13:58:56 <RRSAgent> RRSAgent has joined #wpwg
13:59:00 <RRSAgent> logging to https://www.w3.org/2024/04/25-wpwg-irc
13:59:00 <Ian> Meeting: Web Payments Working Group
13:59:12 <Gregoire> Gregoire has joined #wpwg
13:59:19 <Yannick> Yannick has joined #wpwg
13:59:23 <Ian> Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240425
13:59:28 <Ian> Scribe: Ian
13:59:32 <Ian> present+ Anne_Pouillard
13:59:35 <Ian> present+
13:59:40 <Ian> present+ Tomsaz_Blachowicz
13:59:43 <Ian> present+ Hari
13:59:48 <Ian> present+ Jeff_Owenson
13:59:50 <Hari> Hari has joined #wpwg
13:59:53 <Ian> present+ Roberio_Matsui
14:00:04 <Ian> present+ Kenneth_Diaz
14:00:10 <Ian> present+ Grégoire_Leleux
14:00:38 <Ian> agenda+ Issue 269 on Limitations for showing transaction data
14:00:41 <Ian> agenda+ Chrome updates
14:00:49 <Ian> agenda+ Ideas on support for roaming authenticators
14:00:54 <Ian> present+ Next meeting
14:01:02 <Ian> agenda+ Next meeting
14:01:14 <JL> JL has joined #wpwg
14:01:26 <Ian> present+ Fahad
14:01:37 <Ian> present+ Stephen_McGruer
14:01:53 <Ian> present+ Yannick_Seveant
14:01:59 <Ian> present+ Gustavo_Kok
14:02:04 <Ian> present+ Doug_Fisher
14:02:10 <Ian> present+ Vipul_Koul
14:02:16 <Ian> present+ Steve_Cole
14:02:22 <Ian> present+ Nick_Telford-Reed
14:02:38 <Ian> present+ Imran_Ahmed
14:02:50 <RRSAgent> I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:02:54 <Ian> present+ Gerhard_Oosthuizen
14:03:18 <Ian> zakim, take up item 1
14:03:18 <Zakim> agendum 1 -- Issue 269 on Limitations for showing transaction data -- taken up [from Ian]
14:03:21 <Ian> -> https://github.com/w3c/secure-payment-confirmation/issues/269 Issue 269
14:03:30 <Ian> Limitations for showing transaction data
14:03:40 <Ian> present+ Michael_Horne
14:03:44 <Ian> present+ Arman_Aygen
14:03:47 <Ian> present+ Sameer_Tare
14:04:04 <Ian> Stephen: We were contacted on this spec issue. We have multiple strings that can be displayed to the user.
14:04:08 <Ian> present+ Ravi_Shekhar
14:04:27 <Ian> Stephen: Question was "what are the limitations on this string" (e.g., newlines)
14:04:36 <Ian> present+ Jean-Michel_Girard
14:04:48 <Ian> Stephen: We should specify this in some way. I looked at WebAuthn.
14:05:22 <Ian> ...WebAuthn has no normative spec text; it just specifies that the user agent may truncate the display (even if the full string is sent to the authenticator)
14:05:38 <Ian> ...I think we all expect essentially 1-liner text.
14:05:45 <Ian> ... I also plan to look at the FedCM spec
14:06:01 <Ian> Ian: How does 3DS handle this sort of thing?
14:06:04 <JL> In 3DS: Length: Variable, maximum 40 characters. Type: String Same name used in the authorisation message as defined in ISO 8583-1
14:06:18 <JL> q+
14:06:22 <Ian> NickTR: I think field lengths are commonly defined in specifications.
14:06:27 <Ian> ack Jean
14:06:47 <Imran> Imran has joined #wpwg
14:06:47 <jmgirard> jmgirard has joined #wpwg
14:07:09 <Gregoire> Gregoire has joined #wpwg
14:07:10 <Ian> Jean-Luc: One reason for 40 char length is downstream requirements (ISO) related to those strings
14:07:20 <Ian> zakim, who's here?
