IRC log of wpwg on 2024-04-25

Timestamps are in UTC.

13:58:56 [RRSAgent]
RRSAgent has joined #wpwg
13:59:00 [RRSAgent]
logging to https://www.w3.org/2024/04/25-wpwg-irc
13:59:00 [Ian]
Meeting: Web Payments Working Group
13:59:12 [Gregoire]
Gregoire has joined #wpwg
13:59:19 [Yannick]
Yannick has joined #wpwg
13:59:23 [Ian]
Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20240425
13:59:28 [Ian]
Scribe: Ian
13:59:32 [Ian]
present+ Anne_Pouillard
13:59:35 [Ian]
present+
13:59:40 [Ian]
present+ Tomsaz_Blachowicz
13:59:43 [Ian]
present+ Hari
13:59:48 [Ian]
present+ Jeff_Owenson
13:59:50 [Hari]
Hari has joined #wpwg
13:59:53 [Ian]
present+ Roberio_Matsui
14:00:04 [Ian]
present+ Kenneth_Diaz
14:00:10 [Ian]
present+ Grégoire_Leleux
14:00:38 [Ian]
agenda+ Issue 269 on Limitations for showing transaction data
14:00:41 [Ian]
agenda+ Chrome updates
14:00:49 [Ian]
agenda+ Ideas on support for roaming authenticators
14:00:54 [Ian]
present+ Next meeting
14:01:02 [Ian]
agenda+ Next meeting
14:01:14 [JL]
JL has joined #wpwg
14:01:26 [Ian]
present+ Fahad
14:01:37 [Ian]
present+ Stephen_McGruer
14:01:53 [Ian]
present+ Yannick_Seveant
14:01:59 [Ian]
present+ Gustavo_Kok
14:02:04 [Ian]
present+ Doug_Fisher
14:02:10 [Ian]
present+ Vipul_Koul
14:02:16 [Ian]
present+ Steve_Cole
14:02:22 [Ian]
present+ Nick_Telford-Reed
14:02:38 [Ian]
present+ Imran_Ahmed
14:02:50 [RRSAgent]
I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:02:54 [Ian]
present+ Gerhard_Oosthuizen
14:03:18 [Ian]
zakim, take up item 1
14:03:18 [Zakim]
agendum 1 -- Issue 269 on Limitations for showing transaction data -- taken up [from Ian]
14:03:21 [Ian]
-> https://github.com/w3c/secure-payment-confirmation/issues/269 Issue 269
14:03:30 [Ian]
Limitations for showing transaction data
14:03:40 [Ian]
present+ Michael_Horne
14:03:44 [Ian]
present+ Arman_Aygen
14:03:47 [Ian]
present+ Sameer_Tare
14:04:04 [Ian]
Stephen: We were contacted on this spec issue. We have multiple strings that can be displayed to the user.
14:04:08 [Ian]
present+ Ravi_Shekhar
14:04:27 [Ian]
Stephen: Question was "what are the limitations on this string" (e.g., newlines)
14:04:36 [Ian]
present+ Jean-Michel_Girard
14:04:48 [Ian]
Stephen: We should specify this in some way. I looked at WebAuthn.
14:05:22 [Ian]
...WebAuthn has no normative spec text; it just specifies that the user agent may truncate the display (even if the full string is sent to the authenticator)
14:05:38 [Ian]
...I think we all expect essentially 1-liner text.
14:05:45 [Ian]
... I also plan to look at the FedCM spec
14:06:01 [Ian]
Ian: How does 3DS handle this sort of thing?
14:06:04 [JL]
In 3DS: Length: Variable, maximum 40 characters. Type: String Same name used in the authorisation message as defined in ISO 8583-1
14:06:18 [JL]
q+
14:06:22 [Ian]
NickTR: I think field lengths are commonly defined in specifications.
14:06:27 [Ian]
ack Jean
14:06:47 [Imran]
Imran has joined #wpwg
14:06:47 [jmgirard]
jmgirard has joined #wpwg
14:07:09 [Gregoire]
Gregoire has joined #wpwg
14:07:10 [Ian]
Jean-Luc: One reason for 40 char length is downstream requirements (ISO) related to those strings
14:07:20 [Ian]
zakim, who's here?
