Thanks Adrian; if you don't mind I'll follow up in the issue <https://github.com/w3c/secure-payment-confirmation/issues/101> for discussion. On Tue, 24 Aug 2021 at 05:30, Adrian Hope-Bailie <adrian@fynbos.dev> wrote: > Hi all, > > The existing spec I was trying to remember on the call was Subresource > Integrity <https://www.w3.org/TR/SRI/> (Not CSP) > I suggest we leverage this spec (make it a normative dependency and simply > re-use the algorithms here) to avoid reinventing the wheel. > > @Stephen McGruer <smcgruer@google.com> and @Rouslan Solomakhin > <rouslan@google.com> > My suggestion would be that we update the PaymentCredentialInstrument > <https://w3c.github.io/secure-payment-confirmation/#dictdef-paymentcredentialinstrument> to > have an optional "iconIntegrity" member that gets it's definition from SRI. > In the algorithm to check if a payment can be made > <https://w3c.github.io/secure-payment-confirmation/#sctn-steps-to-check-if-a-payment-can-be-made> > we check if there is an integrity value provided and if so we follow the > algorithm s defined in SRI to parse it and validate it against the content > fetched for the image. > Would that work? > > This doesn't answer the question about whether we should show an RP icon > but I think that is a separate issue. > > Adrian > > On Mon, Aug 23, 2021 at 6:41 PM Ian Jacobs <ij@w3.org> wrote: > >> Dear WPWG, >> >> Minutes from today's SPC task force call: >> https://www.w3.org/2021/08/23-wpwg-spc-minutes >> >> Next task force call: 30 August. >> >> There will be no call on 6 September. >> >> Thanks! >> >> Ian >> >> -- >> Ian Jacobs <ij@w3.org> >> https://www.w3.org/People/Jacobs/ >> Tel: +1 718 260 9447 <+1%20718-260-9447> >> >> >> >> >> >> -- smcgruer • he / him
Received on Thursday, 26 August 2021 13:38:11 UTC