Skip to content

Agenda FTF2021

Jump to bottom
ianbjacobs edited this page Mar 31, 2021 · 137 revisions

This is the agenda of a WPWG meeting: 29 March - 1 April.

Background Reading

Minutes

Agenda

Please Review Antitrust and Competition Guidance

Times below shown are ET. Other time zone hints: 15h00-17h00 UTC / 8-10am PDT / 4pm-6pm BST.

29 March

  • 11:00-11:10: Welcome, IRC, Antitrust reminder (Nick Telford-Reed)
  • 11:10-11:30: Background to the agenda / problem statements (slides) (Adrian Hope-Bailie)
  • 11:30-12:30: SPC experimental results and discussion (Benjamin Tidor, Stripe)
  • 12:30-13:00: EMV® 3DS risk assessment requirements (Sameer Tare, Mastercard)

30 March

31 March

  • 11:00-12:30: SPC design considerations and initial API thoughts (slides(Danyao Wang, Google)
    • User journeys: today and ideally
    • Views on benefits of SPC
    • Requirements and assumptions
    • API ideas and task force
  • 12:00-12:15: Worldline demo (Anne Pouillard, Worldline)
  • 12:30-13:00: Discussion with Web Authentication WG (WebAuthn Chairs)
    • Level 2 status, Level 3 plans, any new payments features needed?

1 April

  • 11:00-12:00: SRC use cases and requirements (Jonathan Grossar, Mastercard)
  • 12:00-12:30: Google origin trial for SPC (TENTATIVE)
  • 12:30-13:00:
    • Next meeting: 15 April (agenda)
    • Proposed: Take up SPC as a formal work item of the Web Payments WG
    • PR API Next Steps
    • Overflow and wrap-up

Postponed:

  • Chrome research on browser changes related to privacy / payments (Google)

Requirements

This is a list of comments overheard during the meeting that may help us identify future requirements related to SPC.

  • Is the core of SPC the transaction confirmation dialog
  • Make the enrollment flow a standardized part of SPC.
  • Localization requirements of browser-standard displays
  • Nature of SPC Credentials and relation to Web Authentication Credentials:
    • RP should be able to upgrade a WebAuthn credential to an SPC credential (SPC as "drop-in" solution)
    • Parties should be able to distinguish the type of credential for a credential id (namely: standard Web Authn v. SPC Credential)
  • UX behavior: if you don't have an authenticator, need silent fail to allow for seamless fallback.
  • Allow flexibility for no user presence check
    • See Entersekt proposal as starting point
  • SPC should be usable in delegated authentication scenario (delegation to the merchant)
  • Should SPC be tightly coupled to WebAuthn, or could it be used with other authentication techniques?
  • Should be possible to do SPC enrollment outside payment flow
  • Allow transaction to be completed (with initial ID&V) while SPC enrollment is happening.
  • Should be able to call SPC from an iframe?
  • Should be able to call SPC from a payment handler?
  • Should roaming authenticators be included in SPC's scope?
  • Open banking:
    • What is value proposition to ASPSPs?
    • Does extending the SPC draft to add the consent identifer as a challenge make sense?
    • Is the name "Web Payments Cryptogram" too card-specific? Proposed: Payment Authorization Assertion
    • How does the PISP get access to the public key for assertion verification? (Ian: Might be done out-of-band)
  • SRC:
    • SRCi/DCF can invoke FIDO, even as a non-RP origin, and retrieve FIDO assertion.
    • SCRi/DCF has a mechanism to understand whether browser supports SPC
    • SPC can be used with multiple payment methods
    • SPC credential includes card metadata from relying party
    • Transaction confirmation dialog displays card metdata, merchant origin, transaction amount.
    • No requirement to have a FIDO challenge generated by the RP, as long as the party that generates it is an entity trusted within the SRC system.
    • FIDO assertion data includes merchant identifier and transaction amount in the signature.
  • What level of flexibility is required for nonce generation? Can browser generate one in some use cases?

Attendance

  • Who has registered
  • Bastien Latge (EMVCo)
  • Christina Hulka (FIDO)
  • Sameer Tare (Mastercard)
  • Richard Ledain (EMVCo)
  • Christian Aabye (Visa)
  • James Longstaff (Deutsche Bank)
  • Jean-Luc di Manno (FIME)
  • Gustavo Kok (Netflix)
  • Rafael Cappelletti (Klarna)
  • Ulf Leopold (Klarna)
  • Daniele Berto (Klarna)
  • Remo Fiorentino (Klarna)
  • Timo Gmell (Klarna)
  • Aleksei Akimov (Adyen)
  • Antoine Cathelin (Adyen)
  • Deepu K Sasidharan (Adyen)
  • Eric Alvarez (Adyen)
  • Lucas Bledsoe (Adyen)
  • Marc Perez i Ribas (Adyen)
  • Nils Brenkman (Adyen)
  • Staci Shatsoff (US Federal Reserve Bank of Boston)
  • Vish Shastry (PayPal)
  • Gargi Sharma (PayPal)
  • Ryan Regan (PayPal)
  • Jayasaleen Shanmugam (PayPal)
  • Kincaid O'Neil (Coil)

Home

How we work

Mailing list archives

Meetings

Issues

Tests

Adoption

Previous Topics

Clone this wiki locally