37 <Ian> present+ Doug_Fisher
15:03:39 <Ian> present+ David_Benoit
15:03:45 <Tony_> Tony_ has joined #wpwg
15:03:49 <Ian> present+ Gerhard_Oosthuizen
15:04:20 <Ian> present+ Bastien_Latge
15:04:32 <Ian> present+ Praveena
15:04:52 <Tony_> present+
15:05:21 <Ian> Topic: Welcome
15:05:55 <Ian> [Hari, Ravi from PayPal say hi]
15:06:55 <Ian> [Tony Lopreiato says hi]
15:07:44 <Ian> NickTR: If you are new to the group, some ways we work (e.g., IRC) are a bit unique
15:08:01 <Gerhard> Gerhard has joined #wpwg
15:08:09 <praveenas> praveenas has joined #wpwg
15:08:27 <benoit> benoit has joined #wpwg
15:08:32 <Ian> present+ Leo
15:08:42 <dougf> dougf has joined #wpwg
15:09:05 <Ian> Nick: No dumb questions. We push for consensus; genuine collaboration effort.
15:09:45 <Ian> Topic: Chrome response to SPC feedback and prioritization
15:10:47 <Ian> Stephen: I had hoped today to present some early findings from UX work; that will have to wait for a couple of weeks. But we do have a dedicated UX'er on our team
15:10:56 <Ian> ...looking at the feedback from Q4 2023
15:11:18 <Ian> ...at the moment we are focused on some high-level areas:
15:11:19 <Ian> * UX
15:11:23 <Ian> * Device binding
15:12:03 <Ian> ...within UX we heard two large buckets - feedback on UX today and feedback on other use cases
15:12:19 <Ian> ...for the moment we are starting with the current UX (e.g,. size of card art, issuer icons, fallback flow)
15:12:23 <Ian> q+
15:12:32 <Bastien> Bastien has joined #WPWG
15:12:36 <SameerT> SameerT has joined #wpwg
15:12:36 <Bastien> present+
15:12:38 <Steve_C> Steve_C has joined #wpwg
15:12:41 <SameerT> present+
15:12:58 <Leonard__Mastercard_> Leonard__Mastercard_ has joined #wpwg
15:13:28 <Ian> Ian: In 2 weeks some interesting ideas from Gerhard.
15:13:38 <ravi_shekhar> ravi_shekhar has joined #wpwg
15:13:45 <Ian> Stephen: Some things that we don't expect to happen in the short term -- Native SPC in Android.
15:14:07 <Leonard__Mastercard_> quick question: is the "UX person" part of the FIDO alliance UX Working Group?
15:14:08 <Ian> ...our stance is the same for recurring payments and non-payments use cases. We have not yet seen enough investment in SPC to go there yet.
15:14:22 <nicktr> q?
15:14:24 <nicktr> ack ian
15:14:25 <Ian> q-
15:14:36 <Tony_Lopreiato> Tony_Lopreiato has joined #wpwg
15:14:45 <Ian> Stephen: We are still pushing for more native authenticator support (e.g., 3p bit support on Windows)
15:15:12 <Ian> Stephen: Regarding remote authenticators and hybrid, it's an area of interest but not yet strongly working on it...but we do want to continue working on it
15:15:18 <Ian> q+
15:15:30 <Ian> NickTR: Very exciting to have a dedicated UX person
15:17:10 <fahad> fahad has joined #wpwg
15:17:59 <Gerhard> q+
15:18:08 <Ian> Ian: If Chromium appears on iOS might SPC be available?
15:18:11 <nicktr> ack ian
15:18:30 <Gerhard> q-
15:18:30 <nicktr> q+
15:18:37 <Ian> Stephen: No reason not to. I'd be interested hear from people on that.
15:18:59 <Ian> present+ Kenneth_Diaz
15:20:01 <Ian> NickTR: I saw a post from Eiji posting about an android functionality to turn passwords into passkeys. could that be used to magically upscale credentials for SPC?
15:20:14 <Ian> Stephen: I don't think it supports 3p payment but we should look into that.
15:20:48 <nicktr> ack nicktr
15:21:36 <JeanLuc> q+
15:21:40 <Ian> IJ: Is there any news on ACS deployments of SPC
15:21:44 <Ian> ack Jean
15:22:05 <Ian> JeanLuc: As far as I know, 3.2.1 certification has started. We might see some activation later in 2024.
