Hi all,
The existing spec I was trying to remember on the call was Subresource
Integrity <https://www.w3.org/TR/SRI/> (Not CSP)
I suggest we leverage this spec (make it a normative dependency and simply
re-use the algorithms here) to avoid reinventing the wheel.
@Stephen McGruer <smcgruer@google.com> and @Rouslan Solomakhin
<rouslan@google.com>
My suggestion would be that we update the PaymentCredentialInstrument
<https://w3c.github.io/secure-payment-confirmation/#dictdef-paymentcredentialinstrument>
to
have an optional "iconIntegrity" member that gets it's definition from SRI.
In the algorithm to check if a payment can be made
<https://w3c.github.io/secure-payment-confirmation/#sctn-steps-to-check-if-a-payment-can-be-made>
we check if there is an integrity value provided and if so we follow the
algorithm s defined in SRI to parse it and validate it against the content
fetched for the image.
Would that work?
This doesn't answer the question about whether we should show an RP icon
but I think that is a separate issue.
Adrian
On Mon, Aug 23, 2021 at 6:41 PM Ian Jacobs <ij@w3.org> wrote:
> Dear WPWG,
>
> Minutes from today's SPC task force call:
> https://www.w3.org/2021/08/23-wpwg-spc-minutes
>
> Next task force call: 30 August.
>
> There will be no call on 6 September.
>
> Thanks!
>
> Ian
>
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 718 260 9447
>
>
>
>
>
>