14:07:20 [Zakim]
Present: Anne_Pouillard, Ian, Tomsaz_Blachowicz, Hari, Jeff_Owenson, Roberio_Matsui, Kenneth_Diaz, Grégoire_Leleux, Next, meeting, Fahad, Stephen_McGruer, Yannick_Seveant,
14:07:23 [Zakim]
... Gustavo_Kok, Doug_Fisher, Vipul_Koul, Steve_Cole, Nick_Telford-Reed, Imran_Ahmed, Gerhard_Oosthuizen, Michael_Horne, Arman_Aygen, Sameer_Tare, Ravi_Shekhar, Jean-Michel_Girard
14:07:23 [Zakim]
On IRC I see Gregoire, jmgirard, Imran, JL, Hari, Yannick, RRSAgent, Zakim, Anne, pea1358, canton, dlehn, slightlyoff, hober, ljharb, smcgruer_[EST], rouslan, hadleybeeman, tobie_,
14:07:23 [Zakim]
... nicktr, rbyers, Ian
14:07:42 [Arman]
Arman has joined #WPWG
14:07:51 [Ian]
Doug: I wonder about the reverse: would SPC display something that is allowed by 3DS?
14:08:02 [Ian]
Stephen: For images, yes (e.g., resizing a 6K image)
14:08:24 [SameerT]
SameerT has joined #wpwg
14:08:24 [Ian]
Stephen: Does EMVCo spec say anything about newlines?
14:08:31 [SameerT]
present+
14:08:40 [Ian]
Doug: All ASCII characters are allowed (including NL)
14:09:05 [Ian]
Tomasz: SRC spec defines similar elements (e.g., names, etc.) and usually 255 characters long
14:09:44 [Ian]
...in WebAuthn there are name/display name. The spec is nice and specifies a minimum length that the authenticator is able to accept. But authorizes the authenticator to truncate.
14:09:57 [Ian]
...it's ok if the information is truncated.
14:10:01 [smcgruer_[EST]]
https://w3c.github.io/webauthn/#sctn-strings-truncation
14:10:55 [Ian]
Ian: I would not support disparity between what is displayed and what is sent to the authenticator (unless there's a signal that something was truncated).
14:11:08 [Ian]
(We look more closely at the WebAuthn spec definitions.)
14:11:16 [Ian]
present+ Melissa_Sebastian
14:11:21 [smcgruer_[EST]]
https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname
14:11:27 [smcgruer_[EST]]
"Authenticators MUST accept and store a 64-byte minimum length for a displayName member’s value. Authenticators MAY truncate a displayName member’s value so that it fits within 64 bytes. See § 6.4.1 String Truncation about truncation and other considerations."
14:11:41 [Ian]
Tomasz: When more data is provided, it's not an error, but gives authenticators a way to deal with it by truncating.
14:11:57 [Dfisher]
Dfisher has joined #wpwg
14:12:19 [Ian]
Ian: Does it suffice to point to WebAuthn?
14:12:29 [Ian]
Stephen: Not for some fields
14:13:05 [JL]
q+
14:13:29 [melissavs]
melissavs has joined #wpwg
14:13:44 [Ian]
Stephen: I am thinking of doing this: define a minimum that will be guaranteed, allow user agent to truncate; send truncated info to authenticator.
14:14:00 [Ian]
ack J
14:14:08 [nicktr]
q?
14:14:30 [SameerT]
SameerT has joined #wpwg
14:14:30 [Ian]
Jean-Luc: We may also need to look into other downstream flows (e.g., ISO 20022)
14:14:48 [nicktr]
q+
14:15:03 [Ian]
ack N
14:15:17 [Ian]
nicktr: ISO 20022 is more verbose in general than 8583.
14:15:46 [Ian]
...8583 would cover us for "old school" payments. 40 characters for payer, amount. 3 for currency
14:16:08 [Ian]
...I would advocate for going small to start and expanding as the industry requires.
14:17:20 [Ian]
Stephen: What minimum would be acceptable? I'm hearing 40
14:17:40 [Ian]
NickTR: Let's reflect the lengths found in the 3DS integration.
14:17:53 [Ian]
....they've done the lifting.
14:17:59 [SameerT]
Kudos to Nick on using the full version of the 3DS spec :)
14:18:39 [Ian]
ACTION: Stephen to create a pull request re: issue 269 leveraging EMVCo 3DS values.
14:18:51 [Ian]
Stephen: For PR API the currency is ISO 3-letter code
14:19:16 [Ian]
...value is a valid decimal monetary value.