15:22:18 <Tony_> Tony_ has joined #wpwg
15:22:18 <SameerT> q+
15:22:21 <Ian> ack Sameer
15:22:42 <Ian> SameerT: +1 to JeanLuc; although that may not mean everyone is offering it yet.
15:23:20 <Ian> ...2.3.1.1 is the latest version
15:23:31 <nicktr> q?
15:24:22 <Ian> Ian: Stephen, what's the latest with 3p create() with WebAuthn?
15:24:57 <Ian> Stephen: Yes, we've landed it in Canary. Will be in Chrome 123 stable around March. This was possible in SPC and now extends to any WebAuthn creation even without 3p payment bit.
15:25:08 <Ian> ...there's a new permission policy that mirrors the existing one.
15:25:09 <Gerhard> q+
15:25:45 <Ian> Stephen: One thing that will affect this group is that at some point we'll migrate the permission policy from SPC spec to the WebAuthn spec; we'll want to deprecate the SPC one in the future.
15:26:01 <Ian> ...we also throw the wrong type of error in SPC (if you don't have user activation)
15:26:05 <nicktr> issue is here -> https://github.com/w3c/secure-payment-confirmation/issues/267
15:26:08 <Ian> ack Ger
15:26:39 <Ian> Gerhard: In the past we've had challenges with using FIDO in iframe (from EMVCo's perspective).
15:27:00 <Ian> ...given what Stephen has said, what is the state of EMVCo's recommendation around iframe initiation and permissions?
15:27:06 <smcgruer_[EST]> https://w3c.github.io/webauthn/#sctn-permissions-policy
15:27:08 <SameerT> q+
15:27:11 <Ian> ack SameerT
15:27:16 <smcgruer_[EST]> "This specification defines two policy-controlled features identified by the feature-identifier tokens "publickey-credentials-create" and "publickey-credentials-get". Their default allowlists are both 'self'. [Permissions-Policy]"
15:27:20 <Ian> SameerT: A query is always welcome.
15:27:32 <Ian> ...I'll take this back to the WG
15:27:48 <Ian> ...we'll have to evaluate any spec changes
15:28:02 <Ian> ...we could already start communicating changes in FAQs and good practices guides.
15:28:02 <Ian> q?
15:28:03 <nicktr> q?
15:28:31 <Ian> SameerT: Stephen, how does 3p create() interact with passkey providers where the credential might be a passkey?
15:29:28 <Ian> Stephen: Regarding syncing of passkeys, there is a new device-binding proposal under discussion.
15:29:48 <Ian> ...it's clear to the Chrome team that device-binding is an important element for financial services use casejsj.
15:29:54 <Ian> s/casejsj/cases
15:30:14 <Ian> q+
15:31:15 <Ian> ack me
15:32:33 <Ian> Ian: Maybe you get device public key through SPC, both to demonstrate value and also to add value other SPC.
15:32:47 <Ian> Stephen: Probably won't need to do that since we want this more generally.
15:33:09 <Gerhard> q+
15:33:45 <Ian> ack Gerhard
15:34:20 <Ian> Gerhard: Let's unpack this. Device-binding can be good for some purposes but also raises privacy issues.
15:34:49 <smcgruer_[EST]> q+
15:34:55 <Ian> ...an idea would be to find the right way to create siloed device-bindings (merchant origin/bank pair)
15:35:30 <Ian> ack smcgruer_[EST]
15:35:37 <Ian> smcgruer_[EST]: That's an interesting take
15:36:33 <Ian> ..for a given pair (or chain more broadly) you can do whatever you want. This is the CHIPS proposal; most of our privacy work seems headed in this direction.
15:36:53 <Ian> ...if you wanted to bind merchant A and bank B you can do that without any UI (with CHIPS)
15:37:26 <Ian> ...the place where SPC/FIDO/Request Storage access enter is when you want cross-domain state
15:38:10 <Ian> ...do others agree that pairwise bindings suffice?
15:38:33 <Ian> Gerhard: We'll take what we can get. The hierarchy will help returning users on the same merchant.