14:07:20 <Zakim> Present: Anne_Pouillard, Ian, Tomsaz_Blachowicz, Hari, Jeff_Owenson, Roberio_Matsui, Kenneth_Diaz, Grégoire_Leleux, Next, meeting, Fahad, Stephen_McGruer, Yannick_Seveant,
14:07:23 <Zakim> ... Gustavo_Kok, Doug_Fisher, Vipul_Koul, Steve_Cole, Nick_Telford-Reed, Imran_Ahmed, Gerhard_Oosthuizen, Michael_Horne, Arman_Aygen, Sameer_Tare, Ravi_Shekhar, Jean-Michel_Girard
14:07:23 <Zakim> On IRC I see Gregoire, jmgirard, Imran, JL, Hari, Yannick, RRSAgent, Zakim, Anne, pea1358, canton, dlehn, slightlyoff, hober, ljharb, smcgruer_[EST], rouslan, hadleybeeman, tobie_,
14:07:23 <Zakim> ... nicktr, rbyers, Ian
14:07:42 <Arman> Arman has joined #WPWG
14:07:51 <Ian> Doug: I wonder about the reverse: would SPC display something that is allowed by 3DS?
14:08:02 <Ian> Stephen: For images, yes (e.g., resizing a 6K image)
14:08:24 <SameerT> SameerT has joined #wpwg
14:08:24 <Ian> Stephen: Does EMVCo spec say anything about newlines?
14:08:31 <SameerT> present+
14:08:40 <Ian> Doug: All ASCII characters are allowed (including NL)
14:09:05 <Ian> Tomasz: SRC spec defines similar elements (e.g., names, etc.) and usually 255 characters long
14:09:44 <Ian> ...in WebAuthn there are name/display name. The spec is nice and specifies a minimum length that the authenticator is able to accept. But authorizes the authenticator to truncate.
14:09:57 <Ian> ...it's ok if the information is truncated.
14:10:01 <smcgruer_[EST]> https://w3c.github.io/webauthn/#sctn-strings-truncation
14:10:55 <Ian> Ian: I would not support disparity between what is displayed and what is sent to the authenticator (unless there's a signal that something was truncated).
14:11:08 <Ian> (We look more closely at the WebAuthn spec definitions.)
14:11:16 <Ian> present+ Melissa_Sebastian
14:11:21 <smcgruer_[EST]> https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname
14:11:27 <smcgruer_[EST]> "Authenticators MUST accept and store a 64-byte minimum length for a displayName member’s value. Authenticators MAY truncate a displayName member’s value so that it fits within 64 bytes. See § 6.4.1 String Truncation about truncation and other considerations."
14:11:41 <Ian> Tomasz: When more data is provided, it's not an error, but gives authenticators a way to deal with it by truncating.
14:11:57 <Dfisher> Dfisher has joined #wpwg
14:12:19 <Ian> Ian: Does it suffice to point to WebAuthn?
14:12:29 <Ian> Stephen: Not for some fields
14:13:05 <JL> q+
14:13:29 <melissavs> melissavs has joined #wpwg
14:13:44 <Ian> Stephen: I am thinking of doing this: define a minimum that will be guaranteed, allow user agent to truncate; send truncated info to authenticator.
14:14:00 <Ian> ack J
14:14:08 <nicktr> q?
14:14:30 <SameerT> SameerT has joined #wpwg
14:14:30 <Ian> Jean-Luc: We may also need to look in to other downstream flows (e.g., ISO 20022)
14:14:48 <nicktr> q+
14:15:03 <Ian> ack N
14:15:17 <Ian> nicktr: ISO 20022 is more verbose in general than 8583.
14:15:46 <Ian> ...8583 would cover us for "old school" payments. 40 characters for payer, amount. 3 for currency
14:16:08 <Ian> ...I would advocate for going small to start an expending as the industry requires.
14:17:20 <Ian> Stephen: What minimum would be acceptable? I'm hearing 40
14:17:40 <Ian> NickTR: Let's reflect the lengths found in the 3DS integration.
14:17:53 <Ian> ....they've done the lifting.
14:17:59 <SameerT> Kudos to Nick on using the full version of the 3DS spec :)
14:18:39 <Ian> ACTION: Stephen to create a pull request re: issue 269 leveraging EMVCO 3DS values.
14:18:51 <Ian> Stephen: For PR API the currency is ISO 3-letter code
14:19:16 <Ian> ...value is a valid decimal monetary value.
