IRC log of wpwg-spc on 2021-08-23
Timestamps are in UTC.
- 15:59:42 [RRSAgent]
- RRSAgent has joined #wpwg-spc
- 15:59:42 [RRSAgent]
- logging to https://www.w3.org/2021/08/23-wpwg-spc-irc
- 15:59:47 [Ian]
- Meeting: SPC Task Force
- 16:00:02 [Ian]
- Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0032.html
- 16:00:03 [Ian]
- Chair: Ian
- 16:00:05 [Ian]
- Scribe: Ian
- 16:00:24 [Ian]
- present+
- 16:00:48 [Ian]
- present+
- 16:01:15 [Ian]
- present+ Stephen_McGruer
- 16:01:18 [Ian]
- present+ Anne_Pouillard
- 16:01:24 [Ian]
- present+ Susan_Pandy
- 16:01:31 [Ian]
- present+ Adrian_Hope-Bailie
- 16:01:54 [Anne]
- Anne has joined #wpwg-spc
- 16:02:08 [Ian]
- agenda+ Issue 101
- 16:02:13 [Ian]
- agenda+ Issue 84
- 16:02:39 [Ian]
- agenda+ Issue 109
- 16:03:19 [Ian]
- present+ Doug_Fisher
- 16:03:26 [Ian]
- present+ Michel_Weksler
- 16:03:37 [Ian]
- zakim, take up item 1
- 16:03:37 [Zakim]
- agendum 1 -- Issue 101 -- taken up [from Ian]
- 16:03:44 [Ian]
- https://github.com/w3c/secure-payment-confirmation/issues/101
- 16:03:49 [Ian]
- Proposal: support data URIs for card art icons
- 16:04:45 [Ian]
- Stephen: To simplify Account Provider support, can use data URI for icon instead of running a web server.
- 16:05:03 [Ian]
- ...so proposal is that we hash the data URL.
- 16:05:22 [Ian]
- ...works for both https and data URLs
- 16:06:36 [Ian]
- present+ Praveena_Subrahmany
- 16:07:36 [Ian]
- AdrianHB: What if merchant is given 100 logos by the RP? (Even if out of scope for SPC)
- 16:07:59 [Ian]
- Stephen: Technically, an RP could keep a set of hashes around.
- 16:08:16 [Ian]
- AdrianHB: Anything needed re: hashing?
- 16:08:21 [Ian]
- ...specifics about (complicated) hashing?
- 16:08:51 [mweksler]
- mweksler has joined #wpwg-spc
- 16:10:17 [Ian]
- AdrianHB: The browser needs to do the hash since it needs to be sure the hash corresponds to the image
- 16:10:55 [Ian]
- ...can we name the hash method?
- 16:11:04 [Ian]
- ...look at CSR
- 16:11:31 [Ian]
- Stephen: Hash collision attack is possible but unlikely
- 16:11:59 [Ian]
- s/CSR/CSP
- 16:12:54 [Ian]
- Doug: A downside of this approach: images change over time; hash of image at time of authentication may not be same at validation time
- 16:13:05 [Ian]
- ...and images are cached by merchants
- 16:14:47 [Ian]
- ...one mitigation strategy is for the RP to provide fresh images (e.g., via ACS)
- 16:15:46 [Ian]
- Stephen: I think data URL is a reasonable compromise -- the RP passes the data URL to the merchant
- 16:17:29 [Ian]
- ...we have advised the 3DS WG that all the information required for the SPC call is passed at the time of the request
- 16:17:30 [Ian]
- q?
- 16:18:02 [Ian]
- Doug: Are we also talking about display of the issuer logo?
- 16:18:28 [Ian]
- Stephen: At the moment, no. Just one icon for now ('for the instrument')
- 16:18:33 [Ian]
- q+
- 16:18:45 [Ian]
- Stephen: It's reasonable to look into another icon
- 16:20:34 [Ian]
- Ian: Is it important to tell the user to whom they are authenticating (the RP)?
- 16:20:48 [Ian]
- Doug: Our UX experiments show that it's important to show the user to whom they are authenticating.
- 16:20:56 [Ian]
- Ian: This may also be true in open banking context
- 16:21:31 [Ian]
- Doug: When SPC fails, we'd also like to have some continuity (in UI) to fallback authentication
- 16:21:40 [Ian]
- ...so I think having extra UI about RP would be important to the consumer
- 16:23:14 [Ian]
- AdrianHB: I think there's no harm to show origin of RP. We should allow the RP to say what icon to show (for them)
- 16:23:41 [Ian]
- ...they may choose through their own experimentation that showing a network logo is effective, or a combo logo, or whatever
- 16:24:14 [Ian]
- ...this is a mechanism for the RP to show the user some graphical clue about what the user is about to do, and a hash of the bytes would be part of the assertion.
- 16:24:58 [Ian]
- ...maybe a single logo suffices if the RP gets to say what it is
- 16:27:02 [Ian]
- topic: Issue 84
- 16:27:03 [Ian]
- https://github.com/w3c/secure-payment-confirmation/issues/84
- 16:27:40 [Ian]
- Ian: Can we close this one with "No UX in v1"
- 16:28:18 [Ian]
- ACTION: Stephen to close issue 84 with explanation about v1 status and reopen later if needed.
- 16:28:29 [Ian]
- Topic: FPWD
- 16:29:21 [Ian]
- Ian: Ready?
- 16:29:31 [Ian]
- Stephen: Coming soon - tx confirmation requirements
- 16:30:28 [Ian]
- Ian: I will aim for 25 August
- 16:30:33 [Ian]
- Topic: next call
- 16:31:08 [Ian]
- 30 August
- 16:31:11 [Ian]
- No meeting 6 September
- 16:31:15 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/08/23-wpwg-spc-minutes.html Ian
- 16:31:56 [Ian]
- Topic: Any origin trial changes?
- 16:32:24 [Ian]
- Stephen: See https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0027.html
- 16:32:45 [Ian]
- Ian: Note in particular:
- 16:32:51 [Ian]
- * 0 credential match UX
- 16:32:59 [Ian]
- * No enrollment UX
- 16:33:15 [Ian]
- RRSAGENT, make minutes
- 16:33:15 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/08/23-wpwg-spc-minutes.html Ian
- 16:33:20 [Ian]
- RRSAGENT, set logs public
- 16:33:28 [Ian]
- RRSAGENT, set logs public
- 16:38:36 [Ian]
- rrsagent, bye
- 16:38:36 [RRSAgent]
- I see 1 open action item saved in https://www.w3.org/2021/08/23-wpwg-spc-actions.rdf :
- 16:38:36 [RRSAgent]
- ACTION: Stephen to close issue 84 with explanation about v1 status and reopen later if needed. [1]
- 16:38:36 [RRSAgent]
- recorded in https://www.w3.org/2021/08/23-wpwg-spc-irc#T16-28-18