14:19:55 [Ian]
[We pause to note that PR API does not allow commas in currency values]
14:20:04 [Ian]
Tomasz: UA should format according to localization preferences
14:21:10 [Ian]
ack Gu
14:21:35 [Ian]
Gustavo: EMVCo has solved for some of this.
14:21:43 [kenneth]
kenneth has joined #wpwg
14:21:58 [nicktr]
The 3DS 2.3.1.1 specification can be downloaded from here -> https://www.emvco.com/specifications/emv-3-d-secure-protocol-and-core-functions-specification-6/
14:22:07 [Ian]
zakim, close item 1
14:22:07 [Zakim]
agendum 1, Issue 269 on Limitations for showing transaction data, closed
14:22:09 [Zakim]
I see 3 items remaining on the agenda; the next one is
14:22:09 [Zakim]
2. Chrome updates [from Ian]
14:22:17 [Ian]
zakim, take up item 2
14:22:17 [Zakim]
agendum 2 -- Chrome updates -- taken up [from Ian]
14:22:20 [nicktr]
q?
14:22:56 [Ian]
Stephen: Here are some updates on design iterations.
14:23:23 [Ian]
...we are still looking for feedback. This is intended to be iterative!
14:23:34 [Ian]
...some feedback we've received is not yet in the deck
14:24:40 [Ian]
rrssgent, make minutes
14:24:43 [Ian]
rrsgent, make minutes
14:24:48 [Ian]
rrsagent, make minutes
14:24:49 [RRSAgent]
I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:25:03 [Ian]
Regrets+ Juliana_Cafik
14:25:48 [Ian]
Stephen: We want to display issuer/network logos but without having them take over the UX
14:25:52 [Ian]
...text copy is draft
14:26:18 [Ian]
...we are looking at "authenticate another way" in the footer.
14:26:37 [Ian]
This is where "opt-out" appears today, but nobody is using opt-out actively today. Our current proposal is to remove opt-out concept from the spec.
14:26:51 [Ian]
...we need to hear from you whether opt-out experience is necessary.
14:26:54 [nicktr]
q+ to talk about network and issuer labels and implications for routing/regulation
14:26:58 [Ian]
ack nick
14:26:58 [Zakim]
nicktr, you wanted to talk about network and issuer labels and implications for routing/regulation
14:27:09 [Ian]
nickTR: This is great; love the clean design.
14:27:24 [Ian]
...I want to wonder aloud about labels "Issuer" and "network"
14:27:35 [SameerT]
q+
14:27:51 [Ian]
...also, what are the implications for jurisdictions where there might be a choice of routing?
14:27:51 [Ian]
q?
14:27:57 [Ian]
q+ Gerhard
14:27:59 [Ian]
q+ Hari
14:28:41 [Hari]
Hari has joined #wpwg
14:28:44 [Ian]
Stephen: Nick is right; this is some of the first feedback we heard (re labels); this needs to be more flexible.
14:28:59 [Ian]
...we do expect this information overall to be optional.
14:29:11 [Ian]
ack Se
14:29:11 [Ian]
ack Sa
14:29:36 [gkok]
gkok has joined #wpwg
14:29:39 [gkok]
q+
14:29:49 [Ian]
Sameer: The "network" and "issuer" labels may change in some markets; when it's optional and one logo is displayed, how would it appear?
14:30:14 [Ian]
...some logos may not appear as recognizable if you have a longer issuer name
14:30:48 [Ian]
Sameer: Going back to opt-out. We think that opt-out during authentication is confusing (from a 3DS WG perspective)
14:30:52 [Ian]
ack Ge
14:31:37 [Ian]
Gerhard: There are different use cases (e.g., card, open banking, generic) and might adjust labels based on the accepted terminology and even layout of the use case.
14:31:45 [Ian]
...there are probably 15-20 such layouts in the world.
14:32:08 [Ian]
...regarding opt-out, it's tied to the signals available from the dialog.
14:33:03 [Ian]
Gerhard: SPC can be used in 2 contexts: issuer-initiated and merchant-initiated. In the former case, if the user is already on the bank page, then saying "authenticate to your bank" is confusing.
14:33:25 [Ian]
...if there are better signals overall, might make it ok to remove opt-out.
