06:32:51 RRSAgent has joined #qr
06:32:55 logging to https://www.w3.org/2023/09/13-qr-irc
06:32:55 RRSAgent, do not leave
06:32:55 RRSAgent, make logs public
06:32:57 Meeting: After 50 years, GS1 is replacing the barcode with QR codes. That matters for devs, for consumers, for brands, for retailers, for trust on the Web.
06:33:00 Chair: Phil Archer
06:33:02 Agenda: https://github.com/w3c/tpac2023-breakouts/issues/16#issuecomment-1716035374
06:33:04 Slideset: https://philarcher.org/gs1/files/2023/09/qr-gs1.pdf
06:33:06 clear agenda
06:33:08 agenda+ Pick a scribe
06:33:10 agenda+ Reminders: code of conduct, health policies, recorded session policy
06:33:13 agenda+ Goal of this session
06:33:14 agenda+ Discussion
06:33:16 agenda+ Next steps / where discussion continues
07:20:14 tidoust has joined #qr
08:45:45 phila has joined #qr
08:46:24 nick_lansley_gs1 has joined #qr
08:49:43 Testing 123...!
08:59:17 RRSAgent, make logs public
09:01:00 tidoust has joined #qr
09:05:33 labrax has joined #qr
09:06:59 ben_tillyer has joined #qr
09:06:59 present+
09:06:59 present+ Sebastian Crane
09:09:49 ghdot68KjM - I did not do that by hand :D
09:25:24 q+
09:25:34 benoit_ has joined #qr
09:26:22 Q: If you have the list of properties - is there a way to define the source of data such as nutrition info?
09:27:20 A: GS1 manages Link Relation Types ('linktypes') - a linktype coming soon is regulated information. The link can then be to a verifiable credential if needed.
09:28:09 A: We would leave that information and mechanisms to the destination URL.
09:28:24 q+
09:28:43 Q: Is it still the case that GTIN is regulated by GS1? (yes)
09:29:20 A: GS1 does not know about all the GTINs, just the prefix (license) component.
09:30:21 Q: I am leaving it up to my web browser to follow the link - I have to trust it?
09:31:10 ack labrax
09:31:16 A: It's no less secure than any apps you need to trust when scanning a barcode today. Members licensing GTINs can control the web link
09:31:23 sebastian has joined #qr
09:31:28 q+
09:31:35 Wolfgang has joined #qr
09:32:01 q+ on attack surface
09:32:16 Q: (Sebastian) - why are we using HTTP and URLs? Why not use query strings?
09:34:09 q?
09:34:11 A: Consumer device cameras already recognise URLs in QR Codes - we are leveraging that capability. Consumers seeing the URL can see the brand in the URL (e.g. id.kelloggs.com) - no consumer knows 'GS1' - and the whole world coming to one domain of servers would create a traffic issue.
09:34:16 ack ben_tillyer
09:35:22 q+
09:35:39 Q: (Ben - accessibility guidelines WG) - P&G were going to use another 2D code for vision-impaired consumers, but this put a lot of retailers off. (GS1 Digital Link) solves this for blind customers, very interesting
09:36:29 A (as a Q!): Accessibility is an important use case - how easy is it for vision-impaired consumers to find the QR Code?
09:37:41 Ben: 'Navi lens'(?) enables ability to find Navi codes and QR Codes don't really work like that via cameras. Could a solution be that the QR Code is always in a certain place on the pack?
09:37:48 ack sebastian
09:38:04 Q (Wolfgang) - GTINs are managed by GS1?
09:38:17 A: GS1 manages the numbering space.
09:38:33 Q: (Wolfgang) - how about type instance?
09:39:28 A: In the GS1 Digital Link URI, the identifier comes first (the GTIN number) then some qualifiers follow it such as serial number, and some attributes are in query strings such as expiry date.
09:40:20 Q: (Wolfgang) - Brands could design their own URLs so why use this strict format?
09:41:00 s/(Wolfgang)/(Sebastian)/
09:41:00 q?
