[transition] CR Request for Secure Payment Confirmation (SPC) from sysbot+notifier@w3.org on 2023-05-10 (public-transition-announce@w3.org from May 2023)

From: <sysbot+notifier@w3.org>
Date: Wed, 10 May 2023 13:23:27 +0000
To: public-transition-announce@w3.org
Message-ID: <88908df1-25d6-2f19-0963-90b90ef17bd4@w3.org>
This is a transition request for a Candidate Recommendation
CR Request for Secure Payment Confirmation (SPC)
from https://github.com/w3c/transitions/issues/504

# Document title, URLs, estimated publication date
* Title: Secure Payment Confirmation
* Editor's draft: https://w3c.github.io/secure-payment-confirmation/
* Publication date: Second week of June 2023

# Abstract

<blockquote>
Secure Payment Confirmation (SPC) is a Web API to support streamlined
authentication during a payment transaction. It is designed to scale
authentication across merchants, to be used within a wide range of
authentication protocols, and to produce cryptographic evidence that
the user has confirmed transaction details.
</blockquote>

# Status
* [Status of the document](https://w3c.github.io/secure-payment-confirmation/#sotd)

# Link to group's decision to request transition
* [WPWG decision to request to go to CR](https://lists.w3.org/Archives/Public/public-payments-wg/2023May/0009.html)

# Changes

* [Commit history since FPWD](https://github.com/w3c/secure-payment-confirmation/compare/ae515e2dfeb4e86a1bdc4756e36fb5f7d2487a93...main)

* [Change history since FWPD](https://github.com/w3c/secure-payment-confirmation/compare/ae515e2dfeb4e86a1bdc4756e36fb5f7d2487a93...main#diff-6f5a1d8263b0b0c42e2716ba5750e3652e359532647ac934c1c70086ae3cedda)

# Requirements satisfied

* The specification was developed based on (and meets) requirements listed in the group's [requirements document](https://github.com/w3c/secure-payment-confirmation/blob/main/requirements.md)

# Dependencies met (or not)

The [WPWG charter](https://www.w3.org/Payments/WG/charter-2022) lists the following groups for coordination.

## Within W3C

* Web Authentication WG. The WPWG has met regularly with the Web Authentication WG as this version of SPC relies on Web Authentication. Over time, some SPC functionality has moved into Web Authentication or CTAP (standardized at the FIDO Alliance). Our coordination is ongoing to ensure that SPC aligns with the future
directions of Web Authentication.
* Web Payment Security Interest Group. The Web Payment Security Interest Group (WPSIG) discusses higher-level interop topics, and the WPWG focuses on APIs. The group's coordinate through overlapping participation, and occasional invitations to all WPSIG participants to join bigger WPWG meetings (e.g., remote meetings or TPAC).
* Web Application Security. The WPWG charter lists the Web Application Security Working Group as a point of contact for security review. The WPWG and Web Application Security WG have not coordinated. The staff contact of the WPWG reached out to the Chairs and staff contact of the Web Application Security WG to see whether that WG would like to review SPC; we received no reply after two weeks.

## External

* EMVCo. Two EMVCo specifications now reference SPC: EMV&reg; 3-D Secure version 2.3 and EMV&reg; Secure Remote Commerce 1.3. Coordination happens through both the WPSIG and directly via discussions within the WPWG.
* FIDO Alliance. Coordination happens through both the WPSIG and directly via discussions within the WPWG.
* Open Banking UK, STET, and Berlin Group. The team contact of the WPWG periodically provides updates to these organizations and invites them to participate in semi-annual meetings.

# Wide Review

* SPC has undergone two horizontal reviews, the first over the bulk of the specification, the second related to two substantive changes to the specification at the end of 2022. For details, see the [first list of horz review requests](https://lists.w3.org/Archives/Public/public-payments-wg/2022Aug/0009.html) and [second list of horz review requests](https://lists.w3.org/Archives/Public/public-payments-wg/2023Jan/0000.html). Those emails include links to GitHub where the review outcomes are documented. All reviews have led to outcomes to the satisfaction of the respective horizontal groups.
* SPC has also been reviewed by EMVCo as part of their integration of SPC into EMV&reg; 3-D Secure and EMV&reg; Secure Remote Commerce.
* At least two companies have made public their experimentation with SPC (Stripe and Adyen), which led to feedback on the specification.

# Issues addressed

* The WPWG identified (and closed) a set of issues to [close for "version 1" of SPC](https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aclosed), and has labeled other isseus as ["after version 1"](https://github.com/w3c/secure-payment-confirmation/issues?q=is%3Aissue+is%3Aopen+label%3Aafter-v1).

# Formal Objections

* None

# Implementation

* The Chromium browser code base supports SPC. SPC is available in Chrome and Edge on MacOS and Windows, as well as in [Chrome on Android](https://developer.chrome.com/blog/spc-on-android/).
* See the [preliminary implementation report](https://wpt.fyi/results/secure-payment-confirmation?label=experimental&label=master&aligned) and [test suite](https://github.com/web-platform-tests/wpt/tree/master/secure-payment-confirmation).
* To exit CR, the WPWG intends to show two impelmentations of SPC in user agents. 
* The WPWG will not request to advance to Proposed Recommendation before 1 August 2023.

# Patent disclosures

* [Disclosures page](https://www.w3.org/groups/wg/payments/ipr). There have been no disclosures or exclusions related to SPC.

-- 
This email was generated automatically using https://github.com/w3c/transition-issues-bot
Received on Wednesday, 10 May 2023 13:23:32 UTC