Agenda FTF2021 - w3c/webpayments GitHub Wiki

This is the agenda of a WPWG meeting: 29 March - 1 April.

Background Reading

Minutes

Agenda

Please Review Antitrust and Competition Guidance

Times below shown are ET. Other time zone hints: 15h00-17h00 UTC / 8-10am PDT / 4pm-6pm BST.

29 March

  • 11:00-11:10: Welcome, IRC, Antitrust reminder (Nick Telford-Reed)
  • 11:10-11:30: Background to the agenda / problem statements (slides) (Adrian Hope-Bailie)
  • 11:30-12:30: SPC experimental results and discussion (Benjamin Tidor, Stripe)
  • 12:30-13:00: EMV® 3DS risk assessment requirements (Sameer Tare, Mastercard)

30 March

31 March

  • 11:00-12:15: SPC design considerations and initial API thoughts (slides)(Danyao Wang, Google)
    • 30 mins: Scope and parameters of the design space
    • 10 mins: Crowdsource interest and priority for the use cases
    • 30 mins: Open Discussion
    • Next steps / call for editors for a task force
  • 12:15-12:40: Worldline demo (Anne Pouillard, Worldline)
  • 12:40-13:00: Second Google origin trial for SPC

1 April

  • 11:00-12:00: SRC use cases and requirements (slides) (Jonathan Grossar, Mastercard)
  • 12:00-12:30: Discussion with Web Authentication WG (WebAuthn Chairs)
    • Level 2 status, Level 3 plans, any new payments features needed?
  • 12:30-13:00:
    • Next meeting: 15 April (agenda)
    • SPC next steps: start task force, set up (new) repo
    • PR API Next Steps update
    • Overflow and wrap-up

Postponed:

  • Chrome research on browser changes related to privacy / payments (Google)

Requirements

This is a list of comments overheard during the meeting that may help us identify future requirements related to SPC.

  • Is the core of SPC the transaction confirmation dialog
  • Make the enrollment flow a standardized part of SPC.
  • Localization requirements of browser-standard displays
  • Nature of SPC Credentials and relation to Web Authentication Credentials:
    • RP should be able to upgrade a WebAuthn credential to an SPC credential (SPC as "drop-in" solution)
    • Parties should be able to distinguish the type of credential for a credential id (namely: standard Web Authn v. SPC Credential)
  • UX behavior: if you don't have an authenticator, need silent fail to allow for seamless fallback.
  • Allow flexibility for no user presence check
    • See Entersekt proposal as starting point
  • SPC should be usable in delegated authentication scenario (delegation to the merchant)
  • Should SPC be tightly coupled to WebAuthn, or could it be used with other authentication techniques?
  • Should be possible to do SPC enrollment outside payment flow
  • Allow transaction to be completed (with initial ID&V) while SPC enrollment is happening.
  • Should be able to call SPC from an iframe?
  • Should be able to call SPC from a payment handler?
  • Should roaming authenticators be included in SPC's scope?
  • Open banking:
    • What is value proposition to ASPSPs?
    • Does extending the SPC draft to add the consent identifer as a challenge make sense?
    • Is the name "Web Payments Cryptogram" too card-specific? Proposed: Payment Authorization Assertion
    • How does the PISP get access to the public key for assertion verification? (Ian: Might be done out-of-band)
  • SRC:
    • SRCi/DCF can invoke FIDO, even as a non-RP origin, and retrieve FIDO assertion.
    • SCRi/DCF has a mechanism to understand whether browser supports SPC
    • SPC can be used with multiple payment methods
    • SPC credential includes card metadata from relying party
    • Transaction confirmation dialog displays card metadata, merchant origin, transaction amount.
    • No requirement to have a FIDO challenge generated by the RP, as long as the party that generates it is an entity trusted within the SRC system.
    • FIDO assertion data includes merchant identifier and transaction amount in the signature.
    • To explore: How keys are exchanged between RPs (e.g., merchant) with SRC system (for validation)
    • Can SPC Credential be used to recognize a user returning to the same browser? E.g., authorized origin queries the browser in a payment context to retrieve all or part of SPC credentials stored for that origin or payment method.
  • What level of flexibility is required for nonce generation? Are there use cases where browser-generated challenges would be useful?
  • Use Large Blob to create portable stored data to reduce enrollment costs (cf. John Bradley)
  • We heard an idea for an opaque identifier to represent a payment credential as stored in the browser (or in Large Blob). The browser would know how to map the opaque identifier to metadata associated with the payment credential, such as art, credential id, and rpid. Enrollment would involve associating the opaque identifier with the payment instrument (on the RP server). It is likely that the opaque identifiers would (like credential ids) be origin-bound. (Note that such ids could be returned to merchants and would be privacy protecting, but they would lack routing information; is such routing information required in practice?)

See also: SPC issues list

SPC Task Force Volunteers

The following people have expressed interest in participating in an SPC task force:

  • Benjamin Tidor (Stripe)
  • Rolf Lindemann (Nok Nok Labs)
  • Gerhard Oosthuizen (Entersekt)
  • Adrian Hope-Bailie (Coil)
  • Marcos Caceres (W3C)
  • Stephen McGruer (Google)
  • Michel Weksler (Airbnb)
  • Sameer Tare (Mastercard)
  • Chris Wood

Attendance

  • Who has registered
  • Bastien Latge (EMVCo)
  • Christina Hulka (FIDO)
  • Sameer Tare (Mastercard)
  • Richard Ledain (EMVCo)
  • Christian Aabye (Visa)
  • James Longstaff (Deutsche Bank)
  • Jean-Luc di Manno (FIME)
  • Gustavo Kok (Netflix)
  • Rafael Cappelletti (Klarna)
  • Ulf Leopold (Klarna)
  • Daniele Berto (Klarna)
  • Remo Fiorentino (Klarna)
  • Timo Gmell (Klarna)
  • Aleksei Akimov (Adyen)
  • Antoine Cathelin (Adyen)
  • Deepu K Sasidharan (Adyen)
  • Eric Alvarez (Adyen)
  • Lucas Bledsoe (Adyen)
  • Marc Perez i Ribas (Adyen)
  • Nils Brenkman (Adyen)
  • Staci Shatsoff (US Federal Reserve Bank of Boston)
  • Vish Shastry (PayPal)
  • Gargi Sharma (PayPal)
  • Ryan Regan (PayPal)
  • Jayasaleen Shanmugam (PayPal)
  • Kincaid O'Neil (Coil)