14:19:55 <Ian> [We pause to note that PR API does not allow commas in currency values]
14:20:04 <Ian> Tomasz: UA should format according to localization preferences
14:21:10 <Ian> ack Gu
14:21:35 <Ian> Gustavo: EMVCo has solved for some of this.
14:21:43 <kenneth> kenneth has joined #wpwg
14:21:58 <nicktr> The 3DS 2.3.1.1 specification can be downloaded from here -> https://www.emvco.com/specifications/emv-3-d-secure-protocol-and-core-functions-specification-6/
14:22:07 <Ian> zakim, close item 1
14:22:07 <Zakim> agendum 1, Issue 269 on Limitations for showing transaction data, closed
14:22:09 <Zakim> I see 3 items remaining on the agenda; the next one is
14:22:09 <Zakim> 2. Chrome updates [from Ian]
14:22:17 <Ian> zakim, take up item 2
14:22:17 <Zakim> agendum 2 -- Chrome updates -- taken up [from Ian]
14:22:20 <nicktr> q?
14:22:56 <Ian> Stephen: Here are some updates on design iterations.
14:23:23 <Ian> ...we are still looking for feedback. This is intended to be iterative!
14:23:34 <Ian> ...some feedback we've received is not yet in the deck
14:24:40 <Ian> rrssgent, make minutes
14:24:43 <Ian> rrsgent, make minutes
14:24:48 <Ian> rrsagent, make minutes
14:24:49 <RRSAgent> I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:25:03 <Ian> Regrets+ Juliana_Cafik
14:25:48 <Ian> Stephen: We want to display issuer/network logos but without having them take over the UX
14:25:52 <Ian> ...text copy is draft
14:26:18 <Ian> ...we are looking at "authenticate another way" in the footer.
14:26:37 <Ian> This is where "opt-out" appears today, but nobody is using opt-out actively today. Our current proposal is to remove opt-out concept from the spec.
14:26:51 <Ian> ...we need to hear from you whether opt-out experience is necessary.
14:26:54 <nicktr> q+ to talk about network and issuer labels and implications for routing/regulation
14:26:58 <Ian> ack nick
14:26:58 <Zakim> nicktr, you wanted to talk about network and issuer labels and implications for routing/regulation
14:27:09 <Ian> nickTR: This is great; love the clean design.
14:27:24 <Ian> ...I want to wonder aloud about labels" Issuer" and "network"
14:27:35 <SameerT> q+
14:27:51 <Ian> ...also, what are the implications for jurisdictions where there might be a choice of routing?
14:27:51 <Ian> q?
14:27:57 <Ian> q+ Gerhard
14:27:59 <Ian> q+ Hari
14:28:41 <Hari> Hari has joined #wpwg
14:28:44 <Ian> Stephen: Nick is right; this is some of the first feedback we heard (re labels); this needs to be more flexible.
14:28:59 <Ian> ...we do expect this information overall to be optional.
14:29:11 <Ian> ack Se
14:29:11 <Ian> ack Sa
14:29:36 <gkok> gkok has joined #wpwg
14:29:39 <gkok> q+
14:29:49 <Ian> Sameer: The "network" and "issuer" labels may change in some markets; when it's optional and one logo is displayed, how would it appear?
14:30:14 <Ian> ...some logos may not appear as recognizable if you have a longer issuer name
14:30:48 <Ian> Sameer: Going back to opt-out. We think that opt-out during authentication is confusing (from a 3DS WG perspective)
14:30:52 <Ian> ack Ge
14:31:37 <Ian> Gerhard: There are different use cases (e.g., card, open banking, generic) and might adjust labels based on the accepted terminology and even layout of the use case.
14:31:45 <Ian> ..there are probably 15-20 such layouts in the world.
14:32:08 <Ian> ...regarding opt-out, it's tied to the signals available from the dialog.
14:33:03 <Ian> Gerhard: SPC can be used in 2 contexts: issuer-initiated and merchant-initiated. In the former case, if the user is already on the bank page, then saying "authenticate to your bank" is confusing.
14:33:25 <Ian> ...if there are better signals overall, might make it ok to remove opt-out.
