LGTM for gapless OT transition.

On Wed, Sep 8, 2021 at 5:35 PM Stephen Mcgruer <[email protected]> wrote:
> Thank you all for the LGTMs (all four of them ;)).
>
> One additional piece of business; having discussed with our partners, *we
> would like to request a 'gapless' transition for our ongoing Origin Trial*
> (that is, skip the required breaking period) to allow an uninterrupted
> availability for partners. We believe we meet the bar: the API changed
> significantly from M93, to M94, to M95, such that code written solely for
> M93-M94 will not work on M95. (So we definitely haven't been avoiding
> breaking changes!).
>
> On Thu, 2 Sept 2021 at 15:25, Yoav Weiss <[email protected]> wrote:
>
>> LGTM3
>>
>> On Thursday, September 2, 2021 at 9:25:14 PM UTC+2 Mike West wrote:
>>
>>> LGTM2. This has been approved via internal security and privacy review,
>>> has gotten substantial developer feedback during OT, and serves a useful
>>> purpose.
>>>
>>> I would ask y'all to pay attention to the TAG in case they provide
>>> substantive feedback in the near future. But given that the review was
>>> initially filed a year ago, and the conversation stalled in January, I
>>> don't think we need to block on their input.
>>>
>>> -mike
>>>
>>> On Thu, Sep 2, 2021 at 9:19 PM Alex Russell <[email protected]>
>>> wrote:
>>>
>>>> LGTM1
>>>>
>>>> On Wednesday, September 1, 2021 at 5:49:12 PM UTC+1 Stephen McGruer
>>>> wrote:
>>>>
>>>>> > and one which impacted <https://twitter.com/yoavweiss/status/1382050433632456711> me as a user
>>>>>
>>>>> Oof! Yes, we'd like to help figure out a way to make *that* not
>>>>> happen...
>>>>>
>>>>> > What would be the timelines for [the commitment to see through the WPT test suite]?
>>>>>
>>>>> My team will be working on test automation for SPC in Q4 2021. As the
>>>>> ex-lead of WPT in Chromium, I am quite insistent that we get it done :D.
>>>>>
>>>>> > Any feedback from the Origin Trial?
>>>>>
>>>>> During the Origin Trial we did iterate on the API shape significantly,
>>>>> but that more came from discussions in the working group than Origin Trial
>>>>> participant feedback (who are themselves also in the working group, so
>>>>> some overlap).
>>>>>
>>>>> From our Origin Trial partners, we mostly heard that the overall
>>>>> experience is working for them and that they're really excited to be able
>>>>> to build lower-friction authentication solutions in the payments space!
>>>>>
>>>>> On Wed, 1 Sept 2021 at 10:26, Yoav Weiss <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Thanks for working on this! This seems like an important problem to
>>>>>> solve. (and one which impacted
>>>>>> <https://twitter.com/yoavweiss/status/1382050433632456711> me as a
>>>>>> user)
>>>>>>
>>>>>> On Fri, Aug 27, 2021 at 4:04 PM Stephen Mcgruer <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Contact [email protected], [email protected],
>>>>>>> [email protected], [email protected]
>>>>>>>
>>>>>>> Explainer: https://github.com/w3c/secure-payment-confirmation
>>>>>>>
>>>>>>> Specification: https://w3c.github.io/secure-payment-confirmation/
>>>>>>>
>>>>>>> Summary
>>>>>>>
>>>>>>> Secure payment confirmation augments the payment authentication
>>>>>>> experience on the web with the help of WebAuthn. The feature adds a new
>>>>>>> 'payment' extension to WebAuthn, which allows a relying party such as a
>>>>>>> bank to create a PublicKeyCredential that can be queried by any merchant
>>>>>>> origin as part of an online checkout via the Payment Request API using
>>>>>>> the 'secure-payment-confirmation payment' method.
>>>>>>>
>>>>>>> Blink component: Blink>Payments
>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
>>>>>>>
>>>>>>> TAG review: https://github.com/w3ctag/design-reviews/issues/544
>>>>>>>
>>>>>>> TAG review status: Pending
>>>>>>>
>>>>>>> *Supported on all platforms?*
>>>>>>> No.
