Re: Overview of Payment App dev call Nov 14th, 2016 from Anders Rundgren on 2016-11-18 (public-payments-wg@w3.org from November 2016)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 18 Nov 2016 17:59:36 +0100
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Rouslan Solomakhin <rouslan@google.com>, Web Payments Working Group <public-payments-wg@w3.org>, "Hackett, Conor" <Conor.Hackett@worldpay.com>, 임동우 <dw.im@samsung.com>
Message-ID: <fccfa533-129a-2171-c9ca-914c9ca4bfcd@gmail.com>

On 2016-11-18 16:43, Adrian Hope-Bailie wrote:
> Merchant certs can still be used but that would be defined per payment method.

Yes, like for Apple Pay.

It's overly complex to try and do this at the top level.

I wouldn't even think of that.

> ApplePay is a payment method under this system so I think this works

IMO the whole point with super-provider solutions is being a one-stop shop for
as much as is technically feasible, including security.  I *may* be wrong, but
I believe Merchants need to have a certificate bound to a specific Apple root.

Anyway, getting Merchants' server-certificates into Android payment apps represent
an *improvement*, I only questioned the stated use-case for that feature.
This information might as well be transferred to the payment providers who may be
in a better position validating it or simply logging it.

Anders

>
> On 18 November 2016 at 20:08, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2016-11-18 11:56, Rouslan Solomakhin wrote:
>
>         Some Android payment apps would like an extra level of protection by manually
>
>     > checking website certificates against their own list of CAs instead of trusting the OS or the browser.
>
>     I see.  Personally I think this represents a weird trust model.  It it easier understanding
>     the scheme used in Apple Pay where merchant certificates (IIUC...) are unrelated to Web sites.
>
>     Anders
>
>
>
>         On Nov 18, 2016 5:53 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>> wrote:
>
>             On 2016-11-16 14:18, Hackett, Conor wrote:
>             <snip>
>
>                 ·         Samsung has proposed several improvements to this spec that not yet in doc:
>
>                 o   Pass merchants certificate to the payment app
>
>
>             Could somebody elaborate a bit on this?  It sounds like a major (and promising)
>             departure from Android intents.
>
>             Anders
>
>
>
>
>
>

Received on Friday, 18 November 2016 17:00:22 UTC