Time-sensitive: Joint discussion with Web Authentication WG on 3 May from Ian Jacobs on 2023-05-03 (public-payments-wg@w3.org from May 2023)

From: Ian Jacobs <ij@w3.org>
Date: Tue, 2 May 2023 22:12:43 -0500
To: Payments WG <public-payments-wg@w3.org>
Message-Id: <864316F8-F11A-4748-B3D5-A5B599A53C28@w3.org>

Dear Web Payments WG,

First, I apologize for this late notice. I did not receive confirmation of this opportunity until today.

On two recent occasions we have invited the Web Authentication WG to come to the usual WPWG meeting
for a joint discussion of a number of topics; neither opportunity worked out. 

Instead, we have been invited to join the Web Authentication WG at their 3 May meeting (3-4pm ET). Here is the agenda,
which includes a link to meeting details:
 https://lists.w3.org/Archives/Public/public-webauthn/2023May/0008.html

Note: To access the call information, you need W3C Member access. If you don’t have that access, please contact me privately.

Below are the topics I proposed for the joint discussion.

I realize that many of you may not be able to attend the call. I expect to bring back a summary of the discussion to our
next WPWG call (currently scheduled for 25 May).

I hope that some of you can join and that we’ll have more opportunities up to and including at TPAC for joint discussion
with the WebAuthn WG.

Thank you,

Ian

===========================
Proposed topics for joint discussion

* WPWG issue 220 [1] is about registering SPC-related extensions with IANA. We have (potentially) two: (1) the ‘payment’ extension in SPC, and (2) the cross-origin usage of credentials bit in CTAP [2]. The former is “temporary” (but available) and the latter is intended to be long-term (but not yet available). How should we proceed with IANA registration?

* What’s the latest on Web Authentication (Level 3) that the WPWG should know about? Example:
- Pull request 1801 [3] has landed, meaning over time SPC could (in time) remove its own discussion of cross-origin credential creation.

* Any news on roaming authenticators and UX? SPC would like to support roaming authenticators but I think we are awaiting
  progress on the general UX. The last time we discussed this there were ideas like “Authenticator existence could be cached
  at the OS level.” 

* We also have an open issue regarding the impact of passkeys on SPC [4]. If there is any (public) news about passkeys that 
 we should be aware of in the WG (for SPC), an update would be welcome. However, I would understand if those discussions are ongoing
 in FIDO primarily and that an update to the WPWG is premature.

* Any other topics the WPWG may not be aware of?

[1] https://github.com/w3c/secure-payment-confirmation/issues/220
[2] https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-thirdPartyPayment-extension
[3] https://github.com/w3c/webauthn/pull/1801
[4] https://github.com/w3c/secure-payment-confirmation/issues/174

 --
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783

Received on Wednesday, 3 May 2023 03:12:47 UTC