>>>>>>>
>>>>>>> SPC is launching on MacOS and Windows only initially, as they are
>>>>>>> platforms that have built-in authenticators and which payment partners
>>>>>>> have noted as important targets.
>>>>>>>
>>>>>>> Android has browser-level support for SPC, but is excluded from the
>>>>>>> launch due to the lack of Discoverable Credentials currently. We will
>>>>>>> add Android once the platform supports that.
>>>>>>>
>>>>>>> Risks
>>>>>>> Interoperability and Compatibility
>>>>>>>
>>>>>>> This feature adds a WebAuthn extension and PaymentRequest payment
>>>>>>> method type, so the interop risk is that other browsers do not implement
>>>>>>> these types. The feature is detectable (though it could be easier[0]),
>>>>>>> so it should be possible for Web Developers to determine if SPC is
>>>>>>> enabled for a given user agent visiting their site. There is a risk that
>>>>>>> the feature will evolve away from the PaymentRequest API[1], which would
>>>>>>> then require a deprecation of the current API entry-point. It is worth
>>>>>>> noting that deprecations for payment are often easier than for the
>>>>>>> general web, as there are far, far fewer payment developers and websites
>>>>>>> that accept payments are almost always kept up to date (or their payment
>>>>>>> integrations might break!).
>>>>>>> [0]: https://github.com/w3c/secure-payment-confirmation/issues/81#issuecomment-885046226
>>>>>>> [1]: https://github.com/w3c/secure-payment-confirmation/issues/65
>>>>>>>
>>>>>>> Gecko: No signal (
>>>>>>> https://github.com/mozilla/standards-positions/issues/570
>>>>>>> <https://chromestatus.com/admin/features/launch/5702310124584960/5?intent=1>)
>>>>>>> Historically (>1 year old) positive signal from informal conversation in
>>>>>>> W3C Payment Handler meetings. However Firefox have since not been
>>>>>>> involved in the API development.
>>>>>>>
>>>>>>> WebKit: No signal (
>>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html
>>>>>>> )
>>>>>>>
>>>>>>> Web developers: Positive (
>>>>>>> https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html)
>>>>>>> Support and involvement in API development from multiple web developers
>>>>>>> and payment industry partners. Both Stripe and AirBnB have publicly
>>>>>>> stated that they have either completed or are in the process of
>>>>>>> prototyping/experimenting with SPC
>>>>>>>
>>>>>>> Debuggability
>>>>>>>
>>>>>>> Existing devtools debugging features should cover SPC (e.g.
>>>>>>> breakpoints, console, etc)
>>>>>>>
>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>
>>>>>>> ? Partially
>>>>>>>
>>>>>>> https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned
>>>>>>>
>>>>>>> The WPT test suite is only partially complete and needs to be
>>>>>>> extended, but this first requires building out test automation machinery
>>>>>>> and content_shell support. The team is committed to this post initial
>>>>>>> launch.
>>>>>>>
>>>>>>
>>>>>> What would be the timelines for that commitment?
>>>>>>
>>>>>>>
>>>>>>> Requires code in //chrome? True
>>>>>>>
>>>>>>> Tracking bug: https://crbug.com/1124927
>>>>>>>
>>>>>>> Launch bug:
>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1236570#
>>>>>>>
>>>>>>> Estimated milestones
>>>>>>> Ship: M95. Note that this is directly after the end of the Origin
>>>>>>> Trial, so we are still trying to determine whether we should do the
>>>>>>> 'week off' approach or apply for a no-skip transition. For the latter
>>>>>>> option, I think we may meet the bar.
>>>>>>> We've significantly changed the API in both M93 and M94 during the
>>>>>>> origin trial, and so M95 for example is not compatible with someone
>>>>>>> using code from M93.
>>>>>>>
>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>> https://chromestatus.com/feature/5702310124584960
>>>>>>>
>>>>>>> Links to previous Intent discussions
>>>>>>> Intent to prototype:
>>>>>>> https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion
>>>>>>> Intent to Experiment:
>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8
>>>>>>>
>>>>>>
>>>>>> Any feedback from the Origin Trial?
>>>>>>
>>>>>>>
>>>>>>> This intent message was generated by Chrome Platform Status
>>>>>>> <https://www.chromestatus.com/>, and then hand-edited.