15:38:52 <Ian> ...but one of my biggest concerns is the question "are there FIDO credentials on this device?"
15:39:08 <JeanLuc> q+
15:39:26 <Ian> Gerhard: the risk signal would definitely help us
15:39:46 <Ian> ...I'd like to increase the predictability of SPC's availability (and UX)
15:39:48 <nicktr> q?
15:39:49 <smcgruer_[EST]> q?
15:39:50 <smcgruer_[EST]> q+
15:40:14 <nicktr> ack JeanLuc
15:41:10 <Ian> Jean-Luc: There are 2 other important aspects. It's important to be able to tie a private key to a device for risk management.
15:41:18 <Ian> ...and to increase the chances of low friction authentication.
15:41:39 <Ian> ...DBSC is interesting here as well; with that we can rely on the private key remaining in the OS TPM
15:42:01 <Ian> ack smcgruer_[EST]
15:42:46 <Ian> smcgruer_[EST]: TPM is a great improvement.
15:43:16 <Ian> ...it came as a secure measure for avoiding cookie theft but also provides a great possession factor.
15:44:10 <Ian> smcgruer_[EST]: We may want to go back to WebAuthn regarding information available silently.
15:44:18 <Ian> q+
15:44:18 <Gerhard> q+
15:44:58 <nicktr> ack ian
15:45:55 <SameerT> +1 to RP (in 3p context) checking for it's own or associated credential being available on a device
15:46:16 <nicktr> q+ to ask about feature detection
15:46:25 <Ian> Ian: I think it would make sense to answer question "Is there a credential associated with my origin on this device?"
15:46:43 <Ian> smcgruer_[EST]; Maybe. in some cases it may not be obvious to know the answer (due to synching)
15:46:44 <Ian> q?
15:46:47 <Ian> ack Gerhard
15:47:29 <Ian> Gerhard: the fact that WebAuthn came up with discoverable credentials indicates that they consider this important. It might be useful to go to PING to see what they think about this idea.
15:48:01 <Ian> ...another option is to ask whether SPC could be conditional UI -available
15:48:45 <Ian> q?
15:48:49 <Ian> ack nic
15:48:49 <Zakim> nicktr, you wanted to ask about feature detection
15:49:34 <Ian> nicktr: Given that SPC is currently an extension of PR API and PR API has a feature detection mechanism with canMakePayment(), is there a mechanism therein to allow an appropriately provisioned provider to ask if there's a credential?
15:50:22 <Ian> smcgruer_[EST]: What does "appropriately provisioned" mean? We have multiple issues filed against canMakePayment() wrt privacy sandbox.
15:51:28 <nicktr> q?
15:52:28 <Ian> https://www.w3.org/events/happenings/2024/w3c-in-europe-member-meeting/
15:52:45 <Ian> https://www.w3.org/events/meetings/6e0d77c5-06a4-47c5-a282-b44bdf1d7849/
15:52:45 <nicktr> All issues concerning SPC can be tracked here -> https://github.com/w3c/secure-payment-confirmation/issues
15:56:53 <Ian> Topic: Upcoming W3C European Member Meeting
15:57:11 <Ian> Ian: Jean-Luc will present on 6 February. Quick question: your sides show fraud going up in Europe (even with SCA)
15:57:21 <Ian> Jean-Luc: Due to friendly fraud (e.g., due to phishing)
15:57:59 <nicktr> s/friendly fraud/authorised push payment fraud/
15:58:27 <JeanLuc> q+
15:58:57 <nicktr> ack JeanLuc
15:58:58 <Ian> Ian: Should we be discussing authorised push payment fraud on our agenda?
15:59:17 <Ian> Jean-Luc: To things could be interesting: UVI and UVM
15:59:48 <Ian> ...these are WebAuthn extensions
16:00:26 <Ian> ACTION: Stephen to look into UVM extension and report back on its capabilities and deployment to the WG
16:00:33 <Ian> Topic: Next meeting
16:00:33 <Ian> 15 February
16:00:46 <RRSAgent> I have made the request to generate https://www.w3.org/2024/02/01-wpwg-minutes.html Ian
16:01:24 <Ian> RRSAGENT, set logs public
16:01:32 <TallTed> TallTed has joined #wpwg
17:59:36 <Zakim> Zakim has left #wpwg