09:41:30 A: It's about minimising the codes on the pack - ideally only one - so it can be reused by many systems. So a checkout only looks for the number following the fourth forward-slash to get the same number as the 1D original barcode.
09:42:34 A: If you have a serial number it can be that instance of the product, and you can also get basic info for just the GTIN.
09:42:34 q?
09:43:30 q+ (proxying Pat to be on the queue)
09:43:42 A: Each scanning application can look in different parts of the URL to find the data they are looking for. E.g. a retailer staff app could just look for expiry dates
09:43:48 q+ to proxy Pat
09:43:49 q+
09:43:54 ack Wolfgang
09:43:54 Wolfgang, you wanted to comment on attack surface and to proxy Pat
09:44:30 (I'm getting names mixed up - sorry thanks for fixing!)
09:45:44 Q: (Wolfgang) - there may be many ways a scanner could implement parsing GS1 Digital Link incorrectly exposing an attack surface. Does the spec come with recommended implementations, etc?
09:46:59 A: A woman went to a coffee shop, scanned the coffee cup's QR Code. Web page says 'download this app and ignore any warnings'. A rogue app is then downloaded. The person should have adhered to the warnings but the 'news' is that the QR Code is the issue.
09:48:34 A: The attack surface we are being told we are opening is not new - and most scanners simply want to get just part of the data. A rogue actor could stick a 1D barcode over an existing one.
09:48:48 q?
09:48:57 A: We are looking at hashing and verifiable credentials as possible future answers.
09:49:32 Q: (Wolfgang) I would disagree that just parsing a number is not a security issue.
09:49:47 acl labrax
09:49:51 ack labrax
09:49:54 A: We do offer C code to scanner manufacturers
09:49:54 q?
09:50:12 q+ to proxy Pat
09:51:07 Q (Sebastian) Are existing laser-based barcode scanners going to keep up with the latest generation of QR codes?
09:52:09 A: We are working with manufacturers to implement this. The 1D barcode is not going to disappear. There are securer QR Codes but these are proprietary and often require licensing.
09:52:40 Q: (Sebastian) - what about speed and throughput?
09:53:37 q?
09:53:40 A: Yes we have tested in a lab the 1D vs QR Code parsing speed is 10-20 milliseconds. This is 'longer' but we still can get 70 items per minute through a scanner as needed by supermarkets.
09:53:44 ack benoit_
09:53:45 wouldn't something like "gtin:09123123123?expiry=xxxx&something=else" resolve all of these concerns? the only objection I have heard is "your phone can't scan it by default", but if standardized, wouldn't that change more quickly than education?
09:54:58 Q: (benoit) - having a GTIN scheme gets around web domains expiring.
09:56:17 q?
09:56:24 A: Not hopeful that Apple and Android would support this. Example is data matrix barcode which is on billions of medical products and they are still not interested because they would not know what to do with it.
09:57:21 A: If you can persuade Apple and Google to raise an 'intent' (default app) when a GTIN: scheme is used then excellent.
09:57:35 ack Wolfgang
09:57:35 Wolfgang, you wanted to proxy Pat
09:57:38 [next speaker is Pat, not Wolfgang]
09:59:12 That is an unintended advertisement for DisplayPort :)
10:00:05 Q: Big concern for me is being able to identify an individual. My TV gets updates from the internet but it means my TV brand could recognise 'me' uniquely. Could a system work out the individual if they scan QR Codes from their device? Privacy element is biggest concern.
10:01:13 q?
10:01:13 A: At GS1 we don't collect data. The logs are lost deliberately.
10:01:13 Thank you!
10:01:14 https://philarcher.org/gs1/files/2023/09/qr-gs1.pptx
10:01:21 https://philarcher.org/gs1/files/2023/09/qr-gs1.pdf
10:01:48 Thank you for organising the session!
10:02:00 RRSAgent, draft minutes
10:02:01 I have made the request to generate https://www.w3.org/2023/09/13-qr-minutes.html phila
10:18:33 phila has joined #qr
12:05:13 tidoust has joined #qr