W3C home > Mailing lists > Public > public-identity@w3.org > February 2012

Financial Transactions using Web Cryptography

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Sat, 11 Feb 2012 10:09:07 +0100
Message-ID: <4F363033.1050002@telia.com>
To: "public-identity@w3.org" <public-identity@w3.org>
This is a follow-up to my previous (enclosed) posting.

I don't see that the keys provisioned in the second section have
much relevance for the signatures mentioned in the first section.

That is, we are effectively talking about two free-standing work-items
although they both build on JavaScript.

Creating a scheme that combines the requirements would be an entirely
different mission.  Taking a simple example: Mozilla's "soft token"
doesn't support individual PIN-codes.  AFAIK, the situation is roughly
the same for Internet Explorer.  PIN-codes are more or less mandatory
in bank-contexts and it is always the *bank* that sets the policy.

That's why (for example) the Swedish banks that are into strong
authentication roll their own PKI clients which (of course) support
their own "hard-coded" PIN-policies.  Not very universal but that's
what we got...

Anders

-------- Original Message --------
Subject: Web Cryptography Working Group Charter
Resent-Date: Thu, 09 Feb 2012 21:07:36 +0000
Resent-From: public-identity@w3.org
Date: Thu, 09 Feb 2012 22:07:02 +0100
From: Anders Rundgren <anders.rundgren@telia.com>
To: public-identity@w3.org <public-identity@w3.org>

http://www.w3.org/2011/11/webcryptography-charter.html

 "The ability to select credentials and sign statements can
  be necessary to perform high-value transactions such as those
  involved in finance, corporate security, and identity-related
  claims about personal data"

 "The provisioning and use of keys within Web applications can
  be used for scenarios like increasing the security of user
  authentication and determining whether a particular device is
  authenticated for particular services"

If you combine these high-level requirements you essentially get
a "webbified" Google wallet (and more).  However, the Google
wallet is not an API, it is a system and architecture.

For financial transactions and key provisioning the DOMCrypt stuff
that Mozilla showcased last summer, IMO doesn't even come close
to the already shipping Google product so we are apparently (?)
talking about something entirely different.

 "Out of scope: features include special handling directly for
  non-opaque key identification schemes, access control mechanisms
  beyond the enforcement of the same-origin policy, and functions
  in the API that require smartcard or other device-specific behavior"

The Google wallet builds on smart card technology.

Anders
Received on Saturday, 11 February 2012 09:09:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 11 February 2012 09:09:41 GMT