IRC log of wpwg-spc on 2021-08-23

Timestamps are in UTC.

15:59:42 [RRSAgent]
RRSAgent has joined #wpwg-spc
15:59:42 [RRSAgent]
logging to https://www.w3.org/2021/08/23-wpwg-spc-irc
15:59:47 [Ian]
Meeting: SPC Task Force
16:00:02 [Ian]
Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0032.html
16:00:03 [Ian]
Chair: Ian
16:00:05 [Ian]
Scribe: Ian
16:00:24 [Ian]
present+
16:00:48 [Ian]
present+
16:01:15 [Ian]
present+ Stephen_McGruer
16:01:18 [Ian]
present+ Anne_Pouillard
16:01:24 [Ian]
present+ Susan_Pandy
16:01:31 [Ian]
present+ Adrian_Hope-Bailie
16:01:54 [Anne]
Anne has joined #wpwg-spc
16:02:08 [Ian]
agenda+ Issue 101
16:02:13 [Ian]
agenda+ Issue 84
16:02:39 [Ian]
agenda+ Issue 109
16:03:19 [Ian]
present+ Doug_Fisher
16:03:26 [Ian]
present+ Michel_Weksler
16:03:37 [Ian]
zakim, take up item 1
16:03:37 [Zakim]
agendum 1 -- Issue 101 -- taken up [from Ian]
16:03:44 [Ian]
https://github.com/w3c/secure-payment-confirmation/issues/101
16:03:49 [Ian]
Proposal: support data URIs for card art icons
16:04:45 [Ian]
Stephen: To simplify Account Provider support, can use data URI for icon instead of running a web server.
16:05:03 [Ian]
...so proposal is that we hash the data URL.
16:05:22 [Ian]
...works for both https and data URLs
16:06:36 [Ian]
present+ Praveena_Subrahmany
16:07:36 [Ian]
AdrianHB: What if merchant is given 100 logos by the RP? (Even if out of scope for SPC)
16:07:59 [Ian]
Stephen: Technically, an RP could keep a set of hashes around.
16:08:16 [Ian]
AdrianHB: Anything needed re: hashing?
16:08:21 [Ian]
...specifics about (complicated) hashing?
16:08:51 [mweksler]
mweksler has joined #wpwg-spc
16:10:17 [Ian]
AdrianHB: The browser needs to do the hash since it needs to be sure the hash corresponds to the image
16:10:55 [Ian]
...can we name the hash method?
16:11:04 [Ian]
...look at CSR
16:11:31 [Ian]
Stephen: Hash collision attack is possible but unlikely
16:11:59 [Ian]
s/CSR/CSP
16:12:54 [Ian]
Doug: A downside of this approach: images change over time; hash of image at time of authentication may not be same at validation time
16:13:05 [Ian]
...and images are cached by merchants
16:14:47 [Ian]
...one mitigation strategy is for the RP to provide fresh images (e.g., via ACS)
16:15:46 [Ian]
Stephen: I think data URL is a reasonable compromise -- the RP passes the data URL to the merchant
16:17:29 [Ian]
...we have advised the 3DS WG that all the information required for the SPC call is passed at the time of the request
16:17:30 [Ian]
q?
16:18:02 [Ian]
Doug: Are we also talking about display of the issuer logo?
16:18:28 [Ian]
Stephen: At the moment, no. Just one icon for now ('for the instrument')
16:18:33 [Ian]
q+
16:18:45 [Ian]
Stephen: It's reasonable to look into another icon
16:20:34 [Ian]
Ian: Is it important to tell the user to whom they are authenticating (the RP)?
16:20:48 [Ian]
Doug: Our UX experiments show that it's important to show the user to whom they are authenticating.
16:20:56 [Ian]
Ian: This may also be true in open banking context
16:21:31 [Ian]
Doug: When SPC fails, we'd also like to have some continuity (in UI) to fallback authentication
16:21:40 [Ian]
...so I think having extra UI about RP would be important to the consumer
16:23:14 [Ian]
AdrianHB: I think there's no harm to show origin of RP. We should allow the RP to say what icon to show (for them)
16:23:41 [Ian]
...they may choose through their own experimentation that showing a network logo is effective, or a combo logo, or whatever
16:24:14 [Ian]
...this is a mechanism for the RP to show the user some graphical clue about what the user is about to do, and a hash of the bytes would be part of the assertion.
16:24:58 [Ian]
...maybe a single logo suffices if the RP gets to say what it is
16:27:02 [Ian]
topic: Issue 84
16:27:03 [Ian]
https://github.com/w3c/secure-payment-confirmation/issues/84
16:27:40 [Ian]
Ian: Can we close this one with "No UX in v1"
16:28:18 [Ian]
ACTION: Stephen to close issue 84 with explanation about v1 status and reopen later if needed.
16:28:29 [Ian]
Topic: FPWD
16:29:21 [Ian]
Ian: Ready?
16:29:31 [Ian]
Stephen: Coming soon - tx confirmation requirements
16:30:28 [Ian]
Ian: I will aim for 25 August
16:30:33 [Ian]
Topic: next call
16:31:08 [Ian]
30 August
16:31:11 [Ian]
No meeting 6 September
16:31:15 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/08/23-wpwg-spc-minutes.html Ian
16:31:56 [Ian]
Topic: Any origin trial changes?
16:32:24 [Ian]
Stephen: See https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0027.html
16:32:45 [Ian]
Ian: Note in particular:
16:32:51 [Ian]
* 0 credential match UX
16:32:59 [Ian]
* No enrollment UX
16:33:15 [Ian]
RRSAGENT, make minutes
16:33:15 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/08/23-wpwg-spc-minutes.html Ian
16:33:20 [Ian]
RRSAGENT, set logs public
16:33:28 [Ian]
RRSAGENT, set logs public
16:38:36 [Ian]
rrsagent, bye
16:38:36 [RRSAgent]
I see 1 open action item saved in https://www.w3.org/2021/08/23-wpwg-spc-actions.rdf :
16:38:36 [RRSAgent]
ACTION: Stephen to close issue 84 with explanation about v1 status and reopen later if needed. [1]
16:38:36 [RRSAgent]
recorded in https://www.w3.org/2021/08/23-wpwg-spc-irc#T16-28-18