LGTM3 On Thu, Sep 2, 2021 at 12:25 PM Mike West <[email protected]> wrote:
> LGTM2. This has been approved via internal security and privacy review, > has gotten substantial developer feedback during OT, and serves a useful > purpose. > > I would ask y'all to pay attention to the TAG in case they provide > substantive feedback in the near future. But given that the review was > initially filed a year ago, and the conversation stalled in January, I > don't think we need to block on their input. > > -mike > > > On Thu, Sep 2, 2021 at 9:19 PM Alex Russell <[email protected]> > wrote: > >> LGTM1 >> >> On Wednesday, September 1, 2021 at 5:49:12 PM UTC+1 Stephen McGruer wrote: >> >>> > and one which impacted >>> <https://twitter.com/yoavweiss/status/1382050433632456711> me as a user >>> >>> Oof! Yes, we'd like to help figure out a way to make *that* not >>> happen... >>> >>> > What would be the timelines for [the commitment to see through the WPT >>> test suite]? >>> >>> My team will be working on test automation for SPC in Q4 2021. As the >>> ex-lead of WPT in Chromium, I am quite insistent that we get it done :D. >>> >>> > Any feedback from the Origin Trial? >>> >>> During the Origin Trial we did iterate on the API shape significantly, >>> but that more came from discussions in the working group than Origin Trial >>> participant feedback (who are themselves also in the working group, so some >>> overlap). >>> >>> From our Origin Trial partners, we mostly heard that the overall >>> experience is working for them and that they're really excited to be able >>> to build lower-friction authentication solutions in the payments space! >>> >>> >>> On Wed, 1 Sept 2021 at 10:26, Yoav Weiss <[email protected]> wrote: >>> >>>> Thanks for working on this! This seems like an important problem to >>>> solve. (and one which impacted >>>> <https://twitter.com/yoavweiss/status/1382050433632456711> me as a >>>> user) >>>> >>>> On Fri, Aug 27, 2021 at 4:04 PM Stephen Mcgruer <[email protected]> >>>> wrote: >>>> >>>>> Contact [email protected], [email protected], >>>>> [email protected], [email protected] >>>>> >>>>> Explainerhttps://github.com/w3c/secure-payment-confirmation >>>>> >>>>> Specificationhttps://w3c.github.io/secure-payment-confirmation/ >>>>> >>>>> Summary >>>>> >>>>> Secure payment confirmation augments the payment authentication >>>>> experience on the web with the help of WebAuthn. The feature adds a new >>>>> 'payment' extension to WebAuthn, which allows a relying party such as a >>>>> bank to create a PublicKeyCredential that can be queried by any merchant >>>>> origin as part of an online checkout via the Payment Request API using the >>>>> 'secure-payment-confirmation payment' method. >>>>> >>>>> Blink componentBlink>Payments >>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments> >>>>> >>>>> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/544 >>>>> >>>>> TAG review statusPending >>>>> >>>>> *Supported on all platforms?* >>>>> No. >>>>> >>>>> SPC is launching on MacOS and Windows only initially, as they are >>>>> platforms that have built-in authenticators and which payment partners >>>>> have >>>>> noted as important targets. >>>>> >>>>> Android has browser-level support for SPC, but is excluded from the >>>>> launch due to the lack of Discoverable Credentials currently. We will add >>>>> Android once the platform supports that. >>>>> >>>>> Risks >>>>> Interoperability and Compatibility >>>>> >>>>> This feature adds a WebAuthn extension and PaymentRequest payment >>>>> method type, so the interop risk is that other browsers do not implement >>>>> these types. The feature is detectable (though it could be easier[0]), so >>>>> it should be possible for Web Developers to determine if SPC is enabled >>>>> for >>>>> a given user agent visiting their site. There is a risk that the feature >>>>> will evolve away from the PaymentRequest API[1], which would then require >>>>> a >>>>> deprecation of the current API entry-point. It is worth noting that >>>>> deprecations for payment are often easier than for the general web, as >>>>> there are far, far fewer payment developers and websites that accept >>>>> payments are almost always kept up to date (or their payment integrations >>>>> might break!). [0]: >>>>> https://github.com/w3c/secure-payment-confirmation/issues/81#issuecomment-885046226 >>>>> [1]: https://github.com/w3c/secure-payment-confirmation/issues/65 >>>>> >>>>> Gecko: No signal ( >>>>> https://github.com/mozilla/standards-positions/issues/570 >>>>> <https://chromestatus.com/admin/features/launch/5702310124584960/5?intent=1>) >>>>> Historically (>1 year old) positive signal from informal conversation in >>>>> W3C Payment Handler meetings. However Firefox have since not been involved >>>>> in the API development. >>>>> >>>>> WebKit: No signal ( >>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html) >>>>> >>>>> Web developers: Positive ( >>>>> https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html) >>>>> Support and involvement in API development from multiple web developers >>>>> and >>>>> payment industry partners. Both Stripe and AirBnB have publicly stated >>>>> that >>>>> they have either completed or are in the process of >>>>> prototyping/experimenting with SPC >>>>> >>>>> Debuggability >>>>> >>>>> Existing devtools debugging features should cover SPC (e.g. >>>>> breakpoints, console, etc) >>>>> >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>> ?Partially >>>>> >>>>> >>>>> https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned >>>>> >>>>> The WPT test suite is only partially complete and needs to be >>>>> extended, but this first requires building out test automation machinery >>>>> and content_shell support. The team is committed to this post initial >>>>> launch. >>>>> >>>> >>>> What would be the timelines for that commitment? >>>> >>>> >>>>> >>>>> Requires code in //chrome?True >>>>> >>>>> Tracking bughttps://crbug.com/1124927 >>>>> >>>>> Launch bug >>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1236570# >>>>> >>>>> Estimated milestones >>>>> Ship: M95. Note that this is directly after the end of the Origin >>>>> Trial, so we are still trying to determine whether we should do the 'week >>>>> off' approach or apply for a no-skip transition. For the latter option, I >>>>> think we may meet the bar. We've significantly changed the API in both M93 >>>>> and M94 during the origin trial, and so M95 for example is not compatible >>>>> with someone using code from M93. >>>>> >>>>> Link to entry on the Chrome Platform Status >>>>> https://chromestatus.com/feature/5702310124584960 >>>>> >>>>> Links to previous Intent discussionsIntent to prototype: >>>>> https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion >>>>> Intent to Experiment: >>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8 >>>>> >>>> >>>> Any feedback from the Origin Trial? >>>> >>>> >>>>> >>>>> >>>>> This intent message was generated by Chrome Platform Status >>>>> <https://www.chromestatus.com/>, and then hand-edited. >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Maf_i31Fw0VLVbaLfmvNDS1kqWb-RqbOei_in7O0jXC89Q%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Maf_i31Fw0VLVbaLfmvNDS1kqWb-RqbOei_in7O0jXC89Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d69add5b-7cf8-4722-a088-252951ae095cn%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d69add5b-7cf8-4722-a088-252951ae095cn%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DfYTyLpiY%3D2KqAXG4FL-f9YRqhMVMAsDHRKugRHZud-Zg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DfYTyLpiY%3D2KqAXG4FL-f9YRqhMVMAsDHRKugRHZud-Zg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw8uPHERWwN6eBiXK%2BObHDpOyjg9rfy_6_7X_iN-uKcm6w%40mail.gmail.com.
