15:59:42 <RRSAgent> RRSAgent has joined #wpwg-spc
15:59:42 <RRSAgent> logging to https://www.w3.org/2021/08/23-wpwg-spc-irc
15:59:47 <Ian> Meeting: SPC Task Force
16:00:02 <Ian> Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0032.html
16:00:03 <Ian> Chair: Ian
16:00:05 <Ian> Scribe: Ian
16:00:24 <Ian> present+
16:00:48 <Ian> present+
16:01:15 <Ian> present+ Stephen_McGruer
16:01:18 <Ian> present+ Anne_Pouillard
16:01:24 <Ian> present+ Susan_Pandy
16:01:31 <Ian> present+ Adrian_Hope-Bailie
16:01:54 <Anne> Anne has joined #wpwg-spc
16:02:08 <Ian> agenda+ Issue 101
16:02:13 <Ian> agenda+ Issue 84
16:02:39 <Ian> agenda+ Issue 109
16:03:19 <Ian> present+ Doug_Fisher
16:03:26 <Ian> present+ Michel_Weksler
16:03:37 <Ian> zakim, take up item 1
16:03:37 <Zakim> agendum 1 -- Issue 101 -- taken up [from Ian]
16:03:44 <Ian>   https://github.com/w3c/secure-payment-confirmation/issues/101
16:03:49 <Ian> Proposal: support data URIs for card art icons
16:04:45 <Ian> Stephen: To simplify Account Provider support, can use data URI for icon instead of running a web server.
16:05:03 <Ian> ...so proposal is that we hash the data URL.
16:05:22 <Ian> ...works for both https and data URLs
16:06:36 <Ian> present+ Praveena_Subrahmany
16:07:36 <Ian> AdrianHB: What if merchant is given 100 logos by the RP? (Even if out of scope for SPC)
16:07:59 <Ian> Stephen: Technically, an RP could keep a set of hashes around.
16:08:16 <Ian> AdrianHB: Anything needed re: hashing?
16:08:21 <Ian> ..specifics about (complicated) hashing?
16:08:51 <mweksler> mweksler has joined #wpwg-spc
16:10:17 <Ian> AdrianHB: The browser needs to do the hash since it needs to be sure the hash corresponds to the image
16:10:55 <Ian> ...can we name the hash method?
16:11:04 <Ian> ...look at CSR
16:11:31 <Ian> Stephen: Hash collision attack is possibly but unlikely
16:11:59 <Ian> s/CSR/CSP
16:12:54 <Ian> Doug: A downside of this approach: images change over time; hash of image at time of authentication may not be same at validation time
16:13:05 <Ian> ...and images are cached by merchants
16:14:47 <Ian> ...one mitigation strategy is for the RP to provide fresh images (e.g., via ACS)
16:15:46 <Ian> Stephen: I think data URL is a reasonable compromise -- the RP passes the data URL to the merchant
16:17:29 <Ian> ...we have advised to the 3DS WG that all the information required for the SPC call is passed at the time of the request
16:17:30 <Ian> q?
16:18:02 <Ian> Doug: Are we also talking about display of the issuer logo?
16:18:28 <Ian> Stephen: At the moment, no. Just one icon for now ('for the instrument')
16:18:33 <Ian> q+
16:18:45 <Ian> Stephen: It's reasonable to look into another icon
16:20:34 <Ian> Ian: Is it important to tell the user to whom they are authenticating (the RP)?
16:20:48 <Ian> Doug: Our UX experiments show that it's important to show the user to whom they are authenticating.
16:20:56 <Ian> Ian: This may also be true in open banking context
16:21:31 <Ian> Doug: When SPC fails, we'd also like to have some continuity (in UI) to fallback authentication
16:21:40 <Ian> ...so I think having extra UI about RP would be important to the consumer
16:23:14 <Ian> AdrianHB: I think there's no harm to show origin of RP. We should allow the RP to say what icon to show (for them)
16:23:41 <Ian> ...they may choose through their own experimentation that showing a network logo is effective, or a combo logo, or whatever
16:24:14 <Ian> ...this is a mechanism for the RP to show the user some graphical clue about what the user is about to do, and a hash of the bytes would be part of the assertion.
16:24:58 <Ian> ...maybe a single logo suffices if the RP gets to say what it is
16:27:02 <Ian> topic: Issue 84
16:27:03 <Ian>   https://github.com/w3c/secure-payment-confirmation/issues/84
16:27:40 <Ian> Ian: Can we close this one with "No UX in v1"
16:28:18 <Ian> ACTION: Stephen to close issue 84 with explanation about v1 status and reopen later if needed.
16:28:29 <Ian> Topic: FPWD
16:29:21 <Ian> Ian: Ready?
16:29:31 <Ian> Stephen: Coming soon - tx confirmation requirements
16:30:28 <Ian> Ian: I will aim for 25 August
16:30:33 <Ian> Topic: next call
16:31:08 <Ian> 30 August
16:31:11 <Ian> No meeting 6 September
16:31:15 <RRSAgent> I have made the request to generate https://www.w3.org/2021/08/23-wpwg-spc-minutes.html Ian
16:31:56 <Ian> Topic: Any origin trial changes?
16:32:24 <Ian> Stephen: See https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0027.html
16:32:45 <Ian> Ian: Note in particular:
16:32:51 <Ian>  * 0 credential match UX
16:32:59 <Ian> * No enrollment UX
16:33:15 <Ian> RRSAGENT, make minutes
16:33:15 <RRSAgent> I have made the request to generate https://www.w3.org/2021/08/23-wpwg-spc-minutes.html Ian
16:33:20 <Ian> RRSAGENT, set logs public
16:33:28 <Ian> RRSAGENT, set logs public
16:38:36 <Ian> rrsagent, bye
16:38:36 <RRSAgent> I see 1 open action item saved in https://www.w3.org/2021/08/23-wpwg-spc-actions.rdf :
16:38:36 <RRSAgent> ACTION: Stephen to close issue 84 with explanation about v1 status and reopen later if needed. [1]
16:38:36 <RRSAgent>   recorded in https://www.w3.org/2021/08/23-wpwg-spc-irc#T16-28-18