Re: [Minutes] 23 August 2021 SPC Task Force; next call is 30 August

Hi all,

The existing spec I was trying to remember on the call was Subresource
Integrity <https://www.w3.org/TR/SRI/> (not CSP).
I suggest we leverage this spec (make it a normative dependency and simply
re-use the algorithms here) to avoid reinventing the wheel.

@Stephen McGruer <smcgruer@google.com> and @Rouslan Solomakhin
<rouslan@google.com>
My suggestion would be that we update the PaymentCredentialInstrument
<https://w3c.github.io/secure-payment-confirmation/#dictdef-paymentcredentialinstrument>
to have an optional "iconIntegrity" member that gets its definition from SRI.
In the algorithm to check if a payment can be made
<https://w3c.github.io/secure-payment-confirmation/#sctn-steps-to-check-if-a-payment-can-be-made>
we check if there is an integrity value provided and, if so, we follow the
algorithms defined in SRI to parse it and validate it against the content
fetched for the image.
Would that work?

This doesn't answer the question about whether we should show an RP icon
but I think that is a separate issue.

Adrian

On Mon, Aug 23, 2021 at 6:41 PM Ian Jacobs <ij@w3.org> wrote:

> Dear WPWG,
>
> Minutes from today's SPC task force call:
>  https://www.w3.org/2021/08/23-wpwg-spc-minutes
>
> Next task force call: 30 August.
>
> There will be no call on 6 September.
>
> Thanks!
>
> Ian
>
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 718 260 9447

Received on Tuesday, 24 August 2021 09:30:16 UTC
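
The check proposed in the message above, as an added example that is not part of the original message or of the SPC or SRI specification text: it parses an SRI-style integrity string and validates it against the bytes fetched for the icon. Only "iconIntegrity" comes from the message; the function names are hypothetical and the sketch assumes Node.js with its built-in crypto module.

```javascript
// Added example: SRI-style validation for a proposed "iconIntegrity" value.
const { createHash } = require("node:crypto");

// Hash functions SRI requires user agents to support, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Parse integrity metadata: whitespace-separated "alg-base64[?options]" tokens.
// Tokens with an unsupported algorithm or bad syntax are ignored, as in SRI.
function parseMetadata(integrity) {
  const items = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) items.push({ alg: m[1], value: m[2] });
  }
  return items;
}

// Keep only the entries that use the strongest algorithm present, so a
// weaker hash listed beside a stronger one can never satisfy the check.
function strongest(items) {
  const best = Math.max(...items.map((i) => STRENGTH.indexOf(i.alg)));
  return items.filter((i) => STRENGTH.indexOf(i.alg) === best);
}

// True when the fetched icon bytes match the integrity metadata.
// As in SRI, metadata with no usable entry imposes no constraint.
function iconMatchesIntegrity(iconBytes, integrity) {
  const items = parseMetadata(integrity || "");
  if (items.length === 0) return true;
  return strongest(items).some((i) =>
    createHash(i.alg).update(iconBytes).digest().equals(Buffer.from(i.value, "base64"))
  );
}

// Helper for whoever supplies the icon: build the integrity string.
function integrityFor(iconBytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(iconBytes).digest("base64")}`;
}
```

Because SRI treats an integrity string with no supported entry as "no metadata", a value such as one listing only an unsupported hash passes the check; a spec that wants to fail closed in that case would have to say so explicitly.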