Agenda FTF2021
ianbjacobs edited this page Mar 31, 2021 · 137 revisions
This is the agenda of a WPWG meeting: 29 March - 1 April.
- Registration. Please register to help us manage attendance. See attendance below.
- Call in logistics. Requires a W3C Member account.
- Meet on irc.w3.org in #wpwg
Please Review Antitrust and Competition Guidance
Times shown below are ET. Other time zone hints: 15h00-17h00 UTC / 8-10am PDT / 4pm-6pm BST.
- 11:00-11:10: Welcome, IRC, Antitrust reminder (Nick Telford-Reed)
- 11:10-11:30: Background to the agenda / problem statements (slides) (Adrian Hope-Bailie)
- 11:30-12:30: SPC experimental results and discussion (Benjamin Tidor, Stripe)
- 12:30-13:00: EMV® 3DS risk assessment requirements (Sameer Tare, Mastercard)
- 11:00-12:00: SPC and frictionless flows (slides) (Gerhard Oosthuizen, Entersekt)
- 12:00-12:45: SPC and open banking (slides) (Chris Wood)
- 11:00-12:15: SPC design considerations and initial API thoughts (slides) (Danyao Wang, Google)
- 30 mins: Scope and parameters of the design space
- 10 mins: Crowdsource interest and priority for the use cases
- 30 mins: Open Discussion
- Next steps / call for editors for a task force
- 12:15-12:30: Worldline demo (Anne Pouillard, Worldline)
- 12:30-13:00: Discussion with Web Authentication WG (WebAuthn Chairs)
- Level 2 status, Level 3 plans, any new payments features needed?
- 11:00-12:00: SRC use cases and requirements (Jonathan Grossar, Mastercard)
- 12:00-12:30: Google origin trial for SPC (TENTATIVE)
- 12:30-13:00:
- Next meeting: 15 April (agenda)
- Proposed: Take up SPC as a formal work item of the Web Payments WG
- PR API Next Steps
- Overflow and wrap-up
- Chrome research on browser changes related to privacy / payments (Google)
This is a list of comments overheard during the meeting that may help us identify future requirements related to SPC.
- Is the core of SPC the transaction confirmation dialog?
- Make the enrollment flow a standardized part of SPC.
- Localization requirements of browser-standard displays
- Nature of SPC Credentials and relation to Web Authentication Credentials:
- RP should be able to upgrade a WebAuthn credential to an SPC credential (SPC as "drop-in" solution)
- Parties should be able to distinguish the type of credential for a credential id (namely: standard WebAuthn v. SPC Credential)
- UX behavior: if you don't have an authenticator, need silent fail to allow for seamless fallback.
- Allow flexibility for no user presence check
- See Entersekt proposal as starting point
- SPC should be usable in delegated authentication scenario (delegation to the merchant)
- Should SPC be tightly coupled to WebAuthn, or could it be used with other authentication techniques?
- Should be possible to do SPC enrollment outside payment flow
- Allow transaction to be completed (with initial ID&V) while SPC enrollment is happening.
- Should be able to call SPC from an iframe?
- Should be able to call SPC from a payment handler?
- Should roaming authenticators be included in SPC's scope?
- Open banking:
- What is value proposition to ASPSPs?
- Does extending the SPC draft to add the consent identifier as a challenge make sense?
- Is the name "Web Payments Cryptogram" too card-specific? Proposed: Payment Authorization Assertion
- How does the PISP get access to the public key for assertion verification? (Ian: Might be done out-of-band)
- SRC:
- SRCi/DCF can invoke FIDO, even as a non-RP origin, and retrieve FIDO assertion.
- SRCi/DCF has a mechanism to understand whether browser supports SPC
- SPC can be used with multiple payment methods
- SPC credential includes card metadata from relying party
- Transaction confirmation dialog displays card metadata, merchant origin, transaction amount.
- No requirement to have a FIDO challenge generated by the RP, as long as the party that generates it is an entity trusted within the SRC system.
- FIDO assertion data includes merchant identifier and transaction amount in the signature.
- What level of flexibility is required for nonce generation? Can browser generate one in some use cases?
- Benjamin Tidor (Stripe)
- Rolf Lindemann (Nok Nok Labs)
- Gerhard Oosthuizen (Entersekt)
- Adrian Hope-Bailie (Coil)
- Marcos Caceres (W3C)
- Stephen McGruer (Google)
- Michel Weksler (Airbnb)
- Who has registered
- Bastien Latge (EMVCo)
- Christina Hulka (FIDO)
- Sameer Tare (Mastercard)
- Richard Ledain (EMVCo)
- Christian Aabye (Visa)
- James Longstaff (Deutsche Bank)
- Jean-Luc di Manno (FIME)
- Gustavo Kok (Netflix)
- Rafael Cappelletti (Klarna)
- Ulf Leopold (Klarna)
- Daniele Berto (Klarna)
- Remo Fiorentino (Klarna)
- Timo Gmell (Klarna)
- Aleksei Akimov (Adyen)
- Antoine Cathelin (Adyen)
- Deepu K Sasidharan (Adyen)
- Eric Alvarez (Adyen)
- Lucas Bledsoe (Adyen)
- Marc Perez i Ribas (Adyen)
- Nils Brenkman (Adyen)
- Staci Shatsoff (US Federal Reserve Bank of Boston)
- Vish Shastry (PayPal)
- Gargi Sharma (PayPal)
- Ryan Regan (PayPal)
- Jayasaleen Shanmugam (PayPal)
- Kincaid O'Neil (Coil)