14:33:36 <Ian> ...also, the display might need to change based on 1p or 3p call of SPC
14:33:54 <Ian> q+ Sameer
14:35:13 <Ian> Gerhard: Ah, now that I understand opt-out, +1 to removing it from the dialog
14:35:17 <Ian> q?
14:35:24 <Ian> ack Hari
14:35:25 <smcgruer_[EST]> Opt Out today https://usercontent.irccloud-cdn.com/file/cH5vhIc6/opt_out.png
14:35:48 <Ian> Hari: From end user perspective, I don't have a clear idea of how is authenticating me
14:36:00 <Ian> ...if we are bringing a PSP into the mix, how is that information shown?
14:37:23 <Ian> Stephen: the problem we ran into with "who is doing the authenticating"
14:37:33 <Ian> ...the URLs are not often understandable to users.
14:37:53 <Ian> ...(Ian adds: and not trustable to put the name of the party)
14:38:32 <SameerT> ACS on behalf of the issuer to be precise
14:38:33 <Ian> ...often 3DS challenge flows are doing by ACS's on behalf of banks.
14:38:55 <Ian> ....if we are talking about passkeys, what you want is the passkey owner name
14:39:03 <Ian> q?
14:39:12 <Ian> ack gkok
14:39:45 <Ian> gkok: What happens when transaction is tokenized?
14:40:10 <Ian> Stephen: All the information comes from the caller and will be optional.
14:40:43 <Ian> q?
14:40:47 <Ian> ack Sam
14:41:12 <Ian> Sameer: Regarding ACS Url, in most implementations the cardholders want to see the URLs, even if different than the URL of the issuer.
14:41:50 <Ian> ...rearding Gustavo's point, in the 3DS structure, the SPC input is being provided by the issuer.
14:42:07 <Ravi> Ravi has joined #wpwg
14:44:31 <gkok> q+
14:45:08 <Ian> IJ: Is it preferable to show confusing URL v. nothing?
14:45:48 <Ian> Stephen: The question is whether the "on behalf of" info info should be in the tx dialog in addition to the webauthn dialog.
14:46:19 <nicktr> q?
14:46:21 <smcgruer_[EST]> Here, rsolomakhin.github.io is the relying party https://usercontent.irccloud-cdn.com/file/gu2A4Y8q/webauthn_macos_dialog.png
14:46:33 <Ian> Ian: what if tx dialog has clue that info will be on the next screen?
14:46:35 <Ian> ack gkok
14:46:51 <Ian> gkok: I am wondering how much of an issue this is; we may just need to test on this.
14:47:45 <Ian> Stephen: We have not explored whether SPC should ping the RP directly during the flow at a .well-known URL. We could be much more confident what name to provide.
14:47:57 <dfisher> dfisher has joined #wpwg
14:48:35 <Ian> Ian: Maybe lazy (only if user wants to know.)
14:48:36 <Ian> q?
14:49:08 <RRSAgent> I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:53:21 <Ian> (Stephen also talks about some UX options that were rejected.)
14:54:19 <Ian> Stephen: e.g., logos from network and issuer at top were perceived as overly branded for browser-owned UX
14:54:39 <gkok> q+
14:54:39 <nicktr> q?
14:54:43 <Ian> ack gk
14:55:42 <Ian> zakim, take up item 3
14:55:42 <Zakim> agendum 3 -- Ideas on support for roaming authenticators -- taken up [from Ian]
14:55:46 <Ian> https://www.w3.org/2024/Talks/ij-roaming-20240425/ij-roaming-20240425.pdf
14:58:44 <RRSAgent> I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:59:01 <Ian> Nick: I think a longer discussion of this should happen at next call
14:59:12 <Ian> zakim , close item 3
14:59:14 <Ian> zakim, take up item 4
14:59:14 <Zakim> agendum 4 -- Next meeting -- taken up [from Ian]
14:59:19 <Ian> Next: 9 May
14:59:22 <Ian> RRSAGENT, make minutes
14:59:23 <RRSAgent> I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:59:32 <Ian> RRSAGENT, set logs public
14:59:44 <melissavs> melissavs has left #wpwg
15:00:59 <Gregoire> Gregoire has left #wpwg
15:58:04 <TallTed> TallTed has joined #wpwg