14:33:36 [Ian]
...also, the display might need to change based on 1p or 3p call of SPC
14:33:54 [Ian]
q+ Sameer
14:35:13 [Ian]
Gerhard: Ah, now that I understand opt-out, +1 to removing it from the dialog
14:35:17 [Ian]
q?
14:35:24 [Ian]
ack Hari
14:35:25 [smcgruer_[EST]]
Opt Out today https://usercontent.irccloud-cdn.com/file/cH5vhIc6/opt_out.png
14:35:48 [Ian]
Hari: From end user perspective, I don't have a clear idea of who is authenticating me
14:36:00 [Ian]
...if we are bringing a PSP into the mix, how is that information shown?
14:37:23 [Ian]
Stephen: the problem we ran into with "who is doing the authenticating"
14:37:33 [Ian]
...the URLs are not often understandable to users.
14:37:53 [Ian]
...(Ian adds: and not trustable to put the name of the party)
14:38:32 [SameerT]
ACS on behalf of the issuer to be precise
14:38:33 [Ian]
...often 3DS challenge flows are done by ACSs on behalf of banks.
14:38:55 [Ian]
....if we are talking about passkeys, what you want is the passkey owner name
14:39:03 [Ian]
q?
14:39:12 [Ian]
ack gkok
14:39:45 [Ian]
gkok: What happens when transaction is tokenized?
14:40:10 [Ian]
Stephen: All the information comes from the caller and will be optional.
14:40:43 [Ian]
q?
14:40:47 [Ian]
ack Sam
14:41:12 [Ian]
Sameer: Regarding ACS URL, in most implementations the cardholders want to see the URLs, even if different than the URL of the issuer.
14:41:50 [Ian]
...regarding Gustavo's point, in the 3DS structure, the SPC input is being provided by the issuer.
14:42:07 [Ravi]
Ravi has joined #wpwg
14:44:31 [gkok]
q+
14:45:08 [Ian]
IJ: Is it preferable to show confusing URL v. nothing?
14:45:48 [Ian]
Stephen: The question is whether the "on behalf of" info should be in the tx dialog in addition to the webauthn dialog.
14:46:19 [nicktr]
q?
14:46:21 [smcgruer_[EST]]
Here, rsolomakhin.github.io is the relying party https://usercontent.irccloud-cdn.com/file/gu2A4Y8q/webauthn_macos_dialog.png
14:46:33 [Ian]
Ian: what if tx dialog has clue that info will be on the next screen?
14:46:35 [Ian]
ack gkok
14:46:51 [Ian]
gkok: I am wondering how much of an issue this is; we may just need to test on this.
14:47:45 [Ian]
Stephen: We have not explored whether SPC should ping the RP directly during the flow at a .well-known URL. We could be much more confident what name to provide.
14:47:57 [dfisher]
dfisher has joined #wpwg
14:48:35 [Ian]
Ian: Maybe lazy (only if user wants to know.)
14:48:36 [Ian]
q?
14:49:08 [RRSAgent]
I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:53:21 [Ian]
(Stephen also talks about some UX options that were rejected.)
14:54:19 [Ian]
Stephen: e.g., logos from network and issuer at top were perceived as overly branded for browser-owned UX
14:54:39 [gkok]
q+
14:54:39 [nicktr]
q?
14:54:43 [Ian]
ack gk
14:55:42 [Ian]
zakim, take up item 3
14:55:42 [Zakim]
agendum 3 -- Ideas on support for roaming authenticators -- taken up [from Ian]
14:55:46 [Ian]
https://www.w3.org/2024/Talks/ij-roaming-20240425/ij-roaming-20240425.pdf
14:58:44 [RRSAgent]
I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:59:01 [Ian]
Nick: I think a longer discussion of this should happen at next call
14:59:12 [Ian]
zakim , close item 3
14:59:14 [Ian]
zakim, take up item 4
14:59:14 [Zakim]
agendum 4 -- Next meeting -- taken up [from Ian]
14:59:19 [Ian]
Next: 9 May
14:59:22 [Ian]
RRSAGENT, make minutes
14:59:23 [RRSAgent]
I have made the request to generate https://www.w3.org/2024/04/25-wpwg-minutes.html Ian
14:59:32 [Ian]
RRSAGENT, set logs public
14:59:44 [melissavs]
melissavs has left #wpwg
15:00:59 [Gregoire]
Gregoire has left #wpwg
15:58:04 [TallTed]
TallTed has joined #wpwg